Micro-mandates

Why companies need micro-mandates and micro-mandates need SSI

By Alexander Blom, Line Kofoed and Sterre den Breeijen

Rotterdam, the Netherlands, 4th of May, 2021.

If general company mandates are refined into micro-mandates that adequately reflect company policies, then these micro-mandates must be issued as verifiable credentials in order to minimize data disclosure.

1. Summary

“Is Jasper still sick?” Inquiring about a sick employee is a day-to-day business operation that needs a matching level of efficient execution. Company policy might be in place to “take care of business” in any event, but obtaining knowledge of Jasper’s condition is not so straightforward. Health data are considered sensitive personal data and therefore receive additional protection under European law, regulated by the GDPR. Agencies processing such data are under the obligation to verify the legal basis or mandate for an employer’s enquiry into an employee’s health status.

This paper examines the concepts of mandates and micro-mandates for Dutch companies, and what would need to be done to turn a centralized data registry like the Dutch KvK service into a decentralized administrative service that meets SSI standards as defined in eSSIF-Lab, W3C and the Principles of Self-Sovereign Identity.

The current implementation of company mandates in the registry of the Chamber of Commerce is not always able to reflect the internal mandate hierarchy for these organizations. By using a more specific, flexible and time-dependent micro-mandate in the form of a verifiable credential, more granularity is possible, both for holders of this micro-mandate, as well as for verifying parties. Current centralized data registries will need to be transformed into decentralized administrative services, in order to make this happen. 

In this paper, the micro-mandate is described by a use case. The use case describes what an employer, checking the status of a sick employee, should (not) be doing in the current setting. The current verification process is not only complicated and costly, it also makes all involved parties vulnerable to the risk of violating GDPR rules and leaving a trace of unwarranted data. The paper concludes that issuing micro-mandates in the format of self-sovereign verifiable credentials would solve this problem.


2. Introduction

The Dutch Chamber of Commerce, Kamer van Koophandel (KvK) is the Dutch national registry for companies. The KvK database contains company mandates: a company registration contains the names of the parties (persons) that are legally allowed to act on behalf of this company by using a mandate. These parties can then take the role of mandatee.

As an experiment, together with Bloqzone, the KvK recently introduced the concept of micro-mandates, where mandatees can mandate others to act on the company’s behalf, for specific kinds of transactions with specific parties and within a specific timeframe. The need for this micro-mandate was expressed by the government agency Uitvoeringsinstituut Werknemersverzekeringen (UWV), which, using the current company mandates, signalled a problem in delivering service via its call center.

Bloqzone developed a PoC that uses Bloqzone’s service ID-Call to provide a communication channel which sets up micro-mandates in real time in a GDPR-compliant way, satisfying the needs that the UWV expressed.

The PoC showed a further need for an SSI-based decentralized architecture. Bloqzone and TNO used this finding as the starting point for this analysis of the micro-mandate and a possible architecture choice for the solution.


3. Existing situation

We examined the existing situation around the use of the current general company mandate as it is used for mandatee verification in a call center situation handling privacy sensitive information on the health status of an employee. We found the following two problems:

  1. The company mandate is inadequate in reflecting the actual mandate situation as expressed in business policies.
  2. Once adapted to a more specific mandate, the information flow in a centralized situation allows for unwarranted shared knowledge.


4. The use case: “Is Jasper still sick?”

In this section, the use case “Is Jasper still sick?” is described. In the first part, the use case unfolds within the current setting, with the current rules on general company mandates. It is shown why this can go wrong: the mandate is not granular enough. In the second part, we add the micro-mandate. We conclude that a micro-mandate can certainly be useful in this kind of scenario, but also allows for unwarranted shared data in a centralized setting. In the third part the ultimate solution is sketched: the use of a micro-mandate in the form of a verifiable credential.

The demonstrator will make use of the Party-Actor-Actions mental model. We will refer to agency as “scope of authority to act”.

The parties

  • Fleurop is a Dutch company.
  • Jasper is an employee, who is ill.
  • Sophie is an employee and the CEO of Fleurop.
  • Aisha is an employee and the HR manager at Fleurop.
  • UWV is the government agency which has knowledge of the health status of Jasper.
  • Elwyn is the call center operator with UWV.
  • KvK is the company registry which has knowledge of company mandates.

Interaction between the parties

  • UWV registers the health status of sick employees. Employers may contact the UWV call center to obtain information regarding the health status of their employees. In order to comply with the Dutch privacy law AVG protecting health data of the individual employee, UWV has a certain verification procedure in place. When an employer calls to ask for an update of a sick employee, the UWV is legally obligated to check the mandate and the identity of a caller before sharing knowledge about the health status of the sick employee. Part of this procedure may be a verification of the KvK registry to ensure that the caller has been mandated to represent the company.
  • KvK, the Dutch Chamber of Commerce, is the Dutch national registry for companies and as such, plays a central role in providing a KYC and GDPR compliance function. The KvK database contains a trove of company data, such as company mandates: a company registration by law contains the names of the parties (companies or people) legally authorised to act on its behalf.

This data registry contains publicly accessible information such as KvK registration number, registration date, company name(s) etcetera. By law, the personal data such as the full name and date of birth of the company owner(s) (bestuurder) are listed according to the notarized original deed of incorporation. 

KvK rules dictate that only a single form of mandate is allowed: the general mandate, which is unrestricted in scope and time. Another mandate type (volmacht) can be registered for a specific person with a certain role within the company, often an executive officer. The registration of this company mandate has a great disadvantage: the mandate type is in principle unrestricted in its scope and time. 

4.1. Use case scenario 1: general company mandate and KvK issuer maintaining a company mandate register

  1. The employer Fleurop, through its CEO Sophie, wants to check the health status of employee Jasper.
  2. Sophie delegates the task according to Fleurop policies to HR manager Aisha and instructs her to find out more about Jasper’s health status.
  3. Aisha calls the UWV and gets Elwyn on the line.
  4. Elwyn asks Aisha for proof of mandateship by verifying her identity.
  5. Aisha provides her own name.
  6. Elwyn checks the KvK register for the company mandate and only finds one with Sophie’s name.
  7. Elwyn denies access for Aisha.
  8. The knowledge regarding the health status of Jasper is not shared with Fleurop.

4.1.1. What goes wrong

According to Fleurop company policy, Sophie is the employer of Jasper, acting on behalf of Fleurop with the company mandate. Sophie may delegate the task of employee management to another Fleurop employee, in this case Aisha, who may execute this task on behalf of the employer, and inquire about sick employees at UWV. Aisha is hereby granted agency on behalf of the company, based on company rules.

UWV has a number of rules of its own. When an employer calls to ask for an update of a sick employee, UWV rules dictate that 

  1. the identity of the caller must be checked
  2. the caller’s mandate to represent the company must be verified in the KvK registry

The KvK manages company mandates through the Dutch official administrative registry for businesses. KvK rules dictate that only one kind of mandate is allowed: a general mandate, which is unrestricted in scope and time. 

And this is where the process goes wrong. Although Aisha, through Fleurop company policy, has been legally enabled to request the information from UWV, UWV according to its own rules is not legally allowed to provide the service to Fleurop. This is reflected in the Jurisdiction model by two Parties that need to collaborate but both have to adhere to rules in their own Jurisdiction. Through the eyes of UWV, the Fleurop mandate gives Aisha no agency.

The only way Fleurop could exercise its own policy of delegating employee management to Aisha would be to add her to the KvK register. This unfortunately would necessarily enable Aisha to act on behalf of the company in all matters, such as signing contracts or opening a bank account. The one mandate that UWV would accept gives Aisha too much agency.

Conclusion: the KvK mandate does not always satisfy the mandate structure that exists within a company, defined in business rules in a company policy. A more limited mandate is therefore needed: a micro-mandate. The extent and type of limitation of this kind of mandate may vary, but for HR manager Aisha it would probably not include the opening of bank accounts: a micro-mandate would be specific, as opposed to the general mandate. And of course, to make it work, parties like the UWV need to update their rules to accept this micro-mandate.

4.2. Use case scenario 2: micro-mandate and KvK issuer maintaining a micro-mandate register

Creating a micro-mandate would allow for the following situation:

  • The employer, through its CEO Sophie, registers a micro-mandate for its HR officer Aisha in the micro-mandate registry (of KvK). This mandate allows said officer to represent Fleurop in all personnel related issues at UWV.
  • Aisha contacts UWV to inquire about Jasper.
  • Elwyn asks Aisha for proof of mandateship by verifying her identity.
  • Elwyn checks the KvK register to see whether an appropriate mandate or micro-mandate has been registered in Aisha’s name.
  • Since the micro-mandate registry contains an applicable micro-mandate, Elwyn is able to brief Aisha on the status of Fleurop’s sick employee, in compliance with UWV’s updated rules to accept these micro-mandates.

4.2.1. What goes right

This time, by creating a commonly recognised micro-mandate that is more specific and attuned to the situation, Fleurop is able to obtain employee information from UWV through its HR officer Aisha, in compliance with Fleurop’s rules. Likewise, UWV is able to brief Fleurop’s HR manager Aisha on the employee status, in compliance with its own updated rules which recognise micro-mandates as lawful mandate types. This micro-mandate gives Aisha just enough agency, and UWV can accept this micro-mandate.


4.2.2. What goes wrong?

Due to the limited scope of micro-mandates, the entity maintaining the register of micro-mandates suddenly becomes privy to new information. The frequency with which the existence of Aisha’s micro-mandate is checked tells the maintainer (in this case KvK) about the health status of Fleurop employees and thus about the working environment at Fleurop. KvK may also draw conclusions about the effectiveness of Aisha as an HR manager, and how she compares to other HR managers in comparable circumstances. The information gained does not fall within the original purpose of the data processing, namely delivering a validation service; the information flow is thereby unlawful by GDPR standards.


4.2.3. Conclusion

While remedying the previous use case, a centralised registry of micro-mandates creates a new problem due to their specific nature: the usage of the registry harbours the potential of abuse. Therefore, a responsible implementation of micro-mandates requires something more: SSI.

4.3. Use case scenario 3: a micro-mandate is issued in the form of a verifiable credential

Creating a micro-mandate and issuing it as a verifiable credential would allow for the following situation:

  1. The employer Fleurop through its employee Sophie issues a micro-mandate as a verifiable credential to its HR officer Aisha, who stores it in her digital wallet. The credential proves that registered company Fleurop has mandated said officer to represent Fleurop in all personnel related issues at UWV.
  2. Aisha contacts UWV to inquire about Jasper and gets Elwyn on the line.
  3. Elwyn checks the identity of Aisha and subsequently verifies the credential that Aisha presents. The credential complies with SSI standards and is issued under the correct governance and therefore, verifying the credential does not entail consulting a register of micro-mandates. 
  4. Since the credential proves to be issued by Fleurop and has not been revoked, Elwyn is allowed to brief Aisha on the status of Fleurop’s sick employee Jasper, in compliance with UWV’s updated rules.

4.3.2. What goes right?

The mission is accomplished: Fleurop obtains the requested knowledge on the health status of Jasper from UWV. In delivering the service, UWV has complied with the GDPR and checked the mandate behind the request and the identity of the requester, thereby securing the sensitive personal health data of Jasper. The UWV operator Elwyn has not obtained any unwarranted knowledge about Aisha, and neither Aisha nor Sophie has obtained any unwarranted knowledge about Jasper.

No third party such as KvK has obtained any correlatable data about the request from Fleurop to UWV.

4.3.3. What goes wrong?

Nothing goes wrong.


4.4. Conclusion

Whether Fleurop keeps its own register of micro-mandates or outsources this to a service provider, there is no longer a correlation between the use of the register and Aisha contacting the UWV. Conclusion: the potential of abuse has now disappeared.


5. Micro-mandates in detail

5.1. A micro-mandate is a mandate that is limited in the sense that it is:

  • vis-à-vis a certain third party
  • only for certain actions
  • within a limited period of time

As argued in use case 2, a centralised register of micro-mandates creates the potential of abuse, whether managed by KvK or by a third party that acts as a service provider for the likes of Fleurop. Therefore micro-mandates should be implemented as verifiable credentials using SSI.

Using SSI means that company employees carry their own SSI wallets with a mandate or a micro-mandate in them. This bars the micro-mandate registry maintainer from recording individual sessions of the employees. If feasible, the wallet could additionally carry the owner’s identity data, further reducing the risk of correlation.


5.2. An SSI micro-mandate register consists of

5.2.1. Schemas

  • Schemas follow W3C’s Verifiable Credentials JSON Schema Specification
  • A micro-mandate schema is typically authored by the verifying entity, who may follow some form of standardization of their own. In our example UWV may choose to issue a standardized UWV schema for the delegation of all HR related tasks.
  • Micro-mandate schemas may vary. A micro-mandate schema for the delegation of all HR related tasks could be entirely different from a micro-mandate schema for the delegation of insurance related tasks.  
  • A micro-mandate schema typically contains 
    • the author
    • the version
    • a common name
    • a legal description
    • mandater, the mandating company, in our example Fleurop
    • mandatee, in our example HR officer Aisha
    • The party the mandate is valid towards: Aisha may only be authorised to represent Fleurop in HR matters when consulting the UWV.
    • The requirements for the identity credentials of mandater and mandatee
    • The revocation mechanism

Schemas are typically public but can be private.


5.2.2. The registry and revocation registry of micro-mandates

The registry of micro-mandates exists solely for the purpose of revocation and can be managed by the issuer, in this case Fleurop, or by a service provider acting on behalf of Fleurop. The same goes for the public revocation registry, which is only used by the holder to obtain a proof of non-revocation.
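As an added illustration (not code from the paper, Bloqzone or TNO), the following Python shows how a verifying party like UWV could evaluate a micro-mandate presented as a W3C verifiable credential in scenario 3 (4.3), enforcing the three limits of 5.1 and the revocation check of 5.2.2. The credential, DIDs, schema URL and revocation list are constructed placeholders, and the cryptographic proof check on the credential is assumed to have been done by the SSI agent beforehand.

```python
import json
from datetime import datetime, timezone

# Constructed sample credential (not from the paper): Fleurop mandates Aisha
# towards UWV, for sick-leave status enquiries only, for three months.
# All DIDs, URLs and ids below are placeholders.
MICRO_MANDATE_VC = json.dumps({
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "id": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "type": ["VerifiableCredential", "MicroMandateCredential"],
    "issuer": "did:example:fleurop",
    "issuanceDate": "2021-05-01T00:00:00Z",
    "expirationDate": "2021-08-01T00:00:00Z",  # limit 3: limited period of time
    "credentialSchema": {"id": "https://schema.example/uwv/hr-delegation/v1",
                         "type": "JsonSchemaValidator2018"},
    "credentialSubject": {
        "id": "did:example:aisha",                 # mandatee
        "mandater": "did:example:fleurop",         # mandating company
        "validTowards": "did:example:uwv",         # limit 1: a certain third party
        "actions": ["inquire_sick_leave_status"],  # limit 2: certain actions only
    },
})

# Constructed: ids of credentials Fleurop has revoked (the registry of 5.2.2).
REVOKED_IDS = {"urn:uuid:00000000-0000-4000-8000-0000000000ff"}
# Constructed: issuers UWV accepts, derived from the KvK representation claim.
TRUSTED_ISSUERS = {"did:example:fleurop"}
# Constructed call times: one inside and one after the validity window.
CALL_TIME = datetime(2021, 6, 1, tzinfo=timezone.utc)
LATE_CALL_TIME = datetime(2021, 9, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse the credential's RFC 3339 timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_micro_mandate(vc_json, holder_did, verifier_did, action, now,
                        revoked=REVOKED_IDS, trusted=TRUSTED_ISSUERS):
    """Return (allowed, reason) for a presented micro-mandate credential.

    Assumes the SSI agent has already verified the credential's proof and
    the caller's identity; this function enforces only the mandate limits.
    """
    vc = json.loads(vc_json)
    subject = vc.get("credentialSubject", {})
    if "MicroMandateCredential" not in vc.get("type", []):
        return False, "not a micro-mandate credential"
    if vc.get("issuer") not in trusted:
        return False, "issuer not entitled to issue micro-mandates"
    if subject.get("id") != holder_did:
        return False, "credential is not bound to the presenting holder"
    if subject.get("validTowards") != verifier_did:
        return False, "mandate is not valid towards this verifier"
    if action not in subject.get("actions", []):
        return False, "action outside mandate scope"
    if not (_ts(vc["issuanceDate"]) <= now < _ts(vc["expirationDate"])):
        return False, "outside validity period"
    if vc.get("id") in revoked:
        return False, "credential revoked"
    return True, "ok"
```

Because every check runs against the credential the holder presents, no lookup reaches a central register during the call; only the issuer's revocation list is consulted.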


5.3. A basic set of governance rules for a registry of micro-mandates:

  • The registry or registries of micro-mandates are managed by the issuer(s) or by specialized service providers.
  • Schemas are issued and managed by schema owners, which represent the verifying party/parties, or by specialized service providers on their behalf.
  • Micro-mandates are typically issued by entities maintaining a client-provider relationship with a schema owner, or by specialized service providers.
  • Revocations can be issued by issuer entities or schema owners.

Such a registry structure would:

  • protect the employer’s mandatee when carrying out their tasks
  • secure privacy protection for sick employees
  • protect the registry maintainer and the UWV employee delivering the service (knowledge) from violating the GDPR.


6. Compliance through SSI: protection against breaking the rules

When issuing the micro-mandates as specified above, advantages can be shown for all parties that are involved:

  • The Chamber of Commerce needs to issue one type of mandate: a claim of representing an organization, where this representative can be a part of the organization. This claim includes the right to issue micro-mandates on behalf of the organization; these micro-mandates can reflect the organization’s delegation hierarchy. By providing this claim in the format of a verifiable credential satisfying the W3C standards, the Chamber of Commerce is protected against inadvertent trespassing of the GDPR.
  • Organizations using the micro-mandate can use the claim of representing the entire organization to issue a micro-mandate to an agent to act for a specific transaction. This delegation is more flexible and situation-specific, needs no intervention by the Chamber of Commerce, and can be issued in real time. On top of that, when using a micro-mandate on behalf of the organization, the holders – both of the mandate and of the micro-mandate(s) – are protected in their function. For example, the holder only learns information on the health status of an employee if the holder has the right to do so. The company mandate holder stays within company rules when delegating the task, as this right corresponds with company policies. Also, the employee whose health status is shared is protected. Information is only shared when needed, meaning that this is GDPR-compliant.
  • UWV can help clients in a faster and more compliant manner. Decisions on how to help are made using qualified data. Employees in the call center are better protected, since they know that the decisions are correct, based on the policies of the UWV. Also, these decisions can be made faster and more efficiently.

7. Future work

Outside of the scope of this paper, some areas of extended use of micro-mandates as verifiable credentials would be worthwhile to further investigate:

  • Use of UWV micro-mandates for other parties that handle health data, such as insurance companies.
  • Use of micro-mandates where companies perform legal actions, e.g. insurance companies, the notariat, contracts between companies.
  • Use of micro-mandates for customer support for other sectors that handle sensitive personal information i.e. telecommunication, religious administrative services.
  • Use of micro-mandates in any action that requires a mandate: requesting information, signing documents. 
  • The possible need for a NL or EU micro-mandate register
  • Replacing central registers with Verifiable Credentials (generally)


8. Conclusion

When presenting micro-mandates as suggested in the third use case (4.3), tangible advantages are shown. Not only can a micro-mandate be used for specific kinds of transactions, within a limited time frame, but this micro-mandate can also reflect an organization’s specific mandate hierarchy. This micro-mandate does not have to be issued by the KvK, but might be specified by a third party. As a result, data can be issued more efficiently while the privacy of all stakeholders is protected.

About the authors:

Alexander Blom is CTO at Bloqzone

Line Kofoed is CEO at Bloqzone

Sterre den Breeijen is Scientist self-sovereign identity at TNO