Data Debits

What are Data Debits?

Data Debits are the cornerstone of the permission-based, data contracts platform. As the rights to the PDA database are fully owned by the PDA owner, any data acquisition from the database would require permission. When permission is granted, a legitimate contract is agreed upon. This is not the same as consent. The PDA Data Debit process flow enforces a strictly-defined format defining the specific data requested for the owner to review and confirm. Once the data-sharing permissions are given, the contract between the PDA owner and the application provider is logged and Data Debits becomes the only way data can be retrieved from a PDA by anyone other than the owner.

The standard approach is for applications to have access to a single designated namespace. It is possible to have data access to other unrelated namespaces. This can be achieved through a domain-specific data debit mechanism. By default, all applications have read and write access to the namespace specified upon creation but if for example, the application needs to read users' facebook posts, then a data debit will have to be created by the application developer and be accepted by the users.

For example Notables application has a data debit in order to fetch and display the PDA profile information.

Data debit confirmation process is incorporated into the application's Permission Contract request and agreement screen that details which application can access what data. Users have to agree in order for the application or Data Plug to function as intended.

The more general process of creating a Data Debit is:

  • Propose a Data Debit specification to a PDA

  • The PDA owner sees the Data Debit as a pending request, reviews and approves it by confirming it or rejects it.

Dataswift's Platform will log the contract and the Data Debit becomes enabled.

The general process of getting the values from a Data Debit is:

  • Request Data Debit values from the PDA

  • Optional: If any changes are required to the Data Debit request, submit a request to update it

Data debit proposal

The first step in retrieving private data from a PDA is to submit a Data Debit request — POST /api/v2.6/data-debit/$dataDebitKey. Where dataDebitKey can be any valid URL path, however it needs to be unique on the HAT. The request will fail otherwise.

The general schema of a Data Debit is:

{
"bundle": "[DataBundle]",
"conditions": "Optional[DataBundle]",
"dataDebitKey": "[String]",
"purpose": "[String]",
"period": "[Int]",
"termsUrl": "[String]",
"cancelAtPeriodEnd": "[Boolean]",
"requestClientName": "[String]",
"requestClientUrl": "[String]",
"requestClientLogoUrl": "[String]",
"requestClientCallbackUrl": "Optional[String]",
"requestApplicationId": "Optional[String]",
"requestDescription": "Optional[String]",
"start": "[String]"
}

Parameter

Type

Meaning

dataDebitKey

URL Path

ID of the data debit — any valid URL path

conditions

Data Bundle Object

Optional Data Bundle specification — covered in a separate guide

bundle

Data Bundle Object

Data Bundle specification — covered in a separate guide

start

ISO8601 Date

When data sharing should start

period

Int

The period that the data debit will be active. Value in seconds

purpose

String

The purpose of the data debit. Description of what it does and why it is needed

cancelAtPeriodEnd

Boolean

A value indicating if the data debit will continue after the specified period elapses

termsUrl

URL

A URL for the terms and conditions for that URL

requestClientName

String

The name of the company that created the data debit

requestClientUrl

URL

Company's website URL

requestClientLogoUrl

URL

Company's logo URL

requestClientCallbackUrl

URL

A callback url to be notified for new events

requestApplicationId

URL

Application id of the app requesting the data debit

requestDescription

URL

A description that accompanies the data debit request

As a concrete example, the below request asks for user profile together with location data.

{
"bundle": {
"name": "testbundlename",
"bundle": {
"profile": {
"endpoints": [
{
"endpoint": "rumpel/profile"
}
],
"limit": 1
}
}
},
"dataDebitKey": "testdatadebitkey",
"purpose": "This is description of what the data debit is for",
"period": 3600,
"termsUrl": "termsurl",
"cancelAtPeriodEnd": false,
"requestClientName": "Data Debit Creator Name",
"requestClientUrl": "https://data-debit-creator-website",
"requestClientLogoUrl": "https://data-debit-creator-logo-url",
"requestApplicationId": "applicationId",
"requestDescription": "A short introduction for what the data debit is",
"start": "2019-11-06T14:40:44.267Z"
}

If your request is valid and hence accepted by the PDA, the response will be 201 CREATED status, with the full specification of the data debit in the request body. Please note that both the Data Debit ID and the Bundle name must be unique — Data Debit key identifies the relationship between the user and an application, while the Bundle name identifies the specific data being exchanged. The request will fail otherwise.

Approve Data Debit

An application developer is not authorized to approve data debits, this is managed using an API call: GET /api/v2.6/data-debit/$dataDebitKey/enable. Where $dataDebitKey can be any valid URL path, however it needs to be unique on the PDA, and $bundleName can be any valid name. Specifically, it requires both the Data Debit key and the bundle name to be set to accurately identify the data that is being shared.

{
"dataDebitKey": "testdatadebitkey",
"dateCreated": "2019-11-06T14:43:36+0000",
"permissions": [
{
"dateCreated": "2019-11-06T14:43:40+0000",
"purpose": "This is a new description of what the data debit is for",
"start": "2019-04-02T09:32:47.000Z",
"period": 360000,
"cancelAtPeriodEnd": false,
"termsUrl": "https://newtermsUrl.com",
"bundle": {
"name": "testbundlename",
"bundle": {
"profile": {
"endpoints": [
{
"endpoint": "rumpel/profile"
}
],
"limit": 1
}
}
},
"accepted": true,
"active": true,
"end": null
}
],
"requestClientName": "Data Debit Creator Name",
"requestClientUrl": "https://data-debit-creator-website",
"requestClientLogoUrl": "https://data-debit-creator-logo-url",
"requestApplicationId": "applicationId",
"requestDescription": "A short introduction for what the data debit is",
"active": true,
"accepted": true,
"start": "2019-11-06T14:40:44.267Z",
"end": null,
"permissionsActive": {
"dateCreated": "2019-11-06T14:45:53+0000",
"purpose": "This is a new description of what the data debit is for",
"start": "2019-11-06T14:40:44.267Z",
"period": 360000,
"cancelAtPeriodEnd": false,
"termsUrl": "https://newtermsUrl.com",
"bundle": {
"name": "testbundlename",
"bundle": {
"profile": {
"endpoints": [
{
"endpoint": "rumpel/profile"
}
],
"limit": 1
}
}
},
"accepted": true,
"active": true,
"end": null
},
"permissionsLatest": {
"dateCreated": "2019-11-06T14:45:53+0000",
"purpose": "This is a new description of what the data debit is for",
"start": "2019-11-06T14:40:44.267Z",
"period": 360000,
"cancelAtPeriodEnd": false,
"termsUrl": "https://newtermsUrl.com",
"bundle": {
"name": "testbundlename",
"bundle": {
"profile": {
"endpoints": [
{
"endpoint": "rumpel/profile"
}
],
"limit": 1
}
}
},
"accepted": true,
"active": true,
"end": null
}
}

Request Data Debit Values

Once a DataDebit has been both proposed and approved by the PDA owner, it is achieved with a simple GET /api/v2.6/data-debit/$dataDebitKey/values request. Where $dataDebitKey can be any valid URL path, however it needs to be unique on the PDA.

If the data debit is enabled, the response is exactly the same as if you were using Data Bundles directly:

{
"bundle": {
"profile": [
{
"endpoint": "rumpel/profile",
"recordId": "9b136020-372a-4777-81f9-2c4ce6925aea",
"data": {
"profile": {
"website": {
"link": "https://example.com",
"private": "false"
},
"nick": {
"private": "true",
"name": ""
},
"primary_email": {
"value": "testuser@example.com",
"private": "false"
}
}
}
}
]
}
}

If, on the other hand, you try to request data from a Data Debit that has not been enabled, you will receive an error:

{
"message": "Bad Request",
"cause": "Data Debit testdatadebitkey not enabled"
}

That's it! You have now successfully received data from a PDA owner using a Data Debit agreement.

Update data debit

Data requirements may change over time. It may be required to update an existing data debit. There are two solutions to this problem:

  1. Request a new Data Debit with the updated requirements

  2. Update an existing Data Debit

Updating an existing data debit has the benefit of building on an existing relationship with the PDA owner: they see the scope of your request increasing, however they will recognise your application as an application they have already agreed to share data with. The request for updating an existing data debit is: PUT /api/v2.6/data-debit/$dataDebitKey. Where $dataDebitKey can be any valid URL path, however it needs to be unique on the HAT.

The example below requests 10 recent profile records, up from 1 in the previous example:

{
"bundle": {
"name": "testbundlename",
"bundle": {
"profile": {
"endpoints": [
{
"endpoint": "rumpel/profile"
}
],
"limit": 10
}
},
"dataDebitKey": "testdatadebitkey",
"purpose": "This is a new description of what the data debit is for",
"period": 360000,
"termsUrl": "https://newtermsUrl.com",
"cancelAtPeriodEnd": true,
"requestClientName": "Data Debit Creator Name",
"requestClientUrl": "https://data-debit-creator-website",
"requestClientLogoUrl": "https://data-debit-creator-logo-url",
"requestApplicationId": "applicationRequestingDataDebitID",
"requestDescription": "A short new introduction for what the data debit is",
"start": "2019-11-06T14:40:44.267Z"
}
}