DATA SHARING WORKING GROUP
Who owns an individual's personal data? This is a big question in today's world. The working group was formed to address the lack of transparency of how organisations collect, store, and share beneficiary data with the goal to:
provide thought leadership, research, and problem definition
convene discussions with key actors
work collectively across the network to develop a framework for possible solutions
facilitate others to provide solutions
provide a testing ground for possible solutions
provide a channel for widespread adoption and critical mass
advocate for systemic changes to that would support a preferred solution or direction of travel.
CCD's data sharing working group's workstream includes agreeing on:
what data the CCD members will share
definitions of the data (each data field)
criteria for access the shared data
use restrictions for the shared data
options for the mechanics of sharing (e.g. methods, requirements, pros and cons, etc.)
recommendations and guidance for country-level consortia.
Lead: Amos Doornbos, World Vision
Members: Open to any staff members of CCD member agencies
As CCD works to ease collaborations globally, data sharing and interoperability have been raised as a significant barrier to expanding cooperative efforts. CCD has been prioritising how we can resolve these issues in our joint operations and guidance for others since June 2018 when we started working with the user-focused company, Pivotal, on how we can remove obstacles preventing data sharing between CCD members.
In October 2019, a working group, led by World Vision, was formed to address these concerns in a transparent manner while ensuring interoperability between NGOs, partners, UN agencies, and beyond while maintaining our responsibility to protect and better support our beneficiaries.
As of April 2020, the working group has agreed to:
focus on de-duplication and creating unique identifiers that can be used for case referrals as well
a model to use: one that relies on standards, is tech agnostic, involves very limited data being shared, and includes enabling recipients/beneficiaries to also access their data
initially share data with only the unique ID stored in a communal registry
use a system/model that can flag potential duplicates and the agency that created the original record (the resolution and determination of whether it is a duplicate will be done offline between agencies involved using a pre-agreed standard process).
The group will work towards establishing
various standards and methods for:
creating a unique identifier
defining the process to resolve the potential duplicate
defining the process for an agency to refer a recipient/beneficiary to another organisation.
The legal component of data sharing was identified as the most complex part to solve and without a resolution, tech solutions could be inappropriate. Thus, data sharing guidance and accompanying data sharing template was produced by Dentons Law Firm for CCD member, CARE. It is to be used as a starting point to develop data sharing standards suitable for the country and context of the data sharing.
The guidance and template are based on the highest data standards (the EU's General Data Protection
Regulation (GDPR)). CCD members’ legal counsels, data specialists, and programme teams provided feedback on the guidance and agreement to ensure that it can easily be used by CCD members in the field.
Both the guidance and the templates are being piloted in CCD-supported collaborations in Ethiopia and Colombia.
DATA SHARING TOOLS
PRACTICAL GUIDANCE ON DATA SHARING
Protecting personal data and privacy in field work: A guide for data sharing between humanitarian organisations
DATA SHARING AGREEMENT TEMPLATE
This template is intended to promote responsible data practices and sharing between organisations in the nonprofit sector, and, where applicable, their private sector partners. It borrows from corporate best practices and approaches, and is intended as:
a transactional roadmap for responsible data sharing in a given context
an educational tool for organisations to understand obligations in this area
requiring early and deep discussion and due diligence of expectations around approaches, policies and procedures and related roles and responsibilities amongst the parties
a starting point for negotiations of an eventual written agreement between the parties.
Each provision must be carefully considered, and it is not just appropriate but necessary for modifications (both additions and deletions) to be made based on context and the views of the parties. Footnotes should be deleted. Nothing in this template is fixed or predetermined and it is intended only to assist the parties by providing them with a basis for discussion.
This template agreement contemplates considerable ethical, programmatic, and legal responsibilities and should only be utilised in close consultation with appropriate country office management, information technology/digital teams, and local and home office legal counsel at each participating organisation/company. This agreement requires discussion and modification, and application to each specific context and party.
While the parties signing the agreement will generally be sharing personal information that has already been collected, a basic consent form has been provided for organisations who may wish to consider adapting for use when collecting personal information. Like the agreement itself, the form of consent is a mere template that should be carefully reviewed and modified to ensure its suitability for the specific context in which it is being used.
Whilst sharing data between organisations is an important component for agencies to be able to collaborate, we also need to ensure that way that the sharing is done is in the best interest of the people whose data we hold. Indeed, aid actors have been hosting data on the world’s most vulnerable people for a very long time, but generally they are given little to no access to their own data. It is also problematic that the data is held for an indefinite period of time and contains more information than necessary, putting already vulnerable people even more at risk of exploitation.
One solution CCD is evaluating provides vulnerable people access to their data; sets limitations to the type of data that is collected, how that data is shared, and how long it is stored; and offers a common framework to organisations who don’t operate within the same data protection regulations – is the data trust.
Data trusts are legal entities that exist externally to the organisational partner agencies and offer an opportunity to manage political and liability issues using a different approach as they can have a very narrow, well defined, transparent scope and allow beneficiaries to have a say in their data.
Given this, a data trust could be established in a community or location to host the wallets or personal data stores of people who are unable to host the information themselves. A trust can take on the liability for hosting the data, while the liability for accessing the
wallets is shared by the individual and the wallet provider. It has no political, financial, or social interests to pursue other than the provision of hosting spaces for wallets and funding to maintain operations. The funding required for continued existence would be quite minimal and likely easily secured from multiple sources.
What is a data trust? by Jack Hardinges, Policy Advisor, ODI (10 July 2018)
The data trust option by Amos Doornbos, Director of Strategy & Systems, Disaster Management, WVI (12 September 2019)
Beyond “mine’s bigger than yours” datasets by Amos Doornbos (17 September 2019)
DIDs & trusts: Small, but powerful containers by Amos Doornbos (18 September 2019)
Trustee power dynamics by Amos Doornbos (19 September 2019)
Data trust questions to clarify by Amos Doornbos (14 October 2019)
Whilst we have already imagined what a few of the features that would be inherent to data trusts, we need to research more how such trusts would work. We are planning researches and pilots in 2020.