Responsible data is not meant to be a vague concept. Responsible data moves us beyond technology and ever more data, and outlines how we collectively address the ethical, legal, social and privacy-related challenges that arise in effective data management. It is a set of principles, key elements, tools and guidelines.
When we think about it as a team or organisation, here are questions about key principles to consider:
- How does the way we use data uphold the Humanitarian Principles?
- How do we ensure we ‘Do No Harm’ and do not uphold or increase inequality?
- We should expect different types of illiteracy – linguistic, digital, data, identity.
- What are the rights of the people we work with?
  - Right to be counted and heard
  - Right to dignity and respect
  - Right to make an informed decision
  - Right to privacy
  - Right to not be put at risk
  - Right to be forgotten
- How will we specifically protect and address children, minors, and other specific vulnerable groups?
- What are potential unintended consequences of data?
  - (Re-)identification
  - Surveillance – the care & control spectrum
  - Requiring beneficiaries to trade data for aid
As you work through the above, some of your deliberations and answers may not fit at a principle level. You may feel they are better placed as key elements or in a definition of terms section. This is fine, as there is no one way to do it. The next section is another series of questions to consider, to tease out key elements.
- What is the current awareness and capacity of both staff AND the communities we work with regarding data and technology? What will the minimum requirement be for our projects?
- How can we ensure that people have access to the data held about them? How can we always ensure there are alternatives to digital data capture so people have a choice and are not penalised for it?
- What is our data governance model? How can we improve our transparency about it so people know how their data is being used?
- Who is accountable for what? We should have the most accountability; we need to own it and not hide behind consent and the current legal frameworks.
- Who are our data partnerships? Are we transparent about them?
- What is our view on data ownership and data guardianship?
- How will we/do we identify and classify data? Be specific and clarify.
- Do we know data privacy rights? How can we enable each context and each individual to tell us what data they consider sensitive?
- Do we consider consent as a legal obligation or as a right? Something we desire to ensure happens?
- What are our policies and guidelines on data security, privacy, protection & GDPR?
- Do we know what legal frameworks we must adhere to in which contexts? Which ones we will voluntarily adhere to?
- How will we assess and mitigate risk? Beyond privacy impact assessments and data protection impact assessments?
- Are we aware of bias (gender, ethnic, sexual orientation, disability, etc.) that exists in our data and technology? How will we reduce this?
- How will we adhere to the data minimisation principle?
- Who will we share data with and how? What is our view on open data?
- How will we deal with the challenge of re-identification and the fact that anonymised data is no longer anonymous? How will we address the issues of the mosaic effect, big data analytics, and machine learning?
- What is our policy on data retention and destruction?
- How will we handle data breaches?
- What is our view on biometrics?
I’ll end with a plea. When considering how to improve your responsible data practices, please, please, please do not go it alone. Do not reinvent the wheel. There are lots of good resources and people out there who can help. Here are a few:
- Oxfam’s Responsible Data Management Toolkit
- CARE’s maturity model
- USAID Considerations for using data responsibly
- The Engine Room’s Responsibledata.io
- Doing No Harm in the Digital Era
- ICRC’s data protection handbook
- OCHA’s Data Responsibility Guidelines