The document summarizes Mydex CIC, a UK social enterprise that empowers individuals to manage their personal data through secure personal data services. Mydex offers identity services, a digital letterbox to store personal data, and acts as a trust framework to facilitate data sharing between individuals and organizations. However, Mydex claims no ownership over individuals' personal data stored in their personal data services and acts only as a platform to enable this functionality. The document discusses emerging issues around personal data stores and their role in data protection law.

1. William Heath – Mydex Chairman (@williamheath & @mydexcic)
Your data, your way
Personal data stores: What is the potential, and where do they
fit in the Data Protection Act.
William Heath – Mydex Chairman (@williamheath & @mydexcic)
www.mydex.org - All right reserved

2. Taking big data to the limit

3. Taking big data to the limit

4. “Exactness requires carefully curated data”
from Big Data: A Revolution That Will Transform How We Live,
Work and Think" by Ken Cukier & Viktor Mayer-Schonberger

5. Complementary approach: small data, “VRM” or The
Intention Economy
DOC SEARLS

6. What is Mydex CIC and what does it offer?
• UK social enterprise formed in 2007
• Empowers individuals to manage their lives more effectively
• Mydex offers highly secure personal data services:
• ID services, federated ID, SSO and ID assurance
• Secure consumer digital letterbox and data channel
• Trust framework; open platform
• Offers integration and new journeys for existing customers
• Supports “Manage my health/shopping/edu/travel/finance” apps
• Apps can be deployed inside or outside the platform
• ISO 270001 compliant; t-Scheme certified, recognised by OIX
www.mydex.org - All right reserved

7. It’s a highly secure personal data service for individuals

8. Mydex provides a Trust Framework as a platform
Mydex Charter | Terms for Members | Terms for Connections
Data Sharing Agreement | ISO27001 | tScheme
Relying Parties
Application Attribute Providers
Service Providers Attribute Verifiers
Trust Framework
Provider and platform
Unique Secure Encrypted
Connections
Mydex Members
www.mydex.org Personal Data Services

9. Mydex delivers a persistent trusted connection between any
organisation and the individual for permissioned two-way data
exchange and interactions
Customer can select the specific
data attributes they wish to share
www.mydex.org on what basis

10. Clarity about role of Personal Data Stores
emerging in many areas

11. Mydex stated position on DPA Status as a Data
Controller
Mydex is not the data
controller for data stored
inside the PDS or shared
via the API
• Mydex has no access to the data at any point
• Mydex has no commercial rights to the data

12. Mydex stated position on DPA Status as a Data
Controller
Yes No
Mydex is data controller Mydex is not data controller
for the information shared in terms of the data stored
with Mydex for the inside the PDS or shared
purposes of service via the API
provision

13. What data does Mydex hold about its members?
• Mydex holds a register of members
• MydexID
• Password (SALT) which accesses only their Mydex Account, not their PDS
• Email address for purposes of service provision and support only
• IP Address for purposes of support only
• The member controls double encrypted files that together
constitute a Personal Data Store.
• Mydex has
• no means of accessing the contents of files
• no means of decrypting files
• no knowledge of what is stored in files
• no knowledge of what is shared with connections

14. What can Mydex do in relation to the PDS data?
• Can suspend ability to send and receive data if Mydex member
instructs Mydex to so
• The member has to be able to log in to their Mydex account
• Possible scenario – loss of PIN/Passphrase by member who then wishes to stop using
PDS and create new one
• Archive a PDS as per account termination defined in members’
Terms
• Delete a PDS as defined by members’ Terms

15. Mydex stores in the cloud, but its Ts&Cs aren't the
usual cloud storage Ts&Cs
• Mydex has no ability and asserts no right to access users’ data
• Not “to operate and improve its service”
• Nor “to personalise its service”
• Nor “to share your personal data with affiliates”
• Nor for any other reason
• Mydex reserves no right to review, screen or remove content
• Mydex can’t remove the encryption users apply
• Mydex’ architecture supports member choice in where they
store their PDS
• Mydex enables the individual to act as Data Controller

16. We see the emergence of secure personal data
services as inevitable. So how far has it got?
• Mydex live “community prototype” completed
• HMG’s BIS midata: business gives structured data back to customers
• Other data givebacks: Google, Facebook, NHS, US blue/green buttons
• UK Government Digital Service (GDS) 'Digital by Default' commitment
• GDS ID Assurance rollout based on 3rd party services
• Mydex CIC is one of the cross-govt ID assurance providers
• Work on quality, standards & interoperability: OIX, tScheme, ISO

17. Where next
Mydex adoption and
emergence of a range
of similar services
Data
minimisation
Diversity and
interoperability

18. The more information you hear, the less funky it is
Nile Rodgers

19. Thank you for your time
WEBSITE: www.mydex.org
FACEBOOK: www.facebook.com/mydex.org
TWITTER: @mydexcic & @williamheath
EMAIL: william@mydex.org
THIRD SECTOR WHITEPAPER: thirdsector.mydex.org
MIDATA WEBSITE: midata.mydex.org
MYDEX OVERVIEW ON SLIDESHARE:
http://www.slideshare.net/mydexcic/introduction-to-mydex-cic-personal-
data-stores-7th-march-2013
MYDEX OVERVIEW ON YOUTUBE:
http://www.youtube.com/watch?v=mQRZfCRbQHs

20. What we find organisations need
• Identity solutions
• Federated login / SSO; to get out of the username/password business
• Verified data attributes
• Certificates to support proofs of claims
• Integrated / streamlined / low cost secure channels
• improve data quality / reduce sparsity
• richer / broader data sets about their customers and prospects
• streamline customer journeys and flows of data
• improve business process flows
• Applications that bridge traditional applications and organisation
boundaries
• Need to work inside and outside the organisation
• Need to include the citizen / customer