
Midata thoughts 121212 v2.0


Summary of my thoughts arising from my involvement in the Midata working groups, as explained in the post here: http://sdj-thefineprint.blogspot.co.uk/2013/01/midata-thoughts-no-2.html


  1. Midata Thoughts (Draft v2.0)
     Simon Deane-Johns, Consultant Solicitor and Member of the Midata Interoperability Board
     9 January 2013
  2. Contents
     • Overview
     • Participants/roles
     • Process flows
     • Developing co-regulatory environment
     • Scenario diagrams
     • Common operational risks, controls, challenges
     • Midata-specific challenges
  3. Overview
     • The voluntary Midata programme involves a Supplier making each Customer’s transaction data available to the Customer in computer-readable format (“midata”).
     • This suggests three types of scenario:
       1. Release of midata by a Current Supplier to the Customer
       2. Release of midata by a Current Supplier to the Customer’s duly authorised data storage provider (Midata Store) or more active data services provider (Midata Service Provider)
       3. Release of midata by Current Supplier to Customer or MS/MSP, who transfers it to a third party supplier (“3PS”)
  4. Participants/Roles
     • Supplier
       – Supplier of goods or services whose systems generate midata (e.g. utility, bank, telco)
       – Includes Supplier’s own outsourced service provider(s)
     • Customer
       – Person or micro-business who interacts with Supplier to produce midata
     • Provider of data storage or extra data services, acting for the Customer:
       – Midata Store (“MS”)
         • Only receives, stores and/or transmits midata, or tracks where midata sits
         • May receive midata from Customer or from Current Supplier (“Linked Midata Store”)
         • Can’t ‘see’ or otherwise process content
         • ‘Mere conduit’?
       – Midata Service Provider (“MSP”)
         • May also act as a Midata Store
         • Adds value by analysing or otherwise processing data
         • May alter content and/or produce a result on which Customer/3PS relies.
     • Third Party Supplier (“3PS”)
       – Receives ‘midata’ (or a small extract) only for the purpose of deciding to supply goods or services to the Customer
  5. Process Flows
     Midata involves two separate process flows:
     • Transaction flows
       – Offer and acceptance => contract between each of Customer, Current Supplier and MS/MSP
       – Messaging, including identification of each party, data release request, confirmation of receipt etc.
     • Midata flows
       – Actual transfers of midata
     [Funds flows related to payments due between participants are currently out of scope]
  6. Developing Co-regulatory Environment
     • Data Protection Act 1998 (“DPA”) etc supervised by Information Commissioner’s Office (“ICO”) and related exemptions
     • Guidance etc issued by ICO
     • Sector-specific law/regulation
       – Sections 9 DPA and 159 of Consumer Credit Act 1974, applicable to credit reference agency data
       – Electricity Act, Gas Act => Data and Communications Company
       – [new Telecoms/banking/consumer credit regulation]
     • Industry Codes
       – Principles of Reciprocity (Credit Reference Agency data)
       – Smart Energy Code
       – [Other sector codes]
       – Security standards, Privacy by Design etc.
       – [Midata Principles standard permissions, rules on liability etc?]
     • Contracts
       – Consents etc given under Contracts
       – [standard Midata permissions or Midata sharing agreements?]
  7. Midata Scenario 1 (diagram)
     • Parties: Customer, Current Supplier
     • Contracts: Supply contract
     • Steps: 1. ID authentication (“auth”); 2. Midata request; 3. Midata transfer
  8. Midata Scenario 2a (diagram)
     • Parties: Customer, Current Supplier, MS/MSP
     • Contracts: Supply contract; PIM Service contract
     • Steps: 1. ID auth; 2. Midata request; 3. Midata transfer; 4. ID auth; 5. Midata Request; 6. Midata transfer
  9. Midata Scenario 2b (diagram)
     • Parties: Customer, Supplier, MS/MSP
     • Contracts: Supply contract; PIM Service contract
     • Steps: 1. ID auth; 2. Midata Request; 3. ID auth; 4. Midata request
  10. Midata Scenario 2b (diagram, annotated “Co-regulatory relationship?”)
     • Parties: Customer, Current Supplier, MS/MSP
     • Contracts: Supply contract; PIM Service contract
     • Steps: 1. ID auth; 2. Midata Request; 3. ID auth; 4. Midata request
  11. Midata Scenario 3a (diagram)
     • Parties: Customer, Current Supplier, MS/MSP, 3PS
     • Contracts: Supply contract; PIM Service contract; 3PS Service contract
     • Steps: Transaction flow 1. ID auth; 2. Request; Transaction flow 3. ID auth; 4. Request; 7. ID auth; 8. Data transfer
  12. Midata Scenario 3a (diagram, annotated “Co-regulatory relationships?”)
     • Parties: Customer, Current Supplier, MS/MSP, 3PS
     • Contracts: Supply contract; PIM Service contract; 3PS Service contract
     • Steps: Transaction flow 1. ID auth; 2. Request; Transaction flow 3. ID auth; 4. Request; 7. ID auth; 8. Data transfer
  13. Midata Scenario 3b (diagram)
     • Parties: Customer, Current Supplier, MS/MSP, 3PS
     • Contracts: Supply contract; PIM Service contract; 3PS Service contract
     • Steps: 1. ID auth; 2. Midata request; 3. Midata transfer; 4. ID auth; 5. Midata Request; 6. Midata transfer; 7. ID auth; 8. Data transfer
  14. Midata Scenario 3b (diagram, annotated “Co-regulatory relationships?”)
     • Parties: Customer, Current Supplier, MS/MSP, 3PS
     • Contracts: Supply contract; PIM Service contract; 3PS Service contract
     • Steps: 1. ID auth; 2. Midata request; 3. Midata transfer; 4. ID auth; 5. Midata Request; 6. Midata transfer; 7. ID auth; 8. Data transfer
  15. Midata Scenario 3c (diagram)
     • Parties: Customer, Current Supplier, 3PS
     • Contracts: Supply contract; PIM Service contract; 3PS Service contract
     • Steps: 1. ID auth; 2. Midata request; 3. Midata transfer; 4. ID auth; 5. Midata Request; 6. Midata transfer
  16. Common Operational Risks
     • Failure to identify one or more parties
     • Fraudulent impersonation of one or more parties
     • ‘Wrongful’ refusal to release midata
     • Interception of messaging and/or midata in transit
     • Wrong midata released
     • Midata is inaccurate, late and/or unreliable
     • Midata is false, altered or corrupted
     • Midata misuse:
       – loss
       – destruction
       – storage longer than agreed/necessary
       – wrongful disclosure
       – use for an illicit purpose (including breach of IPRs)
  17. Common Operational Controls/Challenges
     • Identity authentication/assurance for all parties
     • Release of correct midata
     • Secure transmission, processing, storage of midata
     • Preserving secrecy/confidentiality of midata content
     • Maintaining authenticity and integrity of midata
     • Ensuring accuracy, timeliness and reliability of midata
     • Guarding against various types of midata misuse
     • Vesting and protection of intellectual property rights in midata and/or midata databases
  18. Midata-specific Challenges
     • Midata portability?
     • Extent of ‘agency’ involved in personal information management by PIM
     • Midata ‘community’ issues:
       – Principles of reciprocity?
       – Appropriate grounds for refusal to release?
       – Mirror CRA and/or DCC environment?
       – Apportionment of liability for various heads of loss or damage?
       – Complaints handling?
       – Enforcement?
       – Mapping midata to legal rights/obligations to customer permissions => a ‘personal data mark-up language’ (WEF “Rethinking Personal Data”)
  19. Comments
     Comments welcome via the related post at The Fine Print: http://sdj-thefineprint.blogspot.co.uk/2013/01/midata-thoughts-no-2.html
