Q: What kinds of data can be transferred through DTP?

The terms of each organization’s API determine the data types that can be transferred between providers. This ordinarily includes data stored in a specific users’s account, but may not be limited to that data, depending on the organizations involved. Additional or substitute functionality outside of the Data Transfer Project would be necessary for data transfers requiring particularly high integrity (e.g. health records).

Q: Who is responsible for protecting data before, during, and after the transfer takes place?

Each organization is responsible for securing and protecting the data stored on its platform, regardless of whether it is supporting a transfer out or receiving a transfer from another organization. Generally, this includes established practices in securing access, authorization, and authentication to public APIs or other mechanisms. Additionally, this includes writing and enforcing policies governing access to that information through an API or other mechanism. Those specific terms govern the conditions of transferring data into or out of each provider. Additionally, there are baseline security requirements detailed in the White Paper, such as encryption in transit, that should always be adhered to.

Q: When data is transferred, do contributors to DTP or partners of the Data Transfer Initiative all get a copy?

No, when a user initiates a data transfer, their encrypted information flows from one provider directly to another that is chosen by the user. Only the source service, the destination service (and hosting provider, if it is not the source or destination service) have access to the data. No other contributors or 3rd parties have access to a copy of the data as part of the transfer.

Q: Are there common standards by which contributors to the Data Transfer Project should abide in performing transfers?

As described in the white paper, DTP adheres to the following principles:

We believe the following principles around interoperability and portability of data promote user choice and encourage responsible product development, maximizing the benefits to users and mitigating the potential drawbacks.