This document outlines various scenarios and considerations for the voluntary Midata programme in the UK. The programme involves suppliers making customers' transaction data available to them in computer-readable format. It discusses the roles of suppliers, customers, and potential midata stores and service providers in different release scenarios. It also covers the developing co-regulatory environment, common operational risks and controls, and challenges specific to midata, such as issues around data portability, personal information management, and establishing appropriate principles for the midata community.
3. Overview
• The voluntary Midata programme involves a Supplier making each Customer’s transaction data available to the Customer in computer-readable format (“midata”).
• This suggests three types of scenario:
1. Release of midata by a Current Supplier to the Customer
2. Release of midata by a Current Supplier to the Customer’s duly authorised data storage provider (Midata Store) or more active data services provider (Midata Service Provider)
3. Release of midata by Current Supplier to Customer or MS/MSP, who transfers it to a third party supplier (“3PS”)
4. Participants/Roles
• Supplier
– Supplier of goods or services whose systems generate midata (e.g. utility, bank, telco)
– Includes Supplier’s own outsourced service provider(s)
• Customer
– Person or micro-business who interacts with Supplier to produce midata
• Provider of data storage or extra data services, acting for the Customer:
– Midata Store (“MS”)
• Only receives, stores and/or transmits midata, or tracks where midata sits
• May receive midata from Customer or from Current Supplier (“Linked Midata Store”)
• Can’t ‘see’ or otherwise process content
• ‘Mere conduit’?
– Midata Service Provider (“MSP”)
• May also act as a Midata Store
• Adds value by analysing or otherwise processing data
• May alter content and/or produce a result on which Customer/3PS relies.
• Third Party Supplier (“3PS”)
– Receives ‘midata’ (or a small extract) only for the purpose of deciding to supply goods or services to the Customer
5. Process Flows
Midata involves two separate process flows:
• Transaction flows
– Offer and acceptance => contract between each of Customer, Current Supplier and MS/MSP
– Messaging, including identification of each party, data release request, confirmation of receipt etc.
• Midata flows
– Actual transfers of midata
[Funds flows related to payments due between participants are currently out of scope]
6. Developing Co-regulatory Environment
• Data Protection Act 1998 (“DPA”) etc. supervised by the Information Commissioner’s Office (“ICO”), and related exemptions
• Guidance etc. issued by ICO
• Sector-specific law/regulation
– Section 9 of the DPA and section 159 of the Consumer Credit Act 1974, applicable to credit reference agency data
– Electricity Act, Gas Act => Data and Communications Company
– [new Telecoms/banking/consumer credit regulation]
• Industry Codes
– Principles of Reciprocity (Credit Reference Agency data)
– Smart Energy Code
– [Other sector codes]
– Security standards, Privacy by Design etc.
– [Midata Principles: standard permissions, rules on liability etc.?]
• Contracts
– Consents etc. given under Contracts
– [standard Midata permissions or Midata sharing agreements?]
7. Midata Scenario 1
[Diagram: Customer and Current Supplier, linked by a Supply contract. Steps: 1. ID authentication (“auth”); 2. Midata request; 3. Midata transfer.]
8. Midata Scenario 2a
[Diagram: Customer, Current Supplier (Supply contract) and MS/MSP (PIM Service contract). Steps: 1. ID auth; 2. Midata request; 3. Midata transfer between Customer and Current Supplier; 4. ID auth; 5. Midata request; 6. Midata transfer between Customer and MS/MSP.]
9. Midata Scenario 2b
[Diagram: Customer, Supplier (Supply contract) and MS/MSP (PIM Service contract). Steps: 1. ID auth; 2. Midata request between Customer and Supplier; 3. ID auth; 4. Midata request between MS/MSP and Supplier.]
10. Midata Scenario 2b
[Diagram: as slide 9, with the annotation “Co-regulatory relationship?” beside MS/MSP.]
11. Midata Scenario 3a
[Diagram: Customer, Current Supplier (Supply contract), MS/MSP (PIM Service contract) and 3PS (3PS Service contract). Transaction flows: 1. ID auth; 2. Request between Customer and Current Supplier; 3. ID auth; 4. Request between Customer and MS/MSP; 7. ID auth; 8. Data transfer between MS/MSP and 3PS.]
12. Midata Scenario 3a
[Diagram: as slide 11, with the annotation “Co-regulatory relationships?” across the contracts.]
13. Midata Scenario 3b
[Diagram: Customer, Current Supplier (Supply contract), MS/MSP (PIM Service contract) and 3PS (3PS Service contract). Steps: 1. ID auth; 2. Midata request; 3. Midata transfer between Customer and Current Supplier; 4. ID auth; 5. Midata request; 6. Midata transfer between Customer and MS/MSP; 7. ID auth; 8. Data transfer between MS/MSP and 3PS.]
14. Midata Scenario 3b
[Diagram: as slide 13, with the annotation “Co-regulatory relationships?” across the contracts.]
15. Midata Scenario 3c
[Diagram: Customer, Current Supplier (Supply contract) and 3PS (3PS Service contract). Steps: 1. ID auth; 2. Midata request; 3. Midata transfer between Customer and Current Supplier; 4. ID auth; 5. Midata request; 6. Midata transfer between Customer and 3PS.]
16. Common Operational Risks
• Failure to identify one or more parties
• Fraudulent impersonation of one or more parties
• ‘Wrongful’ refusal to release midata
• Interception of messaging and/or midata in transit
• Wrong midata released
• Midata is inaccurate, late and/or unreliable
• Midata is false, altered or corrupted
• Midata misuse:
– loss
– destruction
– storage longer than agreed/necessary
– wrongful disclosure
– use for an illicit purpose (including breach of IPRs)
17. Common Operational Controls/Challenges
• Identity authentication/assurance for all parties
• Release of correct midata
• Secure transmission, processing, storage of midata
• Preserving secrecy/confidentiality of midata content
• Maintaining authenticity and integrity of midata
• Ensuring accuracy, timeliness and reliability of midata
• Guarding against various types of midata misuse
• Vesting and protection of intellectual property rights in midata and/or midata databases
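As an added illustration that is not part of the original slides, the following Python sketch models Scenario 2a from the process-flow slide with the operational controls above enforced at each step: identity authentication of the Customer and the Midata Store, release of only the requesting Customer's own records, a keyed MAC to preserve authenticity and integrity in transit, and a retention limit agreed in the request. All party names, secrets and records are constructed, and the shared MAC key stands in for a Supplier signature.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample records held by the Current Supplier, keyed by customer id.
SUPPLIER_RECORDS = {
    "cust-001": [{"date": "2013-01-05", "kwh": 312, "gbp": 41.20}],
    "cust-002": [{"date": "2013-01-05", "kwh": 98, "gbp": 15.70}],
}
# Constructed shared secrets standing in for each party's credentials.
SECRETS = {"cust-001": b"customer-secret", "store-A": b"store-secret"}
# Constructed key standing in for the Supplier's signature over released midata.
SUPPLIER_KEY = b"supplier-signing-key"

def mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def authenticate(party, proof, challenge):
    """Control: identity authentication of every party (steps 1 and 4)."""
    key = SECRETS.get(party)
    return key is not None and hmac.compare_digest(mac(key, challenge), proof)

def release_midata(request, challenge):
    """Supplier side: authenticate both parties, release only the requesting
    Customer's own records, and protect the package's authenticity/integrity."""
    if not authenticate(request["customer"], request["customer_proof"], challenge):
        return {"error": "customer not authenticated"}
    if not authenticate(request["store"], request["store_proof"], challenge):
        return {"error": "store not authenticated"}
    records = SUPPLIER_RECORDS.get(request["customer"])  # never another customer's
    if records is None:
        return {"error": "no midata held for customer"}
    body = json.dumps({"customer": request["customer"], "store": request["store"],
                       "retain_until": request["retain_until"], "records": records},
                      sort_keys=True)
    return {"body": body, "mac": mac(SUPPLIER_KEY, body)}

def store_receives(package, today_iso):
    """Store side: reject altered or corrupted packages, refuse midata whose agreed
    retention has already lapsed, and record the date by which it must be purged."""
    if not hmac.compare_digest(mac(SUPPLIER_KEY, package["body"]), package["mac"]):
        return {"accepted": False, "reason": "integrity/authenticity check failed"}
    body = json.loads(package["body"])
    purge_on = date.fromisoformat(body["retain_until"])
    if purge_on <= date.fromisoformat(today_iso):
        return {"accepted": False, "reason": "agreed retention period already expired"}
    return {"accepted": True, "customer": body["customer"],
            "n_records": len(body["records"]), "purge_on": purge_on.isoformat()}
```

The store's `purge_on` date is what a retention job would act on, so "storage longer than agreed" becomes a checkable condition rather than a policy statement.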
18. Midata-specific Challenges
• Midata portability?
• Extent of ‘agency’ involved in personal information management by PIM
• Midata ‘community’ issues:
– Principles of reciprocity?
– Appropriate grounds for refusal to release?
– Mirror CRA and/or DCC environment?
– Apportionment of liability for various heads of loss or damage?
– Complaints handling?
– Enforcement?
– Mapping midata to legal rights/obligations to customer permissions => a ‘personal data mark-up language’ (WEF “Rethinking Personal Data”)
19. Comments
Comments welcome via the related post at The Fine Print: http://sdj-thefineprint.blogspot.co.uk/2013/01/midata-thoughts-no-2.html