Information Policies

Ten HAT Information Policies support the five HAT operating principles. These are the key features of the HAT Trust Framework and the Terms of Use of the HAT. The HAT Information Policies are necessary for all HAT Participants to successfully implement the HAT vision. The HAT Information Policies define the responsible actions and outcomes required by HAT Service Providers in order to achieve HAT Certification. The specific HAT Information Policies that implement the HAT Principles are the following rules. These policies apply to HAT roles such as HAT Platform Providers (HPP), HAT Application Providers (HAP), HAT Developers and other HAT Service Providers.

HAT INFORMATION POLICY 1 – Definition Of Personal Information & Usage Data

The data defined as personal data will be described by a HAT personal data use taxonomy. This is the definition of what data will be stored and collected by the HAT User and recorded by the HAT on the behaviour of the HAT User.


The personal data use taxonomy will be an auditable record that will be visible to a HAT User. A HAT User will be able to see the usage of their HAT Data by HAT Service Providers. The HAT User will be able to access the audit record of their HAT Data. This includes a record of HAT-to-HAT Service transaction exchanges. A HAT Service Provider can record all HAT transactions collected or generated for a HAT User. A threshold can be set for how the HAT transaction may be chargeable by the HAT Service Provider.

HAT INFORMATION POLICY 3 – Visibility Of Data & Services

The HAT User will be able to control the visibility of HAT Personal Data to other HAT Users and/or HAT Service Providers. A HAT Service Provider may make their HAT Services visible to one or many HAT Users, but may make visible only HAT Personal Data for which explicit consent has been received from the HAT User who owns that data. This is to enable visibility to the HAT Ecosystem of HAT Services, HAT Devices and HAT Service Providers, HAT Applications and HAT Users within the conditions of the HAT User’s consent to access and use their personal data.

HAT INFORMATION POLICY 4 – Personal Data Access Control

Definition of Access means “View only HAT Data” – A person can control access to their personal HAT data, controlling what is transmitted from or to other parties. This access control is provided by the HAT Service Provider to the HAT User over their HAT Data.

HAT INFORMATION POLICY 5 – Personal Data Usage Control

Definition of Usage means “able to add, update and change HAT Data”. A person can control their personal HAT Data use for a general or specific usage scenario for matching and general use. For example, this covers control of the use of HAT Personal Data that is for general sharing or private to access and use by HAT Service Providers, such as general interests and services. It also covers scenarios that involve specific personal data usage and choices for a HAT User, for example HAT User activity, user-specific preferences, likes and dislikes to share with HAT Providers.

HAT INFORMATION POLICY 6 – Personal Authorisation Control

Definition of Authorisation means “able to set a permission level”. A person can control the access and use of their HAT Data by controlling the authorisation of its use. The HAT Service Provider will provide Opt-in and Opt-out choices for HAT User authorisation permissions of their HAT Data.

HAT INFORMATION POLICY 7 – Personal Data Release & Notification Control

Definition of Release means “able to control what is broadcast as notification”. A person can control the release of their HAT Data to HAT Users and HAT Service Providers. The HAT Service Provider enables the HAT User to control the release of what HAT Personal Data is made available to HAT Service Providers. Notifications will be provided to the HAT User of when HAT Data has been accessed and used by the HAT Service Provider and in transactions between HAT Services, including notifications of any security violations of HAT Data that affect the HAT User. HAT Personal Data that is shared and used will be based on the HAT User Authorised Permissions.

HAT INFORMATION POLICY 8 – Personal Data Security

A HAT User is able to determine the security of their personal data by the HAT Service Provider that is hosting their HAT Data. This includes safeguards in managing HAT Personal Data such as firewalls and data encryption; physical access controls to HAT data centres; secure transmission and information access authorisation controls; and monitoring, detection, notification, escalation and prevention of fraud and misuse of HAT Data.

HAT INFORMATION POLICY 9 – Personal Data Geolocation

All Personal HAT geolocation data tagging must be visible and controlled as an option of anonymity by the Personal HAT User as part of the HAT personal authorisation permissions.

HAT INFORMATION POLICY 10 – Personal Data Removal

HAT Data would be removed after transactional use by the HAT Service Provider. The HAT Service Provider conducts data sanitisation to ensure that HAT User data privacy is maintained after the data is used by HAT-ready Devices and HAT-ready Services. HAT Data that ceases to be hosted by a HAT Service Provider is removed from their HAT Hosting service and is no longer accessible by that HAT Service Provider. HAT Data may only be retained based on compliance with local legal requirements.

How to obtain certification