In 2018, I was the technical lead of a project focused on using mobile phone data for public good when the European Union’s General Data Protection Regulation (GDPR) came into force. The GDPR is one of the most comprehensive data governance laws in the world, imposing strict obligations on any organization that works with any form of personal data, which is defined as “any information that relates to an identifiable living individual”. The regulation was intended to better protect citizens from harm that can result from the use of their data. Our project team fully appreciated the value of the regulation; the problem was, we didn’t know how to comply with it.
It turns out that uncertainty about how to comply with data laws is a widespread problem, and even experts cite this as a challenge significantly hindering governments from using data to meet their development goals. Our project team navigated the challenge of GDPR compliance by contracting a technical expert who guided us through exactly what we needed to do. However, it was difficult, time-consuming, and expensive to find the right support. We were fortunate that everyone in our collaboration, especially our funding partners, was flexible in terms of funding and timelines. But that is not the case for many organizations and projects.
I’ve met staff in all sorts of roles, from many different organizations and even in government, who want their work to comply with data laws and best practices, but just don’t know how. In addition, there are still many places where data laws do not even exist, and so there is a growing moral imperative to improve data governance, exemplified by initiatives such as Data Values and UNICEF’s manifesto for better governance of children’s data. Without improvements, poor practices will continue to lead to data being used in ways that pose more harm than benefit to citizens and communities, such as when the UN improperly shared data from Rohingya refugees with the Myanmar government. Or, we see scenarios where data is excessively protected to the extent that it cannot be used in ways that are beneficial, as illustrated during the COVID-19 pandemic. Both under- and over-governance are hindering development, and guidance on how to navigate data governance to best utilize and protect data is sorely needed to ensure the exciting potential of data to achieve progress is met.
Moving from policy to action
Positively, what I’ve seen and heard is that there is generally buy-in to create policy guidance on data governance, just a lack of understanding about what the implementation entails. It is people’s actions, not simply the existence of a policy document, that produce real-world change and there must be a shift in focus towards support that enables action. I believe there are three key areas of action to realize this.
Creating policies that are context-specific
Data governance principles and policies are often abstract as they must be applicable in a broad range of scenarios. A 2023 review of international data governance frameworks summarized that there are a “plethora of practices”, but these are “often vague”. A lack of specificity leaves much room for confusion and a lack of clarity over the actions that need to be taken. Even principles designed for a specific domain, such as the Health Data Governance Principles for the sector in which I work, are not always straightforward to apply due to the wide range of realities for health organizations and companies involved in data use.
For example, implementing the principle ‘ensure adequate data security’ in a million-dollar healthtech company would probably require staff to navigate a multi-factor authentication process using an authentication app to access platforms with sensitive data. But this would not be effective in a rural health facility in East Africa, where there isn’t a reliable phone or internet connection and most data is stored on paper. Policies and principles need to be translated into context-specific guidelines that are relevant, understandable, and realistic to follow for everyone involved in collecting, processing, or using data. This requires both technical knowledge about data governance and a detailed understanding of the operating environment to suggest actions that can realistically be practiced in that environment.
Focusing on training and capacity development
A lack of human capacity is often a major reason for non-compliance with data governance recommendations. A study on digital health data ethics in Tanzania and Kenya found that ministries of health lack appropriately-skilled staff to oversee data ethics, and another GovLab review found that many data governance frameworks add responsibilities to existing positions “often without the required capacity and expertise-building”. Everyone involved in the process of collecting or using data needs training and support to ensure that they understand how to follow data governance practices and why it’s important to do so.
Unfortunately, evidence has shown us that this problem can be seen in many different countries and contexts, including some high-profile frameworks that ignore capacity building altogether. For example, the Responsible Program Data Policy by Oxfam explicitly states that overseeing the framework implementation must be executed by the Oxfam Country Directors as an additional task. But there are no details in the policy about how the Country Directors will acquire the knowledge and skills they need to be able to effectively oversee the implementation. Not embedding plans for capacity development into policies is setting organizations up to fail before they have even started.
Supporting knowledge sharing and peer exchange
We need to see broader dissemination of the knowledge and tools that enable critical and low-cost interventions, like proper data access management, data-sharing procedures, and transparent data communication. Movements like Data Values can foster the sharing of learning and practical tools between peers, to drive much-needed progress at the operational level and make these practices the norm. One of the best examples I’ve found of this is World Vision’s Collaborative Cash Delivery team. They created a working group dedicated to addressing the operational details of data sharing in humanitarian settings, including the creation of templates to enable communication with frontline workers to ensure that they understand what data-sharing practices they need to follow. Perhaps more groups like this, each focused on a specific topic area, would enable organizations to come together around shared challenges and objectives and also share the load of navigating the development and implementation of data governance protections. Movements like Data Values can play a key role here, by bringing together a community through which tools and lessons can be shared among practitioners who are then enabled to take high-priority concrete actions that will accelerate progress towards a better data future for everyone.
Ultimately, even small actions add up
Not every organization can afford a team of data governance experts to facilitate complete compliance with data laws and principles, but the ‘all or nothing’ mindset, where the options are perceived to be either to invest a huge amount to comprehensively address the issue from top to bottom, or to do nothing at all, must be addressed. It produces a state in which organizations with limited financial and technical resources - such as many low- and middle-income governments and smaller charities and community organizations - continue to collect, manage, and use data according to outdated practices that expose citizens to an unnecessary level of risk and deprive them of their right to control how their data is used. By prioritizing a few actions as outlined above, the data community can enable all organizations to take action to create fair, equitable, and inclusive data governance that protects the people the data concerns, while ensuring that they truly benefit from its use.