Enigma Genetics: A Self-Sovereign Genomic Data Platform for Dynamic Consent Enforcement and Longitudinal Data Provenance

Genomics has ushered in a big data era in biomedicine, where large-scale DNA and health datasets drive discoveries in precision medicine and population health. However, human genomic information is exceptionally sensitive: an individual's genome is essentially a lifelong identifier, and even a small subset of genetic markers can uniquely re-identify a person [1,2]. Conventional privacy approaches like anonymization and one-time consent have repeatedly proven inadequate for genomic data. Studies have shown that removing obvious identifiers from DNA datasets is insufficient to prevent re-identification; for example, surname inference from Y-chromosome markers enabled re-identification of research participants [1], and as few as 75 SNPs can uniquely distinguish one individual in a large database [2]. Recognizing these risks, regulators classify genetic data as highly sensitive. The European GDPR designates genetic data as special category personal data, requiring explicit consent and strict safeguards, and pointedly notes that true anonymization may be impossible for genomes [7]. In the United States, the HIPAA Privacy Rule likewise includes genetic information as protected health information, effectively precluding any safe-harbor de-identification for full genomes [8]. In practice, virtually all genomic data use falls under data protection laws, mandating robust consent mechanisms and accountability.

Equally troubling are ethical pitfalls in current genomic data practices. High-profile cases have revealed how data shared under broad consent can be misused: for instance, direct-to-consumer genetic testing companies have amassed DNA databases that were later monetized or even sold as assets, with participants losing control over how their DNA is used. Once genomic data leaves the individual's hands, there is typically no ongoing consent management or audit trail, eroding public trust and potentially deterring participation in research. Static, one-time consent forms — often asking participants to consent to unspecified future research — cannot accommodate new technologies, evolving scientific questions, or changes in a person's preferences over time. There is growing consensus that consent must become dynamic, enabling participants to grant, modify, or revoke authorizations as circumstances change [3,4].

Dynamic consent has been explored in several biomedical research initiatives as a way to enhance participant engagement and autonomy [3,4]. Kaye et al. (2015) introduced the concept as a digital “patient interface” for managing consent choices and staying informed [3], and the CHRIS study demonstrated over a decade that dynamic consent can improve participants' understanding and retention in a large cohort [4]. By allowing individuals granular control — for example, consenting to cancer research but not forensic use — dynamic consent fosters transparency and trust. However, implementing such models at scale poses technological challenges. Every data access request must be checked against the participant's current consent status in real time, requiring robust identity and access management infrastructure. Early prototypes like ConsentChain (a blockchain-based dynamic consent architecture) showed that a distributed ledger and smart contracts can enable real-time consent verification and revocation in a tamper-evident manner [5]. These systems record each consent grant or withdrawal as a transaction on a private blockchain, and researchers query the ledger for permission before accessing encrypted data. While promising, such approaches also highlight unresolved issues: linking digital identities to real individuals, preventing consent fatigue, and ensuring scalability and interoperability across institutions [5].

Beyond blockchain pilots, complementary efforts are shaping a more automated and user-centric data governance ecosystem. For example, the Global Alliance for Genomics and Health (GA4GH) has developed standards like machine-readable consent forms and researcher Passports (using digital tokens of access rights) to streamline data access across repositories. The GA4GH Framework for Responsible Sharing emphasizes principles of autonomy, transparency, and accountability in genomic data sharing [9], aligning with the ethos of dynamic consent. Similarly, emerging ethical guidelines, such as the World Health Organization's 2024 guidance on genomic data sharing, stress the importance of informed consent, privacy, equity, and participant engagement in genomics governance [10]. These trends all point toward an infrastructure where participants are central stakeholders in decisions about their data.

In this paper, we propose a self-sovereign genomic data platform that integrates these cutting-edge ideas into a cohesive, operational system. Our approach, inspired by the Enigma Genetics concept, unifies dynamic consent with self-sovereign identity (SSI) principles, fine-grained access control, and distributed ledger provenance to ensure participants retain agency over their data without stifling research innovation. The contributions of this work are threefold:

• Framework Synthesis: We synthesize prior research in dynamic consent, blockchain-based consent architectures, and genomic data governance into a unified framework. Key concepts from the literature — such as participant-managed consent portals, tamper-proof audit logs, decentralized identifiers (DIDs), and smart-contract enforcement — inform our design. The system is grounded in current legal and ethical standards, demonstrating compliance-by-design with GDPR, HIPAA, and emerging data stewardship principles.
• System Architecture: We present a detailed system architecture comprising four primary components: an Identity Anchor, a Consent Engine, an Authorization Gateway, and an Audit Ledger. We describe how genomic data (and associated health data) are secured in an encrypted vault under the individual's control, and how every data access request is mediated by a user-granted consent token and transparently recorded on an immutable ledger.
• Workflow Realization: We delineate the consent lifecycle and data access workflow enabled by the platform, tracing the lifecycle of consent from initial capture through enforcement, potential revocation, and audit, illustrating how consent remains an active, living agreement.

The platform comprises four core components – Identity Anchor, Consent Engine, Authorization Gateway, and Audit Ledger – supported by an encrypted data vault and user/researcher interfaces. The Identity Anchor is a secure digital identifier linking the individual to their genomic data and consent records, often implemented via biometric-backed decentralized identity. The Consent Engine provides a dynamic consent management service: it authenticates the user and issues cryptographically signed consent tokens that specify who can access what data for what purpose and duration. Every data access request from external Data Requestors must pass through the Authorization Gateway, which enforces policy by checking that a valid consent token or permission exists for that specific request. All access events, as well as consent grants or revocations, are written to the Audit Ledger, a tamper-evident log that records every consent issuance and data retrieval.

Raw genomic data and any associated health data are encrypted and stored in a GeneVault under the individual's control. Data are never directly accessible without going through the Authorization Gateway. The system enforces a zero-trust data access model – nothing is taken on faith; every access requires explicit, verifiable consent.

At the core of self-sovereign data management is the Identity Anchor – a means to establish a tamper-proof link between a real individual and their digital data identity. The identity anchor is implemented as a decentralized identifier (DID) under the user's control, strengthened with biometric authentication for secure binding. A user enrolling generates a unique DID which is recorded in a wallet app or secure enclave on their device. This DID serves as the reference identity for all the user's data and consents. The system employs biometric enrollment: the user registers a biometric (such as a fingerprint or face scan) that will be used to authenticate their identity in future interactions. The biometric itself is stored as a secure template and is never sent raw to the server; it is used locally on the user's device to unlock cryptographic credentials.

The Consent Engine is a dedicated service responsible for capturing the user's consent decisions and issuing verifiable tokens that reflect those decisions. It is the dynamic heart of the platform, turning the user's intentions into enforceable access policies. To grant a consent, a user interacts with a secure interface – for example, a smartphone app where they can review data requests or set general consent preferences. Upon successful biometric check, the consent engine generates a signed consent token: a digital certificate asserting the user's authorization decisions in a verifiable format. Each consent token is time-bound and specific, with short validity to ensure that access is narrowly scoped and automatically expires.

The consent engine also handles consent revocation. If a user later decides to withdraw permission, they can issue a revoke command via the interface. Any tokens associated with that consent are invalidated and revocation events are signed and logged, providing evidence that consent was withdrawn at a specific time. Revocation is enforced in near-real-time, upholding participants' right to withdraw consent at any time [7].

The Authorization Gateway is the policy enforcement point that stands between data requesters and the sensitive data in the vault. It authenticates requests, validates consent, and mediates data transfer. Consent can be verified via two modes: Push Mode, where the requester includes a consent token with their request, or Pull Mode, where the gateway queries the Consent Engine to determine if consent exists. In Pull Mode, the gateway can trigger a dynamic consent capture by notifying the participant for real-time approval.

The Encrypted Data Vault (GeneVault) holds all genomic data securely, with encryption on a per-user basis and even per-file for fine-grained control. The vault may also store metadata tags indicating sensitivity or research categories to help the consent engine determine matching consents. By design, the authorization gateway and vault embody a zero-trust approach: no researcher or external system is inherently trusted, and every single access must present proof of consent.

Transparency and accountability are achieved through the Audit Ledger, an immutable log of all consent and data access events. Implemented using permissioned blockchain technology, the ledger ensures that records, once written, cannot be altered or deleted without detection. Every consent grant, revocation, and data access request triggers a new transaction on the ledger, resulting in a chronological, tamper-evident history of data usage.

The ledger stores only metadata and hashes – never raw genomic data or full personal details – to maintain GDPR compliance. Participants can inspect ledger entries related to their data through a dedicated interface, providing transparency rarely available in today's data sharing models. The audit data also enable analyzing trends and improving governance, creating an adaptive feedback loop.

Implementing this self-sovereign data platform fundamentally shifts power dynamics for both participants and researchers. Participants remain true partners in research, retaining agency over their personal genomic information at all times, leading to higher trust and greater willingness to share data. Researchers gain streamlined access to rich datasets with a clear legal and ethical basis for use, reducing administrative delays and uncertainty through formal, digitally recorded consent.

From a compliance perspective, the audit ledger ensures that research teams are accountable for every data use. The increased transparency improves scientific integrity and deters misuse such as unauthorized sharing of data with third parties or analysis beyond the scope of consent.

Many consents can be pre-collected or batched, enabling instant data access when standing consent exists. From a throughput perspective, the heavy cryptographic operations are all feasible with today's technology at scale. The consent tokens are lightweight, and blockchain transactions are similarly small metadata writes. A permissioned blockchain network can easily handle the transaction volumes required.

The automation of compliance streamlines processes that traditionally consumed significant administrative effort. HIPAA's accounting of disclosures becomes trivial with ledger entries. Under GDPR, demonstrating that consent was obtained for each data processing is mandatory – here each ledger entry is inherently tied to a consent record. This compliance-by-design approach means that regulatory requirements are inherently satisfied as part of the system's normal operation [7,8].

Scalability and User Burden: Scaling dynamic consent to millions of users will require careful attention to user experience. Consent fatigue can be mitigated through granular preference settings, consent bundling, and batch summaries. The platform can be architected for high throughput using sharded ledgers, off-chain processing, and modern serverless architectures.

Interoperability and Standardization: The design is compatible with GA4GH's Passport and Data Use Ontology (DUO), HL7 FHIR consent resources, and W3C Verifiable Credentials. Adopting these open standards ensures that participant choices are honored consistently across biobanks, studies, and international borders.

Security and Privacy: The architecture introduces new attack surfaces that must be addressed through hardware security modules (HSMs), multi-factor authentication, anomaly detection, and permissioned ledger access. Zero-knowledge proofs may hide transaction details while still allowing verification of compliance. The right to erasure under GDPR is addressed by keeping only pseudonymized metadata on-chain.

Regulatory Acceptance: Digital signatures for consent are legally recognized under eIDAS (EU) and ESIGN Act (US). The system provides instant audit report generation for GDPR Article 30 compliance and enforces GDPR consent conditions (explicit, specific, documented, revocable) by design [7].

Limitations and Future Directions: Public health emergencies or law enforcement may require special override mechanisms. Alternative interfaces may be needed for populations without digital access. Future architectures may integrate compute-to-data models, analysis consent, and AI assistants for consent comprehension.

The Enigma Genetics platform – through its combination of dynamic consent, secure identity, fine-grained access control, and auditability – embodies a forward-looking model for genomic data sharing. By integrating a biometric identity anchor, a dynamic consent engine, an authorization gateway, and an immutable audit ledger, the architecture ensures that every access to sensitive genomic data is purpose-specific, transparently logged, and under the control of the individual whose data is at stake.

Successful implementation could mark a paradigm shift in genomic data stewardship, demonstrating that respecting individual autonomy is not only compatible with large-scale science, but can actively enhance it by building public trust and encouraging more diverse participation. While we have focused on genomics, the model of dynamic consent with immutable audits could serve as a template for any domain where sensitive personal data is used – from health records and biomedical imaging to smart city sensor data – ensuring that innovation does not come at the cost of individual rights.

By empowering individuals as active stewards of their own “living code,” we can open new frontiers of biomedical discovery while upholding the dignity and rights of those who make such discovery possible.