Mad@Work is the short name for the project ITEA3 Mental Wellbeing Management and Productivity Boosting in the Workplace. It's a VTT study project that focuses on the detection of mitigation of employees' poor mental health conditions to prevent associated health risks. The goal of the project is to develop new human resource management solutions to improve workplace conditions and employee wellbeing. The solutions will combine data from a range of environmental sensors and wearable data sources in a privacy-safe and unobtrusive way. Nixu is one of the companies participating in the project and focuses on privacy-by-design software development and personal data control with MyData principles.
A beginners guide to MyData
June 3, 2020 at 08:37
When it comes to modern identity management, and privacy-aware design, the term MyData keeps popping up. Also, in the Mad@Work research project that focuses on mental wellbeing management in the workplace, Nixu supports the implementation of MyData principles. But what does MyData mean in practice?
My data, my control
The purpose of MyData is human-centric control of personal data. The MyData principles state that individuals should be "empowered to give, deny or revoke their consent to share data based on a clear understanding of why, how and for how long their data will be used." MyData also drives portability and interoperability: it should be user-friendly and practical to reuse and transmit personal data to other services. Transparency and accountability are also essential: individuals should be able to understand how their data is used. You can read more about the principles in the MyData declaration.
In practice, these principles are implemented with the MyData platform. There are four types of stakeholders in the MyData concept:
- Data subject. The person, organization, or IoT device whose data is being handled can control what can be done with it in a fine-grained way. The data subject can manage their consent with the MyData Wallet application.
- Data provider provides the data about a data subject. A registry of license or certification holders is an example of a data provider.
- Data consumer. A service or an application that uses the data. A service that combines information about all your purchases and loyalty card usage could advise you of optimizing your budget or even your health. The data consumer can use the data if the data subject has given consent.
- Data operator. There can be one or several data operators. The data operator links everyone together. Data operators do not use the data themselves but provide the consent management services, the interfaces to the registered data sources and data consumers, and the linking of identity.
MyData brings more visibility into data usage
MyData is best suitable for controlling personal data when the legal basis for data processing is consent or contract. The GDPR defines other bases, for example, legal obligation, vital interest, or public interest. However, even if you were handling data based on something else than consent, the MyData principles can be useful to make data processing more transparent.
MyData in the Mad@Work project
One of Nixu's roles in the Mad@Work project is to help the data providers and data consumers with the integration to the MyData platform, security architecture design, and the implementation work.
In the Mad@Work project, multiple data providers create personal data and data that will be refined as such:
- Furniture with pressure sensors recognizing if people are sitting on them.
- Movement sensors in the building.
- Air quality and temperature sensors and air purifiers.
- Thermal cameras that identify how many people are in the room.
- Smart lights that customize the workstation lighting based on the user's preferences.
- Raw data from real estate automation.
Research partners in the project both use this data and provide artificial intelligence and machine learning models that cultivate the data into insights about the employees' wellbeing. Other data consumers in the project are the companies whose employees and premises are being measured.
The individual employees can control all this consumption and sharing of data with MyData principles. In the MyData wallet, the users can give or revoke their consent to using and sharing data from one place.
All this could be highly insecure and problematic for privacy without proper planning and securing the architecture of both data providers and data consumers. Privacy threat modeling is also needed to map out potential weaknesses.
Integrating to the MyData platform simplifies things for data providers in the project, so they don't need to implement consent management. To data consumers, some examples of the benefits are being able to implement data portability or pseudonymity more easily, and increased trust in the service because of the transparency of data.
Want to start using MyData?
Do you think MyData could be suitable for your services? First, consider what your role would be – a data consumer or a data provider? Next, think about what kind of privacy threats you would like to tackle or what privacy features could MyData implement for you.
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.