Midata Thoughts
Draft v2.0

Simon Deane-Johns
Consultant Solicitor and Member of the Midata Interoperability Board

9 January 2013
Contents

   Overview

   Participants/roles

   Process flows

   Developing co-regulatory environment

   Scenario diagrams

   Common operational risks, controls, challenges

   Midata-specific challenges
Overview

- The voluntary Midata programme involves a Supplier making each Customer's
  transaction data available to the Customer in computer-readable format (midata).

- This suggests three types of scenario:

  1. Release of midata by a Current Supplier to the Customer

  2. Release of midata by a Current Supplier to the Customer's duly authorised
     data storage provider (Midata Store) or more active data services provider
     (Midata Service Provider)

  3. Release of midata by a Current Supplier to the Customer or MS/MSP, who
     transfers it to a third party supplier (3PS)
Participants/Roles

- Supplier
  - Supplier of goods or services whose systems generate midata (e.g. utility,
    bank, telco)
  - Includes the Supplier's own outsourced service provider(s)
- Customer
  - Person or micro-business who interacts with the Supplier to produce midata
- Provider of data storage or extra data services, acting for the Customer:
  - Midata Store (MS)
    - Only receives, stores and/or transmits midata, or tracks where midata sits
    - May receive midata from the Customer or from the Current Supplier
      (Linked Midata Store)
    - Can't see or otherwise process content
    - Mere conduit?
  - Midata Service Provider (MSP)
    - May also act as a Midata Store
    - Adds value by analysing or otherwise processing data
    - May alter content and/or produce a result on which the Customer/3PS relies
- Third Party Supplier (3PS)
  - Receives midata (or a small extract) only for the purpose of deciding
    whether to supply goods or services to the Customer
Process Flows

Midata involves two separate process flows:

- Transaction flows
  - Offer and acceptance => contract between each of Customer, Current Supplier
    and MS/MSP
  - Messaging, including identification of each party, data release request,
    confirmation of receipt etc.
- Midata flows
  - Actual transfers of midata

[Funds flows related to payments due between participants are currently out of
scope]
Developing Co-regulatory Environment

- Data Protection Act 1998 (DPA) etc., supervised by the Information
  Commissioner's Office (ICO), and related exemptions
- Guidance etc. issued by the ICO
- Sector-specific law/regulation
  - Section 9 of the DPA and section 159 of the Consumer Credit Act 1974,
    applicable to credit reference agency data
  - Electricity Act, Gas Act => Data and Communications Company
  - [new Telecoms/banking/consumer credit regulation]
- Industry Codes
  - Principles of Reciprocity (Credit Reference Agency data)
  - Smart Energy Code
  - [Other sector codes]
  - Security standards, Privacy by Design etc.
  - [Midata Principles: standard permissions, rules on liability etc.?]
- Contracts
  - Consents etc. given under Contracts
  - [standard Midata permissions or Midata sharing agreements?]
Midata Scenario 1

[Diagram: Current Supplier and Customer, linked by a Supply contract.
Steps: 1. ID authentication (auth); 2. Midata request; 3. Midata transfer.]

Midata Scenario 2a

[Diagram: Current Supplier, Customer and MS/MSP. Contracts shown: Supply
contract; PIM Service contract. Steps between Current Supplier and Customer:
1. ID auth; 2. Midata request; 3. Midata transfer. Steps between Customer and
MS/MSP: 4. ID auth; 5. Midata request; 6. Midata transfer.]

Midata Scenario 2b

[Diagram: Supplier, Customer and MS/MSP. Contracts shown: Supply contract;
PIM Service contract. Steps between Supplier and Customer: 1. ID auth;
2. Midata request. Steps involving MS/MSP: 3. ID auth; 4. Midata request.
A second build of the same slide adds the annotation "Co-regulatory
relationship?" against the MS/MSP.]

Midata Scenario 3a

[Diagram: Current Supplier, Customer, MS/MSP and 3PS. Contracts shown: Supply
contract; PIM Service contract; 3PS Service contract. Transaction flow between
Current Supplier and Customer: 1. ID auth; 2. Request. Transaction flow
involving MS/MSP: 3. ID auth; 4. Request. Steps involving 3PS: 7. ID auth;
8. Data transfer. A second build of the same slide adds the annotation
"Co-regulatory relationships?" against the contracts.]

Midata Scenario 3b

[Diagram: Current Supplier, Customer, MS/MSP and 3PS. Contracts shown: Supply
contract; PIM Service contract; 3PS Service contract. Steps between Current
Supplier and Customer: 1. ID auth; 2. Midata request; 3. Midata transfer.
Steps between Customer and MS/MSP: 4. ID auth; 5. Midata request; 6. Midata
transfer. Steps involving 3PS: 7. ID auth; 8. Data transfer. A second build of
the same slide adds the annotation "Co-regulatory relationships?" against the
contracts.]

Midata Scenario 3c

[Diagram: Current Supplier, Customer and 3PS. Contracts shown: Supply
contract; PIM Service contract; 3PS Service contract. Steps between Current
Supplier and Customer: 1. ID auth; 2. Midata request; 3. Midata transfer.
Steps involving 3PS: 4. ID auth; 5. Midata request; 6. Midata transfer.]
Common Operational Risks

- Failure to identify one or more parties
- Fraudulent impersonation of one or more parties
- Wrongful refusal to release midata
- Interception of messaging and/or midata in transit
- Wrong midata released
- Midata is inaccurate, late and/or unreliable
- Midata is false, altered or corrupted
- Midata misuse:
  - loss
  - destruction
  - storage longer than agreed/necessary
  - wrongful disclosure
  - use for an illicit purpose (including breach of IPRs)
Common Operational Controls/Challenges

- Identity authentication/assurance for all parties
- Release of correct midata
- Secure transmission, processing and storage of midata
- Preserving secrecy/confidentiality of midata content
- Maintaining authenticity and integrity of midata
- Ensuring accuracy, timeliness and reliability of midata
- Guarding against various types of midata misuse
- Vesting and protection of intellectual property rights in midata and/or
  midata databases
Midata-specific Challenges

- Midata portability?

- Extent of agency involved in personal information management by the PIM

- Midata community issues:
  - Principles of reciprocity?
  - Appropriate grounds for refusal to release?
  - Mirror the CRA and/or DCC environment?
  - Apportionment of liability for various heads of loss or damage?
  - Complaints handling?
  - Enforcement?
  - Mapping midata to legal rights/obligations and to customer permissions
    => a personal data mark-up language (WEF, Rethinking Personal Data)
Comments

Comments welcome via the related post at The Fine Print:
http://sdj-thefineprint.blogspot.co.uk/2013/01/midata-thoughts-no-2.html
