OPEN DATA ARCHITECTURE PLAN Clause Samples

OPEN DATA ARCHITECTURE PLAN. The core system architecture uses a centralized data store that will be hosted in the European Union (it is still to be decided whether this will be on the premises of one of the partners or with a cloud solution provider such as Microsoft Azure or Amazon AWS). However, student personal identification data will be decoupled from the main data structures and made available as a separate Personal Data Store (PDS) component, with a specialized API layer that implements access control rules and performs extensive auditing of all access requests. Personal data in the central repository will be stored using de-personalized identity tokens that cannot be traced back to a real person without access to the PDS.

The architecture allows personal data to be split across multiple PDS components, each stored in a different location (a country or the premises of the educational institution), so that each is separately administered and controlled. Finally, administrative roles in the system will be created using separation of duties principles, which makes it possible to implement scenarios in which no single administrator has access to both the personal identification data in the personal data stores and the actual data contents stored in the main data store. This will prevent malicious administrators from circumventing regular access or interfering with access auditing policies. Using standardized API interfaces for personal data access also allows existing systems that already track student data (e.g. LMS) to be extended in the future and act as a PDS themselves.

The table below (Table 1) details multiple deployment scenarios using this approach. These can be mixed depending on each implementing entity's requirements.

1. Personal data is stored using the same central infrastructure as the rest of the system, in an EU datacentre.
   - Simplified and reduced-cost rollout to countries and entities that adhere to common EU privacy laws.
   - Reduced infrastructure and personnel required from the implementing entity side.
   - Specialized team that handles system security and maintenance.
   - The administration team should be correctly vetted, with separation of duties and access to private data on a need-to-know basis only.
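The PDS design described above can be sketched in a few lines. This is an added example, not code from the plan or its authors: the role names, class names and sample record are hypothetical, and it shows a single in-memory PDS with random tokens, an audited resolve call, and a role registry that refuses to give one administrator both kinds of access.

```python
import secrets

# Hypothetical role names: the page only requires that the two be separable.
PDS_ADMIN, DATA_ADMIN = "pds_admin", "data_admin"

class RoleRegistry:
    """Grants admin roles; refuses holding both roles (separation of duties)."""
    def __init__(self):
        self.roles = {}  # admin -> set of roles

    def grant(self, admin, role):
        held = self.roles.setdefault(admin, set())
        if {PDS_ADMIN, DATA_ADMIN} <= held | {role}:
            raise PermissionError(f"{admin} cannot hold both admin roles")
        held.add(role)

class PersonalDataStore:
    """Only holder of the token -> identity mapping; audits every request."""
    def __init__(self, registry):
        self.registry = registry
        self._identities = {}
        self.audit_log = []  # (caller, token, outcome), written for denials too

    def enroll(self, identity):
        # Random token, not derived from the identity, so it cannot be
        # recomputed or reversed without access to this store.
        token = secrets.token_hex(16)
        self._identities[token] = identity
        return token

    def resolve(self, caller, token):
        if PDS_ADMIN not in self.registry.roles.get(caller, set()):
            self.audit_log.append((caller, token, "denied"))
            raise PermissionError(f"{caller} may not read personal data")
        identity = self._identities.get(token)
        self.audit_log.append((caller, token, "ok" if identity else "unknown"))
        return identity

def demo():
    registry = RoleRegistry()
    registry.grant("alice", PDS_ADMIN)
    registry.grant("bob", DATA_ADMIN)
    pds = PersonalDataStore(registry)
    token = pds.enroll({"name": "Constructed Student"})  # constructed sample
    central_row = {"student": token, "course": "math-101", "grade": 87}
    try:
        pds.resolve("bob", central_row["student"])  # data admin: refused, logged
    except PermissionError:
        pass
    name = pds.resolve("alice", central_row["student"])["name"]
    return central_row, name, [(c, o) for c, _, o in pds.audit_log]
```

The central-store row carries only the token, and the audit log records the refused request as well as the permitted one, which is what lets a reviewer spot an administrator probing outside their role.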