News

Key questions to ensure responsible data practice for funders

30 March 2021

By Dirk Slater

The Data Champions programme brings funders together to collaborate and learn how to grow a data culture in their organisations. In this blog, programme facilitator Dirk Slater shares insights about responsible data use from the workshop on January 27, 2021. 

Responsible data

What is meant by responsible data?

Data is power and with power comes responsibility. The Responsible Data Forum defines that responsibility as “…a collective duty to prioritise and respond to the ethical, legal, social and privacy-related challenges that come from using data in new and different ways in advocacy and social change.”

Why is it important for you and your organisation?

As grantmakers, our Data Champions are striving to empower beneficiaries and improve communities. Collecting and storing data responsibly and ethically is important, first and foremost, to protect and respect the rights of stakeholders. In addition, it is vital to maintain a funding organisation’s credible reputation and demonstrate their values and mission. This responsibility needs to be reflected in every step of an organisation’s data workflows – from getting consent when they collect data, to making sure they don’t include personal identifiable information when they share it.

Compliance with GDPR was a major hurdle for any organisation collecting data via the internet, and the regulations went a long way in raising awareness. But there are a lot of ethical considerations around data that go beyond consent. During the workshop, the Data Champions identified the data-related scenarios that kept them up at night. These included:

• Not being able to adequately mitigate confirmation bias
• Unauthorised access to data
• Accidentally sharing personal identifiable information
• Having people opt out of data use, but their data being used anyway
• Getting consent from children and vulnerable adults.

“I have left with ideas to make our responsible data policy more understandable and easy to implement, by using images and a list of top tips.” – Roxanne Wood, Two Ridings Community Foundation and 360Giving Data Champion

Questions to Ask Frequently

Responsible data policies are an important part of an organisation’s governance. However, one of the main concerns for participants was that staff within their organisations weren’t aware of these policies, couldn’t implement them easily and didn’t recognise the relevance and significance of responsible practice to them. The group highlighted the need to communicate policies to staff through examples, using simpler language, and setting out steps for how to implement good practice.

To help ensure good practice around responsible data use, we asked our Data Champions to generate questions that should be frequently asked. Here’s what they came up with, listed by topic:

🎯Data collection: the purpose

• What are we using this data for and has that been made clear to those involved? Is it for making decisions about applications, or for the funders own understanding?
• Why do we need this data?
• What questions are we not asking?
• At what point in the process do we need to collect this data?
• Is this data relevant and proportionate for the task?
• Is this data something we could monetise legitimately for “the greater good”? If so, how and what are the ways to protect it? Should we monetise the data?
• Is this data ambiguous – could it be used in a different way to give an outcome that is different from the original  question?

✔️Data collection: getting consent

• Do I have consent to collect and use this data? Is the person who shared this data aware of how it will be stored and used?
• Will we have to go back to subjects in future to seek further consent for sharing the data more widely?
• How much time will it take for subjects to provide data and is this burden on them reasonable, proportionate, e.g. surveys, and focus groups?
• Who will this data impact and do they need to be involved in the conversation?

💼Storage

• Where and how will the data be stored, and does that follow organisational policy?
• Considering the evaluation process and security needs, for how long do we need to store the data? How will we know when it is no longer needed?
• What do changes to our data policy or practice mean for the data we’ve already collected and are currently holding?
• Are we regularly reviewing what we have stored, and destroying what we should no longer be holding?

🔐Keeping data secure

• Is the data secure and whose responsibility is it to ensure this?
• Have all staff been appropriately trained in our data policies and practices?
• Do I have consent to access, process and share this data?
• Do we need external help to ensure our security is legitimate?

💂Accessing data

• Who has access and who is accessing the data? Are we limiting or controlling access?
• How will I ensure this data is saved correctly with permissions only given to relevant colleagues?
• If this data is passed on, how will I ensure its use continues to be compliant with our data protection policy?

🔍Being transparent

• Is the person who shared this data aware of how it will be stored and used? Has this been communicated clearly and have they given clear consent?
• What questions are we not asking?
• Have our policy and procedures been reviewed and updated?

📋Personal responsibility

• Do we have any legal responsibilities when it comes to this data? Who is responsible for managing this data?
• Have I considered possible biases at play, including my own bias and confirmation bias?
• How will what I am doing affect others? How would I feel if I was on the receiving end and directly feeling the impacts of this decision?
• How does data protection apply to my role, and the work of our organisation? What are the legal implications?
• Do the ‘Daily Mail Test’ – what would happen if a journalist found out we did ‘X’?
• Is everyone in the organisation aware of the importance of data protection, our organisational policy, how to implement it and what to do if they think there’s been a breach?

📊Analysis and processing

• Are we asking our application questions in the right way?
• What is our data not telling us? Why might this be? (Don’t know what we don’t collect)
• What is the result we want from this data, and are we sampling to get that in a biased manner?
• Which groups of people are missing from this data?
• Is the sample population robust enough/large enough for what we’re trying to answer?
• What is the final output and where will it be distributed now and in future?
• How do we process and deal with ‘dirty data’?
• How could this data be badly misconstrued?
• Have we considered all of the different ways data could come back to us (ie not just figures in a spreadsheet but use of pictures, narratives, films etc) and how we might use that in the future?

“I’ve been grateful to everyone on the call. It’s really helpful to listen to others from smaller and larger organisations. I work in a moderate size organisation but work with larger and smaller ones. This has been helpful to gain insight and inform how I work with them. – Kathryn Parry-Wilkes, SCVO, 360Giving Data Champion

Useful resources

The Data Champions shared the following resources which include actionable tools and more information about responsible data:

1. Sample of a data responsibility policy, 510, Netherlands Red Cross – Sample of data responsibility policy from Netherlands Red Cross 510 initiative as part of IFRC’s Data Playbook
2. Age of Surveillance Capitalism, Shoshana Zuboff (book). – This 2019 non-fiction book by Professor Shoshana Zuboff looks at the development of digital companies like Google and Amazon, and suggests that their business models represent a new form of capitalist accumulation that she calls “surveillance capitalism”. Read a good summary by the author.
3. The Social Dilemma (Netflix documentary) – This documentary-drama hybrid explores the dangerous human impact of social networking, with tech experts sounding the alarm on their own creations.
4. Data protection advice for small organisations, Information Commissioner’s Office – Resources for small organisations wanting to know more about data protection.
5. Data Protection Network – Resources and support for understanding data protection and privacy.
6. Have I Been Pwned.com – Resource to check if you email has been compromised in a data breach

Turning learning into action

Given the ‘Questions to Ask Frequently’ are meant as guidance for ongoing discussions around responsible data practices, many of the participants were anxious to make sure practice matched policy.

We asked them what next steps they planned to take as a result of this workshop. They said:

• Find out about our responsible data policy and request to set up a training session for all staff to cover: what the data policy covers, how we engage with it, how we are reminded of it.
• Start a conversation, initially with my manager, about our approach to data protection as an organisation. Question how we can start engendering a positive culture of data protection. It’s everyone’s responsibility, no matter what you do.
• Set reminders for frequent reviews of our stored data and anything which would need to be deleted.

Look out for blog 5: Data for Leaders

Our next blog will share insights from our Data Champions on getting leaders to use data to encourage growing a data culture. For more guidance on developing a data culture, read our previous blog on four steps to build a data culture.

If you have found this blog useful or have any feedback, we’d love to know! We also welcome ideas for blogs and other content from our community, to help enable better use of data for funding organisations. Drop us an email at comms@threesixtygiving.org.