Towards Organizational Readiness for Data Responsibility: A simple framework for responsible data champions
This blog is the third in a series on cash and voucher assistance (CVA) and risk. While the first blog busted some myths around misappropriation and fraud in CVA, the second blog looked into a specific risk for recipients of CVA: the risk of misuse of personal data. This third, guest blog from Linda Raftree zooms in on the question of organizational readiness for data responsibility.
Concerns about tech and data are on the rise in the humanitarian and development space, where partnerships with technology and data firms have been criticized, and the capture and sharing of sensitive data such as biometrics on vulnerable populations is being more widely questioned.
Thoughtful approaches centered on the careful and responsible collection, use, and sharing of data in the humanitarian space have been around for several years, however, and more humanitarian agencies and funders have started to pay attention as of late. The EU’s General Data Protection Regulations (GDPR) came into force in May 2018, spurring EU-based funders to get themselves GDPR-ready. This has in turn encouraged organizations receiving funds from EU funders to move more quickly towards better data management policy and practice. Likewise, In 2019, USAID published their “Considerations for Using Data Responsibly at USAID” in an effort to provide guidance on responsible data management for program implementers. CaLP’s Cash Week meetings in December 2019 will have an entire morning centered on Risks and ethical dilemmas surrounding data responsibility and protection in humanitarian cash and voucher assistance programming as well.
Being more responsible with data collected from vulnerable or historically marginalized groups can feel overwhelming, since most not-for-profit organizations have tight budgets, limited capacity, and outdated systems. Legal frameworks are also hard to interpret because they differ from country to country, making it tricky to develop policies and procedures that work across operating environments.
But here are some steps that responsible data champions can take:
- Talk with individuals and teams to find out what their knowledge, attitudes, practices, needs, strengths, and capacities are, and make a long-term improvement plan based on reality.
- Find champions at the project, consortium, organization and sector levels.
- Understand what motivates people (e.g. financial risk, reputation risk, compliance risk, or values and ethics) and build out conversations based on what would incentivize them.
- Enhance data literacy to help people see that responsible data practices are not limited to the IT team or the M&E team – data changes how we market, how we engage, how we fundraise, how we recruit, how we target, and how we partner.
- Integrate responsible data practices into existing policies and processes rather than creating new silos of technical expertise.
- Review existing policy and practice to see where responsible data approaches can be added, for example, the next time a policy is up for review.
- Include a strong data privacy component when doing training on new or innovative approaches or platforms.
Offer framing and guidance
- Set indicators or “markers” for progress across the organization to help advance over time.
- Create a set of Responsible Data Principles to help build a values-based approach.
- Create Responsible Data guidelines and other tools, or adapt existing ones.
- Get past the “checklist mentality” by mentoring, coaching and accompanying teams and helping them develop their own “responsible data intuition.”
Don’t overwhelm or accuse people
- Consider your organization’s reality and build responsible data capacities and practices incrementally and according to context.
- Open attitudes (rather than accusatory ones) help bring people on board. People will be more inclined to share data failures or areas of risky practice if an open and understanding environment is created and you can work together to improve.
Take stock and take action
- Conduct a data inventory to get a sense of the data your organization holds and where it lives.
- Make a list of the third parties who have access to your data, review their Terms & Conditions and Privacy Policies to see if your data is protected.
- Check to see if there is old data sitting with third parties in systems that are no longer being used and see if it could be deleted.
- Run new initiatives through a data risk/benefits/burdens review to see if there are ways to mitigate risks. Document the process and actions that will be taken to mitigate risk (and follow up by taking them!)
- Seek legal support if needed, for example, in understanding country-level laws, adapting language for contracts and agreements, and assessing potential partnerships that involve data.
Funders play a critical role
Funders need to support organizations to move towards more responsible data practices. This is not an overnight journey. It requires long-term investment, anthropological approaches to organizational behavior change, wider systems changes, and shifts in incentives.
Funders can help by:
- Enhancing their own awareness and expertise on the benefits and risks associated with data.
- Getting their own houses in order in terms of how they manage data internally, especially sensitive individual, group, and partner data.
- Using their power and influence to encourage grantees to manage data more responsibly and supporting grantees with funding to improve data practices. (This will need investment.)
- Incentivizing ethical data partnerships and disincentivizing risky, harmful or unethical collection and use of data from vulnerable and historically marginalized individuals and groups.
I look forward to a deeper dive around the questions of organizational readiness and data responsibility with the CVA community at a webinar in late November (more details to be shared soon). CaLP will also be holding a series of regional events on the topic, including an event in Cameroon on 29 October, and a series of closed-door events in the MENA region from 27 October to 12 November. The discussions will feed into the event CVA, Data Responsibility and Risks, taking place on 4 December as part of Cash Week 2019.
Author profile: Linda Raftree is an independent consultant focused on the ethical uses of technology and digital data in international development, humanitarian, and human rights work. She writes the Wait… What blog and organises the annual MERL Tech Conference.
Main image credit: Jeppe Schilder – Oxfam Novib