
Personal Data handling

When users want to include data in their project that contains personal data subject to data privacy regulations, we should require that data to be encrypted before upload.

In order to allow sharing of this data, a user would need to request access from the owner of the data/project. When the uploader marks the data as sensitive during upload, the platform should forward them to a subproject that allows encrypted upload (https://github.com/Forceu/Gokapi).

The owner of the data keeps the keys needed to decrypt it, while we store only the encrypted data. When a user requests access, a contact form is provided whose contents are sent to the owner of the data, stating the permissions requested and the reason for the request. The owner then receives an email with an approval link that grants the requesting user permission to access the encrypted data volume. At the same time the owner is asked to send the decryption key/link to the requesting user by email, i.e. over a medium that is separate from our infrastructure. The RDMC management platform therefore never gets access to the decryption keys and never handles the sensitive data in the clear.

The download link and access permissions can be restricted in both time span and number of downloads. Additionally, we can optionally generate individual decryption keys for each download request without requiring decryption of the data on our platform (have the owner generate new keys, or see proxy re-encryption for potential solutions).
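The following is an added example, not code from this page or from Gokapi, that models the split of duties described above in plain Python: the owner encrypts locally and keeps the key, the requester decrypts with the key received out of band, and the platform stores only ciphertext plus access grants, enforcing the expiry and the download limit without having any decryption path at all. All names (`Platform`, `Grant`, `owner_encrypt`, the approval token flow) are hypothetical; the HMAC-SHA256 counter-mode keystream stands in for a real AEAD such as AES-GCM so the example runs with the standard library only.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the owner's master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode is a stand-in for a real AEAD (e.g. AES-GCM);
    # it keeps this example standard-library only and is not a production cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def owner_encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Runs on the owner's machine before upload. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def owner_decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Runs on the requester's machine with the key the owner sent by email."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


@dataclass
class Grant:
    requester: str
    expires_at: float      # time-span restriction
    downloads_left: int    # download-count restriction


class Platform:
    """Hypothetical hosting side: holds ciphertext and grants only, no decrypt method."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.pending: Dict[str, Tuple[str, str, str]] = {}  # token -> (volume, requester, reason)
        self.grants: Dict[Tuple[str, str], Grant] = {}

    def upload(self, blob: bytes) -> str:
        volume_id = secrets.token_hex(8)
        self.blobs[volume_id] = blob
        return volume_id

    def request_access(self, volume_id: str, requester: str, reason: str) -> str:
        # The contact form yields a one-time approval token that is emailed to the owner.
        token = secrets.token_urlsafe(24)
        self.pending[token] = (volume_id, requester, reason)
        return token

    def approve(self, token: str, valid_seconds: float, max_downloads: int,
                now: Optional[float] = None) -> Grant:
        # Owner follows the approval link; the token is consumed so it cannot be replayed.
        volume_id, requester, _reason = self.pending.pop(token)
        start = time.time() if now is None else now
        grant = Grant(requester, start + valid_seconds, max_downloads)
        self.grants[(volume_id, requester)] = grant
        return grant

    def download(self, volume_id: str, requester: str, now: Optional[float] = None) -> bytes:
        grant = self.grants.get((volume_id, requester))
        if grant is None:
            raise PermissionError("no grant for this requester")
        if (time.time() if now is None else now) > grant.expires_at:
            raise PermissionError("grant expired")
        if grant.downloads_left <= 0:
            raise PermissionError("download limit reached")
        grant.downloads_left -= 1
        return self.blobs[volume_id]  # still ciphertext; the platform cannot read it


def demo() -> dict:
    # Constructed sample run at a fixed clock so the outcome is reproducible.
    t0 = 1_700_000_000.0
    master_key = secrets.token_bytes(32)  # known only to owner and, later, requester
    record = b"patient_id=0042;diagnosis=constructed sample"
    platform = Platform()
    volume_id = platform.upload(owner_encrypt(master_key, record))
    token = platform.request_access(volume_id, "alice", "replication study")
    platform.approve(token, valid_seconds=3600, max_downloads=1, now=t0)
    blob = platform.download(volume_id, "alice", now=t0 + 60)
    try:
        platform.download(volume_id, "alice", now=t0 + 120)
        second_download = "allowed"
    except PermissionError as err:
        second_download = str(err)
    return {
        "platform_sees_plaintext": record in platform.blobs[volume_id],
        "requester_plaintext": owner_decrypt(master_key, blob),
        "second_download": second_download,
        "token_replayable": token in platform.pending,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is structural: `Platform` has no code path that takes a key, so a compromise of the platform yields ciphertext and grant metadata only, while the expiry and download-count checks in `download` are enforced purely on that metadata. Per-request keys or proxy re-encryption, as mentioned above, would replace the single `master_key` without changing the platform side.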