To support civil society’s access to responsible data (RD) resources, the Good Data Collaborative completed a responsible data literature review, consultations with stakeholders (summarized in a consultation report), UX testing and redesign of ResponsibleData.io, and an initial assessment of the landscape of responsible data guidance for nonprofits.
The Good Data Collaborative seeks to identify gaps in resources to support civil society’s responsible approaches to data collection and use, and address ways to bridge those gaps.
Digital tools have empowered nonprofits and civil society actors to collect, store, and process more data, and sometimes particularly sensitive data, in the course of their ordinary service delivery. Organizations have new obligations to protect and responsibly handle client data, and are exposed to new risks, as the interaction between data and societal challenges potentially harms vulnerable groups.
The discourse and management practices around the use of data must expand from a narrow set of issues – information security, privacy rights, and legal requirements – to a broader set of criteria such as dignity, ownership, transparency, control, and consent. Civil society organizations are not equipped with the tools or expertise to identify and mitigate the risks that accompany digital data practices. Existing resources are overwhelming for newcomers and need to be made easier to find, better organized, and presented in a more useful and actionable way.
Grantee Profile: Good Data Collaborative
Good Data Collaborative: Defining Responsible Data for Nonprofits
Laura Walker McDonald presented the Collaborative’s work at the Data on Purpose conference at Stanford University in February 2018.
- Beyond high-level frameworks, guidance resources are duplicative and confusing, with little authoritative practical advice. Little is suitable for small- to medium-sized organizations just beginning their RD journey. Many of the most useful responsible data/data management resources exist in a somewhat informal format that is not persistently maintained or updated, such as a blog post or an unfinished resource. This can make it difficult to take inventory of existing guidance.
- RD is complex in large organizations, with no clear ‘owner,’ no compliance mechanisms and poor understanding. Individual actors are largely left to police themselves, therefore — but no practitioner we interviewed felt they were compliant with RD, citing lack of knowledge, infrastructure, and capacity. Many noted fear of legal consequences but felt the best thing to do was to keep their head down. Many felt ‘real harm’ is already happening. Some theorized that this was the only thing that would create change.
- RD is only moving forward in organizations with BOTH ethical drive and legal compliance pressures.
- There is a disconnect between organizations moving towards human-centered RD principles, pushed by regimes like GDPR and led by human rights and humanitarian principles; and organizations interested in data monetization business models that can grow to exponential scale in low-income countries and transform lives through markets. We should be acknowledging this and talking about what it means for our practice and our philanthropy.
- Many of the organizations in our target audience face a basic lack of funding and human capital to focus on responsible data. These fundamental challenges likely cannot be overcome with written resources. The role of foundations and other funders is key to incentivizing and facilitating better data practices. All practitioners felt they were driven by donor policy – but no donor recognized this dynamic. Donors themselves are challenged to provide guidance and investment in a complex area.
Tools and resources
The literature assessment revealed clear opportunity (and need) to develop resources that focus more on protecting individuals’ privacy and other rights as opposed to narrowly focusing on cybersecurity or data security issues. There is also an important and timely need to address nonprofits’ data use internationally and cross-border as the new European data protection regime (the General Data Protection Regulation) takes effect in May 2018.
Below are some of the ideas we have for resources that could be developed. Where indicated, some of this work is already underway — the rest is contingent upon available funding.
- 101-level: online, machine-readable, and designed for people who are new to the content.
- Diagnosis: helping practitioners to assemble their own RD documents, identify where they are and where they’d like to be, and generate tools and policies to help them bridge the gap.
- Legal: Produce a short brief on the legal exposure inherent in data management. Although we would not provide legal advice, we may consider partnering with law firms who do pro bono work in the field, to provide additional avenues for organizations that need more specific help. More ambitious levels of this work might include mapping what we know about the law on this in different countries, and available guidance and advisors.
Understanding drivers of organizational change
A key gap in the research to be addressed is looking at the organizational level to understand where and how investments could most usefully be made to build RD practice at the organizational level. One idea is to run several three month ‘sprints’ punctuated by lightweight ‘audits’ to put cohorts of organizations through three different approaches:
- Cohort 1: Toolkits. Participants are provided with tools and guides and encouraged by the organization to implement them in their work
- Cohort 2: Organizational compliance & culture-building. We support the organization to roll out a responsible data policy. This is combined with work with the management team to envision what a values-based approach to including RD in their work would look like in practice. RD is included in job descriptions, person specifications and employee evaluations; it is included in organizational risk registers and project management; and project monitoring.
- Cohort 3: Individual capacity-building. Individual staff members become ‘champions’, are provided with mentors and training, and encouraged to change the culture of their organizations.
By the end of the project we should be able to make informed statements about which approaches have most successfully improved responsible data practices within practitioner organizations.
Coordination, reality checks and frank conversations
Our research during phase I of this work revealed confusion and lack of knowledge about this issue not just among practitioners, but among donors too. Some had no one covering this issue on their staff, and referred us to potential interviewees who are only tangentially related. None provided systematic support to grantees for responsible data practice.
There is significant work ongoing in this area, though, and some is not as coordinated as it could be. The excellent Responsible Data listserv run by the Engine Room tends to be used to report out, not to coordinate upfront, as competition for funds means that organizations don’t share plans ahead of proposals.
- Map people working on this, by sector, and ensure they come together at one of the existing events: for example, those run by Stanford PACS. Run policy-level side events for progress-sharing, coordination and frank discussion.
- Develop two-page explainers for donors, sharing existing tools and proposing additional support for RD beyond digital security, focusing on grantees and not just donors.
- Share research findings and provocative messaging through videos, social media, blogging and op-eds linked to relevant themes. Raise with IRIN News, Reuters AlertNet, and the Guardian Development desk among others, to support investigative journalism around the potential breaches and dangers here.
- Look ahead to identify potential future and emergent risks and issues relating to data. For example, an interesting angle would be to examine what, if anything are the implications of AI and algorithms as emerging tools for social change work on grassroots implementers? How will they and their clients be subject to them, and to what extent can or should they make use of them?
Get involved with the Responsible Data Forum and join the listserv. The RD community is a place for those who are using data in social change and advocacy to develop practical approaches to deal with the ethical, legal, social and privacy-related challenges they face.