My initial thoughts following discussion of the roles of participants, process flows, the developing co-regulatory environment, risks, controls and challenges. I have also included scenario diagrams covering the three types of scenarios involved. Comments welcome here: http://sdj-thefineprint.blogspot.co.uk/2012/12/midata-thoughts-no-1.html
3. Overview
• The voluntary Midata programme involves a Supplier making
each Customer’s transaction data available to the Customer
in computer-readable format (“midata”).
• This suggests three types of scenario:
1. Release of midata by the Supplier to the Customer
2. Release of midata by the Supplier to the Customer’s duly
authorised Personal Information Manager (“PIM”)
3. Release of midata by Supplier to Customer/PIM, who transfers
it to a third party supplier (“3PS”)
4. Participants/Roles
• Supplier
– Supplier of goods or services whose systems generate midata (e.g. utility,
bank, telco)
– Includes Supplier’s own outsourced service provider(s)
• Customer
– person or micro-business who interacts with Supplier to produce midata
• Personal Information Manager acting for the Customer (“PIM”)
– Passive data repository
• Only receives, stores and/or transmits the data
• can’t ‘see’ or otherwise process content
• ‘mere conduit’?
– Active data repository
• Stores data
• Adds value by analysing or otherwise processing data
• May alter content
• Third Party Supplier (“3PS”)
– Entity other than the Supplier/PIM to whom Customer/PIM supplies ‘midata’
for use only for the purpose of supplying goods or services to the Customer
5. Process Flows
Midata involves two separate process flows:
• Transaction flows
– Offer and acceptance => contract between each of Customer,
Supplier and PIM
– Messaging, including identification of each party, data release
request, confirmation of receipt etc.
• Midata flows
– Actual transfers of midata
[Funds flows related to payments due between participants
are currently out of scope]
6. Developing Co-regulatory Environment
• Data Protection Act 1998 (“DPA”) etc supervised by Information
Commissioner’s Office (“ICO”) and related exemptions
• Guidance etc issued by ICO
• Sector-specific law/regulation
– Sections 9 DPA and 159 of Consumer Credit Act 1974, applicable to credit
reference agency data
– Electricity Act, Gas Act => Data and Communications Company
– [new Telecoms/banking/consumer credit regulation]
• Industry Codes
– Principles of Reciprocity (Credit Reference Agency data)
– Smart Energy Code
– [Other sector codes]
– Security standards, Privacy by Design etc.
– [Midata Principlesstandard permissions, rules on liablility etc?]
• Contracts
– Consents etc given under Contracts
– [standard Midata permissions or Midata sharing agreements?]
7. Midata Scenario 1
1. ID authentication (“auth”)
2. Midata request
Supplier Customer
3. Midata transfer
Supply contract
8. Midata Scenario 2a
PIM
4. ID auth. 6. Midata
5. Midata Request transfer
1. ID auth 2. Midata request
Supplier Customer
3. Midata transfer
Supply contract PIM Service contract
9. Midata Scenario 2b
PIM
3. ID auth.
4. Midata request
Supplier Customer
1. ID auth
2. Midata Request
Supply contract PIM Service contract
10. Midata Scenario 2b
Co-regulatory
PIM
relationship?
3. ID auth.
4. Midata request
Supplier Customer
1. ID auth
2. Midata Request
Supply contract PIM Service contract
11. Midata Scenario 3a
8. Data transfer
3PS 7. ID auth PIM
Transaction flow
3. ID auth; 4. Request
Supplier Customer
Transaction flow
1. ID auth; 2. Request
Supply contract PIM Service contract 3PS Service contract
12. Midata Scenario 3a
8. Data transfer
3PS 7. ID auth PIM
Transaction flow
3. ID auth; 4. Request
Supplier Customer
Transaction flow
1. ID auth; 2. Request
Co-regulatory
Supply contract PIM Service contract 3PS Service contract
relationships?
13. Midata Scenario 3b
8. Data transfer
3PS 7. ID auth PIM
4. ID auth. 6. Midata
5. Midata Request transfer
1. ID auth 2. Midata request
Supplier Customer
3. Midata transfer
Supply contract PIM Service contract 3PS Service contract
14. Midata Scenario 3b
8. Data transfer
3PS 7. ID auth PIM
4. ID auth. 6. Midata
5. Midata Request transfer
1. ID auth 2. Midata request
Supplier Customer
3. Midata transfer
Co-regulatory
Supply contract PIM Service contract 3PS Service contract
relationships?
15. Midata Scenario 3c
3PS
6. Midata
transfer
4. ID auth.
5. Midata Request
1. ID auth
Supplier 2. 2. Midata request Customer
3. Midata transfer
Supply contract PIM Service contract 3PS Service contract
16. Common Operational Risks
• Failure to identify one or more parties
• Fraudulent impersonation of one or more parties
• ‘Wrongful’ refusal to release midata
• Interception of messaging and/or midata in transit
• Wrong midata released
• Midata is inaccurate, late and/or unreliable
• Midata is false, altered or corrupted
• Midata misuse:
– loss
– destruction
– storage longer than agreed/necessary
– wrongful disclosure
– use for an illicit purpose (including breach of IPRs)
17. Common Operational Controls/Challenges
• Identity authentication/assurance for all parties
• Release of correct midata
• Secure transmission, processing, storage of midata
• Preserving secrecy/confidentiality of midata content
• Maintaining authenticity and integrity of midata
• Ensuring accuracy, timeliness and reliability of midata
• Guarding against various types of midata misuse
• Vesting and protection of intellectual property rights in midata
and/or midata databases
18. Midata-specific Challenges
• Midata portability?
• Extent of ‘agency’ involved in personal information
management by PIM
• Midata ‘community’ issues:
– Principles of reciprocity?
– Appropriate grounds for refusal to release?
– Mirror CRA and/or DCC environment?
– Apportionment of liability for various heads of loss or damage?
– Complaints handling?
– Enforcement?
– Mapping midata to legal rights/obligations to customer permissions
=> a ‘personal data mark-up language’ (WEF “Rethinking Personal
Data”)
19. Comments
Comments welcome via the related post at
The Fine Print:
http://sdj-thefineprint.blogspot.co.uk/2012/12/midata-thoughts-no-1.html