Governance and Oversight

This section covers:

  1. Background

  2. Why is oversight necessary

  3. How Dataswift is regulated

  4. Being a HAT Owner: your rights

  5. Being a HAT Merchant

  6. Being a HAT Issuer

  7. Compliance


Background

HAT: About and Purpose

The HAT Microserver is a new, fully scalable and advanced technology that enables individuals to have full ownership rights to their data and content through their ownership of a dedicated database, wrapped with containerised microservices. The HAT Microserver is fully portable across devices, but is commonly hosted in the cloud. It is issued by a HAT Issuer. By way of its legal, economic and technology architecture, and through decentralised databases, the Intellectual Property Rights of the personal data within it can be legally owned, controlled and processed by individuals without an Issuer having any ability to view the content of the database (a “zero knowledge” solution). The HAT is fully open sourced but services in the HAT ecosystem are built by commercial as well as non-profit organisations.

While data rights are given to individuals through open sourced HAT Microservers, data mobility (the movement of data between HATs and certified HAT Merchant applications) is enabled by the HATDeX Technology Services, collectively known as the HATDeX platform, operated by Dataswift. With Dataswift’s HATDeX platform, individuals can install “data plugs” to bring their data in from the Internet, exchange data with applications through “data debits” and install tools in their microservers to have private analytics and algorithms for insights into their data, their health, their history and their memories. Dataswift’s HATDeX platform also operates the on-demand, scalable legal contracts issued and logged between HAT owners and applications, and executes the instructions of HAT owners and HAT merchants for data exchange under a set of governance rules set by Dataswift that is aligned to the trust framework of the HAT Community Foundation (HATCF).

Who is Dataswift Ltd

Dataswift is a commercial enterprise based in the U.K. that built the HATDeX platform and implemented the HAT Microserver as a Cloud based SaaS service under the oversight of the HAT Community Foundation, a members’ organisation that sets the top-level requirements for the trust framework. Dataswift also maintains the baseline technology of open sourced HATs. Dataswift and HATCF work together to promote the adoption of HATs. Dataswift as a commercial organisation has a guardian share held by HATCF and is mission locked within its articles of incorporation - that of operating a personal data exchange infrastructure for societal benefit.


Why is oversight necessary

The HAT ecosystem transcends national boundaries. An individual, i.e. a HAT owner, is a member of the Internet. Only the individual can allow websites and applications to interact with his/her own HAT, including websites and applications belonging to governments and industry. The HAT owner has the freedom to reveal or not reveal any data held within the HAT. However, Issuers of HATs can put restrictions on HATs that they issue, e.g. when they issue children’s HATs and the HATs of the deceased. Issuers therefore set rules for the HATs they issue. While merchants and issuers are reviewed, rated and certified by Dataswift, these rules may, on occasion, require discussion and oversight. Similarly, HAT Merchants may put constraints on the way the data they put into HATs can be used. These constraints may or may not be reasonable. Dataswift, as the commercial entity that executes the data contracts according to what parties wish to contract on, does so in most cases without a value judgement of what should be allowed/disallowed or what should be constrained. For some marginal cases, Dataswift will refer on to HATCF for advice. HATCF therefore oversees the HAT ecosystem as its governing body. HATCF represents HAT owners, HAT Merchants and HAT Issuers to ensure that the rules everyone operates on are fair and transparent while preserving the freedoms and data rights of individual HAT owners.


How Dataswift is regulated

Dataswift, as a UK company, is regulated by the Information Commissioner’s Office UK under registration number ZA244725 as the lead data protection authority globally only for Dataswift Account data (email and HAT URL) used to create HAT Microservers.

Once the HATs are created, Dataswift is neither the data controller nor the data processor of HAT Microserver data. The individual HAT owner is the only entity that is able to control and process data within his/her HAT. This means that the HAT owner’s data rights are protected. However, whenever data from HATs moves, e.g. is shared with HAT merchant applications, Dataswift’s HATDeX platform service executes the instructions from HAT owners and HAT merchants. This means that data mobility is the responsibility of Dataswift.

Dataswift is therefore regulated by the HATCF as a “HAT Platform Provider”, a certified technology provider for the provisioning, issuance and vending of HAT Microservers; for creating new contracts between HAT owners and websites/applications and executing them; the recording and logging of all contracts and permissions between HAT owners, HAT Merchants and HAT Issuers; for the execution of data exchanges between HAT Microservers and HAT-enabled applications; for reviewing, rating and certifying HAT Merchants and Issuers and for general data conduct in the HAT ecosystem.

From 16 August 2019, Dataswift is also regulated by the Financial Conduct Authority (FCA) in the UK as an account-information-service-provider (AISP) registered to integrate with banking APIs for payment transactions to go into HATs.

The HATCF regulates Dataswift through the following legal frameworks:

A. Statutory rights through Guardian Share

HATCF holds one guardian share of Dataswift Ltd for the preservation of its mission and social purpose, even while it seeks to provide returns to shareholders.

As guardian shareholder and regulator, HATCF is entitled to guardian share rights over Dataswift and also ensures that Dataswift is mission locked and that the board of directors has a fiduciary duty to uphold the mission and purpose of Dataswift, which is personal data exchange for public benefit.

B. Contracts and Definitions

HATCF approves changes to the following contracts and definitions on Dataswift’s HATDeX platform.

1. HAT Terms of Service

The HAT Terms of Service, along with the HAT Privacy Policy and the HAT Acceptable Use Policy on the HATDeX Platform, set out the Terms on which Dataswift offers individuals access to and use of Dataswift’s HATDeX Platform, services, products and applications. Major changes to these agreements must seek the foundation’s approval.

2. End-User Licence Agreements (EULA) of HAT Dashboard App

The EULA regulated by the foundation is the HAT App EULA, as the HAT app is an “owner application” service provided by Dataswift that is used to browse and view all data within the HAT and also contains special functionalities for the owner to operate the HAT.

HAT Application (HAT App) End-user License Agreement is made between Dataswift and the user of the HAT Dashboard Application (HAT App), and its terms govern the provision of the HAT app and its services. Major changes to this agreement must seek the foundation’s approval.

3. Definitions

Legal definition of HAT and HAT owners is approved by HATCF, together with the glossary of terms. These terms are incorporated into legal contracts and documents wherever necessary. Major changes to these definitions must seek the foundation’s approval.

Glossary of Terms can be found at: https://www.hatcommunity.org/hat-ecosystem-glossary

C. Usage of trademarks

HAT trademarks, service marks, logos, domain names, or other distinctive brand features cannot be used without the Foundation’s prior written consent. It is not permitted to remove, obscure, conceal, modify or otherwise alter any proprietary rights notices, signs, trademarks, service marks, trade names, logos or other marks of HAT. Any such signs, trademarks, service marks, trade names, logos or other marks of HAT, HAT's affiliates or any third party cannot be used in a way that is intended to, likely to or foreseeably could mislead others or cause confusion about the owner, license holder or authorised user, as the case may be, of such marks, names or logos.

D. Technology

The baseline technology of the open-source HAT Microserver is licensed under the AGPL and is available at https://github.com/Hub-of-all-Things/HAT2.0. The technology is maintained by Dataswift under the oversight of HATCF.

E. Certification as HAT Platform Provider

Dataswift is given 10 years as the exclusive “HAT Platform Provider” within the Foundation after which time the Foundation shall at its sole discretion appoint other operators able to provide alternative platforms (alternative technologies to Dataswift’s HATDeX Platform) for HAT.

F. Membership

Dataswift shall ensure that Certified HAT Issuers and HAT Merchants that create apps, tools, plugs or other services on the HATDeX platform are members of the Foundation.

G. Review and Ratings of HAT Merchant Applications and constraints imposed by HAT Issuers

Dataswift reviews, rates and approves HAT Merchant Applications based on the HATDeX Rating System, with special cases being referred on to the Foundation Ethics and Governance Board (see below).

H. Approval of new protocols

HATCF and Dataswift work together to continuously improve the governance and operation of the ecosystem and the platform. The Foundation will be referred to for approving any protocols on HATs before they enter into force if the protocols are not in line with the ethos of the open sourced HAT technology and the ecosystem.

I. Ethics and Governance Board

Dataswift, its Merchants, Issuers and network of organisations are subject to oversight by the Foundation against the Foundation’s Trust Framework, Code of Practice or other standards established from time to time at the Foundation’s sole discretion. Issues raised are discussed at the Ethics and Governance Board.

For more on the governance and oversight of Dataswift, visit https://www.hatcommunity.org/resources/#regulation


Being a HAT Owner: Your rights

All HAT Merchants and HAT Issuers providing services on the HATDeX platform must be certified by Dataswift, so as a HAT Owner, you should always check that any HAT Merchant or HAT Issuer is on the HATDeX platform partner register before using it. You can check the list of partners at https://hatdex.org/partner-pages

The Merchant website or application that accepts HAT data should have this badge on their website:

 
[Image: badge displayed by Merchant websites and applications that accept HAT data]
 

Whenever a HAT owner puts in his credentials (password etc), he should see this icon:

 
[Image: icon shown when a HAT owner enters credentials]
 

Your rights to your data

As a HAT owner, you have the right to request data into the HAT as a subject access request, wherever the laws permit. HATDeX platform data plugs enable you to exercise that right by enabling the data plug.

As a HAT owner, you have the right to transform your own data. Dataswift’s SHE (Smart HAT Engine) on the HATDeX platform enables you to do so by uploading pre-trained tools created by data scientists.

As a HAT owner, you have the right to use your data for your own benefit. Dataswift enables you to do so through the HAT dashboard App.

As a HAT owner, you have the right to exchange your data for services and other benefits. Dataswift enables you to do so through HMIs and data debit contracts with third party applications created by HAT Merchants.

As a HAT owner, you have the right to deny access to your data. Dataswift enables you to do so through the cancellation of data debits on your HAT dashboard app.

You may find that some issuers of HAT may impose restrictions on the way HATs are used. If you are unhappy with the restriction placed upon you by an issuer, you have the right to port your HAT to other issuers (this functionality is available when there are 2 or more HAT issuers).

Be alert – before you use one of these services make sure you are confident that:

  • organisations you share your information with are who they say they are

  • you understand the service and the data they are requesting from you.

Right to Complain

You have a right to complain to your HAT Merchant or HAT Issuer if you have a problem with the service they are providing. They must respond to your complaint within 15 days unless there are exceptional circumstances.

If you are not happy with the firm’s response, they reject your complaint or you do not hear from them, you have the right to take your complaint to the HAT Community Foundation at contact@hatcommunity.org.

If your complaint is about something your HAT Merchant or HAT Issuer has done, for example if a HAT Merchant or HAT Issuer has used your data inappropriately, you should contact the HAT Merchant or HAT Issuer to make a complaint. You have the same right to take your complaint to us at contact@hatdex.org or to the HAT Community Foundation at contact@hatcommunity.org.

How to Complain

If you are unhappy with a product or service, you can complain.

To make the process easier, follow these three steps to making a complaint:

Step 1: Contact the firm directly

  • If you have a complaint, it is best to first ask the firm involved to put things right.

  • Contact the firm as soon as possible. It is usually best to write to them so you have a record of what you say.

  • The HAT Merchants and HAT Issuers we regulate must respond to your complaint in writing within 4 weeks, telling you whether the complaint has been successful or why they need more time to look into it.

  • Firms are also required to respond in writing just to let you know they have received your complaint. So be sure you have a final response or it has been 4 weeks since you complained before you contact the HAT Community Foundation.

Step 2: Contact the HAT Community Foundation

If you are not happy with the firm’s response, they reject your complaint or you do not hear from them within 4 weeks, the HAT Community Foundation may be able to help you.

The HAT Community Foundation will ask the HAT Merchant or HAT Issuer to explain what it thinks happened and then decide whether to uphold your complaint.

It is important you contact the HAT Community Foundation within 6 months of receiving a final response from the firm, or it may not be able to deal with your complaint.

Step 3: Take the matter to court

If you do not want to accept a decision by the HAT Community Foundation, as a last resort you may be able to take your case to court.

You would usually start civil legal action in the county courts or High Court (in England, Wales and Northern Ireland), depending on the circumstances of the case. In Scotland, most small claims are started in the Sheriff Courts.

How to protect yourself

We want HAT owners to enjoy the full benefits of their HAT Microserver; however, there are some important things you should be aware of.

  • Be alert – It is the responsibility of HAT owners to protect against any unauthorised access to your HAT Microserver.

  • Keep your password or other access information secret. Your password and log-in details are personal to you and should not be given to anyone else or used to provide shared access.

  • Do not share - Ensure that no-one else uses your HAT Microserver, and that you do not use any account data or account of any HAT Owner or person other than yourself without the permission of the HAT Owner or person holding the respective account.

  • Make sure to update regularly - Keep your data in the HAT Microserver database useful and accurate through available HAT tools, apps and plugs and updating the said tools, apps and plugs when necessary.

  • Maintain good internet security practices.


Being a HAT Merchant

What are HAT Merchants?

HAT Merchants are organisations that have created HAT-enabled applications, plugs and tools. HAT merchants may also write data into a HAT Microserver depending on the permission given by the HAT owner. Merchants may request data to

  1. give recommendations or to personalise their offering.

  2. store their application’s user profile and activities when they outsource their user accounts to the HAT.

HAT Merchants that create applications that request data pay Dataswift for data transactions (API calls) whenever they read/write data from/to the HAT after receiving the necessary permissions and entering into a contract with HAT owners.

Dataswift executes data exchange instructions as permitted by HAT owners based on the contracts.

Certification: what’s involved

HAT Merchant Applications that read or write data from/to HAT Microservers have to be certified by Dataswift. Here’s a summary of what you need to know:

Becoming a HAT Merchant

You’ll have to begin with a partner enrolment form at Dataswift Sandbox. You will then receive a welcome kit consisting of all documentation and signposts needed to build your application on the HAT. You may then create your application with the help of the HATLAB sandbox team.

When your application is ready to go live, the HATLAB sandbox team will prepare your application for the review, rating and certification by the foundation team. Assuming all goes well, your application would go live and be listed on the HAT Dashboard App and on HATStore. Depending on your understanding of and familiarity with HATs, this process may take 1 week to 3 months. You will also have to pay a certification fee to the foundation and become a member.


Being a HAT Issuer

What are HAT issuers?

HAT issuers are organisations that use the HATDeX platform to issue HAT Microservers as a “personal data account” to their customers. They may do so directly through an email, or through a HAT Merchant Application. Issuers obtain a share of revenue from data transactions when the HATs they issue transact with HAT Merchants. These revenues are fully scalable while ensuring their end-users’ data rights are preserved. HAT Issuers require no technical knowledge, and yet benefit from the personal data economy through the advanced technology, economic and data governance of the HATDeX platform.

Issuers have the right to set restrictions on HMIs, e.g. for children or deceased persons, and also set other governance rules for their HAT owners. New protocols and governance rules are approved by HATDeX but on occasion, they may require the approval of the HAT Community Foundation.

Who qualifies to become a HAT Issuer?

HAT Issuers are usually large B2C organisations within a particular sector that have a large customer base and want to benefit from the data they hold of their customers by enabling their own customers to re-use and re-share their data. HAT Issuers can also be a B2B organisation with a network they can leverage on to be merchants vending HATs issued by them.

Becoming a HAT Issuer

Please book a call with Dataswift.


Compliance

All HAT Merchants and Issuers must comply, before submitting their application and on a continuing basis, with the requirements and standards of personal data exchange under HATDeX platform policy.

What being ready and willing means

We expect firms to take data conduct seriously and plan how they will meet the standards of Dataswift’s HATDeX platform policy and HATCF trust framework before they apply. When we consider the extent to which a firm has planned ahead we ask ourselves whether the applicant is:

Ready

The review team will consider what the applicant has done when preparing to submit their application. Positive indicators can include:

  • understanding the HAT and legal, economic and technological aspects of Dataswift’s HATDeX platform

  • making enquiries on the HAT slack channel

  • seeking legal/compliance advice when necessary

  • understanding what is good data conduct, ethical and privacy preserving when requesting HAT data

Willing

The review team will consider the attitude of the applicant during the certification process. Positive indicators include:

  • being open and honest in all their dealings with Dataswift in terms of their requests for data from HAT owners

  • being proactive about getting information to us to assess the application’s intention

  • demonstrating initiative to understand their responsibility in handling personal data

  • timeliness and availability of staff to deal with queries about the application