The Holistic Data Responsibility Framework

Author: Joanna van der MerwePrivacy and Protection Lead

In the digital age, data is pervasive. The possible insights and capabilities made available by contemporary data increase the importance of ethical considerations at every stage of the data life cycle1. At the Centre for Innovation, we are looking into the bigger picture: protecting the people behind the data. The key theme emerging from this approach is data responsibility.

What is data responsibility?

The 510 Initiative of the Netherlands Red Cross defines data responsibility as:

 “the responsible processing of data with respect to ethical standards and principles in the humanitarian context, bearing in mind potential consequences and taking measures to avoid putting individuals or communities at risk”2. UNOCHA’s Centre for Humanitarian Data states that data responsibility “entails a set of principles, processes and tools that support the safe, ethical and effective management of data in humanitarian response”3

However, as UNOCHA’s Sarah Telford has highlighted, the issues of data protection and privacy “are not unique to the [humanitarian] sector and have been gaining broader awareness due to data misuse by big-name technology companies”4. Given the potential of such misuse and the increasing need for high-quality data to inform decision-making in all sectors, the Centre believes that an emphasis on data responsibility is necessary for all organisations, even outside humanitarian contexts.

Misuse or ‘missed use’

As highlighted by the UN Global Pulse5, there are two interrelated challenges to the use of data. Both the misuse and missed use of data can have serious implications. While the misuse of data tends to be more understood, the missed use of data is often overlooked. 

Missed use describes situations in which data is not used to its full potential for good due to fears over its possible misuse. 

So, how can organisations balance the tension between the misuse and missed use of data? The Centre for Innovation develops data responsibility solutions that help organisations maximise the value of data while minimising the associated risks.

Toward a framework of data responsibility

In a 2016 white paper developed with NYU Govlab, the Centre made a call for a responsible data framework that assists in the implementation of “accepted data principles and institutionalise[s] responsibilities and procedures”6. Building on this work, the Centre has devised a framework that outlines the necessary elements that need to be covered when integrating data responsibility into any organisation that works with data7.

The Holistic Data Responsibility Framework

Through our research, we have identified six core Elements which form the foundation of data responsibility: Technology, Legal, Governance, Process, People, and Network. Crucially, shaping and determining each of the six core elements is the Dimension of Ethics.

The Holistic Data Responsibility Framework

The Ethics Dimension | Identifying and establishing the guiding ethical principles of the organisation. 

How do you navigate difficult decisions where other elements or legal ‘grey areas’ do not provide clear answers? By establishing core principles, an organisation can maintain a clear, ethical trajectory through its decision-making practices. This entails continual assessment of what are the ethical boundaries of the organisation and  if any data practices break these boundaries.

The six core elements should always support the organisation in achieving the ethical dimension of the data responsibility framework, thus ensuring that the organisation is designed around ethics rather than the other way around8. Applied at the project level, this ethical dimension requires an organisation, as a first step in data responsibility assessment, to ask: should we do this? 

Once the assessment has been completed across all of the core elements of the framework, it is essential to return to the ethical dimension and ask should we still do this?

The Elements of Holistic Data Responsibility

Technology | Organisations need to ensure that the technological aspects of working with data support their principles and obligations. This includes ensuring access control, encryption, and all other technological measures necessary to protect any data handled throughout the data life cycle.

Legal | An organisation has specific legal obligations based on its location, the type of data it handles, its legal status, and the context of a specific project. However, legal mechanisms can also help an organisation uphold and adhere to its principles. Therefore, this element aims to focus on what the organisation’s legal obligations are and what the legal aspects are that could and/or should be in place.

Governance | Each organisation should have formalised policies and governance structures that support and institutionalise each of the necessary requirements that have been identified from the assessment of the other elements. This includes policies that formalise the technological standards and legal procedures that need to be followed, as well as training mechanisms, data management, and so on.

Process | Although formal policies for the way in which members of an organisation should work may exist, informal processes tend to persist. The strength of this framework is that it acknowledges both formal and informal processes. For instance, if failures in provided tech systems occur, individuals already understand the importance of why those systems and policies exist in the first place. The focus is to enable individuals to react appropriately and responsibly, in order to enact steps to be as secure and ethical as possible. This is closely linked to the next element, people, regarding the human capacity needed to be data responsible. Establishing the ethical principles of the organisation will support this as it will foster a culture of data responsibility.

People | Incorporating data responsibility into an organisation requires that every individual understands and embeds it into their everyday work. Depending on the nature of the organisation’s work, and the differing roles of groups and individuals, the minimum general workforce capacity necessary will vary. It  will also impact the specialised capacity. Assessing this is key: the success of an organisation’s data responsibility relies on the ability of each employee to understand how it relates to their work, how they can implement it, and bring any issues and challenges to light.

Network | The data landscape is constantly evolving. Both positive and negative lessons need to be shared in each sector, but also across sectors. Networks allow expertise to emerge and transfer from organisation to organisation and from industry to industry, enabling both formal and informal learning in a manner that may be quicker than, for example, official assessments and publications. 

By assessing each of these elements, the Centre believes that any discussion around data, data security, and data privacy is not siloed. The Holistic Data Responsibility Framework encompasses all aspects that are needed to take a holistic approach to data responsibility.

    This piece is the first part of a two-part series explaining the Centre for Innovation’s approach to incorporating data responsibility into an organisation’s work. Part Two will provide an example of this framework being applied to the data life cycle and case studies. If you have any specific feedback, questions or thoughts, please contact our Privacy and Protection Lead, Joanna van der Merwe.

    blob-purple-1
    blob-turquoise-1

    References

    1. Data life-cycle: Objectives – Planning & Methods – Collection – Storing – Cleaning – Transfer – Analysis – Disseminating – Feedback & Evaluation – Retention & Destruction
    2. 2018. “Data Responsibility Policy.” November 12. https://www.510.global/wp-content/uploads/2018/12/510-Data-Responsibility-policy-V2.2-20181211-PUBLIC-USE.pdf
    3.  UNOCHA Centre for Humanitarian Data. 2019. “Data Responsibility Guidelines.” March. https://centre.humdata.org/wp-content/uploads/2019/03/OCHA-DR-Guidelines-working-draft-032019.pdf
    4.  Telford, Sarah. 2019. “Data Responsibility in Humanitarian Action: Building trust through dialogue.” UNOCHA. March 15. https://www.unocha.org/story/data-responsibility-humanitarian-action-building-trust-through-dialogue
    5.  Kirkpatrick, Robert. 2019. “Unpacking the Issue of Missed Use and Misuse of Data.” UN Global Pulse. March 18. https://www.unglobalpulse.org/news/unpacking-issue-missed-use-and-misuse-data
    6.  Berens, Jos, Ulrich Mans, and Stefaan Verhulst. 2016. Mapping and Comparing Responsible Data Approaches. June. https://www.thegovlab.org/static/files/publications/ocha.pdf
    7.  It is important to note that data responsibility is not limited to personal data but rather all data, including data that may not traditionally be seen as risky or sensitive.
    8.  Metcalf, Jacob, Emanuel Moss, and danah boyd. 2019. “Owning Ethics: Corporate Logics, Silicon Valley, and the Institutionalisation of Ethics.” Social Research: International Quarterly 449 – 476 . https://datasociety.net/wp-content/uploads/2019/09/Owning-Ethics-PDF-version-2.pdf