X-Road is an open source data exchange layer solution used by the national governments in Estonia and Finland. This presentation explains a concept how X-Road can be used as a technical platform to exchange MyData. In addition to the technology, also common principles and guidelines required by the concept are discussed.

1. X-Road as a Platform to
Exchange MyData
PETTERI KIVIMÄKI, CTO
29TH AUGUST 2018

2. Table of Contents
u MyData Roles
u How Does X-Road Work?
u X-Road as a Technical Platform for MyData
u MyData via X-Road
u What X-Road Does and Does Not Provide

3. MyData Roles
Digital
Identity
MyData Operator
Data
Consent
Consent
Individual
Consent • Individual – a person who authorizes data flows with
consent.
• MyData Operator – provides a MyData accounts that
enable digital consent management.
• Data Source – provides data about individuals.
• Data Using Service – uses the data provided by data
sources.
Data Source Data Using Service
Access Logs

4. How Does X-Road Work?
Security Server Security Server
Service Consumer Service Provider
Signature and
time-stamping
of messages,
logging
Verify incoming
messages,
time-spamping,
logging, access
rights
Central Services
Registry of
trusted parties
(organizations,
servers)
Trust Services
Validity of certificates
(auth, sign)
Time-stamping
of messages
X-Road Core
Trust Services

5. X-Road as a Technical Platform for
MyData
Digital
Identity
MyData Operator
Access Logs
Consent
Consent
Individual
Access Logs
X-Road Security Server
Data
• Both consent and data are transferred via X-Road.
• X-Road logs all the requests and the logs are used for
providing a centralized view to access logs where the
individual can see who has accessed his or her data.
• X-Road provides
• Organization level authentication
• Machine to machine authentication
• Standardized messaging model
• Non-repudiation of messages
• Access rights management
• Address management and message routing
• Transportation level encryption.
Data Source Data Using Service

6. MyData via X-Road
Security Server Security Server
Data Source
3. Check
access rights
(global group)
MyData Operator
1. Check consent (*)
4. Return response
2. Send request
Access logs (*)
Data Using Service
3.1 Check consent (*)
(optional)
Access logs (*)
* Checking consents and transfering access logs is done via X-Road.
All the registered data using services have access to all the
registered data sources. Consents are used for managing
authorizations to access the data of individuals.

7. MyData via X-Road
u Consents are managed by the MyData Operator.
u Every data source and data using service must implement the required MyData
APIs and enable their services to be connected with MyData accounts.
u X-Road client/service identifier must be stored by the MyData Operator.
u Access rights to data sources are managed using X-Road global groups that
are centrally managed by the X-Road operator.
u Registered data using services are added as members of the global group by
the X-Road operator.
u Data sources grant the MyData global group access to their MyData services –
all the members of the group then have access to the services.

8. MyData via X-Road
u All the registered data using services have access to all the registered data
sources. Consents are used for managing authorizations to access the data
of individuals.
u Data using service is responsible for checking the consent before
sending a request.
u No consent is found => no request is sent.
u Consent is found => request is sent and the ID of the consent is included in the
request (with other required parameters, e.g. user ID).
u Data source trusts the data using service and does not re-check the
validity of the consent.
u Alternatively, data source may re-check the validity of the consent. Increases
trust – and overhead.

9. MyData via X-Road
u All the requests and responses are logged by X-Road.
u Information related to MyData requests/responses (consent ID, data
using service, data source, user ID identifying the individual,
date/time etc.) is made accessible to the MyData Operator.
u Individuals can view who has accessed their information through
their MyData account.
u Unauthorized use of individuals’ data can be
automatically detected by analyzing the logs and is subject
to penalties, e.g. exclusion from the service etc.

10. MyData via X-Road
MyData Operator
Data SourceData Using Service
Central Server
• Register data using service (subsystem):
FI.COM.12345-6.Client
• Add subsystem to MyData Clients global
group
• Publish data source:
FI.COM.65432-1.Service.getData.v1
• Register data using service:
FI.COM.12345-6.Client
• Register data source:
FI.COM.65432-1.Service.getData.v1
Certification Authority
(CA)
Security Server Security Server• Get auth and sign certificates.
• Check validity.
FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1
MyData Clients (global group):
FI.COM.12345-6.Client
FI.GOV.XXXX.XXX
FI.COM.XXXX.XXX
.
.
Grant MyData Clients access to:
FI.COM.65432-1.Service.getData.v1

11. MyData Account and Consents
ID Individual Data Using Service Data Source User ID Validity
Label Consent ID
– random
string
Social
security
number
X-Road client identifier
of the data using service
X-Road service identifier of the data
source
The ID identifying the individual in the
data source, e.g. social security
number, Facebook ID, Google ID etc.
The period when the
consent is valid.
Example 619KOZDLS2 121275-123A FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 121275-123A 1.3.2018-31.12.2018
u Individuals manage consents through a MyData account.
u X-Road identifiers are used for identifyind the data using service and
data source (not visible to the user).
u If social media user ID is used, the social media account must be
confirmed and linked to the MyData account. In addition, the data
source must define the ID that’s used for identifying the user. By default
social security number is used.

12. X-Road Provides
u Organization level authentication
u Machine to machine authentication
u Standardized messaging model
u Non-repudiation of messages
u Logging of messages
u Access rights management
u Address management and message routing
u Transportation level encryption.

13. X-Road Does Not Provide
u Semantic interoperability
u Common business data models
u Standardized business APIs
u Implementation of the MyData Operator
u Consent verification.

14. Questions?

15. WWW.NIIS.ORG
petteri.kivimaki@niis.org
+372 7130 802