MIM4 - Trust

OASC MIM4: Personal Data Management

Status: Work Item

Background

MIM4 focuses on Personal Data Management, in other words on how to provide easy-to-use methods for individuals to control which data sets/attributes they want to share with solution, application or service providers under transparent circumstances, enabling trust between the different parties.

There are many initiatives seeking to provide personal data management solutions, but these are primarily in the pilot or development phase, and this has led to a fragmented marketplace.

The aims of the different initiatives overlap but are not necessarily identical. Some projects focus just on personal data management; others, such as RUDI, aim to support wider data-sharing ecosystems, with personal data management as a key feature.

There are two networks of providers, MyData and Solid, which each follow different high-level methodologies. Even within each of these two networks there are significant differences in the technologies and processes used by different projects, and so individual implementations are not necessarily interoperable.

There are a number of initiatives outside of these networks developing their own technical solutions.

The role of MIM4 is to identify the key capabilities required and identify pivotal points of interoperability between the different solutions to help build confidence and support implementation.

Objectives

To enable individuals to be able to easily manage data about themselves so that it can enable outcomes they want, both for themselves and their community, while not compromising on privacy.

To do this in a way that will make it easy to integrate with whatever credible personal data management systems (such as forthcoming EU-registered personal data intermediary services) the individual may wish to use.

Capabilities

1. individuals[1] can have insight regarding what data about themselves is available, stored, shared, etc. by the providers of the applications and/or services they use

2. individuals can have confidence that data about them is processed appropriately to manage privacy and to a high degree of security

3. individuals can request changes to, or deletion of, part or all data about themselves that is available, stored, shared, etc. by the provider of the applications and/or services using that data. The providers would need to comply with these requests unless there were legally justifiable reasons not to do so[2][3]

4. individuals can choose the operator they wish to manage data about themselves {or produced by themselves} and move from operator to operator

5. individuals can roam with their data between cities, regionally, nationally and internationally

6. individuals can access and transfer data about themselves {or produced by themselves} through many different channels

7. individuals can only be required to share the information about themselves that is strictly needed for the delivery of a particular service or event. This requires that service providers explain the reasons for all requests for information and indicate what information is mandatory for accessing the service and what is optional, along with the consequences of not responding to requests for optional information[4]

8. individuals can indicate in which circumstances what data about themselves {or produced by themselves} is 'available to be used' by which parties and for which purposes through a 'permission arrangement'[5]

9. individuals can grant consent to providers of applications and/or services, be they governmental or businesses, to access data providing evidence for their eligibility for those applications/services from those agencies that hold that evidence to enable them to easily access these applications and/or services.[6]

10. individuals can give permission for data about themselves to be combined in ways that enable services to which they are entitled to be offered proactively to them, including at the time they need it[7]

11. individuals should have a reliable and authoritative way to check that data about themselves {or produced by themselves} is used in strict compliance with the permissions they have granted

12. individuals should have access to a central point where they can decide how data about themselves {or produced by themselves} can be used and shared, and when and for how long; where they can find out all the uses of data about them to which they have consented; and where they can review, change or delete their consents.[8]

13. information regarding how data about an individual is being, or will be, used should be provided in a clear, understandable and unambiguous way.


[1] “Individuals” here covers all people that live or work or visit a city or community and all their different roles within that community.

[2] For instance, the citizen cannot expect information regarding their age or any other key factual piece of information to be changed so as to be incorrect, specifically in a way that will affect their eligibility for services.

[3] GDPR, as an example, grants the right to data portability (Art. 20) only where processing is based on consent or on a contract and is carried out by automated means, and grants the right to erasure (Art. 17) only on specific grounds (e.g. the data is no longer necessary, or consent is withdrawn and no other legal basis applies), subject to exceptions such as a legal obligation on the controller to retain the data.

[4] For instance, additional email addresses or phone numbers may be asked for as back-up to enable access to the content should the provided email address stop working. They are not strictly needed for access to the service, but their absence creates additional risks.

[5] For instance, an individual might give permission for their location data to be used to better understand travel patterns in the city for public transport planning purposes

[6] This could potentially be handled via a trusted third party.

[7] For instance, to be made aware of services they might be eligible for, or to share information with relevant agencies related to life events such as moving home, leaving education, etc.

[8] One way to enable this is to provide individuals with a central repository where all data about themselves could be stored and managed.


Capabilities and Requirements

There are two distinct types of entity that need to comply with a set of requirements to enable the objective and the basic set of capabilities to be achieved – i.e., Data holders/users and Personal Data Intermediaries (PDIs). A PDI can only manage the individual’s data if the data holders/users that hold or use that data enable the data they hold to be found and accessed by authorised PDIs and can handle the use of data coming from PDIs.

Each capability (C) is paired below with the requirements it places on data holders and data-using services (Rdh) and on Personal Data Intermediaries (Rpdi).

C1. individuals can have insight as to what personal data is available, stored, shared, etc. by the providers of the applications and/or services they use

  Requirements for data holders and data-using services:

  Rdh1. Personal data holders shall ensure that the data they hold is documented and discoverable.

  Rdh2. Personal data holders shall describe and list their available data using standard data models.

  Rdh3. Personal data holders shall use an open API to enable Personal Data Intermediaries to discover and broker data.

  Requirements for Personal Data Intermediaries (PDIs):

  Rpdi1. PDIs shall make use of that common API.

C2. individuals can have confidence that data about them is processed appropriately to manage privacy and to a high degree of security

  Requirements for data holders and data-using services:

  Rdh4. Data holders and data-using services shall describe how they process personal data in a way that covers all aspects (purposes, processing, types of data, ...) in a fine-grained and standardized manner (see, as an example, the W3C Data Privacy Vocabulary (DPV): https://dpvcg.github.io/dpv/).

  Rdh5. Personal data holders or processors shall manage personal data to a high level of security.

  Requirements for PDIs:

  Rpdi2. PDIs shall describe how they process personal data in a way that covers all aspects (purposes, processing, types of data, ...) in a fine-grained and standardized manner (see, as an example, the W3C DPV: https://dpvcg.github.io/dpv/).

  Rpdi3. PDIs shall manage personal data to a high level of security.

C3. individuals can request changes to or deletion of part or all personal data available, stored, shared, etc. by the provider of the applications and/or services in use.

  Requirements for data holders and data-using services:

  Rdh6. Data holders or data processors shall comply with requests from the citizen relating to changing or deleting data related to themselves unless there are legally justifiable reasons not to do so[1][2]

  Requirements for PDIs:

  Rpdi4. PDIs shall be able to handle legally justifiable requests from the citizen relating to the changing or deletion of data related to themselves, and confirm that these requests were carried out by the data holders or data processors.

C4. individuals can choose the operator they wish to manage data about themselves or produced by themselves and to move from operator to operator

  Requirements for data holders and data-using services:

  Rdh7. Data holders shall be flexible enough to respond to Personal Data Intermediaries that use personal data pods to store the data, to those that utilise personal data spaces, and to those that allow the data to continue to be stored by the original controller while the data subject is able to exercise rights over its re-use by third-party data-using services.

  Requirements for PDIs:

  Rpdi5. PDIs shall enable the citizen to easily move control of their data to another personal data intermediary, if they so wish, and shall ensure that the processes used take account of all the different options for managing personal data.


[1] For instance, the individual cannot expect information regarding their age or any other key factual piece of information to be changed so as to be incorrect, specifically in a way that will affect their eligibility for services.

[2] GDPR, as an example, grants the right to data portability (Art. 20) only where processing is based on consent or on a contract and is carried out by automated means, and grants the right to erasure (Art. 17) only on specific grounds (e.g. the data is no longer necessary, or consent is withdrawn and no other legal basis applies), subject to exceptions such as a legal obligation on the controller to retain the data.

Mechanisms

No examples are provided here of mechanisms that can meet these requirements as there are many alternatives for both data holders and PDIs.

For procurements, the vendors should be asked to show what mechanisms they use to enable their offerings to meet those requirements. For the development of local data spaces, participants should be required to show the mechanisms used to meet those requirements.
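As an added illustration, and not a mechanism proposed by MIM4 or by any of the initiatives named on this page, the Python sketch below shows one way a PDI could enforce the fine-grained processing descriptions asked for in Rdh4/Rpdi2 against the individual's permission arrangements (capabilities 7, 8, 11 and 12). A data-using service may only request attributes it has declared as mandatory or optional; a permission is bound to one party and one purpose, has a validity window and can be revoked; processing operations outside the grant are refused; optional attributes outside the grant are withheld rather than refused; and every decision, allowed or not, is written to an audit log the individual can review. All identifiers (ProcessingDescription, PermissionRegistry, the service "city-transport-planning", the attribute and operation names) and the scenario data are constructed for this example. The purpose, processing and legal-basis labels only imitate the naming style of W3C DPV terms; a real implementation would carry the DPV IRIs so that descriptions from different parties can be compared mechanically.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class ProcessingDescription:
    """A service's declaration of one processing activity (Rdh4); labels imitate W3C DPV term names."""
    service: str
    purpose: str            # e.g. "TransportPlanning"
    processing: frozenset   # operations, e.g. {"Collect", "Store"}
    legal_basis: str        # e.g. "Consent"
    mandatory: frozenset    # attributes strictly needed for the service (capability 7)
    optional: frozenset     # attributes the individual may withhold; consequence must be stated

@dataclass
class Permission:
    """One 'permission arrangement' granted by the individual (capability 8)."""
    party: str
    purpose: str
    processing: frozenset
    attributes: frozenset
    valid_from: datetime
    valid_until: datetime
    revoked_at: Optional[datetime] = None

    def active(self, when: datetime) -> bool:
        revoked = self.revoked_at is not None and when >= self.revoked_at
        return not revoked and self.valid_from <= when < self.valid_until

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    released: frozenset     # attribute names the PDI may actually hand over

class PermissionRegistry:
    """PDI-side permission store plus the audit trail the individual reviews (capabilities 11, 12)."""

    def __init__(self) -> None:
        self.permissions: list[Permission] = []
        self.audit_log: list[dict] = []   # metadata only: names and decisions, never data values

    def revoke(self, party: str, purpose: str, when: datetime) -> int:
        hits = [p for p in self.permissions
                if p.party == party and p.purpose == purpose and p.active(when)]
        for p in hits:
            p.revoked_at = when
        return len(hits)

    def evaluate(self, decl: ProcessingDescription, requested: frozenset, when: datetime) -> Decision:
        d = self._decide(decl, requested, when)   # every request is logged, allowed or not
        self.audit_log.append({"at": when.isoformat(), "party": decl.service, "purpose": decl.purpose,
                               "requested": sorted(requested), "released": sorted(d.released),
                               "allowed": d.allowed, "reason": d.reason})
        return d

    def _decide(self, decl: ProcessingDescription, requested: frozenset, when: datetime) -> Decision:
        undeclared = requested - decl.mandatory - decl.optional  # capability 7: ask only for what is declared
        if undeclared:
            return Decision(False, f"undeclared attributes requested: {sorted(undeclared)}", frozenset())
        live = [p for p in self.permissions  # capability 8: a permission is bound to party AND purpose
                if p.party == decl.service and p.purpose == decl.purpose and p.active(when)]
        if not live:
            return Decision(False, "no active permission for this party and purpose", frozenset())
        permitted_ops = frozenset().union(*(p.processing for p in live))
        if not decl.processing <= permitted_ops:
            return Decision(False, f"processing not permitted: {sorted(decl.processing - permitted_ops)}",
                            frozenset())
        released = requested & frozenset().union(*(p.attributes for p in live))  # unpermitted extras withheld
        if not decl.mandatory <= released:
            return Decision(False, f"mandatory attributes not permitted: {sorted(decl.mandatory - released)}",
                            frozenset())
        return Decision(True, "within permission", released)

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def demo() -> tuple[PermissionRegistry, list[Decision]]:
    """Constructed scenario after footnote [5]: location data permitted for transport planning."""
    reg = PermissionRegistry()
    planning = ProcessingDescription("city-transport-planning", "TransportPlanning",
                                     frozenset({"Collect", "Store"}), "Consent",
                                     frozenset({"location_history"}), frozenset({"age_band"}))
    reg.permissions.append(Permission("city-transport-planning", "TransportPlanning",
                                      frozenset({"Collect", "Store"}), frozenset({"location_history"}),
                                      T0, T0 + timedelta(days=365)))
    day1 = T0 + timedelta(days=1)
    decisions = [
        # age_band is declared optional but was never permitted: withheld, request still allowed
        reg.evaluate(planning, frozenset({"location_history", "age_band"}), day1),
        # home_address was never declared by the service: the whole request is refused
        reg.evaluate(planning, frozenset({"location_history", "home_address"}), day1),
        # the same service now wants to Share the data: that operation was not granted
        reg.evaluate(replace(planning, processing=frozenset({"Collect", "Share"})),
                     frozenset({"location_history"}), day1),
        # the same service, a different purpose: the permission does not carry over
        reg.evaluate(replace(planning, purpose="DirectMarketing"), frozenset({"location_history"}), day1),
    ]
    reg.revoke("city-transport-planning", "TransportPlanning", T0 + timedelta(days=2))
    decisions.append(reg.evaluate(planning, frozenset({"location_history"}), T0 + timedelta(days=3)))
    return reg, decisions
```

Calling demo() runs the scenario and returns the registry together with the five decisions; reg.audit_log is the record that capabilities 11 and 12 require the individual to be able to inspect, and it holds attribute names and outcomes only, never the data values themselves. Note the deliberate asymmetry: an attribute the service never declared refuses the whole request, because the declaration is what the individual based the permission on, whereas a declared optional attribute that lies outside the grant is simply left out of the response.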

Interoperability Guidance

A detailed proposal for interoperability between Personal Data Management Operators was submitted to OASC in May 2021. This proposal has two pillars:

Pillar 1: One Connector for all Personal Data Management Operators.

Pillar 2: Legal framework governance

The proposal is described in the paper “Towards Interoperable Personal Data Management within Smart Cities: Minimum Interoperability Mechanism 4” (see References).

Effectively, this defines a connector that enables any Personal Data Management provider that complies with the legal agreement to access data from any data source that is MIM4 compliant. In this way, each Personal Data Management provider can innovate freely around its technical solution, provided that it enables the capabilities defined in MIM4, while data providers only need to offer a single method for access to the data.

While designed for the MyData network, the MIM4 proposal has now been reviewed in detail by MyData Global, Vastuu Group, Forum Virium Helsinki, RUDI (the Urban Data Initiative of the city of Rennes), the DataVaults and Kraken European Projects focusing on Personal Data Management and the CAPE personal data management solution developed by Engineering.

This review indicated that the proposed interoperability mechanism is a feasible way of enabling a level of interoperability between all of these and is likely to be relevant to all Personal Data Management solutions. All of the above initiatives have also agreed to work together over the next few months to develop demos to test the proposed MIM4 Part 1 in practice.

MIM4 Working Group members

Representatives of the following organisations:

  • Cities of Athens, Eindhoven, Poznan, Vienna.

  • European Commission: DG Connect and DG Digit.

  • Companies: ATOS, Engineering, NEC, Vastuu Group.