Earn, collect, save and use like money

Hannu Parkkisenniemi

When I first heard about MyData, I heard it presented with what I think is the best metaphor. MyData was explained to me with reference to currency, banks, mobile banks, payment terminals, bank cards and customers. This was a list of all the different processes and options through which my money is saved, transferred and managed.

These were then compared to the principles behind MyData. “Instead of putting your euros in there, you are putting the personal data collected about you”, I was told.

I think this metaphor is excellent because it is entirely different to what I had learnt up to that point about utilising personal data. I had indeed already learnt how to play with money. I earn, or collect. I save. And I use — sometimes even a bit too much. I follow and manage my financial situation also with the help of mobile banking. The starting point for that conversation may have been the report published by the Ministry of Transport and Communications in 2014 entitled “MyData — an introduction to human-centred utilisation of personal data”. An updated version of this report was published just a few weeks ago. The report provides an introduction to questions regarding human-centred processing of personal data and offers a multifaceted model for personal data processing which does not ignore views on how to make use of personal data. In addition, the entering into force of the GDPR in May has, at least for a period of time, increased discussion and awareness of the rights of data subjects and the appropriate processing of personal data. The purpose of this article is to open up a few different perspectives on MyData and the utilisation of personal data from an official point of view.

What is MyData? MyData is personal data which can be examined as a separate dataset and which has been made manageable by the data subject themselves. Not all personal data is MyData, however, but rather only that part of the personal data which has been made manageable by the data subject themselves. From the perspective of the Finnish Transport Safety Agency, MyData would include, for example, the driving rights data of a data subject that they themselves can manage. The Finnish Transport Safety Agency enables the data subject to access their own data. This does not only take place through computer windows that are part of digital services, but also, when needed, through interface solutions that enable data classed as MyData to be transferred from one system to another. This transfer creates the possibility for market-driven business activities to develop. In addition, this also enables the management of data transfer as well as, where needed, the authorisation of subsequent transfers with the data subject´s consent.

So I myself can manage the data about my driving rights, and about how this is saved and who accesses it. The data remains up-to-date through interface operations. I could share the data about my driving rights with different car-rental services, for example. What is worth noting is that, even after this, the Finnish Transport Safety Agency has the individual´s driving rights data saved as personal data in its register and can use this for fulfilling its legal duties. So the personal data made manageable as MyData is not removed from the Finnish Transport Safety Agency personal register. The first pilot is already under way. This pilot will also be on show at the MyData 2018 conference in August.

The main parts of the changes to the Act on Transport Services (Stage II) came into force at the start of July. The news coverage on big changes to taxi services meant that less attention was given to the fact that the changes to the law also enabled individuals to manage their own personal data. In practice, individuals would have the opportunity to request from the Finnish Transport Safety Agency that certain parts of their data be transferred in a machine-readable format to the individuals themselves or to some other party. The Finnish Transport Safety Agency´s task is to provide the interface for requesting machine-readable data. In practice, the Act on Transport Services now stipulates the data subject´s rights, in accordance with the GDPR, to transfer data from the Traffic Affairs Register maintained by the Finnish Transport Safety Agency from one system to another (Data portability). The regulations of the GDPR on data portability do not in themselves apply to authorities which process personal data in order to carry out their statutory responsibilities. In this sense, it is exemplary that there are regulations in special legislation (Act on Transport Services) that relate to MyData (and especially on opening interfaces for services based on MyData) and that seek to develop an operating model and promote the data portability concept. In the future, it would of course be necessary to examine the management of one´s own data more broadly in general legislation as well. From the consumer perspective, sector-specific special legislation is not an appropriate end goal. Hopefully, general legislation on data management will in future also take into account requirements to open interfaces for individuals to manage their own data. In this way, MyData will be enabled throughout the whole public sector.

Another legislative issue to consider is the handling of log data produced by personal data processing and the surrender of this log data to the consumer themselves. Who has processed my data and who are all the people that it has been handed over to? At the moment, it is not easy to get hold of this data, while case law has shown that, in situations where one’s data has been handled inappropriately, it is in practice possible to get hold of data about how one’s personal data has been handled by public authorities based on the right of access to information contained in the Act on the Openness of Government Activities. But why only in this situation? The basic principles of MyData also include the right to know how data is processed and who is processing it. In practice, this would require that general legislation on data management would oblige authorities to hand over data on the processing of personal data to the customer themselves. Such regulations can be found in some special legislation, such as healthcare legislation. In practice, this would enable us to integrate the data on how each person’s personal data has been processed into the online services so that consumers can view it when logged in. This would be a clear step towards implementing the MyData principles consistently in public administration as well.

A third perspective on this topic is to consider MyData data models as part of the modelling and interoperability of data held by public authorities. How is MyData presented as part of the data model and meta data system in such a way that it would be understandable to the consumer as well? In order to ensure semantic interoperability, it is important to have a common implementation and conception of MyData as part of official data resources. Also of importance are the data models and content related to giving consent, so that the consumer can manage their MyData with a correct understanding of what the different management tools really involve. Here, for example, is a description of the data model as part of the Suomi.fi consent management service. Comments on this version can be given here. The international licensing models for open data (Creative commons) are in my opinion an excellent example of this kind of standardisation, through which both those sharing the data and those using the data are sure of their rights and responsibilities. Through the same principle, a common understanding can be achieved in the MyData utilisation networks for consumers, data sources and also data users and/or operators. In general legislation for data management, it will probably be held as a requirement that official data resources be described using a standardised procedure (interoperability procedure). heIn this area, it should be further clarified that public authorities should describe and identify the data groups to whom they would in future be providing interfaces to offer MyData-based services for their data resources.

In the future, therefore, we will no longer speak of simply data controllers and data subjects, but instead more broadly on enabling the management of personal data processing and on the operating environments for this data management. It could be simply stated that there is just one set of personal data, that this data has a life-cycle, and that during the different stages of this life-cycle different parties are involved in processing the data. If through MyData the management of personal data processing would become something that the consumer can do themselves, this would mean that the mobility, protection and utilisation of personal data would become something that is managed jointly by multiple parties. The data subject themselves must be given a central role in the personal data management ecosystem. They are to have the opportunity to have an influence on and decide on the processing of their personal data and, what is more, the opportunity also to fully benefit from this data management whether as a commodity or a service.

Consumers (or at least myself) don’t really have much use for, or aren’t particularly interested in, machine-readable forms of their data. Unless, however, there would be opportunities to manage and make use of this data through services and applications. From the consumer perspective, therefore, it is not particularly relevant to market the availability of data in machine-readable form. The consumer is interested in the services or applications that use this machine-readable data and offer added value to the customer in an interesting way. In terms of personal data management, we are moving from an operator-centred world to a consumer-centred world in which the consumer has more rights and opportunities, but also more responsibilities. Before, the data controller’s responsibility was clear, but the data controller cannot really be responsible any more for what happens to the data or for what is done with the data once consent has been given to hand it over or transfer a copy of the data to a third-party. We know how to take care of and use our money in a responsible manner of our choosing, but as consumers do we know that our personal data is becoming a money-like, valuable commodity which needs to be managed? On the other hand, it is important not to get too perplexed by personal data management. The shift from cardboard boxes to digital data is also comparable to the shift from physical money to digital bank account money, and I at least am confident that my money is safely stored and available for me to use. It would be splendid if I would eventually think the same about MyData.

Hannu Parkkisenniemi

Head of Unit for the Finnish Transport Safety Agency’s Data and Statistics Services.