This post is by Christopher Wilson.
In March, the Responsible Data Forum and Oxfam GB coordinated a closed roundtable for organizations developing and implementing organizational responsible data policies. The group was carefully chosen to include people who have been advocating and leading thought on responsible data issues within their organizations.
Participants primarily represented large multinational organizations working in the development, humanitarian and human rights fields, as well as three small organizations that also work internationally or regionally. Their organizations were at all stages of policy development – from initial conversations to implementing a policy – and all stages of adoption, with some actively pursuing progressive policies and others resisting.
Image by HikingArtist
The roundtable lasted a full day, and was held according to the Chatham House Rule. Here are some highlights:
We started by mapping out some of the most pressing issues for participants and the community of organizations at large. Unsurprisingly, these issues were quite broad.
Regarding the content of policies
- Terminology – (how) do we search for common terms for responsible data issues? For example, terms like those used in the European regulatory framework have very precise implications (ie “data controller”), whereas ethical standards can be more subjective.
- Protection vs. communal good – How do we move data ethics and privacy discussions beyond a desire for self-protection (protecting an organization’s or individual’s data or security) to thinking about public goods and the agency of data subjects? Also, how do we consider group rights – especially when those groups are often heterogenous?
- Consent – how can it be operationalized in a digital context? How can we ensure truly informed consent?
- Scope: who’s a responsible data policy for? – What kinds of people and teams in an organization should be committed to a responsible data policy? How should they influence its development? Do they have different needs and roles? Who should be bound to the policy? Can all these factors be mapped out as building blocks for policy templates that work for different organizations?
Process for developing a policy
- Co-operation across organizations – what opportunities are there for learning and sharing policy development processes between organizations? Should this be organized according to sectors, like the humanitarian sector? Is it desirable (or even feasible) to standardize policies across organizations?
- Implementation – what mechanisms can help bring responsible data policies into existing workstreams? Most organizations and teams lack the capacity to conduct the risk assessments that any progressive responsible data policy requires. How do organizations anticipate and meet this capacity gap?
- Compliance and accountability – so you have a policy. So what?
Opportunities & Obstacles
Time constraints meant that we couldn’t discuss the above issues thoroughly, but participants did highlight a number of common opportunities and obstacles.
- Many organizations’ overpowering institutional urge towards transparency is a powerful obstacle, meaning that any discussion of the risks that accompany openness or data sharing can be seen as a threat to the norm of ‘open’. Several participants described this as a fundamental position that frustrates their work. As one participant suggested, “people have drunk this kool-aid.”
- Rhetoric is important for creating incentives, both inside and outside an organization. It’s easier to start a conversation about protecting “refugees” than one about protecting “people”, because we understand a priori that refugees require protection. For many organizations, it can be useful to emphasise the risks and harms that irresponsible data practices can lead to. For others, it can be more important to emphasise the advantages of more efficient programming, protecting mandates over the long term, and being seen as “first movers” on the cutting edge of responsible data practices.
- Many large, established organizations already have too many policies governing aspects of responsible data. Adding another policy to this mix can frustrate staff and prevent them from adhering to it. Policies are also often tailored to very specific needs – this makes them useful, but can hamper conversations across the organization. Without doing a policy review, it can be difficult to know where the resources are in an organization.
‘Standards’ by xkcd
The roundtable did not produce any definitive solutions, but participants are continuing to think about how to move these issues forward and create a climate where such work is easier and more effective. If you’d like to hear more about upcoming plans, get in touch.
Food for thought
Perhaps the most productive part of the roundtable was framing some open questions that we will all need to continue grappling with:
- There is a tension between the abstraction and applicability of a policy. Abstraction and generality are useful because they make policies and issues accessible, and demonstrate utility to a wider selection of people and processes. Abstraction is often also the product of processes in which several perspectives must agree on definitions for slippery concepts like consent or data ownership. However, high levels of abstraction can implementing policies difficult because they tend to include little instruction and guidance that is applicable to specific challenges.
- There is a challenge inherent in creating static policies for changing contexts. Policies often need to be fixed and specific to ensure accountability, especially in large and distributed organizations. Fixing policies “in-stone” stands in stark contrast to the fast-moving, dynamic contexts in which these policies are to be implemented. It’s critical to be conscious of local laws and norms, but power relationships and political challenges in countries can change suddenly and with little warning, dramatically altering the kinds of responsibilities and risks posed to development, humanitarian and advocacy organizations. The world of technology develops rapidly too: tools for communicating and sharing information go out of date, as do security protocols and the strategies for managing them.
- There’s an open question as to whether responsible data policies should apply outside of organizations. In particular, large organizations often outsource data collection and management to partners and companies in the countries where they are working. Smaller organizations also often rely on third parties for data management, either formally or informally. Can separate agreements be used to ensure that third parties adhere to data policies, or do they need to be adapted on a case-by-case basis?
- Who should “own” responsible data policies? For some organizations, there is a clear advantage to having a data officer or other dedicated position for developing and implementing responsible data policies (in much the same way that academic institutions have ethical review boards). There is a danger in concentrating these responsibilities in a single role, however. Lawyers will, for example, often have a very different set of preconceptions regarding responsible data to those of IT experts, program staff, ethicists or social scientists. Establishing a single role can also make it challenging to keep all the different people and departments responsible for implementing a policy engaged in its development and review.
- Organizations and individuals might not understand how much data is actually involved in their work, or might have an unrealistic understanding of their own capacity to handle responsibility challenges. Sometimes, specific teams will argue that they already have solutions to these problems in their work, frustrating efforts to understand and address challenges as they manifest across an organization. If recognized, how can these mis-perceptions be managed and engaged to make policies and their implementation stronger?
- So many responsible data challenges are similar across organizations and contexts, but require small adaptations. Could there be any building blocks for responsible data policies, which could be adopted and adapted on an a la carte basis?
- Producing and implementing a policy is not the same as socializing a policy. At the end of the day, for a policy to have impact the people using it and bound by it must understand its importance, and know where to find help in adhering to it. This has implications for resource allocation, and organizational principles. How can policies be mainstreamed and embedded into existing guidance instead of introducing new tools, resources or people? This requires careful thought and engagement with organizational management.