HAT Community Foundation (HCF) is developing a rating system for applications and services “powered by HAT”. The main criteria for certification and ratings for data would be SECURITY, CONFIDENTIALITY, OWNERSHIP, TRANSPARENCY & TRUST (SCOTT). Since HATs are private by default, any sharing of data with a third party will mean some loss of privacy. It is, however, important for users to know what to expect in terms of degree, and how applications are processing and using their data, on a SCOTT basis. The rating scheme will be an empirically driven, community-agreed, market system to rate the LEVELS of SCOTT (e.g. AAA to EEE) and to document the best practices of applications taking data from the HAT.
As it matures, the scheme will be akin to the credit rating scheme in financial services, but in the case of HAT it will represent the “credit worthiness” of data buyers, either directly or through applications, to be granted access to an individual’s data. It will provide a rough indication of the care, on a SCOTT basis, that the application takes over the personal data that sits within the application/data buyer’s system.
Any organisation providing HATs or services “on the HAT” is able to operate only if it complies with a minimum standard of SCOTT set out in the HAT Code of Practice maintained by HCF. This assures all users within the ecosystem that their data transactions are subject to a basic but comprehensive level of compliance with a standard level. The rating scheme goes beyond this to give users an “at a glance” indication of the quality of data offers posted by accredited data shoppers. The rating system is empirical, evidence-based and evolving.
Incentives and Alignments
It is also important to check how and why the HAT data leaves the platform. Some apps may require you to give the data away, for example, when you do a survey, fill in forms, etc. It is important that the rating checks whether the business model of the provider is aligned with the data it receives. For example, giving you a flashlight app for your phone does not give the provider the right to hoover up all your personal data.