DEPLOYING PERSONAL DATA STORES AT SCALE
An important change is beginning to sweep the world of personal data. For many years, people have debated the question ‘what if individuals — e.g. citizens, customers — were able to assert genuine control over their own data?’
Now the debate is moving on to how to make this happen, at scale.
Look at some recent developments. In recent weeks:
- The UK Government’s proposed legislation to reform UK data protection laws includes (amongst many less positive things) new provisions for data intermediaries, including for “Personal information management systems, which seek to give data subjects more control over their personal data.”
- The UK Department of Culture Media and Sport’s latest paper on its new National Identity and Attributes Trust framework specifically mentions citizens being able to hold verified attributes in their own personal data stores.
- The Scottish Government’s proposed Scottish Attribute Provider Service includes a provision “where people can choose to save their personal information securely to an individual ‘locker’ (a digital attribute store), in order to reuse when they wish to apply to other services”.
- The UK Government via its Government Digital Service is to provide a One Log-in for Government which includes the concept of a personal data store to enable citizen control over how their data is being shared across Government. Tom Read GDS Chief Executive Officer said that “One Log-in for government is currently the organisation’s most important piece of work.”
- Scottish Government has just signed a contract with Mydex CIC to improve recruitment of citizens to participate in projects to co-design public services that ensures privacy via the use of its Inclued platform and personal data stores.
- The UK NHS and BBC are now experimenting with personal data stores for health and media consumption records.
In other words, multiple different parties and people are converging on the same solution — of providing citizens with their own personal data stores — to solve multiple different problems.
The big question now is how to enable this to happen at scale, safely, securely and efficiently. One key element of this is useful, easy-to-use interfaces, the taps and switches that mean people can use the infrastructure without having to think much about it. We’ve written about this here.
But operational deployment at scale presents its own challenge. It’s one thing to build something in a lab to illustrate an idea’s potential. It’s quite another to make the transition to 24/7/365 operations, working at scale in the real world. Answering the question ‘how’ requires robust answers to many hard questions relating to infrastructure resilience, security, system architecture, governance, trustworthiness, business model and legal compliance. Here’s a checklist of these questions in a little more detail.
Are its underlying design principles fit for purpose, robust and built to last?
We talk about this issue in detail here.
Is the individual’s data really secure?
It’s very easy to make promises about data security, but very difficult to keep these promises permanently, especially when a system is operating at scale. Here are some of the safeguards that need to be built.
- All data should be encrypted in motion and at rest
- Distributed architecture: every PDS is separately and individually encrypted (which means the system is not creating a massive centralised database that becomes a honeypot for hackers)
- No-knowledge operations. Every individual should hold their own private key to their own data: the PDS operator does not have access to this private key, and cannot look into the personal data stores it provides or make any changes to who can send data to or collect data from them; only the individual can.
- Everything the company does relating to the security of information management should be independently assessed and certified. To be legitimate, the PDS provider should be certified under ISO 27001 for Information Security Management.
The Mydex platform displays all these criteria.
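The second and third safeguards above (every store separately encrypted, and only the individual holding the key) can be checked mechanically. The Go program below is an added illustration written for this post; it is not Mydex code and makes no claim about how the Mydex platform is implemented. It assumes a minimal model: the operator keeps, per store, only a store identifier plus AES-256-GCM ciphertext, and the individual holds a random key that never reaches the operator. Store identifiers, keys and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is everything the PDS operator holds for one personal data store:
// an identifier and ciphertext. No key is kept operator-side.
type Record struct {
	StoreID    string
	Nonce      []byte
	Ciphertext []byte
}

// NewIndividualKey returns a fresh random AES-256 key. In a real deployment
// the key lives with the individual (device or credential-derived); here it
// is simply generated at random so the example is self-contained.
func NewIndividualKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one store's contents under that individual's key. The store
// ID is bound as associated data, so ciphertext cannot be re-labelled as
// belonging to a different store without the change being detected.
func Seal(storeID string, key, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(storeID))
	return Record{StoreID: storeID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record. It returns an error for the wrong key, for any
// modification of the ciphertext, and for a record whose store ID was changed.
func Open(r Record, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.StoreID))
}

func main() {
	// Constructed sample: two individuals, each with their own key and store.
	aliceKey, _ := NewIndividualKey()
	bobKey, _ := NewIndividualKey()

	rec, err := Seal("pds-0001", aliceKey, []byte(`{"postcode":"EX4MPL","verified":true}`))
	if err != nil {
		panic(err)
	}

	// The operator holds only rec. Each of these must fail:
	if _, err := Open(rec, bobKey); err != nil {
		fmt.Println("another individual's key: rejected")
	}
	tampered := rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Open(tampered, aliceKey); err != nil {
		fmt.Println("operator-side modification of ciphertext: detected")
	}
	moved := rec
	moved.StoreID = "pds-0002"
	if _, err := Open(moved, aliceKey); err != nil {
		fmt.Println("record re-labelled to another store: detected")
	}

	// Only the owner's key opens it.
	pt, err := Open(rec, aliceKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner decrypts: %s\n", pt)
}
```

The point of the three failing cases is that a compromise of the operator's storage yields ciphertext that cannot be read, altered or re-attributed without the individual's key, and that one individual's key is useless against another individual's store. Encryption in motion (the first safeguard) is a separate layer, typically TLS between the client and the operator, and is not shown here.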
How does the PDS operator cover its costs and make its money?
- Is the PDS’s business model open and transparent? Does it, for example, publish a public price tariff, where what organisations are paying, for what, is open for all to see?
- How does this business model affect the PDS provider’s incentives? For example, some PDS providers have generated business models where they take a ‘cut’ every time data is shared. This generates an incentive for the PDS provider to maximise the amount of data that is shared, thereby creating a potential conflict of interest between it and the citizens it is supposed to be serving.
To make their offerings attractive to organisations that want to retain control, other PDS providers have created halfway-house ‘personal data stores’ which remain inside the organisation’s operational boundaries, where the individual signs in using the organisation’s systems, and where the organisation places restrictions on what data the individual can share and with whom. Such faux personal data stores may generate revenue streams for the technology provider, but they generate a conflict of interest with the citizen that defeats the object of having a personal data store in the first place.
- Does the PDS provider’s business model create revenue streams that are stable, e.g. designed to last in perpetuity?
Mydex’s business model is designed to be open, to avoid conflicts of interest and to be stable. The model is very simple. Organisations pay a fee to connect to the platform, to enable safe, efficient data sharing with individuals. There is no limit on what data can be delivered or accessed, by whom, or for what purpose; that is under the control of the individual at all times.
Does the PDS provider have governance structures designed to ensure its trustworthiness in perpetuity?
In a new ‘market’ like this, many would-be PDS providers are start-ups that are hungry for funding. Many of them seek funding from venture capitalists who, by definition, are seeking ‘an exit’ in the form of an IPO or trade sale.
This brings two dangers. First, it incentivises the PDS provider to create a business model that focuses on financial extraction — making money out of citizens and/or organisations — rather than genuine service provision.
Second, it means that any promises it makes in terms of commitments to privacy, data protection, business model or anything else may only last until the venture is sold. For a PDS provider to be legitimate, its business model and governance must include legally enforceable guarantees that mean it cannot simply go back on its promises in event of ownership of the organisation changing hands.
That is why Mydex has chosen to be a Community Interest Company — because CIC status builds in legal requirements on the company to stay true to its mission of empowering citizens with their own data.
Is the IT infrastructure robust and capable of operating at scale?
Many people operating in IT today have a ‘hacker mindset’. They love writing bits of code that do cool things, and every time they come across a new technical challenge they automatically start writing another, separate, bit of code. Hackers are often brilliant at creating cool point solutions. But as these point solutions add up, they generate complexity and chaos. People with the hacker mindset are not good at building robust, integrated, efficient solutions that operate at scale. For that, we need an engineering, infrastructure-building mindset that is always asking ‘how does this piece fit with everything else that has already been built? Will it work stably and reliably, at volume?’ This requires an engineering mindset, not a hacker mindset.
Can the system scale without generating mounting risks, costs or complexity?
- Providing a million personal data stores that are being used to store and share data, day in and day out, is very different to building a demo in a lab. Having robust software development, testing and deployment systems is essential if the flaws of the hacker mindset are to be avoided.
- If the system can only work on a particular device such as a smartphone, everyone has to have access to such a device, these devices need to be designed so that they can ‘talk’ to each other, and problems arise if the device is lost, stolen or malfunctions. The only way millions of people can access their data from multiple different devices is if their data is stored (safely) in the cloud.
- Some ways forward, such as Open Banking, envisage individuals giving permission for their data to be ported from one service provider to another without it being deposited in the individual’s personal data store. This, proponents claim, cuts out the unnecessary extra step of having a data ‘middleman’. The approach works fine for just one or two transactions. But it creates complexity and cost catastrophes as volumes rise. It’s why (for example) telephone exchanges were invented rather than every telephone line trying to create its own unique connection with every other line.
Independent scrutiny and certification
It’s very easy for start-ups to make grand claims about what their technology can do or what their beliefs are. Selling ‘brochureware’ and ‘vaporware’ is a time-honoured practice in software: Step 1) sell what you intend to make. Step 2) Use the money made from these sales to actually make what you promised. But an operation that works day in, day out, at scale cannot be fed by ‘vision’ and the apparent confidence of the salesman. What’s needed is independent scrutiny and certification.
That’s why Mydex is independently certified for data management security under ISO 27001 and with Fair Data, and why it has met the requirements to be listed on UK Government procurement frameworks like G-Cloud and to gain an Open Banking licence.
Built-in regulatory compliance
For any system to scale efficiently it has to make it easier, not harder, for service providers to comply with data protection regulations. This requires dedicated tools and infrastructure that a) ‘designs in’ compliance with key principles such as data minimisation under GDPR and b) enables both citizens and service providers to manage related processes simply, quickly and where possible, automatically.
Leaving compliance with data protection regulations to a ‘different department’ creates a gap and disconnect between ‘legal’ and operations, and is not something that can work efficiently and effectively at scale.
Summary
We know, because we’ve been there. Bringing new ideas to life in a lab environment is a positive, necessary thing to do. But making sure they can be implemented at scale, robustly, reliably and resiliently involves another — very different — set of considerations. This blog sums up our experience of what these considerations are.