This is a guest post by Amy O’Donnell, adviser on applications of information communications technologies (ICTs) to support programming at Oxfam GB.
While applications of data have the potential to enable organisations like Oxfam to be more needs-driven and responsive, data also has the capability to put communities at risk if the related processes are not responsibly designed or managed. Adopting meaningful approaches to data security and ethical methodology is not a new effort within Oxfam, or in the broader development community. However, the rapidly changing digital landscape is presenting new challenges and opportunities that require Oxfam to react and alter the way we collect, store, manage, use and dispose of data responsibly.
That’s why we at Oxfam are working on a Responsible Data Policy, which is a starting point towards ensuring that our staff have appropriate guidance and support in order to adopt better data practice. I have been participating in a working group at Oxfam whose target has been to develop a policy that will encourage responsible data for all Oxfam programming from humanitarian, to campaign and long term development work.
I remember very clearly when the group who were developing the policy for Oxfam had a light bulb moment – you could sense the energy in the room. It came when rather than focusing on Oxfam’s commitments and responsibility, we reframed the whole question and policy in terms of the rights of those who data is about. As a rights based organization, Oxfam is committed to using data responsibly in order to uphold the rights of the individuals, groups and organizations with whom we work.
Oxfam’s Responsible Data Policy involves ensuring we obtain informed consent from those who have shared their data, not collecting unnecessary or potentially damaging data, and protecting privacy through anonymization, restricted access or encryption. Furthermore, it includes the responsibility to fairly represent the contributors of the data in analysis and perhaps involve them in the process of how data is used by adopting less extractive and more empowering methods.
We also added a statement that “This policy should not be seen as restricting or discouraging, rather to enable the invaluable contribution that data makes to the quality of our work, enabling accountability and allowing us to raise the voice of those with whom we work.“ This helps us communicate the importance of the policy to others. We also recognize that the policy has implications far beyond Oxfam – the way we employ our Responsible Data Policy has the potential to influence how our partners and other stakeholders with whom we work think about and manage data.
By sharing our process at Oxfam about how the policy has evolved and integrated into our methodology, we hope we can start a conversation to relate to other agencies going through a similar process. The development of the policy has been a multi-step process and the work is ongoing, but here’s a snapshot of what we have done so far:
1. Find out what already exists – First we did a review to figure out what resources and support are available. We often refer to ICRC’s Protection Standards, Save the Children’s guidance on working with children and UNICEF’s advice on research ethics. A number of relevant Oxfam guides already exist, but they need updating to ensure their relevance in light of new realities.
2. Define the scope – We knew the policy had to focus on good practice throughout the data cycle, from the design of the data collection process, through the storage analysis and use of results, and finally to the disposal of the data. We had to make sure we had clear focus and scope, so we decided not to cover ethical research methods that we already have guides around (for example on control and comparison groups). At first we called the policy Data Ethics, but we soon realized this placed too much emphasis on the methodology and not enough on the full scope of related data processes.
3. Check in with others – After we got a draft on paper, Oxfam went to RDFBuda, the M&E Tech Series in the US and The London Tech Salon on “Data for Development.” Not only did these events help us figure out where we can access the expertise we need; meeting others helped us feel like we are not alone as we engaged more deeply in the responsible data community. We helped to develop a working definition of responsible data at RDFBuda, which resonated so much that we named our policy the “Responsible Data Policy”.
The responsible data definition (produced at RDFBuda, September 2014)
The duty to ensure people’s rights to consent, privacy, security and ownership around the information processes of collection, analysis, storage, presentation and reuse of data, while respecting the values of transparency and openness.
4. Consultation and policy development – Immediately after RDFBuda, Oxfam colleagues met to work on the policy. It was crucial for us that this group was cross affiliate (Oxfam is made up of 17 groups) and had representatives of various roles within the organization (M&E, ICT, Researchers, regional perspectives) to include their support and insights from the outset. We included specific considerations for humanitarian response and gender issues.
5. Communication and buy-in – We used the opportunity of our existing Monitoring Evaluation and Learning (MEL) structure to jump on a meeting in Delhi where colleagues commented on the working draft. The group appreciated the rights based approach that underlies the policy elements, and recognized the growing need to put a policy in place. This meeting was a breakthrough – it showed the undeniable need and consensus this is something we need to work on – but also affirmed concerns about practical implications and accompanying guidance and support. Now we have a plan to tell the whole organisation about the importance of this initiative without using too much jargon. We are taking steps so that it can be embedded into existing guides on best practice methodology.
6. Ensure staff have support and guidance – Without guidance and support to enable staff to put recommendations into practice, the policy is relatively meaningless. The policy is just the beginning, our next steps include the development of minimum standards, operational guidance and drawing on the expertise of others to support the implementation of the policy in reality.
Responsible data is an undeniable issue affecting the way development is evolving and we’re sure that we are by no means the only agency facing responsible data challenges or the only agency with requirements for better guidance. So our next step is that we want to invite other like minded NGOs to work with us in an honest space to share approaches, challenges and concerns. We are hoping to organize an event with the engine room to host a conversation and to share learning on approaches to responsible data. So if you are thinking about similar challenges in your work or developing a policy along these lines, please get in touch through the comments.
Overall we have to remember that protection of data is not just an issue about technology and functionality, it is an issue about well designed content and methodology. Data has the potential to empower and allow us to be more responsive, as well as holds the risk of potentially damaging consequences. By designing effectively and responsibly, we can enable the invaluable contribution that data makes to the quality of our work, upholding accountability and allowing us to raise the voice of those with whom we work.
7 thoughts on "Developing an Organisational Policy for Responsible Data"
Amy, thanks so much for sharing your experience so far in developing a responsible data policy with Oxfam! You point out some really important milestones that should be considered for others interested in developing this kind of organizational policy. I’m eager to learn more about your next steps, and what lessons and advice you are taking away from those experiences.
One question that came to my mind while reading this is, who takes ownership of this initiative? I’m curious because I think it might relate to the sustainability of such an effort. Do you have a policy team within Oxfam that has the responsibility of keeping these processes going, and can continue to update them and keep the documents alive? I’m also curious to know the impetus for this effort – was it a responsible data champion from within the organization? Was it the policy team? Was it the tech team? Requests from the national office for more clarity? An outside consultant? We know that many practitioners struggle to get this topic on their organization’s agenda, so it would be helpful to know how you did it!
And if there are other organizations who are working on similar policies, or have developed them, or are struggling – please share your thoughts, questions and ideas here!
Kristin Antin – the engine room’s Community Catalyst
Great questions and its reassuring to know that we are going through similar phases to others and there are opportunities to learn from each other. I think socialisation of the policy and moving it into reality in practice is going to be the next major step. We need to have appropriate guidance and support to go with the policy when it comes to implementation. That’s why we’re so keen to work with others to scope what exists and what the gaps are so as much as possible we don’t have to reinvent wheels.
On ownership we have management structures including regional and country directors we hope will play a role in stressing the importance of the policy. We will be consulting executive directors on the formal structures next month. There is no formal team at the moment – people are offering resource from across the confederation from MEL, research, ICT teams but there is no dedicated function at the moment. We have agreed to update the policy in 2 years – albeit we have tried to keep the policy as timelessly relevant as possible – the resources and specific guidance are more likely to be time bound as technologies change. For sure the sustainability question needs to be covered – but overall responsible data is such an important issue there’s no question we have to confront it.
I would be interested to learn what others are doing?
Its interesting how you ask how this came about – its been an important issue for all sorts of staff for a long time but there has been strong motivation from MEL research and protection teams in particular to follow it through. I also think external events like RDF Buda, M&E Tech and others have helped push this agenda forward.
Thanks for the conversation!