Designing a Governance-Aware Access Control Architecture for Secure Data Management of Wearable Health Data

Abstract

The proliferation of wearable smart devices such as smartwatches and rings has enabled continuous monitoring and personalized care. However, adoption remains limited due to challenges in data governance, privacy and access control. Existing frameworks often address regulatory principles at a high level without translating them into a system-level technical design. This paper proposes a governance-aware conceptual architecture for managing Patient Generated Health Data (PGHD) within wearable health ecosystems. The proposed architecture maps data flow across four layers (edge, transmission, cloud and application) and embeds a Policy Enforcement Point (PEP) to support fine-grained Attribute-Based Access Control (ABAC). Governance principles such as consent, purpose limitation, data minimization and auditability are integrated as design elements, enabling regulatory principles such as the European Union’s General Data Protection Regulation (GDPR) to be integrated at the system level. To evaluate system coherence and validate the layered structure against governance principles, the model is assessed through a conceptual use case walkthrough. While not yet empirically tested, the model offers a foundational framework to align technical architecture with regulatory expectations. This architecture supports the development of secure, transparent and user-centric PGHD systems, and serves as a basis for future work in formal policy specification, real world system validation and design of dynamic governance models that are better suited to an evolving healthcare ecosystem.