Openness principles for organisations handling personal data

How data is accessed, used and shared exists on a spectrum. Data that needs to be private should be kept private. Sensitive or commercial data can be shared with some people or organisations. Data that can be open should be open. Openness about how organisations are securing and managing private data builds trust

null

The principles

Organisations should:

  1. Be open with people about what personal data they are collecting
  2. Be open with people about how they use personal data
  3. Be open with people about the way personal data is shared
  4. Be open with people about the way personal data is secured
  5. Explain to people how we make decisions about them using their data
  6. Be open about their accountability mechanisms for misuse of personal data
  7. Help people understand and influence how their data is collected and used
  8. If collecting or using personal data, make their analyses and outputs as open as possible

Being open about how personal data is used, and how privacy is protected, helps to build trust in organisations collecting and using personal data. Greater trust means less friction when developing new ideas and services, and greater use of existing ones. It facilitates more connections and network effects. It helps consumers feel empowered, and leads to more informed choices about services that involve collection of personal data. Openness makes things better.

The ODI’s privacy and openness principles set targets for organisations aspiring to build trust in how they manage personal data. The principles focus specifically on how organisations manage personal data, not data in general that they collect and/or use. They’re intended to be broadly applicable to organisations in the public, private and third sectors: organisations of any size who are collecting, storing, using and/or providing access to personal data.

We want to see organisations committing to the principles and incorporating them into their own organisational policies and processes.

The principles are not intended to be exhaustive. Some aspects of the principles are already reflected in data protection frameworks, such as the General Data Protection Regulation (GDPR) in the European Union, and will become a requirement for many organisations operating in the digital single market. Others extend on existing laws and aspire for greater openness in how personal data is managed. Data protection is sometimes seen as a compliance burden. Openness about how privacy is preserved builds trust, providing both compliance and wider service improvements.

The principles encourage organisations to commit to being ‘open’ in a number of ways. ‘Open’ means both sharing information (publicly online and directly to people), and being open to feedback from people about how things could be improved.

Note: these are guiding principles. Organisations should be aware of additional obligations under national data protection laws.

The principles

1) Organisations should be open with people about what personal data they are collecting

Organisations should be open with people about what personal data they collect from people and for what purpose – for example whether the data will be used to help deliver a service for them, be linked with other information about them, be shared with other organisations or be used for research purposes.

This may include:

  • Publishing clear and accessible information about what personal data they collect and the purpose of collection at the point at which people sign up for a service

  • Making a register of information available as open data about the personal data they collect, have access to, and why, including where they are receiving access from a third party

This principle is already reflected in some data protection laws (GDPR, for example).


2) Organisations should be open with people about how they use personal data

Organisations should be publishing information openly about how they use different kinds of personal data, for example to deliver a service, conduct analysis or simply maintain records. They should keep this information up to date. This information is to help people understand how their data is used at a high level, and the level of detail provided should reflect that.

This may include:

  • An open and regularly updated register of purposes for which they collect and use different kinds of personal data

  • Notifications provided to people who have provided personal data about any changes to how their personal data is being used


3) Organisations should be open with people about the way personal data is shared

When organisations share personal data with other people or organisations, they should be open about what data exactly they are sharing; with whom; for what purpose; under what conditions; and for what return (eg financial return, or because it’s a necessary part of providing a person with a service).

This may include:

  • An open and regularly updated dataset on their website detailing what personal data they are sharing; with which organisations or individuals; why; and with what limitations on use

  • Maintaining accurate individual records of how people’s personal data is being shared with other organisations and people – this will enable organisations to reply to requests from people about who has access to their data, and follow through any changes/deletion of that data (this is required, for example, under the GDPR’s right to be forgotten)


4) Organisations should be open with people about the way personal data is secured

Organisations should be open about the way personal data is secured, to the extent that is possible without increasing the risk of security breaches.

This may include:

  • Regularly publishing information online about security audits that are carried out, any data breaches that take place, and responses to those breaches.

  • Publishing the details of, and reports from any independent security auditors where it is safe to do so

  • Providing feedback mechanisms for people to get in touch regarding any potential flaws in their data security


5) Organisations should explain to people how they make decisions about them using their data

If organisations are using algorithms and data to make decisions that impact on an individual’s life, or target services to them in a particular way, they should commit to providing an accessible explanation of how such processes work and the data involved. They should provide a mechanism for people to challenge decisions made about them, or services targeted to them, in a way that is meaningful and involves human interaction.

This may include:

  • Providing information about how decisions are made, and what data has been involved, in any notifications to people (email, post, telephone etc) about decisions that impact them.

  • Creating an arbitration mechanism for people who want to challenge decisions, with information about how to do this publicly available and easily accessible on their website. In some sectors, this challenge mechanism may be best enabled via independent arbitrators.


6) Organisations should be open about their accountability mechanisms for misuse of personal data

Organisations should publish information about the governance and accountability processes they have in place to monitor best practice management of the personal data they hold.

This may include:

  • A publicly available overview of the internal decision making process, and the governance model in place, to monitor issues raised with management of personal data

  • Publishing minutes of meetings, and reports of decisions made via these accountability mechanisms

  • Identifying an independent, trusted third party to provide accountability mechanisms on their behalf (with the same requirements of openness)


7) Organisations should help people understand and influence how their data is collected and used

Organisations should commit to using clear, accessible language in their data policies and permissions to communicate with people what happens to their personal data. Wherever possible, the way they design their services for consumers should provide real choice for them in how their data is accessed, used and shared.

This may include:

  • Designing services with different options regarding the level of personal data that might be collected about a person, and who they could grant access and use permissions to

  • Providing individuals with mechanisms to access their own data (this is required by organisations that need to comply with the GDPR)

  • Providing individuals with mechanisms to approve access to their data held by one organisation to another organisation (this is reflected in the right of portability under the GDPR)


8) Organisations collecting or using personal data should make their analyses and outputs as open as possible

When organisations are undertaking research using personal data, and building or delivering services using personal data, they should as far as possible provide benefit back to the public to reflect the value being provided by them. In this way, organisations contribute back to the data infrastructure that underpins the services and outputs people use every day and help it create more value for society.

This may include:

  • Publishing aggregate, anonymised open data from services and research involving people’s personal data (eg Strava)