Could audit and certification services increase trust between organisations when accessing, using and sharing data? And would these services ultimately help data ecosystems operate more safely, efficiently and effectively?
Sharing and increasing access to data is win-win. As well as the economic benefits, it also brings societal benefits. But for organisations to feel comfortable sharing and accessing data, they must be able to trust the organisations they are interacting with.
As data supply chains can involve many organisations and companies, an organisation accessing data often needs to be able to trust not only the organisation holding data, but also any other organisations who may have handled that data along the way.
Bridging the trust gap
Assessing the trustworthiness of others can be both time consuming and costly. At the Open Data Institute (ODI) we've embarked on a project that aims to identify which types of standards and independent assessments can have the most impact in bridging trust gaps in data ecosystems.
And we would like your help to do this. We want to hear from you about your experiences and insights around how standards and certifications can help to build, demonstrate or assess trustworthiness.
In particular this project will draw on recent work exploring the role of data stewards, intermediaries and data institutions in helping to document, craft and distribute common standards across data ecosystems.
To evaluate the trustworthiness of others, organisations use a wide range of legal, technical, commercial and ethical assessments. For instance, some assessment mechanisms focus on evaluating the technical capabilities of an organisation while others focus on evaluating ethical or commercial practices. Some assessment mechanisms utilise technical tools and systems to perform those evaluations; others use more traditional methods such as legal questionnaires, on-site visits or self-assessment worksheets.
There is no one-size-fits-all assessment. The most appropriate assessment mechanism will depend on the context.
Many organisations do not have the time, capability, expertise or desire to perform these assessments themselves. This is why third party, independent audit and certification can be so valuable. They help to reduce the time and effort it takes an organisation to demonstrate its own trustworthiness or evaluate the trustworthiness of others. In doing so, they lower the transaction costs involved in accessing, using and sharing data.
Example: a public sector organisation wants to share data with a private sector organisation to create a service or product
The public sector organisation needs to assess the trustworthiness of the private sector organisation, and the private sector organisation needs to demonstrate its trustworthiness. In the absence of any standards or established certifications, the public sector organisation would have to perform a series of ethical, technical, legal and commercial assessments in order to determine whether the private sector organisation is trustworthy.
But if standards and established certification schemes exist, the time and effort it takes is greatly decreased. The public sector organisation can simply look to see whether the private sector organisation has been certified against relevant standards, trained and accredited its staff or submitted to routine third-party audits.
The value of standards and assessments
Standards and independent assessments help to scale trust across an ecosystem. An organisation that is part of a data ecosystem does not need to assess the trustworthiness of every other actor in that ecosystem. It just needs to be able to trust the standards that those other organisations are expected to adhere to, and trust the parties charged with auditing and certifying organisations against those standards.
And, because many certification processes require an organisation to undergo training and improve its capabilities in order to be certified against a particular standard, certifications can actually build and improve an organisation’s trustworthiness.
Certifications and audits are therefore not only useful in assessing and demonstrating trustworthiness, but in building trustworthiness as well. Ultimately, standards and certifications can help organisations in data ecosystems to trust each other, thereby improving the sustainability and effectiveness of the ecosystem as a whole while reducing the risk of causing harm.
This project aims to identify the assessment mechanisms that are likely to have the most impact in building, demonstrating and assessing the trustworthiness of actors in data ecosystems. It will also explore whether some of these could serve as the basis for a certification, audit or professional accreditation scheme.
The research phase of this R&D project, which kicked off in May 2020, aims to identify ecosystems where organisations currently find it difficult to bridge trust gaps or where relationships between organisations could be improved through the provision of new assessment mechanisms. The development phase will focus on working with organisations in those ecosystems to develop practical guidance and experiment with new assessment mechanisms to address their needs.
At the moment, the discovery and scoping phase is focused on answering a few related questions:
- What standards and assessments already exist within data ecosystems? What methods, processes and procedures do organisations currently use in order to demonstrate and assess trustworthiness and are there any gaps?
- If we develop a new standard or certification, who should they be targeted at? If a basic data ecosystem consists of data providers, data stewards and data users, where can standards and assessments prove most useful in building, demonstrating and assessing trustworthiness?
- What aspect(s) of an organisation should be covered by these standards and assessments? Organisations are multifaceted, so when is it more important to assess/demonstrate the trustworthiness of an organisation’s structures and practices (for example, its ethical and commercial practices, legal structure or technical capabilities), its management and personnel (for example, the competency of its technical staff or composition of its board) or its offerings and services (for example, the products it sells or datasets it is willing to share)
- What lessons can we learn from current and past standards and assessments schemes? Can the long history of standards, certifications and auditing in sectors like health, finance and food safety teach us lessons that are applicable to data ecosystems? And can past successes and failures teach us how to avoid causing harm?
Over the course of the project we will work to answer these questions, using expert interviews, surveys and continued desk research. In particular, we will be engaging with members of data ecosystems such as data providers, data stewards and data users as well as certifying or auditing bodies.
If you are an organisation that collects, stewards, shares or uses data, we would love to speak with you about how you build, demonstrate or assess trustworthiness.
We are also interested in hearing from you if your organisation provides auditing and/or certification services to organisations sharing and stewarding data.
During the product and piloting phase of this project we will be experimenting with assessment mechanisms, such as training and guidance, and will be convening stakeholder workshops to test initial designs and gather feedback.
If you would like to take part in these workshops or serve as a ‘critical friend’ during this phase, please get in touch. We will be sharing regular project updates so do follow us on Twitter and LinkedIn, and visit our project page. Please email us if you would like to get involved.