MyData Ecosystem

MyData defines a human-centric approach to data access and control that makes the individual the point of integration.

MyData seeks to empower individuals and organisations beyond just the provision of rights, and to develop interoperability so that individuals have real choices in the management of personal data. The MyData Ecosystem is described in the 2017 MyData Declaration, and Coelition has supported work to further describe MyData Operators in the Understanding MyData Operators white paper. This work developed the Reference Model of functional elements that can be used to build a range of personal data intermediary services.


MyData Operator


The role responsible for operating infrastructure and providing tools for the Person in a human-centric system of personal data exchange. Operators enable people to securely access, manage, and use personal data about themselves as well as to control the flow of personal data within and between Data Sources and Data Using Services.

The MyData Operator is a personal data intermediary committed to the principles described in the MyData declaration. One of the central ideas of the MyData Operator is that there will be a large number of actors providing personal data management services, and that those services should be interoperable and substitutable as well as technology agnostic. It is recognised that this kind of interoperability is a journey where every step should have positive impacts for individuals, communities, public bodies and organisations.

Reference Model

Identity management

Identity management handles authentication and authorisation of individuals and organisations in different, linked identity domains and links identities to permissions. Includes:

– Verification & authentication
– Levels of assurance
– Centralised & decentralised approaches
– Anonymisation & pseudonymisation
– Data Using Services, Data Sources, other Operators & Person

Permission management

Permission management enables people to manage and have an overview of data transactions and connections and to execute their legal rights. It includes maintaining records (notices, consents, permissions, mandates, legal bases, purposes, preferences etc.) on data exchange. Includes:

– Revoking or updating permissions & consents
– Purpose categories
– Granularity level
– Delivering on data minimisation
– Matching Person and Data Using Service needs

Service management

Service management uses connection and relationship management tools to link Operators, Data Sources, and Data Using Services. Data can be available from different Data Sources and can be used by multiple Data Using Services. Includes:

– Registration of services
– Searching & rostering of available services
– Pairwise matching of Data Sources & Data Using Services

Value exchange

Value exchange facilitates accounting and capturing value (monetary or other forms of credits or reputation) created in the exchange of data. Includes:

– Supporting the ability of the Person to pay
– Allowing the flow of data royalties back to the Person
– Insight gains for Person & others
– Improvements to quality of life & wellbeing
– Establishing Person as point of integration

Data model management

Data model management is about managing the semantics (meaning) of data, including conversion from one data model to another. Includes:

– Publication of data in an open, consumable format
– Explaining data to Person & others
– Mechanisms for quality management & update
– Change control updates & backward compatibility
– Mapping between data models
– Input & output in multiple formats

Personal data transfer

Personal data transfer implements the interfaces (e.g. APIs) to enable data exchange between the ecosystem participants in a standardised and secure manner. Personal data transfer facilitates the movement of data from Data Source to Data Using Service without the requirement for persistent intermediate storage. Includes:

– Centralised & decentralised approaches
– Structured & unstructured data
– Data transfer security: encryption types & levels, pen testing etc.
– API & data operations controls
– Data portability
– Visibility & invisibility of data or meta-data to super-user
– Controls for removal after transient handling

Personal data storage

Personal data storage allows data to be integrated from multiple sources (including data created by a Person) in personal data storage (PDS) under the individuals’ control. Personal data stored just for identity & permission management does not fall under personal data storage. Includes:

– Centralised & decentralised approaches
– Structured & unstructured data
– Data transfer security: encryption types & levels, pen testing etc.
– API & data operations controls
– Data portability
– Visibility & invisibility of data or meta-data to super-user

Governance support

Governance support enables compliance with the underlying governance frameworks to establish trustworthy relationships between individuals and organisations. Includes:

– Data storage & processing locations
– Complaint management & support systems
– Redress & reconciliation
– Oversight & reporting responsibilities
– Shareholders, memberships & contracts
– Common standards & open source
– Organisational controls

Logging & accountability

Logging and accountability entails keeping track of all information exchanges taking place and creating transparency about who accessed what and when. Includes:

– Audit & access logs
– Change control & immutability
– Historical log management
– Tracking of data use & service use
– Real-time vs batch data access
– Master data management

Other Ecosystem Roles

Person

The role of data subject as represented digitally in the ecosystem. The Person manages the use of personal data about themselves, for their own purposes, and maintains relationships with other persons, services, or organisations.

Data Source

The role responsible for collecting, storing, and controlling personal data which Persons, Operators, and Data Using Services may wish to access and use.

Many MyData Operators also provide personal data storage; this does not make them a Data Source unless the store they provide or facilitate is not in the exclusive control of the individual. An Operator only performs the role of a Data Source if it aggregates or derives new personal data from data received from other Data Sources or the Person themselves.

Data Using Service

The role responsible for processing personal data from one or more Data Sources to deliver a service to or as directed by the Person.

Data Using Services initiate innovation and new services in the ecosystem. To be successful they must understand the needs of the Person, the technical constraints and the regulatory environment in which they work. They have to build inspiring offerings for the Person by combining the responsible flow of personal data and engaging experiences.

Ecosystem Governance

This role is for actors that are responsible for managing, developing, and enforcing the governance frameworks for the ecosystem. Ecosystem governance should be targeted at facilitating trust and opening up the ecosystems for innovation, with innovation giving the person choices and the opportunity to access new services.

Governance frameworks are based on rulebooks and underlying contractually enforceable agreements between parties in the ecosystem. These basic mechanisms for the governance implementation are further expanded to include the definition of specifications, auditing, and enforcement.

COEL Standard

Coelition has driven the creation of the COEL Standard to provide interoperability, transparency and open access.

Visualising Life

Explore the visualisation of the Classification of Everyday Living that sits at the heart of the COEL standard.

Developers

These developer resources explain the sequence and details of the operations that are required to interact within the Coelition ecosystem.

Data to Life

This book describes the background to Coelition; it provided impetus for the early stages of Coelition.

Policy Repository

Coelition provides an open repository for members to post privacy policies for their services.