Rating Assurance & Certification
Applications are rated and reviewed before they can go live
The Dataswyft Rating Assurance and Certification Standard is a set of principles for websites and applications built on Dataswyft’s Data Accounts that enable application developers, public institutions, businesses and the public to trust these applications and the way they handle personal data.
The Dataswyft rating standard aims to encourage innovation in Data Account applications and the development of privacy-preserving apps that are of high quality and fit for purpose, but also transparent about how they differ in their treatment of personal data. These apps can potentially change the way applications in the digital and data economy are delivered in the future.
The Dataswyft rating standard is primarily for users to understand how their personal data is stored by app developers and to define consistent, standardised criteria for applications integrating with Data Accounts. The Standard may also be used by:
- Public and private professionals selecting digital products and services to recommend; and
- Cross-sector organisations commissioning bespoke applications.
The emergence of websites, mobile applications, platforms, registries and repositories that hold personal data has created a new environment that enables Machine Learning-driven services with rich insights and user experience. However, such services may need to access private data such as payment transactions, health records and identity information. Holding such data is becoming a liability for organisations, increasing their risks.
Decentralized Data Server (DDS) technology give individuals the capability to have self sovereignty over their data. Enabling individuals to store their data and use it to create value for themselves is a step towards advancing the Internet. Indeed, deploying such a technology at scale would enable mass coordination and better markets for personal data usage to emerge, creating societal value. However, such technology can also cause harm if left unchecked, putting privacy up for sale to the highest bidder and incentivising behaviours that could be damaging to society as a whole. In short, the DDS technology would generate a new set of product opportunities as well as risks in personal data exchanges. This Rating Standard aims to bring together current good practices of data conduct to address these opportunities and risks.
Dataswyft's rating standard gives recommendations for developers of applications using the Dataswyft platform who intend to meet privacy and usability requirements for personal data handling. It includes a set of quality criteria and covers the application's data conduct and the way data flows are orchestrated on the platform.
An application is defined as a web or mobile application that has passed the development, testing, releasing and updating processes. This includes native, hybrid and web-based apps; apps associated with wearables, ambient; and apps linked to other apps.
The Dataswyft rating standard does not cover the processes or criteria for an app developer or publisher to establish whether an application is subject to regulatory control e.g. as a finance app or medical device. This rating standard only covers applications built on the Dataswyft infrastructure that has gone live or are intending to go live in production-level environments.
Every application generates data when a user interacts with it, resulting in the data being stored somewhere. For applications on the Dataswyft platform, the application owner chooses where to store the data; whether it is on a device, in the application’s server, or within a Data Account. The decision of what data, where, and how personal data is stored will be rated by the Dataswyft Rating system using three characters:
The first character specifies where the data is stored: either, on the Data Account, both on the Data Account and the app server, or only on the app server. This character also declares if any Personally Identifiable Information (PII), such as email address, is collected or stored on the app server. If the organisation has rights to retrieve the information e.g. through a contracted Data Account, it is still only for the designated namespaçe. All other namespaces of the database are still private to the Data Account holder. For example, an organisation – let’s call it “Wood Factory” – using Data Accounts for their HR records has C as its first character. This indicates that the organisation does have access to the PII inside their employees' Data Accounts as they have credentials for access into the Wood Factory namespace. Should any individual leave Wood Factory, the organisation credentials would be terminated but the individual as the Data Account holder may be allowed to keep the data within the namespace.
The second character specifies if the application imposes a condition on the user for the data's reuse and re-sharing. Some applications may choose to impose legal restrictions on re-sharing or technical restrictions for re-sharing (such as encryption).
The third character specifies how complete the data is within the Data Account. This includes what may not normally be personal data e.g. the app's metadata, but would still be user-generated.
Merchants declare their rating according to the rating system specified by the HAT Community Foundation when they submit their application for review. The ratings are shown to all Data Account holders on the screen where they agree to the data contract. The Rating Assurance provides individuals with confidence that the website/application displaying the assurance has declared their treatment of personal data on the basis of the standards set out below. This rating assurance is not verified by Dataswyft. Merchants may choose to go beyond the assurance and be certified by the HAT Community Foundation. To achieve the Dataswyft Rating Certification, websites/applications must subject their code to periodic audit to verify that it consistently adheres to the rating declared.