Governing data, not governed by data!

In this provocation, Anouk discussed where we are right now with data governance. Broadly, data governance forces us to ask ourselves how we make decisions about data, and who can make those decisions.

Before diving into some governance models, Anouk briefly reflected on some key recent events: this last decade has seen a lot of data leaks, we’ve opened our eyes to how workers are managed by algorithms and surveilled on the job, and news on how social media platforms have had influence over election outcomes.


All of this has spurred on a clear shift in attitude: recent iOS updates from Apple have given users the option to opt-out of ad tracking, and 96% of users do. This indicates that we now know what we don't want — we don't want to be governed by data, we want to govern it ourselves. But knowing what we don't want doesn't quite help us in understanding what we do want.


We need to get to a place where we're no longer just saying 'yes' or 'no' to a bunch of terms and conditions that an organisation has written. Instead, we should be shaping those terms and conditions ourselves. At the moment, this kind of participation is really lacking.

The last decade has also brought us new data protection laws. Now companies must, on some level, tell us what they are doing with our data, and as end-users we have certain controls – when we use web browsers, we can control which websites put cookies on our devices. There are also regulations on AI, which regulate who can control AI technologies, and what those technologies are allowed to make decisions about. But all of these new rules are very defensive — they're focussed on curtailing harms, rather than helping us figure out what we want for the future.


We need to get to a place where we're no longer just saying 'yes' or 'no' to a bunch of terms and conditions that an organisation has written. Instead, we should be shaping those terms and conditions ourselves. At the moment, this kind of participation is really lacking.


There are many people who are working on this problem. They're asking: if data rules are not enough, then what else can we do? We can roughly sum up this field as data stewardship.


Data stewardship should give us real collective agency over how our data is collected and used, as well as participation in decision-making processes. So for instance, we can't individually co-author terms and conditions, because that would be unrealistic— we need to do it collectively. To do this we can use a data steward model, and these work quite similarly to a trade union. Where the union fights workers' rights, a data steward model fights for and protects the rights of data subjects.


There are new models that pop up all the time. One could be a data trust, which is a legal model where trustees look after data on behalf of a particular data subject, or even society at large. Or you could have a data cooperative, where everyone who feeds in to the model benefits from it. All these models share common components:

  • Data stewards are independent intermediaries

  • Data stewards must act on behalf of, and be accountable to those the data is about

  • And finally, a data steward should do more than represent someone's interests: they should also find out what those interests are, by encouraging participation. Collective participation could be realised in any number of ways, from town hall style meetings to direct voting.

Lots of people have started experimenting with these models, but mostly these are ideas that live in fancy articles. Anouk then asked, if we — as in data ethicists, and people who care about this stuff — think data stewardship is such a great idea, then why haven't any of these models been implemented yet?


This is partially about rights. Just like we need labour rights to form trade unions, we need specific kinds of data rights to enable data stewardship models. But beyond rights, it's about the context in which data is collected. One key failing of these models is that they implicitly assume that all data can be treated equally regardless of the context in which it is collected. Context matters: data is collected by your bank, your smartwatch, in classrooms, by your doctor. All this data has different purposes, and represents different people and situations. The power dynamic in a classroom is very different to the one between you and your bank — teachers will happily fight for the privacy of their students, but a bank may not.


What this shows us is that good data governance is a lot more about good governance, than the data that underlies it.

So, whichever models we use, need to account for this context. A good example is how data is collected in the gig economy. Organisations like Worker Info Exchange are demanding that platforms, such as Uber, give drivers insight into the data that is collected about them via their app, and into the algorithms which govern their work. This is a great start, but good governance is about more than just transparency. Ideally, Uber drivers should also have a say in what data Uber collect, and what they do with it — just seeing the data isn't enough. In other words, they should have a say in how Uber manages them.


If Uber drivers were working under a data governance model that gave them decision-making power, it would actually be less about data governance, and more about the governance of labour. This is a large topic that exists outside of discussions that are solely about data, and therefore is far more complex.


What this shows us is that good data governance is a lot more about good governance, than the data that underlies it. So now the key question is: what does good governance look like? If we were to review an organisation's governance model, what criteria do we use?

There are some core principles of good governance we can look at. These are based on the work of Elinor Ostrom, an economist who has done extensive research into how people govern themselves without governments or markets. Ostrom found that with a few key principles in place, you would start to see a pretty healthy system. Those are:

  • The purpose, values, and stakeholders: figure out what you're doing, why you're doing it, who you're doing it for, and who you're doing it with. Once you establish this, you know what box you're working in. Then, if you were to ever do anything outside of that box — that's where people can start holding you accountable.

  • Decision making: who gets to make which decisions? There doesn't have to be consensus with every decision, but those affected by decisions should be the ones making those decisions. This doesn't just apply to data; decisions about anything should be made this way.

  • Rule setting: in the most democratic sense, rules should actually be more like shared agreements. But either way, they should help you decide things like who can collect data, and when it's collected.

  • Monitoring compliance: rules are no good if you can't tell if anyone is sticking to them, so you need a way of making sure rules are being followed. Transparency here is key — essentially, most people in the system should have a clear notion of whether or not those around them are complying.

  • Enforcing rules: you have to know what the consequences are when rules are broken. What do you do when someone does something wrong? Are their different levels of sanctions for different circumstances? E.g. if a rule is broken unintentionally, perhaps the response is less severe.

  • Resolving disputes: when people within an organisation disagree with one another, or with the rules and accountability structures that are in place, they need a cost-effective way to resolve these conflicts. The conflicts themselves could also reveal that a change in rules is needed and thereby inform the rule-making process.



The main thing to remember about good governance is purpose. Anouk pointed out that many companies already use great governance models, because their purpose is to make as much money as possible -- and they do that very well. But, if we instead care about agency and sharing benefits from data more broadly, these governance models are not fit for purpose.


Tying data governance models and regulations to specific contexts will help us better understand the underlying power dynamics and pre-existing norms and relationships that further inform how data is collected and used. In addition, by framing data collection and use as part of a larger goal (e.g. to halt pollution, or cure cancer) the relevance of data governance related conversations becomes more obvious.


_________________________________________________________________________


Want to keep up to date with the world of tech ethics?

 

@AnoukRuhaak

Stay up to date with the world of tech ethics by signing up to our newsletter here