The data sharing governance framework of the data space needs to enable each participant to control their data and the conditions of their access while facilitating data sharing agreements.
6.2.1. General governance of the data sharing
The data space data sharing framework is not open data. Participants of the data space do not automatically get access to the data or services of other participants.
There are different steps before an organisation can access another organisation’s data or services.
Let’s take an example:
- An edtech wants to join a skills matching data space use case operated by a National Employment Agency to provide a skills matching service.
- It needs to access the skills profiles of people stored in different data providers in the ecosystem.
- It will need to onboard the data space use case and the data space to prove compliance with the data space requirements (legal, ethical, business, technical) and with the precise requirements of that particular ecosystem.
- It will then need to agree on the terms and conditions, data usage policies, business model of that particular data space use case and of the concerned data providers.
- Once these agreements are in place between the ecosystem orchestrator, the data providers and the edtech, the individual end users will be asked for consent to grant the edtech access to their data for the specific purpose.
- If the end user gives the consent, then the edtech will be able to access the data.
To put this into place, different levels need to work together to implement such a governance model.
6.2.2. The different levels of governance
- Data space level: All governance aspects relating to the infrastructure that enables data transactions between different data space use case participants based on the governance framework of that data space. Data spaces should be generic to support the implementation of a variety of data space use cases, governance models and business models. One data space can be used for several data space use cases (see below).
  - The body that is responsible for the governance of this level is the Data Space Governance Authority, preferably composed of public and private entities.
- Data space use case level: A specific setting in which two or more use case participants rely on a data space to create value. Value can be interpreted as business, societal or environmental value. The data space use case can have specific business and governance models.
  - The body that is responsible for the governance of this level is the Data space use case Orchestrator.
- Use case participant: A data space participant that is engaged with a specific data space use case and may have one or more roles in it.
  - The body that is responsible for the governance of this level is the Participant itself.
- Data Space Governance Framework: The set of principles, standards, policies (rules/regulations), agreements and practices that apply to the governance, management, and operations (including business and technology aspects) of a data space as well as to the enforcement thereof, and the resolution of any conflicts. This is defined by the Data Space Governance Authority.
- Contractual framework (Constitutive agreement): Main contractually binding document for the establishment of a Data Space Use Case or of a Data Space. This is defined by the Data Space Governance Authority for the data space level and by the Data Space Use Case Orchestrators for the data space use case level.
- Accession Agreement: Governs the admission of parties to the Data Space or to the Data Space Use case. This is defined by the Data Space Governance Authority for the data space level and by the Data Space Use Case Orchestrators for the data space use case level.
- Data space use case Description: detailing the technical, governance and business rules of the data space use case.
- Code of Conduct: Set of commonly acceptable norms that make cooperation between parties easier and more convenient inside a Data Space or a Data Space Use Case. This is defined by the Data Space Governance Authority for the data space level and by the Data Space Use Case Orchestrators for the data space use case level.
- Access and usage policies: The terms under which the Data & Service Providers grant a right to use their products to the Service Providers and/or End Users. This is defined by the participants.
Many stakeholders and layers are involved in this process and many topics need to be decided upon.
Across the three governance levels, the following topics require decision making:
- Standards: the technical, legal and business standards that can be used,
- Code of Conduct: the Code of Conduct to be applied,
- Roles and responsibilities: the roles and the responsibilities attached to each role,
- Use cases: the use cases allowed,
- Infrastructure: the tools and processes to operate the governance, legal and business requirements,
- Business and Pricing models: the business models allowed,
- Accession Rules: the conditions to join,
- Data and service usage policies: the conditions to use the data sets and services available.
The following section details for each of these topics what each of the 3 levels of governance decides upon.
As described, several topics (standards, code of conduct, roles and responsibilities, use cases, infrastructure, business and pricing models, accession rules, data and service usage policies) need to be decided upon for the data space to function. Moreover, each level previously defined (data space, data space use case, participant) decides upon different elements of each topic.
The following list of tables provides, for each topic:
- A table with the description of responsibilities for each decision level (Data space, Data space use case, Participant)
- A table with examples for each decision level. Examples are based on the EU-Dune use case.
Table 9: Governance decision levels for Standards
|Data Space||DSGA prescribes the usage of a minimal set of standards for the functioning of the dataspace. It may also propose a list of optional standards that may facilitate interoperability of the dataspaces. It bases its decision/choice on sector-specific standards and DSSC for enabling interoperability among data spaces and usage of generic building blocks.|
|Data space use case||On this level the selection of additional standards relevant for the Data space use case is conducted. Depending on the data space use case and its specific use cases, the applicable sectorial standards will vary. Furthermore, the guidelines, best practices, and examples relevant for the data space use case are set. On this level the on-boarding of new participants is carried out and a critical mass of users is achieved. Furthermore, a roadmap for the implementation of missing technical components could be proposed at this decision level (e.g., data space connectors supporting specific legacy systems).|
|Participant||Participants are responsible for the implementation of standards and adherence to compliance rules. Participants decide themselves how to implement their solutions to support interoperability.|
Table 10: Governance decision levels for Standards – Examples
|Data Space||As generic standards, Fire-X recommends the application of interoperability standards (e.g., NGSI-LD and OpenAPI, JSON-LD or XML), access and usage control (e.g., SAML) and identity management (e.g. eIDAS2, OAuth 2.0, Verifiable Credentials Data Model). It also recommends the most important sectorial standards, like the ESCO (European Skills, Competences, Qualifications, and Occupations) classification, HR-XML and OpenBadges.|
|Data space use case||EU-DUNE prescribes the application of ESCO and HR-XML standards for the upskilling use case but does not make the usage of OpenBadges mandatory.|
|Participant||On the participant level, EU-Dune participants use InfraTrust to ensure a mapping of their skills data to ESCO.|
Table 11: Governance decision levels for Code of conduct
Table 12: Governance decision levels for Code of conduct – Examples
|Data Space||At data space level, generic ethical rules, like those from the Sitra Rulebook [SitraRulebook] Ethical principles would be enforced (e.g., Accountability and Auditability, Avoid harm, Human-centricity, etc.). These rules were negotiated at an early stage including large-scale users (UXschool) ensuring endorsement by those users.|
|Data space use case||The EU-DUNE Code of Conduct establishes supplementary regulations for safeguarding Matilda. SkillProfiX and SDAI are required to provide Matilda with clear and comprehensible information about the criteria upon which their AI is based, and they must enable Matilda to activate or deactivate specific criteria as needed. SkillFast can either independently establish the Code of Conduct or opt to involve EU-Dune participants in its formulation.|
|Participant||SkillProfiX and SDAI decide how to implement their obligations and send proof to SkillFast.|
Table 13: Governance decision levels for Roles & responsibilities
|Data Space||Data Spaces are about collaboration between many organizations and individuals. To this end, it is important to understand what roles exist in a data space and which roles are assigned to data space participants. At this level all possible roles are defined and for each role a minimum set of responsibilities, technical and organisational requirements are set. This allows enforcing rules and responsibilities for those roles through Data Space Building Blocks.|
|Data space use case||Takes care of assignment of roles and responsibilities across participants and ensures compliance.|
|Participant||The participant takes a specific set of roles and complies with responsibilities for those roles.|
Table 14: Governance decision levels for Roles & responsibilities – Examples
|Data Space||The data space level defines a data provider role which defines rules for data access: in a Fire-X scenario it would entail, for example, data about employees and specific data access rules that would preserve their privacy. It also defines a service provider role, which must adhere to usage policies of data providers if they are using data from them: in a Fire-X case, a service provider providing matching employees with training providers would need to enforce the rule of neutrality – no job seeker or training provider should be given unfair precedence over another.|
|Data space use case||In EU-DUNE roles would be assigned to specific participants: service providers (SkillProfiX, SDAI, EU-DUNE), personal data providers (SkillProfiX, DigiFutUX, UXlife, UXschool), organisational data providers (JobRightNow, Jobijob and Jobo, FindTraining, YourTraining), infrastructure provider (InfraTech), individual end-users (Matilda, Francesco, Anita), organisational end users (DigiFutUX, IntelliAITraining), DSGA (Fire-X), and personal data intermediary (InfraTrust).|
|Participant||Participants, for example SkillProfiX or DigiFutUX, take care of the technical infrastructure that enforces the intended usage of personal data they are providing to EU-DUNE service providers. They also run regular audits of their systems to assure compliance.|
Table 15: Governance decision levels for Use cases
|Data Space||Proposes a list of use cases with a basic description, roles, and responsibilities. This is a list of potential use cases that have the potential to provide benefits to use case participants.|
|Data space use case||From all proposed use cases at data space level, a group of participants based on their organisation’s objectives and business interest. They prepare guidelines and definitions of roles for the specific use-case.|
|Participant||The participant joins use cases of interest and complies with roles and responsibilities.|
Table 16: Governance decision levels for Use Cases – Examples
|Data Space||Definition of several possible use cases for the Fire-X data space. One of those would be the definition of upskilling use case for employees: what does it mean to establish such a system, what purpose it serves, how it operates?|
|Data space use case||A shared aspiration among multiple stakeholders within|
|Participant||At participant level, a company that needs to provide upskilling to their workforce, DigiFutUX, decides to join EU-DUNE, as it will help them upskill their workforce.|
Table 17: Governance decision levels for Infrastructure
|Data Space||At this level, building blocks and infrastructure requirements relevant for the dataspace are defined. The design and implementation of data spaces comprises technical (like standardized APIs), organisational and business building blocks (like business, legal or operational agreements). All these must be clearly defined on the level of the Data space for the Data space use cases to have a catalogue of the possible building blocks to apply. As part of the governance framework there may exist a certification process to verify that candidate building blocks meet the specific criteria prescribed at data space level (security, reliability, application of standards, environmental and technical constraints, quality of service, functionality). Just like standards, generic building blocks should be proposed by DSSC. In addition to those generic building blocks, (like those that deal with human centricity or with skills data interoperability) through a collaborative process. Typically, stakeholders will identify sector-specific needs that cannot be addressed by existing building blocks. Based on this assessment, they formulate proposals for sector-specific building blocks that aim to address the identified needs and challenges. For each building block a set of requirements, specifications and standards is proposed, based on a DSSC Blueprint. According to the Data Space Asset Model from the DSSC Blueprint, each building block consists of a technical and functional specification. Furthermore, at this level also a list of open-source reference implementations is prepared.|
|Data space use case||Defines which building blocks and services are deployed by each participant and decides how to implement the common services. At data space use case level, specific building blocks are customized for specific usage.|
|Participant||At this level the participant can either choose to use data intermediary services, compliant with the data space, that handle all functionalities, or choose to operate building blocks on their own.|
Table 18: Governance decision levels for Infrastructure – Examples
|Data Space||For example, would propose FIWARE Context Broker and FIWARE NGSI API as interoperability components with other sectorial data spaces, in addition to Prometheus-X specific building blocks for the Skills domain and for personal data sharing. Fire-X can also choose to develop their own open-source building blocks.|
|Data space use case||EU-DUNE orchestrator SkillsFast chooses which building blocks are mandatory for EU-Dune, which will be operated commonly for all EU-Dune participants, and which can be operated by each participant. For instance, EU-Dune needs a Personal Data Intermediary and SkillsFast has chosen InfraTrust. However, interoperability building blocks are also needed, so SkillsFast recommends that its participants use Prometheus-X skills data interoperability building blocks, as proposed by Fire-X.|
|Participant||Each participant deploys Data Space Connectors customized for interaction with their internal databases, IT systems and services (e.g., DigiFutUX for connecting with their HR IT system) and for interacting with InfraTrust, the EU-Dune PDI building block. SDAI chooses to operate a Prometheus-X interoperability building block itself.|
Table 19: Governance decision levels for Business and Pricing Models
|Data Space||It defines business models and value sharing options considering the DSSC blueprint and sector-specific requirements, of which human-centricity is most important. DSGA proposes standards and building blocks and is responsible for certifying trusted infrastructure providers that the participants use. This allows for a more open data space and more competition but requires that DSGA defines the pricing of certification at this decision level.|
|Data space use case||A Data space use case decides which business models can be applied (i.e., what are the value sharing mechanisms) for the particular use case. Concrete examples about value sharing are proposed in the business section of this report.|
|Participant||Decides which business models to apply and sets the parameters for that business model (e.g., pricing).|
Table 20: Governance decision levels for Business and Pricing Models – Examples
|Data Space||Subscription and transaction-based business models are defined on the level of the Fire-X Data Space.|
|Data space use case||The EU-DUNE use case decides to apply a transaction business model for data providers and a subscription model for service providers.|
|Participant||DigiFutUX, UXlife, UXschool decide to provide their data at no cost, while job boards set a price for each transaction.|
Table 21: Governance decision levels for Accession rules
|Data Space||Definition of accession rules (who can enter the data space) must include trust (ensuring that data exchange occurs in a secure, reliable, and controlled manner, respecting the rights of all parties involved), accession process, possible certification and different levels of sectoral labels. The overall onboarding process is managed at the data space level, as well as on the use case participant level.|
|Data space use case||It drives the accession process and checks compliance. It may impose additional accession criteria for a data space use case.|
|Participant||Participants must comply with accession rules and ensure continuous compliance.|
Table 22: Governance decision levels for Accession rules – Examples
|Data Space||Only legal entities established in EU Member States can join; on the other hand, natural persons that are EU citizens and non-EU citizens with a valid residence permit can also join the Fire-X Data Space.|
|Data space use case||EU-DUNE imposes further restrictions for secondary schools and universities: they must be registered with a responsible national authority as teaching institutions.|
|Participant||UXschool notifies SkillsFast about their registration as a teaching institution with competent authorities.|
Table 23: Governance decision levels for Data & service policies
|Data Space||Prepares Data & service policy templates. At this level, a generic set of is prepared on access to and the usage of data and services (registration information, data sharing agreements, contractual frameworks). Restrictions are designed to ensure that data is used in a manner that respects the rights of the data owner, complies with legal and regulatory requirements, and maintains trust among all participants in the data ecosystem.|
|Data space use case||Defines technical and organisational for data policy enforcement and ensures compliance with those policies. Technical aspects can include access control policies, implementation of technical controls, encryption and data integrity checks. Organisational aspects can include formal data governance structures, administrative control and data protection policies. It can also define some general rules on data policies, like which participant roles are allowed to access specific data types.|
|Participant||Defines policies for their own data products based on general rules set by the DSGA. It also adheres to policies of other participants when using their data products. Special care must be taken in usage policies for derived products.|
Table 24: Governance decision levels for Data & service policies – Examples
|Data Space||Fire-X defines the templates and basic rules of the metadata the providers need to register. A data provider of skills data should, for example, provide the following metadata: can they be used for job seeking, headhunting, proposing additional trainings; for how long can they be stored; does the data provider request payment; does the data provider set a limit on the number of curriculums requested? Skills assessment service providers should, for example, provide the following data about their services: what type of service they provide, pricing model, usage rights on derived data products or any other restrictions of the service.|
|Data space use case||As part of EU-DUNE, technical solutions are provided to check whether SkillProfiX, which requested data to provide recommendations, has registered that usage (thus preventing other usage), and to log the transaction for auditing and accounting purposes.|
|Participant||UXschool, which provides diploma and skills certificates, allows the usage of curriculums for upskilling and job search but not for headhunting. There is no payment requested. This is defined in the data policy templates provided by Fire-X and implemented through the access & usage control services provided by EU-DUNE.|
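
The Table 24 example can be read as one usage-control decision: the provider's published policy, the consumer's registered usage, and the end user's consent must all match the requested purpose, and every decision is logged. The sketch below is an added example, not code from Fire-X, EU-DUNE or Prometheus-X; the class and function names, the retention period and the record limit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class UsagePolicy:
    """Provider-published metadata, following the Table 24 data space row."""
    allowed_purposes: frozenset
    max_retention_days: int
    max_records_per_request: int
    price_per_request: float = 0.0


@dataclass
class UsageControl:
    policies: dict           # provider -> UsagePolicy
    registered_usages: set   # (consumer, provider, purpose) declared at use case level
    consents: set            # (end_user, consumer, purpose) granted by the individual
    audit_log: list = field(default_factory=list)

    def _evaluate(self, consumer, provider, end_user, purpose, records, retention_days):
        policy = self.policies.get(provider)
        if policy is None:
            return False, "provider has published no policy"
        if purpose not in policy.allowed_purposes:
            return False, "purpose not allowed by provider policy"
        if (consumer, provider, purpose) not in self.registered_usages:
            return False, "usage not registered by consumer"
        if (end_user, consumer, purpose) not in self.consents:
            return False, "no end-user consent for this purpose"
        if records > policy.max_records_per_request:
            return False, "request exceeds record limit"
        if retention_days > policy.max_retention_days:
            return False, "requested retention too long"
        return True, "permit"

    def authorize(self, consumer, provider, end_user, purpose, records=1, retention_days=0):
        """Deny by default; log every decision, permitted or not."""
        allowed, reason = self._evaluate(
            consumer, provider, end_user, purpose, records, retention_days)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "consumer": consumer, "provider": provider, "end_user": end_user,
            "purpose": purpose, "allowed": allowed, "reason": reason,
        })
        return allowed, reason


def constructed_eu_dune_example():
    """Constructed sample state; the 90-day retention and 5-record limit are assumptions."""
    return UsageControl(
        policies={"UXschool": UsagePolicy(frozenset({"upskilling", "job_search"}), 90, 5)},
        registered_usages={("SkillProfiX", "UXschool", "upskilling")},
        consents={("Matilda", "SkillProfiX", "upskilling")},
    )


if __name__ == "__main__":
    pdp = constructed_eu_dune_example()
    print(pdp.authorize("SkillProfiX", "UXschool", "Matilda", "upskilling", 1, 30))
    print(pdp.authorize("SkillProfiX", "UXschool", "Matilda", "headhunting"))
    print(pdp.authorize("SkillProfiX", "UXschool", "Matilda", "job_search"))
    print(len(pdp.audit_log), "decisions logged")
```

Denied requests are logged alongside permitted ones, so the audit trail also shows attempts to use data for an unregistered or disallowed purpose.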