What laws and regulations does Dataswift's infrastructure exempt its enterprise clients from?
GDPR's Rights underpin Dataswift's ecosystem. Dataswift goes further and enlists a further 5 Ownership Rights for data owners, allowing them to be the Holder, Controller and Processor of their data. Dataswift's Data Plugs are considered to be DSARs (Data Subject Access Requests) which the user utilises to request and transfer data, ensuring GDPR compliance.
Ultimately regulatory compliance rests upon the architectural design process on the client's side. This sets out the level of compliance attained and needed. Technically speaking, Dataswift is strategically placed to become compliant in whichever industry or sector a client may fall within, which is why this question becomes one of architectural design. Regardless, the client needs to consider the following factors: industry, sector, operational activities and the geographical location of its clients and its business.
Though not legally necessary, there are several regulations that are in the works for Dataswift to achieve compliance with, to bolster Dataswift's commercial use-case from a Marketing & Sales perspective:
PSD2 - PISP
With Dataswift having already achieved certification / compliance to:
PSD2 - AISP
The aforementioned regulations are legally unnecessary, but they commercially bolster Dataswift's use-case and versatility, typically from a Marketing & Sales perspective.
Dataswift is out-of-scope of the following regulations:
Which industries/sectors are you compliant with?
As mentioned elsewhere, Dataswift is a relatively industry-agnostic company, as it provides a digital infrastructure that can be customised and designed to meet diverse security, privacy and compliance requirements.
However, Dataswift is focusing on addressing the needs of individuals, organisations and institutions within Health and Finance, specifically FinTech and HealthTech. Dataswift is working to achieve HIPAA compliance for the U.S. healthcare industry (HealthTech), while "PCI DSS", "PSD2 - AISP" and "PSD2 - PISP" are all a work in progress and specifically cater towards the payments industry (FinTech).
Dataswift and Dataswift ONE are GDPR compliant with regards to data protection. This is a service that can be provided to customers by providing DPIA and PIA assessments with regards to using Dataswift's products. Dataswift can also draft information regarding PDA data within Privacy Policies for clients if the appropriate rating is attributed to the customer during their permission request process and review.
Who’s legally accountable for the data?
In short, the responsibility for the PDA owner's data lies with them, as they are deemed the Data Controller, making the individual accountable for their data in most cases. However, processors of a PDA owner's data need to be lawful and contractually agreed upon through the HAT Microserver Instructions Contracts (HMICs).
Based on their ownership of their PDA and additional licenses, PDA owners are provided with a legal basis upon which to contract with third parties seeking access to their personal data - thus enabling PDA owners to realise the value of their personal data. PDA owners have legal ownership/control via database rights and through contractual assignment.
Through use of HAT Microserver Instructions (HMIs), the Dataswift One platform provides the means by which individual PDA owners can be deemed as making the necessary effort in order to own their PDA. PDA Owners therefore own the Intellectual Property of their own personal database.
Use of the HAT Microserver will involve the processing of personal data. As a result, the General Data Protection Regulation 2018 (“GDPR”) will apply and those involved in processing personal data will need to comply with the GDPR.
The GDPR imposes obligations on “controllers” and “processors”. A controller is someone who determines the purpose for which personal data is processed and the means of processing (i.e. how the data is processed). A processor is someone who processes personal data on behalf of the controller (i.e. following the controller’s instructions). The GDPR imposes most of its obligations on controllers who carry the main responsibility for compliance.
There are various parties involved in the processing of personal data as part of the Dataswift One Platform Services. It is important to understand the status of a party as that determines their legal obligations under the GDPR:
Lawful processing of personal data: under the GDPR, controllers can only process personal data if they have a lawful ground to do so.
The GDPR sets out an exhaustive list of lawful grounds. For the processing of non-sensitive personal data in connection with the Dataswift One Platform Services.
The flow of data within and out of the PDA will designate Dataswift as the Controller under GDPR during the following events:
Dataswift receives the data in the data plug - Dataswift then carries out certain “activities” on the data, which could include analysing metadata or ensuring the transfer meets technical or other requirements, or complies with applicable policies.
Dataswift responds to the data subject’s Data Subject Access Request - Dataswift responds (as controller) to the Data Subject Access Request and sends the data to the data subject’s PDA.
Is our business absolved of responsibility?
No. Dataswift and its clients are always expected to remain compliant, with a focus on GDPR or equivalent international standards with regards to data, especially personally identifiable data. Dataswift would expect any application onboarding to the Dataswift One platform to demonstrate its commitment to purpose, security and storage policies for data.
Dataswift carries out an onboarding review process for all new applications. This process includes the following:
Design and Product review
Legal and Contractual review
Data Conduct review
It is useful to note that there is ongoing governance and auditing throughout the relationship between Dataswift and its clients.
If there are security breaches, who’s accountable and what happens?
We take all reasonable steps to protect your information, Internet data transmission, computer system, or wireless connection.
In the event that Dataswift (when considered the controller) experiences a personal data breach involving the PDA owner’s data, Dataswift will notify the ICO and the PDA owner.
Dataswift, as a matter of good practice, will carry out a privacy impact assessment (PIA) of all its processing of personal data. In certain cases, where the processing is more risky, it will also need to carry out a data protection impact assessment (DPIA) – which is a requirement under the GDPR.
When would an application have to submit an Impact Assessment?
Usually, when (1) the application is asking for data in the PDA that it has not generated, e.g. asking for banking data, FB data etc., (2) when location (GPS), Bluetooth or other potentially sensitive data is taken from a device and pushed into the PDA, and/or (3) when third-party data is being put into the PDA.
When does an application not have to do an impact assessment?
Usually, when the data in the application is generated by the users themselves, e.g. keying in content etc., or when the duration and purpose of use has reasonable grounds and carries low risk.
How do PDAs work with GDPR?
GDPR Rights are:
Right to be informed. Right to be told how their data would be used in a clear and transparent manner.
Right of access. Right to ask for their data (although the format is not stipulated so firms can give them an entire spreadsheet or PDF file).
Right to rectification. Right to ask firms to correct the information.
Right to erasure. Right to ask firms to delete their data.
Right to restrict processing. Right to ask firms to restrict its usage.
Right to data portability. Right to ask firms for their data in such a way that is machine readable.
Right to object. When users feel the firm is doing something to their data they disagree with, they have a right to object.
Rights in relation to automated decision making and profiling. Right to know what information is used to create their profile and where the firm gets its data from.
PDAs provide 5 more “ownership” rights to enable greater data mobility:
Right of possession. Having their data stored in a place where they are the only ones who have access to the data.
Right of control. Being the only ones deciding who gets to use their data and when.
Right of exclusion. Deciding who doesn’t get to use or see their data.
Right of enjoyment. Being able to use their data for their own purposes whenever they wish to.
Right of disposition. Being able to monetise, exchange, profit, license their own data because they own the rights to it.
PDAs enable individuals to become data controllers and processors in their own right. They create, for the first time, the capability for individuals to hold, process and control their own data for themselves. Such an “edge node” is critical legally and economically because it is important that its contents fall under existing legal frameworks for licensing digital media and content.
How does the PDA handle children’s data?
The default PDA issuer (Dataswift) would not know when a PDA owner is a minor. PDAs are created on request by a merchant application, often with just an email address. However, for merchant applications that are for children, Dataswift would set up its governance process for children's HATs, which are still created but through their guardian. This set of governance was created from the DROPS project.
Any PDA owner who is younger than 16 can still store their personal data in his or her own PDA. Normally, a PDA owner must give rights to access (through what we call a data debit) before any personal data goes out of that PDA (like direct debit of your money).
1. The requesting organisation (the data acquirer) calls for the pre-approved, auto-generated contract with a data debit request on specific data points, e.g. ‘I would like your location data, name and photo’;
2. The individual (PDA owner) reviews the contract, agrees, and instructs Dataswift to execute, thereby giving rights of data use to the data acquirer;
3. Dataswift facilitates the data exchange between the PDA owner and the data acquirer;
4. Dataswift records the metadata of that exchange.
The governance process for children allows a parent or legal guardian of the PDA owner to take control over process no. 2 — that is, to allow the parent to authorise the right to access on behalf of the child PDA owner and agree to the contract through a “redirect”. By gaining control over this process, the parent can also exercise other rights, such as disagreeing with the contract in case the parent deems the exchange risky.
More importantly, at this stage the parent only sees the metadata, i.e. the data points in concern, instead of the actual value behind each data point, to make a decision on the consent. For example, ‘name, age, songs listened to in the last hour’, instead of ‘Joe Adams, 7’ and a long list of song titles. This ensures the protection of the child’s privacy as well, and avoids any breach of access to the child’s data, even by the parent. Of course, should the parent require the whole data set (both metadata and the actual data behind it) to make the consent decision, the child can allow such visibility via the permission for parental access, a feature that will be developed in the future.
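The four-step data debit flow and the parental “redirect” described above, modelled as an added illustration in Python. This is not Dataswift's own code: the request shape, the function names and the sample child PDA are constructed assumptions, and the point it demonstrates is that the guardian's review view and the exchange record carry data point names only, never the values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample contents of a child's PDA (not real data).
CHILD_PDA = {
    "name": "Joe Adams",
    "age": 7,
    "songs_last_hour": ["Song One", "Song Two", "Song Three"],
}


@dataclass(frozen=True)
class DataDebitRequest:
    """Step 1: the data acquirer's pre-approved contract request (hypothetical shape)."""
    acquirer: str
    data_points: tuple  # field names only, e.g. ("name", "age", "songs_last_hour")
    purpose: str


def review_view(pda: dict, request: DataDebitRequest) -> dict:
    """Step 2 under the parental redirect: what the guardian sees when deciding
    on consent. Only the data points in concern are exposed, never the values
    behind them, so the child's privacy holds even against the parent."""
    return {
        "acquirer": request.acquirer,
        "purpose": request.purpose,
        "data_points": sorted(request.data_points),
        # Flag requested points the PDA does not hold, so an over-broad request
        # is visible without revealing anything about the data itself.
        "not_held": sorted(p for p in request.data_points if p not in pda),
    }


def execute_data_debit(pda: dict, request: DataDebitRequest,
                       decision: str, approver: str) -> tuple:
    """Steps 3 and 4: if the guardian approves, release only the requested
    values to the acquirer; in either case record the exchange's metadata.
    The record names the data points and the decision but holds no values."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "acquirer": request.acquirer,
        "approver": approver,
        "decision": decision,
        "data_points": sorted(request.data_points),
    }
    if decision != "approve":
        return None, record  # nothing leaves the PDA
    payload = {p: pda[p] for p in request.data_points if p in pda}
    return payload, record


def leaks_values(obj, pda: dict) -> bool:
    """Check helper: True if any string value held in the PDA (including
    list members) appears anywhere in obj's repr."""
    leaves = []
    for v in pda.values():
        leaves.extend(v if isinstance(v, list) else [v])
    text = repr(obj)
    return any(isinstance(v, str) and v in text for v in leaves)


if __name__ == "__main__":
    req = DataDebitRequest("music-app", ("name", "age", "songs_last_hour"),
                           "personalised playlists")
    print(review_view(CHILD_PDA, req))
    print(execute_data_debit(CHILD_PDA, req, "approve", "guardian"))
```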
There is growing realization that we need to do a much better job of managing the death of our digital identities. Are there any special provisions to manage death?
A PDA owner has “sui generis” database rights over her/his data and a PDA is fully portable, so on death, the PDA follows the same rules as any other property an individual owns and upon death being verified, the database and all its contents will pass on to whomever manages probate and the estate of the deceased, according to the will (if it exists) and the law (if it doesn’t).
Under what circumstances can data stored in the PDA be accessed?
Any access to PDA-stored data is fully controlled by the individual. Data within a PDA can be accessed for “processing” (read: performing computations) only with the individual’s permission, through a legal consumer contract (see PDA owner agreement). Dataswift cannot view nor access PDA data. There is an override mechanism for cases when Dataswift has to comply with authority requests, but it can be invoked only by a select number of vetted staff members and only under the oversight of the HAT Community Foundation. Such access is also automatically logged within the infrastructure logs, which are kept for audit purposes. Dataswift would need to obtain a legal reason to execute the override mechanism, as the company would otherwise be in breach of the law.
As for controls, data is stored in an encrypted format and is only accessible to the PDA owners themselves through password-based authentication methods. Dataswift does not store or ever log users' plaintext passwords; it has infrastructure-based restrictions in place to ensure that company employees do not obtain access to any of the PDA databases. Any sensitive changes to the infrastructure have to be pre-approved by multiple stakeholders in the company under oversight of the HAT Community Foundation.
How regulated are PDAs - how easy would it be to comply with future regulations?
PDAs are technologically secure and private, and they are individually owned by the individual; legally, their property. The PDA infrastructure is regulated by the GDPR, the ICO and the FCA. The HAT Community Foundation (HCF) regulates and governs Dataswift and the entire PDA infrastructure system, which is combined with stringent encryption standards (AES-256 encryption); read more about encryption here.
Future compliance ultimately depends on the regulation. Different regulations have wildly different requirements. Regardless, Dataswift has principles of decentralisation, legal digital ownership, data openness (mobility, interoperability, etc.) that it wishes to uphold now and in the future.
Do we pay HCF to be our regulatory body? If we do, isn’t that a conflict of interest? Doesn’t that mean, they exist only because we exist?
The HCF is a separate legal entity organised and established as a company limited by guarantee (a for-profit, non-stock enterprise with no beneficial ownership), acting as an impartial and legitimate non-statutory regulator. HCF receives funds from a variety of research funds/grants and private donations. HCF has a different set of board members from Dataswift, and in fact owns a guardian share in Dataswift and sits on its board. In its regulatory role, HCF leads on making policy, setting the boundaries or standards, and monitoring and enforcing compliance with these standards. Generally speaking, HCF owns the licensing of the PDA (i.e., HAT Microserver) technology and operates under principles regarding PDA owners.
Do PDA owners give consent for PDA Functions inherently in the ToS, SLA or contract with the enterprise?
What the PDA owner agrees to is listed in the HMI Contract between the PDA owner and PDA accessor. The rules of data exchange are listed there and accepted or declined there. PDA Functions are not automatically permitted without PDA owner consent.
What is meant when it is said that 'a user owns their data'? / How do users own their data?
Dataswift enables an individual to contract and license their data directly. The Dataswift One platform gives them full legal rights to store, compute and share data allowing individuals to enter into contracts for usage of their data.
How does Dataswift value users data?
The technology that enables the user to enter into legal contracts over their data is embodied in the Dataswift One platform. The platform tracks the “flows” of data, i.e. demand and supply, and through these flows the value of the data can be ascertained.
Where does a PDA owner stand regarding legally owning their data?
Just as bank account owners own the money in their bank accounts and can pay others contractually, PDA owners own their data in PDAs through database rights and can agree to the contractual assignment of the data. This enables a PDA owner to have their rights preserved while being able to realise the value of their personal data.
What does Data ownership mean?
While people cannot truly ‘own data’, they can own the entity within which the data is stored, and the Database rights within the HAT Microserver are what enable control over access, retention and distribution of data.
How does this work commercially?
PDA owners have the functionality to contract with third parties seeking access to their personal data; this enables PDA owners to realise the value of their personal data. Dataswift sets up the contracts, coordinates the exchanges and monetises the transactions. In short, Dataswift technology enables a PDA owner to monetise their data (turn it into currency) and Dataswift earns from the transactions.
Does the Dataswift platform provide regulatory data protection coverage?
Dataswift enables individuals to own, store and control their data. Since the data is stored with the individual, Dataswift’s technology is outside the scope of data regulation, as data regulation seeks to regulate centralised data. Hence, our technology is similar to a user downloading their data onto their PC and being the data controller and processor of the data on that PC, which is not a regulated activity. This is why Dataswift has its own governance and regulatory system, and has oversight from our own regulator: individuals need to be protected even from Dataswift through robust regulatory controls. Confirmation of individuals as data processors and controllers has been provided by the legal firm Magic Circle Pinsent Mason, establishing Dataswift’s position and requirements as NOT being the data controller and data processor of the user’s data within the PDA.
To provide our clients with additional comfort we have also gained ICO/GDPR (General Data Protection Regulation) approval since April 2020 and FCA compliance for financial data as an AISP.
In the US, our technology falls outside the CCPA since the individual is a data controller and data processor for his data in the PDA. Dataswift is data controller and processor for the PDA hosting, but not the data within PDAs. This makes our technology out of scope of HIPAA.
How can I (as a client) become compliant as a controller and processor of user data?
We advise clients not to be the data controller, but instead to put the data into individual ownership. This means your users are the data controllers. However, you can be the data processor on the app, and the contract can be set up by Dataswift. By not storing user data while still having the ability to process and use it, you will be out of scope of (and therefore compliant with) data regulation.
Personal Health Records are HIPAA’s way of giving individuals autonomy over their health information, and once information is in a PHR it is generally outside HIPAA (much would also depend on how it gets into the PDA). See “personal health records” under HIPAA in the white paper produced by HHS.
Apps that put health-related information into a PDA (e.g. ShareTrace.org), or even health and medical data obtained through an integration with an EHR system, would normally not implicate HIPAA, since it is the individuals themselves requesting the health and medical records and/or reporting symptoms.
Depending on how an app integrates with Dataswift’s Personal Data Accounts, the data within PDAs should not be PHI, but should be disclosed by the covered entity (e.g., hospital or other health care provider) through an authorization confirmed by the patient before the data moves into the patient’s PDA.
Please contact Dataswift for more information on HIPAA, FCA and other compliance information.
Is the Dataswift platform HIPAA compliant?
Dataswift is out of scope of HIPAA compliance; guidance on this has been provided by the legal firm Wilson Sonsini Goodrich & Rosati, who have confirmed that, as Dataswift’s PDA structure means data is retrieved via a data plug (and not an app) through a data access request, all rights to the data are preserved by the individual PDA owner from the originating source through to the destination (the PDA).
How does the data plug ensure all rights to the data are preserved by an individual PDA owner from originating source through to the storage destination (the PDA)?
A data plug is a legal instrument that enables a PDA user to carry out a subject access request to retrieve data from source APIs (for example from a clinic or physician) into a PDA. During this process all rights to the data are preserved by the PDA owner, from source to the PDA Namespace, without interruption to those rights throughout the subject access request via the data plug. Data plugs do not ever see or hold PDA data.
Does this not make Dataswift a Business Associate to covered entities under HIPAA?
No. Data (which can include Personal Health Information (PHI) and Personal Health Records (PHR)) is directed into the PDA either by the owner directly, via a third party contract established by the PDA owner, or by a third party, or by both. Through these contracts, a data plug is enlisted to perform a data access request on behalf of the owner. This segregates us from being considered a Business Associate under HIPAA.
When you say you are FCA compliant what does it mean?
Dataswift is generally out of scope of FCA compliance, as Dataswift’s PDA architecture means that data is retrieved via a data plug (and not an app); this means that all rights to the data are preserved by the individual PDA owner from the originating source through to the destination (the PDA).
Is Dataswift considered the 'Data Controller'?
As with anything to do with GDPR, it is complex. It ultimately depends upon the flow of data, the parties involved in the data supply chain and the type of data being handled from PDA owner to PDA accessor and the method of data exchange/interaction. There are cases where Dataswift can be both, either or neither Processor/Controller.
Can Dataswift see the data in the PDA?
The general rule is that only the PDA owners can see the data. However, there are occasions in which Dataswift may have sight of data within:
Sandbox developer environment
When performing maintenance within the PDA
When requested to break into a database by law enforcement
Explain your processing of the data and reassurance that OUR (client) data cannot be seen?
Dataswift may access client Data and/or Metadata for the following purposes in the processing of data:
to set up, operate and administer your PDA
to provide a service or feature you request (including operating and managing data plugs and data debits)
to supervise your compliance with policies that apply to the Services, such as the Acceptable Use Policy, and your compliance with the PDA Owner Agreement
to provide maintenance and technical support
to understand the way you use our Services so that we can improve your experience and offer the most relevant communications, services and experiences
to protect the security of our network and prevent abusive behaviour
to better understand our PDA owners, which may include analytics and/or carrying out analysis based on interactions with your PDA and our Services
to comply with our obligations under applicable law and to prevent fraud and other prohibited or illegal activities
otherwise with your separate consent
for billing purposes - IP address and transfer pricing
How does a PDA owner give consent to their data being stored?
Once a user’s PDA is set up and ready for use, they decide what data goes into and out of the PDA. A user can allow third parties to transfer data into their PDA, or they may transfer data into the PDA themselves. The PDA owner decides the types of personal data that goes into their PDA.
How long does a PDA owner give consent?
A PDA user has full control over access to their data; they can withdraw their consent to the access of their PDA data by any or all third parties at any time.
How does a PDA give back the control and ownership of the data to a PDA owner?
Once a PDA has been created for the user, they decide what data goes into and out of the PDA through legal contractual permissions set up by Dataswift. A user can allow third parties to transfer data into their PDA or, if they change their mind, disable access from the PDA Dashboard.
Can a user restrict communication via the PDA from the client even though the client is compelled to send this information by law?
The user and client both contractually agree to particular permissions and terms prior to exchanges [of interactions and data], so an infringement by either party would be a legal violation and thus liable in a court of law. Further to that, if there is a risk of this happening in the described circumstance, it would be preferable to use a Contract PDA set-up, which can be read about here: https://docs.dataswift.io/reference/contracted-pda.
Does Dataswift support PIPEDA (Canadian GDPR law)?
Dataswift is GDPR compliant. GDPR is the world's first all-encompassing modern data protection law and has been the basis and/or model for many other data protection laws which followed.