As part of its efforts to build trust through dialogue, the Centre for Humanitarian Data hosted two Community Calls in March 2019 on topics requiring deeper exploration in this space: critical incident management and data responsibility in public-private partnerships.

We provide a summary of the discussion below. You can also watch a recording of the call on Critical Incident Management and on Data Responsibility in Public-Private Partnerships.

Critical Incident Management

Critical incidents related to humanitarian data are events such as a data breach exposing affected communities to harm. In the humanitarian sector, there is no standard definition of what constitutes a critical incident related to data management, and incidents such as the above often go unreported given there are no established protocols for managing them. This can lead to recurring preventable errors, missed learning opportunities, and failure to protect vulnerable populations and the humanitarians working to serve them.

The Centre brought together the following panelists, with moderation from Centre staff Sarah Telford and Stuart Campo:

  • Amy O’Donnell, ICT in Programme Lead, Oxfam
  • Andrej Verity, Team Lead, Digital Services Section, OCHA
  • Eddie Lamb, Independent Data Security Expert
  • James Devine, Senior Solutions Architect, Amazon
  • Nathaniel Raymond, Lecturer, Yale University

Based on the discussion, below are five recommendations for improving Critical Incident Management in the sector:

  1. Define ‘critical incidents’ in broad terms. The biggest threats to data security do not always involve malicious intent or a breakdown in tools. Risk results from technical and non-technical causes, intentional or accidental through uninformed behaviors inside an organization. To foster accountability and prevent or mitigate future risks, panelists recommended establishing data responsibility as a core pillar from the outset of tool and process design: a proactive approach rather than retroactive compliance. Importantly, affected communities should be included in detecting and understanding critical incidents and the harms they can produce.
  2. Identify potential risk across multiple categories. The following five risk categories were listed by panelist Nathaniel Raymond as areas to examine:
    • ‘Normal’ use case function: What are the unintended consequences of a system’s intended use?
    • Malicious actors: How and where could a bad actor gain access or do harm?
    • Governance gaps: Where are the systems working but governance is not?
    • Systematic disparities: What are the differences in data management at different levels of the organization?
    • Practitioner and/or Platform Negligence (PPN): What oversights are creating a potential pathway for a critical incident to occur? How does the organization proactively discover points of potential failure?
  3. Establish a culture of reporting. Just because an incident is not reported does not mean an incident did not occur — nor does it mean that the threat will go away on its own. Along with enhancing procedures to detect and assess risk, staff need to feel empowered to flag an issue and escalate as needed. Leaders must prevent potential retribution and model the kind of self-reflective behavior they wish to see. Channels to report suspicions and concerns should be easily available, and it should be clear who deals with critical incidents within an organization. “Silence in our community is quite worrying,” reflected panelist Amy O’Donnell. Absence of reporting should be an indicator of failure, not a feature of ‘successful’ programs.
  4. Routinize and rehearse processes in advance of an incident. Learning how to react during an incident is too late. Instead, panelists suggested preventative action, such as testing detection mechanisms, and rehearsing critical incident scenarios and contingency plans. They also suggested having regular meetings at the field-office level. Introducing and upholding sector-wide processes is an important preventative measure that humanitarian organizations should work towards.
  5. Understand and accept risk in order to stay vigilant. Part of minimizing harm when using humanitarian data is acknowledging and accepting the likelihood that some sort of incident will occur. Hold team debriefs after something goes wrong to understand why and how it occured, and to determine what to do next. A team that resists the impulse to write off incidents as aberrations will both advance its protection mission and improve its discovery capacity for future flaws.

Data Responsibility in Public-Private Partnerships

Nearly all digital programmes in the humanitarian sector leverage private sector tools, processes, and strategic partnerships in some capacity. To discuss this issue, the Centre brought together the following panelists, moderated by Centre Data Policy Team Lead Stuart Campo and Linnet Taylor, Lead Researcher, Global Data Justice Project, Tilburg Institute for Law, Technology, and Society (TILT):

  • Bill Hoffman, Head of Data-Driven Development, World Economic Forum
  • Kidus Asfaw, Partnerships Manager, Office of Innovation, UNICEF
  • Laura Walker MacDonald, Senior Director, Insights and Impact, Digital Impact Alliance
  • Manja Vidic, Business Partnerships Advisor, OCHA

Below were some of the major takeaways from the call.

  1. Build trust with legally binding contracts. One of the strongest ways to protect the parties involved is to write contracts that clearly outline opportunities, needs, and risks for the partnership. Contracts create accountability and act as a tool for researching and testing future data-sharing agreements. These contracts can often be repurposed for different contexts. Bill Hoffman pointed to work being done at the WEF to create a repository for standard legal clauses.
  2. Address issues at a system level. Public-private partnerships pose certain operational, reputational, and legal challenges to those involved. These issues must also be assessed at a broader institutional and system level. At each step of the process, from licensing datasets to using data to inform action, panelists recommend taking a holistic approach to building secure and sustainable relationships.
  3. Define the need for a partnership upfront. Design public-private sector programmes with strategic needs in mind, rather than working backwards to find worthwhile applications of a potential partner’s existing tools and processes. Start first with a problem statement, then develop an approach to solve that specific problem with the right supplier. Acknowledging where gaps continue between problems and existing solutions could produce a new partnership standard, mapping future anticipated needs from the outset rather than attempting panacea treatments.
  4. Undertake due diligence to manage risks and opportunities. Even without direct evidence of a challenge, it is important to assess and mitigate the risks of a partnership by establishing required security criteria and documenting threats. Due diligence helps protect against issues that should be considered at the onset of a project and repeated across the engagement.

Next steps

Thank you to the panelists for bringing their expertise to these calls, and to the participants for posing important questions about managing data responsibly. We will continue to explore these issues at our upcoming event at Wilton Park (20-22 May 2019), and plan to organize more community calls later this year to continue building trust through dialogue.

Send feedback or ideas to centrehumdata@un.org or reach us on Twitter @humdata. Join our Data Policy mailing list here.

Data Policy data responsibility