Publications

Holistic Data Responsibility Framework in Projects: Effective and Ethical Implementation

Hannah Wood & Joanna van der Merwe
Author:Hannah Wood & Joanna van der Merwe

In 2019, our landmark Holistic Data Responsibility Framework mapped out ethical data management into seven elements. In this step-by-step guide, we’ve published our experience of effectively implementing the Framework to protect the people behind the data you process.

Introduction

For years now, the Centre for Innovation has developed expertise with a broad range of partners in the field of data management. We’ve worked with big players in the tech industry, government departments and global humanitarian agencies to prevent the misuse of data as well as its missed uses. Looking at the bigger picture, the exponential increase in data collection, processing, and analysis made available by contemporary technological capabilities brings both promise and risk. In 2016, alongside NYU GovLab, we made a call for data responsibility

Over the past years, we asked: how can we maximise positive impacts of large-scale data for society without exposing it to the risk of harm? Working with our partners we crafted a Framework for organisations and data-driven partnerships to ethically and responsibly use data, protecting the people behind it. The result: The Holistic Data Responsibility Framework, an emancipatory framework that embeds ethics into data management and sets out terms of engagement for both public and private organisations to responsibly maximise the potential of data. 

The Framework: a re-cap

Years of research broke down data responsibility into six core elements: technology, legal, governance, process, people, and network. Each of these areas is critical to implementation of data management. Moreover, cross-sectioning each of these elements is what we’ve called the dimension of ethics. This is a mode of thinking that provides a clear ethical trajectory for decision-making.

How to implement the Holistic Data Responsibility Framework

To advance this Framework, we’ve consulted and worked with partners who are eager to bring it into their projects. The outcome of this is a three-phase implementation model: a planning phase, an Implementation Phase (consisting of five steps), and a review phase. The planning and review phases allow organisations to establish the Ethics Dimension and maintain an agile data-responsible plan of action. In the Implementation Phase, a Five-Step Implementation Process enacts the ethics dimension across each of the elements.The three phases can and should be periodically repeated.

Planning Phase: Establish the ethics dimension

The Ethics Dimension operates as a set of principles that must be embedded in every element, decision and action. It is a check and balance; a threshold that maintains the project or activity’s data responsibility. 

Core to the Holistic Data Responsibility Framework is that, at each step of its implementation, relevant actors and decision makers must weigh the critical ethical considerations relevant to their sector. In order to weigh ethics during decision-making, an organisation must first decide on its guiding ethical principles. This could be enacted through a detailed set of guidelines, a mission or vision statement. Whatever form it takes, it must be sustainable, if it isn’t it may be that either the project cannot be conducted responsibly or the threshold must be adjusted.

In practicality, there is no common standard. There will always be competing priorities between different sectors, actors and fields. These priorities do not necessarily mean that the ethical foundations are different, it may just be the context in which actors face. For example, both police officers and municipalities have the aim of protecting citizens. However, their context may lead to prioritising different aspects of technological development. Police will focus on the aim of obtaining technology that helps them predict recidivism or crime so that they can conduct efficient and effective policing to protect people. On the other hand, the municipality that governs the police station has the aim to protect its citizens from technology that wrongfully targets minority or disadvantaged individuals. In this example, the municipality and the police force would need to establish a common ethical ground to implement the Framework, thus establishing the red lines around what is and is not possible. It may be the case that the police’s technology cannot meet the ethical standard of the municipality, therefore the digital partnership cannot be completed in a data responsible manner. Otherwise, the proposed technology must be adapted to meet the government’s ethical threshold. 

For organisations with established ethical principles to abide by, this is the chance to deliberately determine how your principles apply to data responsibility. For those who still need to establish a framework, ethics committees can create a set of guidelines that apply to the organisation as a whole and to implement a responsible data usage framework. 

Implementation Phase: Follow the Five-Step Implementation Process

This article outlines a governance-based approach to implementation. We start with the legal and policy-based limitations and move towards the more granular details afterwards. Notably, if decisions in an organisation revolved more heavily around technology-based decisions, it may be advisable to start with “Technology.” 

Legal

First, legal structures provide guidelines about the baseline requirements a group must meet in regards to handling data. Many of these legal requirements are regional or national — rather than universal. By laying out the relevant legal standards that an organisation is bound to, those implementing the framework can start to create a customised framework for decision-making. 

The General Data Protection Regulation (GDPR), the European Union’s version of the legal guidelines for proper data usage, is a simple example of legal requirements that all enterprises falling under its scope must abide by. 

However, many laws have grey areas or are new and lack implementation cases for guidance. It is important to have a practical ethical framework in place in order to guide decision-making when the legal obligations are not completely clear. 

Governance 

In the governance step, leaders decide what shape internal models of data responsibility will take at a higher level. 

Understanding the legal and ethical context provides a framework for analysis. So, in the governance stage, decision-makers can create more stringent data responsibility policies that highlight the ethical decision-framework decided upon and are best suited to the context of work the organisation is engaged in. 

Process

At the process level, the goal is to create an actionable “To-Do List” that lays out how the policies will be executed. At this stage, the plans will be outlined and explained in this stage to be ready for implementation in the following steps. 

Creating a Process from a Policy: Example Box

For example, when a policy claims that “they will respect the right to access data, delete data and allow the users to opt out of personal data collection”. In this case, the process step should include action items such as (1) develop/review process for submitting requests for data access to organisation and (2) draft/review a predetermined system of communications to send to people who request access/deletion of data. Without clear process steps it is hard to practically implement policies. This also allows one to determine what functionalities systems being used must have in order to uphold such an obligation.

Technology 

The technology step has two purposes. First, as defined: “organisations need to ensure that the technological aspects of working with data support their principles and obligations.” 

Second, technology can be used to help implement the “process” guidelines and action items. For example, if a user requests to delete their data, an organisation should be able to know if their technology is capable of deleting the data from all storage locations from a central location, or if it needs to be completed manually. 

It is also key to understand what using certain digital tools means for data collection. Using third party services or tools often means that they collect data, which must be factored into the decision-making process of selecting tools. These tools must be assessed in light of the ethical stance an organisation, legal obligations, but also ensure that this is accounted for in the governance and process steps.

People 

People fulfill significant roles in the data responsibility implementation process. It is vital that there are the correct people in place who understand the legal, policy, process and technology structures in order to facilitate each stage effectively. Furthermore, it is important that an organisation deliberately includes the empowerment of people in its data responsibility planning.

Part of the responsibility of “people” in this final step is also to fill in the gaps that the technology cannot fulfill when implementing the process guidelines. In the case that there is no centralised, technical way to implement the process, people will implement the gaps manually. 

Review Phase: Periodically review the ethical framework and Five Stages of Implementation and build a network of information sharing between similar decision-makers and organisations. 

Finally, both the ethical framework and implementation process requires intense vetting at every step of its creation, and it should also be created with the flexibility to adjust when necessary. This timeline can be determined by the relevant organisations and stakeholders, but we suggest that the process be renewed, at the minimum, with major transitions into new technologies. 

Network

The Holistic Data Responsibility Framework includes ‘network’ as a key element to being a responsible organisation. Building a network through which lessons can be learned is an ongoing activity and will feed information into the various categories discussed.

Conclusion

Ultimately, data responsibility standards are bound to change periodically, and the goals/priorities of an organisation will fluctuate, just the same. Furthermore, different projects may be conducted in different contexts requiring a careful assessment of each of the elements to see how they must be suitably adapted. This framework calls on organisations to take a more deliberate approach to all the factors of being responsible with data because the costs are too high not to pay attention.

Get in touch

Joanna van der Merwe
Joanna van der Merwe
Privacy and Protection Lead
j.s.van.der.merwe@sea.leidenuniv.nl