Module 6 Handbook
Site: | CABI Academy |
Course: | Data Sharing Toolkit Learning Materials |
Book: | Module 6 Handbook |
Printed by: | Guest user |
Date: | Sunday, 29 September 2024, 12:31 PM |
Introduction
This handbook is designed to help you to answer the Module 6 activity questions.
You are likely to find concerns about data security and privacy, and a mis-trust in data or others use of data, to be some of the biggest barriers to delivering FAIR and safeguarded data within investments.
It is critical that you understand risks and can evaluate real and perceived impacts in order to overcome these barriers. This will help you increase confidence in wider sharing of data while minimising harmful impacts.
This module will enable you to:
- identify risks and impacts of sharing or not sharing
- analyse likelihood and severity
- identifying risks in data
- manage risk
Terminology and control of risks
Terminology
To decide how you are going to minimise a risk, you first need to define some key elements. These are:
- An action: the thing we want to do
- A concern: something that might go wrong
- A cause: the reason it might go wrong
- An impact: the result if it goes wrong
All of these together make up the risk.
What can you control?
Many risks start as concerns about something that hasn’t yet happened.
You need to evaluate these concerns to identify if they are:
- Genuine
- Likely
- Severe
You can then address the causes and take appropriate action to minimise negative impact.
The impact is the only element of the risk that is NOT directly under your control.
Analysing likelihood and severity
To assess if something is a real risk it is important that you evaluate the likelihood and the severity of the impact.
You can do this by completing a risk matrix and assign a risk score. For those concerns that rate above a certain level you should then consider introducing minimising actions.
When completing the risk matrix you should remember:
- Likelihood and severity scores can differ vastly even with the same risk impact. For example, "damage to organisation's reputation" could vary dependent on the nature of the risk and its context in the organisation.
- Severity can vary widely depending on the organisation's attitude towards the risk. For example, is sharing poor quality data, which can often be likely due to errors in the manner of its collection, actually high in severity?
What are the risks of NOT sharing data?
- discrimination against people or groups
- damage to organisations reputation
- organisation being fined for breaking the law
When building a risk assessment you should always consider the impact of both sharing and not sharing data and take a balanced approach.
Categories of risks
You can categorise the potential real impacts of using data, and their solutions, in to the following:
- Legal and ethical risks to people
- Commercial risks
- Reputation risks
- Wider economic, societal and environmental risks
Find out more about each next.
Legal and ethical risks to people
Legal risks
Identify
Data you are sharing contains personal information that does not have a lawful basis for being stored or shared.
Reduce
You should always check you have a lawful basis for handling personal data.
Ask yourself: is the personal information necessary to deliver the service or could techniques like suppression or anonymisation be used?
Ethical risks
Identify
The collection, use or sharing of data could result in unethical outcomes, such as discrimination or exclusion. This can occur even if the collection, use, or sharing of data is lawful.
For example, an automated data model might make decisions about whether someone is eligible for benefits or subsidies, or what products they can be offered.
Reduce
You are most likely to introduce discrimination when using a limited amount of biased data. You can remedy this by:
- sharing data more widely - this will boost the variety of data available and potentially address biases
- putting in place ethical codes of practice
- publishing impact assessments
- communicating openly
- regularly reviewing practices
Commercial risks
Affiliation risks
Identify
A company you do not wish to be associated with is making use of your data or services.
Reduce
Make clear in your licensing that use of your data does not act as an endorsement and that your trademarks and logos are not to be used.
Revenue risks
Identify
Reduce
Imitation risks
Identify
Reduce
Copycat risks
Identify
A deliberate and targeted attempt to masquerade as another organisation, e.g. to sell fake goods and services.
Reduce
Make clear in your licensing that use of your data does not act as an endorsement and that your trademarks and logos are not to be used.
Reputation risks
Data quality risks
Identify
Data that can affect your reputation:
- is inaccurate
- contains personal information
- not updated regularly
- too suppressed
This can undermine the strategic benefits of publishing open data and may contradict legal or other policy requirements.
Potential users may not see you as a credible publisher and in turn avoid using your data and/or services.
Reduce
Develop a robust data management plan that includes being as open as possible with data. Your plan should detail:
- quality control mechanisms
- time schedules
- processes that ensure data is as open and accessible as possible
- channels of communication with consumers
Mis-use risks
Identify
Mis-trust in data, others’ use of data, or drawing ‘incorrect’ conclusions that might be attributed to the publisher. There is a perception that this will lead to reputational and potentially commercial damage.
Reduce
Wider economic, societal and environmental risks
Identify
1: The release of data can result in wider harmful impacts on society, the economy or the environment.
For example, publishing data that highlights the location of key food production and storage areas for internal use and export could make those locations a target in times of conflict.
2: The restriction of data can result in wider harmful impacts on society, the economy or the environment.
For example, not sharing data on crop disease can result in the disease becoming widespread before anyone is even aware it exists.
In this example, however, releasing the data may result in commercial harm. The choice of which risk is greater is often complex.
Reduce
- Put in place, or uphold existing and widely accepted ethical codes of practice
- Communicate openly
- Regularly review practices
Identifying risks in data
You can identify risks in data by asking the following questions.
1: Think about the sources of your data:
- Do you have the rights to collect, access, use and share the data?
- Is there any third party data in the data?
- Is there an existing ethical or legislative context you need to consider (e.g. in country and funder policies)?
- Is the data properly described, including its limitations, gaps, inconsistencies or biases?
2: Look directly at the data and establish:
- Could the data directly, or indirectly, identify individuals?
- Does the data contain sensitive information?
- Does the data contain any confidential information?
- Does the data contain free text fields? Have these been analysed in respect to the above?
3: Think about impacts (e.g. impacts of national security, organisations, people and society):
- What are you trying to achieve by collecting, sharing or using data?
- What positive impacts might there be?
- What negative impacts might there be?
Strategies to help minimise risks
You can take many actions to help minimise risks, including:
1. Increase data literacy
Work with your stakeholders to increase data literacy in key areas such as:
- data collection
- handling personal and sensitive data
- rights and permissions
2. Implement a data management plan
If you develop a good data management plan it can support the safeguarding of data. Your plan should set out the processes that support the policies including:
- how to store and share data
- data lifecycle and retention/deletion requirements
- when and how risks, legal requirements and ethical practices are reviewed
- how data users and external stakeholders are supported
Use this guide to help you develop a data management plan.
3. Use a variety of data licenses and data sharing agreements
You do not need to license all data the same way. Different versions of the same dataset can exist at different places on the data spectrum.
For example, if it is necessary to share a dataset containing personal data:
- use a data sharing agreement,
- make an anonymised version of the same dataset openly available in parallel
4. Document and communicate openly
- policies and processes
- impact assessments
- known data quality issues
- limitations of the data
Being open and welcoming feedback are essential to help you build a healthy ecosystem around the data.
Tools, guides and case studies
You can use the following tools and guides to help minimise harmful impacts from data sharing:
- Cheat sheet: Minimising harmful impacts from data
- Case study: Open Innovation Platform for Agricultural Data Ecosystems
- Guide: Sharing agricultural data: managing risk
- Toolkit: Tech Transformed Consequence scanning
- ODI Data Ethics Canvas
- Checklist: Developing a data management plan
Summary
You can find all the key points from this Module in the Cheat Sheet: Minimising harmful impacts from data
Don't forget to complete Module 6 activity questions to review your knowledge of this topic.