Rotterdam, the Netherlands, 4th of May, 2021.
If general company mandates are refined into micro-mandates that can adequately reflect company policies then these micro-mandates must be issued as verifiable credentials in order to minimize data disclosure
“Is Jasper still sick?” Inquiring about a sick employee is a day-to-day business operation that needs a matching level of efficient execution. Company policy might be in place to “take care of business” in any event, but obtaining the knowledge on Jasper’s condition is not so straightforward. Health data are considered sensitive personal data and are therefore extra protected by European law and regulated under GDPR. Agencies processing such data are under the obligation to verify the legal basis or mandates for employers enquiries into employees health status.
This paper examines the concepts of mandates and micro-mandates for Dutch companies,
and what would need to be done to turn a centralized data registry like the Dutch KvK service into a decentralized administrative service that meets SSI standards as defined in eSSIF-Lab, W3C and the Principles of Self-Sovereign Identity.
The current implementation of company mandates in the registry of the Chamber of Commerce is not always able to reflect the internal mandate hierarchy for these organizations. By using a more specific, flexible and time-dependent micro-mandate in the form of a verifiable credential, more granularity is possible, both for holders of this micro-mandate, as well as for verifying parties. Current centralized data registries will need to be transformed into decentralized administrative services, in order to make this happen.
In this paper, the micro-mandate is described by a use case.The use case describes what an employer, checking the status of a sick employee, should (not) be doing in the current setting. The current verification process is not only complicated and costly, it also makes all involved parties vulnerable to the risk of violating GDPR rules and leaving a trace of unwarranted data. The paper concludes that issuing micro-mandates in the format of self sovereign verifiable credentials, this problem would be solved.
The Dutch Chamber of Commerce, Kamer van Koophandel (KvK) is the Dutch national registry for companies. The KvK database contains company mandates: a company registration contains the names of the parties (persons) that are legally allowed to act on behalf of this company by using a mandate. These parties can then take the role of mandatee.
As an experiment, together with Bloqzone the KvK recently introduced the concept of micro-mandates, where mandatees can mandate others to act on the company’s behalf, for specific kinds of transactions with specific parties and within a specific timeframe. The need for this micro-mandate was expressed by the government agency Uitvoeringsinstituut Werknemersverzekeringen (UWV). Using the current company mandates, the UWV signalled a problem in delivering service via the call center.
Bloqzone developed a PoC that uses Bloqzones service ID-Call to provide a communication channel which sets up micro-mandates real-time in a GDPR compliant way, satisfying the needs that the UWV expressed.
The PoC showed a further need for an SSI based decentralized architecture. Bloqzone and TNO used this finding as a starting point for this analysis of the micro-mandate and a possible architecture choice for the solution.
We examined the existing situation around the use of the current general company mandate as it is used for mandatee verification in a call center situation handling privacy sensitive information on the health status of an employee. We found the following two problems:
4.The Use Case is “Is Jasper still sick?”
In this section, the use case “Is Jasper still sick?” is described. In the first part, the use case unfolds within the current setting, with the current rules on general company mandates. It is shown why this can go wrong: the mandate is not granular enough. In the second part, we add the micro-mandate.. We conclude that a micro-mandate can certainly be useful in this kind of scenario, but also allows for unwarranted shared data in a centralized setting. In the third part the ultimate solution is sketched: the use of a micro-mandate in the form of a verifiable credential.
The demonstrator will make use of the Party-Actor-Actions mental model. We will refer to agency as “scope of authority to act”.
Interaction between the parties
This data registry contains publicly accessible information such as KvK registration number, registration date, company name(s) etcetera. By law, the personal data such as the full name and date of birth of the company owner(s) (bestuurder) are listed according to the notarized original deed of incorporation.
KvK rules dictate that only a single form of mandate is allowed: the general mandate, which is unrestricted in scope and time. Another mandate type (volmacht) can be registered for a specific person with a certain role within the company, often an executive officer. The registration of this company mandate has a great disadvantage: the mandate type is in principle unrestricted in its scope and time.
4.1.Use case scenario 1: general company mandate and KvK issuer maintaining a company mandate register
4.1.1.What goes wrong:
According to Fleurop company policy, Sophie is the employer of Jasper, acting on behalf of Fleurop with the company mandate. Sophie may delegate the task of employee management to another Fleurop employee, in this case Aisha, who may execute this task on behalf of the employer, and inquire about sick employees at UWV. Aisha is hereby granted agency on behalf of the company, based on company rules.
UWV has a number of rules of its own. When an employer calls to ask for an update of a sick employee, UWV rules dictate that
The KvK manages company mandates through the Dutch official administrative registry for businesses. KvK rules dictate that only one kind of mandate is allowed: a general mandate, which is unrestricted in scope and time.
And this is where the process goes wrong. Although Aisha through Fleurop company policy has been legally enabled to request the information from UVW, UVW according to UWV rules is not legally allowed to provide the service to Fleurop. This is reflected in the Jurisdiction model by two Parties that need to collaborate but both have to adhere to rules in their own Jurisdiction. Through the eyes of UWV, the Fleurop mandate gives Aisha no agency.
The only way Fleurop could exercise its own policy of delegating employee management to Aisha, would be to add her to the KvK-register. This unfortunately would necessarily enable Aisha to act on behalf of the company in all matters, i.e. signing contracts or opening a bank account. The one mandate that UWV would accept gives Aisha too much agency.
Conclusion: the KvK mandate does not always satisfy the mandate structure that exists within a company, defined in business rules in a company policy. A more limited mandate is therefore needed: a micro-mandate. The extent and type of limitation of this kind of mandate may vary, but for HR manager Aisha would probably not include the opening of bank accounts:a micro-mandate would be specific as opposed to the general mandate.And of course, to make it work parties like the UWV need to update their rules to accept this micro-mandate.
4.2.Use case scenario 2: Micro-mandate and KvK issuer maintaining a micro-mandate register
Creating a micro-mandate would allow for the following situation:
4.2.1.What goes right:
This time, by creating a commonly recognised micro-mandate that is more specific and attuned to the situation, Fleurop is able to obtain employee information from UWV through its HR officer Aisha, in compliance with Fleurops’ rules. Likewise, UWV is able to brief Fleurops’ HR manager Aisha on the employee status, in compliance with its own updated rules which recognise micro-mandates as lawful mandate types. This micro-mandate gives Aisha just enough agency, and UWV can accept this micro-mandate.
4.2.2.What goes wrong?
Due to the limited scope of micro-mandates, the entity maintaining the register of micro-mandates is all of a sudden privy to some new information. The frequency with which the existence of Aisha’s micro-mandate is checked tells the maintainer (in this case KvK) about the health status of Fleurop employees and thus the working environment at Fleurop. Also, KvK may draw conclusions about the effectiveness of Aisha as an HR manager, and how she compares to other HR managers in comparable circumstances. The information gained does not fall within the original purpose for data processing, namely delivering a validation service; the information flow is thereby unlawful by GDPR standards.
While remedying the previous use case, a centralised registry of micro-mandates creates a new problem due to their specific nature: the usage of the registry harbours the potential of abuse. Therefore, a responsible implementation of micro-mandates requires something more: SSI.
4.3.Use case scenario 3: a micro-mandate is issued in the form of a verifiable credential.
Creating a micro-mandate and issuing it as a verifiable credential would allow for the following situation:
4.3.2.What goes right?
The mission is accomplished: Fleurop obtains the requested knowledge on the health status of Jasper from UWV. In delivering the service, UVW has complied with GDPR and checked the mandate of the request and the identity of the requester, thereby securing the sensitive personal health data of Jasper. The UWV operator Elwyn has not obtained any unwarranted knowledge about Aisha and neither Aisha nor Sophie has obtained any unwarranted knowledge about Jasper.
No third party such as KvK has obtained any correlatable data about the request from Fleurop to UVW.
4.3.3.What goes wrong?
Nothing goes wrong.
Whether Fleurop keeps its own register of micro-mandates or outsources this to a service provider, there is no longer a correlation between the use of the register and Aisha contacting the UWV. Conclusion: the potential of abuse has now disappeared.
5.Micro-mandates in detail
5.1.A micro-mandate is a mandate that is limited in the sense that it is:
As argued in use case 2, a centralised register of micro-mandates creates the potential of abuse, whether managed by KvK or a third party that acts as a service provider for the likes of Fleurop. Therefore micro-mandates should be implemented as verified credentials using SSI.
Using SSI means that company employees carry their own SSI-wallets with a mandate or a micro-mandate in it. This bars the micro-mandate registry maintainer from recording individual sessions of the employees. If feasible the wallet could be used to additionally carry the owners’ identity data, further reducing the risk of correlation.
5.2.An SSI micro-mandates register consists of
Schemas are typically public but can be private.
5.2.2.The registry and revocation registry of micro-mandates
The registry of micro-mandates exists solely for the purpose of revocation and can be managed by the issuer, in this case Fleurop or a service provider acting on behalf of Fleurop. The same goes for the public revocation registry, only to be used by the holder to obtain a proof of non revocation.
5.3.A basic set of governance rules of a registry of micro-mandates:
This structure of such registry would:
6.Compliance through SSI,protection against breaking the rules
When issuing the micro-mandates as specified above, advantages can be shown for all parties that are involved:
Outside of the scope of this paper, some areas of extended use of micro-mandates as verifiable credentials would be worthwhile to further investigate:
When presenting micro-mandates as suggested in 4.2.1., the third use case, tangible advantages are shown. Not only can a micro-mandate be used for specific kinds of transactions, within a limited time frame, but this micro-mandate can also reflect an organization’s specific mandate hierarchy. This micro-mandate does not have to be issued by the KvK, but might be specified by a third party. As a result, data can be issued more efficiently while privacy of all stakeholders is protected.
About the authors:
Alexander Blom is CTO at Bloqzone
Line Kofoed is CEO at Bloqzone
Sterre den Breeijen is Scientist self-sovereign identity at TNO