Dear members of the IATI community,

We are pleased to announce the launch of an open discussion on 'responsible transparency', which will run until Friday 5 November. Given the recent change of authorities in Afghanistan and Myanmar, a conversation about the balance between transparent and open development cooperation data and ‘doing no harm’ to implementing partners, including how data publishers are moving to edit, anonymise or otherwise restrict their data, has recently been gaining steam. As such, the time is ripe for a discussion on ‘responsible transparency’ more generally, but also in regards to implications for IATI and its community of publishers. Your feedback ahead of the next IATI Virtual Community Exchange (12-13 October 2021) will help to focus a dedicated plenary discussion during the VCE as well as further work to define and deal with sensitive data within IATI.


Please read this background note on Responsible Transparency: Considerations for IATI  for further context. You can also download a .pdf-version of this report via the attachment below.

Share your views on the guiding questions via the comment-box before Friday 5 November.   


Guiding Questions for Discussion

Question #1

Where should the balance be between open, transparent, and relevant data, and the need to protect privacy and security more generally, but also in situations of fragility or emergency? Though individual publishers are responsible for ensuring that sensitive data is not released, how can IATI as an initiative facilitate and support those publishers?


Question #2

Is the mixed response to crisis situations and relevant restriction of data the result of an explicit policy from within IATI publishers’ own organisations? If yes, how do publishers decide which sensitive data will be covered in these exclusion policies?

  • Why do these policies differ across publishers and what can be learned from this? 

  • Further, why were different policies followed, for instance, during the transition of authorities in Myanmar and, more recently, in Afghanistan?


Question #3

Building on the above, should IATI provide additional information / guidance to publishers in regard to what types of sensitive information they might consider excluding from their IATI datasets? 

  • If yes, with a view to facilitating data management practices and promoting responsible data, would publishers find it helpful for IATI to, for instance, develop a classification system regarding what might constitute sensitive data (pre-publication), and guidelines on monitoring and evaluation for sensitive data (post-publication)?


Share your comments below and please refer to the number of the question you are responding to. We look forward to an interesting discussion and thank you in advance for your participation!

Files

Comments (11)

matmaxgeds

Hi - thanks for this work:

1. I think the issue has been discussed several times before, how can we ensure this time that it doesn't just end up as a discussion or a pdf somewhere - where could it officially go as a policy - or lead to a change in a tool?

2. I am keen that this also reflects the ongoing situations where this is an issue - perhaps they can be learnt from e.g.there are a lot of countries which are not officially in crisis where organisations would not like to be transparent about what/where/with who, they are working e.g. many democracy programs, human rights programs etc - in those places a practice of being very conservative with sharing data is ongoing - the problem comes when a situation changes

3. Perhaps one way forward is a reminder to publishers who are publishing certain categories of data to do regular checks in case the situation changes - this seems like the perfect job for the validator e.g. publishers can select a ruleset called 'potentially sensitive data' to get a regular report so that they are taking a known risk (especially important when publishing in an automated way from an internal database, but with very many staff adding data) - but the 'other rulesets' feature seems to have disappeared from the validator?

Melinda Cuzner Moderator

Thank you for jumping straight into the question!

1. I know that there will be session on this at the VCE (12-13 October) and the idea is that the discussions then and the responses here will lead to some concrete action points. 

2. Good point that it may not be data on entire countries, but sometimes it is a limited set of information that is sensitive. But do I understand you correctly that there may be an interest for the countries where activities are taking place to not be transparent about this detailed information?

3. This sounds like a pragmatic solution but I have some follow-up questions. Would this not also make it easier also for data users to identify where sensitive data is? And do you think members and publishers would be able to agree when information becomes sensitive, when it loses its sensitivity and if the information is only sensitive for certain time periods?   

 

leo stolk

Agree with Max that while this now emerges as a discussion focused on two countries, it is a tension in many other situations. And it becomes more evident when there is change.  Just as an example being associated with SRHR and more specifically right to abortion is risky in so many countries, incl IATI member countries (now, even in Texas). 
1.  For me this balance is not a universal nor static concept, it differs over time and differs by whom you ask. For instance Oxfam uses 'open unless' as guiding principle. Open unless openness and transparency puts people at risk (beneficiaries, partner organization staff and Oxfam staff).   Assessment of these risk should be a continuous dialogue as stakeholder/colleagues in different locations/perspectives often do not share the same assessment. Transparency comes with a responsibility to continuously check this, and above all before publication of an activity.
2. Policies differ because organizations assess effectiveness of strategies and associated risks differently. Often it is the individuals in leadership or the people in charge that define risk appetite. I suspect that it is also defined by aspects of culture, the importance of consensus versus hierarchy, being direct or polite etc. One size policy would probably not fit all. 
3. most important is the update status and frequency of IATI controlled and associated tools. When corrected or removed, a dangerous mistake in a published activity should be processed quickly. And the publisher should know the status of the update process. IATI could provide information and training material about the options a publisher has and hasn't, when information published is not longer deemed appropriate. Also sharing exclusion policies and discuss examples in training material would be valuable.
I'm pretty sure that AI rule sets are being used on open data, for good and not so good purposes, that is a given.  I really wonder if IATI can develop an agreed AI risk rule set, as even IATI members can have opposing views and interests.

Michelle Levesque

I concur with Leo.  Security isn't a static concept and has to be continuously/periodically assessed and I have seen the definition of change depending upon who is in charge of making those assessments.  

I am not convinced that the standard should take on trying to define a rule set to check for sensitive data.  As Leo points out, it can change within a publisher's organization depending who is being asked, so to get all the publishers to agree seems ambitious.  I'm also not so certain it is necessary for IATI to be the arbiter of security/sensitivity.  Leaving this up to each publisher seems sufficient. 

For the record, because IOM did not already have implementing partner information published with our data nor do we have sub-national data in the location element, we did not have a real issue with our data related to AF.  What we did do is eliminate the references within our project descriptions to any sub-national location (city or province) where the projects were taking place and we only did this on our active project.  

David Megginson

My colleagues at UNOCHA's Centre for Humanitarian Data have done a huge amount of work on data responsibility over the past few years, and the IASC (Inter-Agency Standing Committee), which sets standards for the agencies and NGOs who collaborate in the UN humanitarian coordination system, have since adopted much of their work in its official (and detailed) guidance. There is no need to reinvent the wheel — start here.

Melinda Cuzner Moderator

Great, thank you for your input! [~401] , [~325] & David Megginson, 

Do I understand you correctly that you do not think IATI should have the role to control or inform publishers of the risk their data might pose, but instead frequently update the data in their tools and encourage publishers to have an exclusion policy? 

What of the data that the IATI team och community finds that is questionable? As good citizens they can give feedback to the publishers, but they have no responsibility to do so? 

And how active and in what forums should IATI raise the issues of information security, exclusion policies and feedback loops? Leo, you had some suggestions when we last spoke. Do you wish to elaborate here? 

 

 

Michelle Levesque

[~567] I think you have it but with one caveat.  I don't think the standard (the XML schema) should attempt to capture risk tolerances as Max laid out or as I understood what Max was saying.  But I do believe the IATI community can be a forum for it to be brought up as was done by the tech team's post when the question about tools refresh came up.  And I do believe the standard and the tools need to be nimble enough to refresh as quickly as technically feasible.  (I've lost track of how frequently each of the publicly available tools refresh. At one point it took a few days for the dashboard to refresh but I don't know if that has changed as I have stopped trying to monitor it.) Feedback loops on data would also be a way to bring it up bilaterally.  

I know we were contacted by a donor who asked us to review our data but that was a message not sent exclusively to us nor through IATI channels. I believewhomever received AF related funding from them got the same message.

I hope that helps clarify my input.

Melinda Cuzner Moderator

Hello again, seeing that the publishers that have responded here take responsibility for ensuring their data is correct I wanted to open up the discussion of the consequences if not all publishers share this view. They may lack an internal policy on information security or they may not be are not aware that they are responsible to ensure their data is safe. 

 If a large number of IATI publishers do not publish responsibly, could there be consequences for the trust in transparency in general and IATI in particular? That is, can there be reputational damage to the transparency initiative and should IATI act proactively to avoid this?

Melinda Cuzner Moderator

Dear all,

I thought I would re-energize this discussion with a recap from the VCE2 session on Responsible Transparency. In the session we discussed the balance between making data available to the broader community at the same time protecting sensitive data.

According to a poll taken during the session, 2/3 of the participants find that it is the responsibility of the publisher to protect sensitive data during emergencies or significant changes in circumstances. 1/3 thought the responsibility lays with both publishers and IATI. No participants expressed the opinion that the responsibility lays entirely with IATI.

US Aid described their role in making theirs and other US Agencies’ data open and easily accessible. Each agency is the owner of their own data and they are guided by laws and policies that outlines what data is to be published and what data should be redacted. But they find it would be useful to have guidelines or best practise for handling data in the case of sudden changes of the political context in a country. Following the recent events in Afghanistan they made the detailed data on activities in the country hidden for period of time to allow for the different agencies to review their data against compromising information.

UN OCHA had identified a similar need for guidelines and protocols to help publishers make consistent and well informed decisions on what information to publish or not. Data sensitivity is complex, context specific and seldom binary, so creating these guidelines and protocols are both time consuming and resource heavy. The goal is to have sector wide frameworks to support decisions on how to manage data with the purpose of sharing, balancing the risks against the benefits of publishing data. Guidance can be particularly important for colleagues and partners working in the field.

Currently IATI does not provide any specific guidance on managing sensitive data. Publishers have different laws, policies and guidelines for managing sensitive data. The IATI tools are however updated with greater frequency, from every 24 hours to every 3 or 6 hours, depending on the tool.

Some questions for the community to consider:

  • What role (if any)  does IATI have to make guiding documents easily accessible?
  • What role (if any) does IATI have to flag potentially sensitive data to publishers?
  • What role (if any) does IATI have to temporarily hide data in the case of a sudden onset of emergency situation?

Other things to consider

  • Some publishers do not want their data to be hidden or redacted.
  • Information sensitivity is not limited to data but can be found in titles, descriptions and documents.
  • Not all publishers have the same perspective on sensitivity information as the local implementors.
  • Can the reputation of IATI or open data be at risk if no or not enough precautionary measures are taken?

 

Some community members have already shared their views and opinions but I welcome everybody to contribute and for those who already have contributed, have your opinions changed after discussing the issue further?


Please log in or sign up to comment.