Assurance of data and data practices is really important for organisations to build trust, manage risks and maximise opportunities, but how can organisations assess, build and demonstrate trustworthiness with data? We’re carrying out research and exploring tools that will make it easier for data to flow and create value.
What is assurance?
In this blogpost, we’ll be talking about data assurance. To understand what this is and what it means, we first need to understand the concept of ‘assurance’.
Being assured is about having confidence in an action, result or process. One way to assure people they can have confidence in you is to show that you are reliable or trustworthy, which might require evidence.
Let’s use the example of renting a car to show two sides of this.
Firstly, the person who is looking to rent a car wants to know:
- Is it suitable for their use? Is it a 4×4, sports car, van, family car? What fuel does it use?
- When was it made? Is it old or new? Are there any newer models available?
- How has it been looked after? When was its engine checked? Have the tyres been rotated?
- Where are the known issues? Are there existing dents or cracks? Is the paintwork in good condition? Do all the lights work?
But the company renting out the car also needs to know:
- Does this person have a driving license? Is it valid for the type of vehicle? Do they have any driving convictions?
- What are they planning on using the car for? Will it stay within the same country? Does the vehicle fit their purpose?
- Are they able to pay for it? Are they paying in cash or on credit?
In this case, both parties need to access relevant evidence in order to assure themselves, and each other, they are making the right decision. Some of these factors will be subjective values (both reasonable and unreasonable) that may affect our ability to trust: our experience, our personal beliefs, our prejudices, our motivations – but some aspects are more objective and can be documented more thoroughly.
How does this relate to data?
Similar conundrums arise when we want to access, use and share data. People’s expectations of responsible and ethical data handling have increased, and we are seeing a growing acceptance of the value of collecting, using and sharing data for public good, the environment and the economy. But people and organisations want to know that they can have confidence and trust in these practices and in the data itself – they want assurance. For example:
- Organisations sharing data need to be able to provide assurance that it is suitable for others to access it, use it and share it. They might do this by providing licences that stipulate who can do what and under what conditions, or by being transparent about quality control procedures.
- Organisations reusing data need to be able to assure others that they are trustworthy in their use of data from third parties. This might be through demonstrating data governance mechanisms are robust or that they meet certain standards.
- Organisations need to be able to assure themselves that data is suitable for their own use, this might be through assessing or auditing their data practices.
- As a city planner, I want to use data from a mobile phone company to better understand how people are moving around, but I want to make sure that citizens can be assured their data is safe and their personal movements aren’t being tracked. I need to seek assurance from the mobile company that citizens know data about them will be used in this way, and that the data is shared in such a way that individuals cannot be identified within it.
- As a biobank, I want to share the data I hold with some researchers, but I’m not confident they have the processes and infrastructure in place to access and store the sensitive data securely. My lack of assurance about their data management practices means I am reluctant to share. I may limit the data I provide in order to protect my company from legal or reputational damage.
- As a regulator, I have difficulty understanding (or feeling assured about) how certain data was collected or the methodology used – was there a standard approach or did it vary in different locations, or demographics? This lack of assurance about consistency means I might find it difficult to have confidence in the accuracy of the data and this affects my willingness to use it to compare and evaluate a sector.
The ODI’s role in data assurance
The ODI’s work in this area is not new. Over the years, we have worked with companies and governments to both help them assure data, and be assured by the quality of the data provided by others – we just haven’t used the label ‘data assurance’ before.
Our past work has included:
Assurance of data. Through our R&D programme we researched user needs in open data publishing and prototyped tools to help publishers meet the needs of users. This included a data validation tool (CSV Lint) to help publishers check CSV files are machine readable, and a GitHub application (Octopub) that provides a simple way for users to publish data easily, quickly and correctly. We also prototyped Open Data Certificates, an online assessment tool that allows publishers to self-assess the quality of their data publishing and display a badge (bronze, silver, gold, platinum) to communicate this to users. Depending on market needs, we may revisit these tools, or develop new ones in the future.
Assurance of data practices. In 2015 we worked with the Department for Environment, Food and Rural Affairs to create and prototype an ‘open data maturity model’ for organisations to assess how well their internal data management supports the sharing of data. As ethical use of data became increasingly important, we built the Data Ethics Canvas to enable organisations to understand the ethical dimensions of data related projects, and have continued to invest in data ethics services to support organisations in this important area. In 2019, we began thinking about alternative approaches to data stewardship and found that independent governance of data could be a mechanism to help provide assurance of data practices and increase access to data. Finally, our most recent work exploring mechanisms for building trust through audit and certification found that trust and trustworthiness are highly context dependent and that third party assessments are useful, but only to a degree and within certain contexts.
Based on this body of work and experience, we learned that when trust in data and organisations stewarding data increases, there is a related increase in data flow. This often leads to the creation of value in the form of products, services, insights and analyses from the data, and better decisions by governments, companies and communities, informed by data.
Data assurance – our new programme of work
Using this work as our foundation, we are now progressing our research and assessing the need for further tools and guidance. These will help organisations to assess, build and demonstrate the trustworthiness of data and data practices; looking specifically at the concept of data assurance and how it can help improve data sharing.
We know that data assurance can mean different things to different people. For some it means legal compliance or meeting industry standards (such as ISO27001) and for others it can be about demonstrating a certain level of skill or knowledge. With this in mind, one of our first tasks is to explore data assurance in the context of our vision of ‘a world where data works for everyone’ and where we can best support organisations to assure themselves and others of the data they access, use and share.
We are in the early stages of this new programme of work, and we are keen to work with others to develop our hypotheses, learning and approaches so please do complete our form (below) if you:
- want to be part of stakeholder groups to support development of thinking, tools and services we might develop
- want to partner with us to accelerate and help steer the data assurance programme towards delivering value to industry and furthering the ODI’s mission to make data work for everyone