Index
Assurance helps improve the quality and transparency of information for decision-makers.
Trust Frameworks (TF’s) codify and make public the technical and non-technical (‘sociotechnical’) rules for data sharing agreed by their member organisations (such rulebooks are called Schemes). One function of a Trust Framework is to provide appropriate levels of verification and assurance of member organisations and the datasets they publish, covering both Open and Shared data publication.
Organisations are responsible for verifying that they and their data meet the assurance level requirements, including ensuring accurate and complete data. This may subsequently be ratified by machine testing and/or third-party audit.
The assurance approach and needs may vary. For example, Open Energy may draw on specific regulatory requirements such as UK Ofgem’s Open Data Best Practice, whereas Perseus may draw on the specific needs to enable data assurance for compliance reporting.
Click here to review and comment on the open discussion document
You also contact us at partners@ib1.org with comments or if you can’t access Google Docs
Organisational Assurance
Level 1
This is the minimum requirement for organisations to join the Trust Framework. At this level, organisations have:
- Signed the IB1 Membership Agreement
- This includes endorsement of the Icebreaker Principles
- Paid their membership fees
- Demonstrated a current entity legal registration (GLEIF or Companies House) that matches their website and their IB1 membership information
- Registered with the Information Commissioner’s Office (ICO) if a UK entity, or international equivalent
- Have named individual(s) within their organisations registered as a “Trust Framework Licence Controller”. This individual has legal authority in the organisation to sign, or provide consent to, Open Data or Data Sharing licences on behalf of the legal entity.
- Have named individual member(s) as “Trust Framework Data Controller”. This individual is responsible for the technical security and integrity of data sharing (including consent-based access controls where relevant).
Level 2
The organisation meets all the requirements of Level 1, plus they have:
- For Shared Data, publishers or consumers
- Agreed the Operational Guidelines addendum to the IB1 Membership Agreement
- Published a data strategy that commits to meeting IB1 Dataset Assurance Level 2 for all published data
- Agreed corporate communications to be used for the promotion of the data being shared
- Have commercially reasonable cyber security standards for processing data.
Level 3
The organisation meets all the requirements of Level 2, plus they have:
- Provided 3rd party documentation (e.g. an auditor) to externally confirm/assure ownership and company control.
- Published a data strategy that commits to meeting IB1 Dataset Assurance Level 3 for all published data
- Provided a forum or mailing list for data users (e.g. via an IB1 or 3rd party operated forum)
Level 4
The organisation meets all the requirements of Level 3, plus they have:
- Published a data strategy that commits to meeting IB1 Dataset Assurance Level 4 for all published data
- A dedicated team-building user community
Dataset Assurance
Each dataset published by a member of a Trust Framework is assessed against the following assurance levels:
Level 1
Assurance that:
- The metadata is available publicly on the web in a location recorded in the organisation’s IB1 Registry entry
- Both metadata and underlying data use a machine-readable format
- The dataset contains no personal data and is not subject to GDPR
- For Open Data
- The dataset is published on the web with a licence that is compatible with Open Data
- The metadata specifies IB1-O for the Data Sensitivity Class
- For Shared Data
- The metadata specifies the access conditions for the data
- The metadata specifies IB1-SA or IB1-SB for the Data Sensitivity Class
Level 2
The dataset meets all the requirements of Level 1, plus assurance that:
- Legal
- Metadata includes definitions of usage rights for derived data (e.g. a URL to the conditions for derived data)
- Metadata includes commercially reasonable citations and/or provenance
- Metadata includes definitions of potential risks (e.g. a URL to such a definition)
- Where relevant or required, ensure privacy issues addressed within the published data and the data publication mechanism(s)
- Practical
- Metadata includes dates of creation and publication
- Where a dataset covers a temporal range, this is defined in the metadata
- That the dataset will be maintained and available for a minimum of one calendar year
- Technical
- Data is published in content-appropriate formats that enable data to be used in an interoperable manner by machine-based systems
- For Shared Data, the dataset is immediately available via a FAPI endpoint to any IB1 Trust Framework-registered application that meets the terms of that Trust Framework implementation.
- Social
- Data is documented on publicly available URLs
- A mechanism is available for people to provide feedback and ask questions (e.g. human technical support)
Level 3
The dataset meets all the requirements of Level 2, plus assurance that:
- Practical
- A schedule is published at a public URL documenting the process of maintaining the data’s availability
- Commercially reasonable backups are in place
- A document is published at a public URL detailing the process or data collection, curation, quality assurance and publishing
- Technical
- Inclusion in the metadata of citation(s) to, the underlying open standard(s) used in publishing content-appropriate data is published in machine-readable format(s)
- Publication of a single consistent URL, or clear rules for how URLs are constructed, are made to access the dataset
- machine-readable metadata describing the contents of the dataset is provided (e.g. JSON-LD, CSVW)
- where data is provided by an API, the API has a machine-readable definition (e.g. OpenAPI)
- Assurance that the dataset has availability of at least 99.5%.
Level 4
The dataset meets all the requirements of Level 3, plus assurance that:
- Legal
- The licence terms themselves are machine-readable and available at a persistent URL in a consistent manner
- Practical
- Quality parameters and processes shall be published in a machine-readable format at a persistent URL in a consistent manner
- Technical
- Provenance shall be published in a machine-readable format at a persistent URL in a consistent manner
- URIs shall be used as identifiers within data
- The dataset has availability of at least 99.9%