Dear members of the IATI community,

Given the recent change of authorities in Afghanistan and Myanmar, a conversation about the balance between transparent and open development cooperation data and ‘doing no harm’ to implementing partners, including how data publishers are moving to edit, anonymise or otherwise restrict their data, has recently been gaining steam. As such, the time is ripe for a discussion on ‘responsible transparency’ more generally, but also in regards to implications for IATI and its community of publishers. 


Please read this background note on Responsible Transparency: Considerations for IATI  for further context. You can also download a .pdf-version of this report via the attachment below.


Guiding Questions for Discussion

Question #1

Where should the balance be between open, transparent, and relevant data, and the need to protect privacy and security more generally, but also in situations of fragility or emergency? Though individual publishers are responsible for ensuring that sensitive data is not released, how can IATI as an initiative facilitate and support those publishers?


Question #2

Is the mixed response to crisis situations and relevant restriction of data the result of an explicit policy from within IATI publishers’ own organisations? If yes, how do publishers decide which sensitive data will be covered in these exclusion policies?

  • Why do these policies differ across publishers and what can be learned from this? 

  • Further, why were different policies followed, for instance, during the transition of authorities in Myanmar and, more recently, in Afghanistan?


Question #3

Building on the above, should IATI provide additional information / guidance to publishers in regard to what types of sensitive information they might consider excluding from their IATI datasets? 

  • If yes, with a view to facilitating data management practices and promoting responsible data, would publishers find it helpful for IATI to, for instance, develop a classification system regarding what might constitute sensitive data (pre-publication), and guidelines on monitoring and evaluation for sensitive data (post-publication)?


Thank you for participating in this Discussion! A summary will follow shortly.

Files

Comments (13)

matmaxgeds
matmaxgeds

Hi - thanks for this work:

1. I think the issue has been discussed several times before, how can we ensure this time that it doesn't just end up as a discussion or a pdf somewhere - where could it officially go as a policy - or lead to a change in a tool?

2. I am keen that this also reflects the ongoing situations where this is an issue - perhaps they can be learnt from e.g.there are a lot of countries which are not officially in crisis where organisations would not like to be transparent about what/where/with who, they are working e.g. many democracy programs, human rights programs etc - in those places a practice of being very conservative with sharing data is ongoing - the problem comes when a situation changes

3. Perhaps one way forward is a reminder to publishers who are publishing certain categories of data to do regular checks in case the situation changes - this seems like the perfect job for the validator e.g. publishers can select a ruleset called 'potentially sensitive data' to get a regular report so that they are taking a known risk (especially important when publishing in an automated way from an internal database, but with very many staff adding data) - but the 'other rulesets' feature seems to have disappeared from the validator?

Melinda Cuzner
Melinda Cuzner Moderator

Thank you for jumping straight into the question!

1. I know that there will be session on this at the VCE (12-13 October) and the idea is that the discussions then and the responses here will lead to some concrete action points. 

2. Good point that it may not be data on entire countries, but sometimes it is a limited set of information that is sensitive. But do I understand you correctly that there may be an interest for the countries where activities are taking place to not be transparent about this detailed information?

3. This sounds like a pragmatic solution but I have some follow-up questions. Would this not also make it easier also for data users to identify where sensitive data is? And do you think members and publishers would be able to agree when information becomes sensitive, when it loses its sensitivity and if the information is only sensitive for certain time periods?   

 

leo stolk
leo stolk

Agree with Max that while this now emerges as a discussion focused on two countries, it is a tension in many other situations. And it becomes more evident when there is change.  Just as an example being associated with SRHR and more specifically right to abortion is risky in so many countries, incl IATI member countries (now, even in Texas). 
1.  For me this balance is not a universal nor static concept, it differs over time and differs by whom you ask. For instance Oxfam uses 'open unless' as guiding principle. Open unless openness and transparency puts people at risk (beneficiaries, partner organization staff and Oxfam staff).   Assessment of these risk should be a continuous dialogue as stakeholder/colleagues in different locations/perspectives often do not share the same assessment. Transparency comes with a responsibility to continuously check this, and above all before publication of an activity.
2. Policies differ because organizations assess effectiveness of strategies and associated risks differently. Often it is the individuals in leadership or the people in charge that define risk appetite. I suspect that it is also defined by aspects of culture, the importance of consensus versus hierarchy, being direct or polite etc. One size policy would probably not fit all. 
3. most important is the update status and frequency of IATI controlled and associated tools. When corrected or removed, a dangerous mistake in a published activity should be processed quickly. And the publisher should know the status of the update process. IATI could provide information and training material about the options a publisher has and hasn't, when information published is not longer deemed appropriate. Also sharing exclusion policies and discuss examples in training material would be valuable.
I'm pretty sure that AI rule sets are being used on open data, for good and not so good purposes, that is a given.  I really wonder if IATI can develop an agreed AI risk rule set, as even IATI members can have opposing views and interests.

Michelle Levesque
Michelle Levesque

I concur with Leo.  Security isn't a static concept and has to be continuously/periodically assessed and I have seen the definition of change depending upon who is in charge of making those assessments.  

I am not convinced that the standard should take on trying to define a rule set to check for sensitive data.  As Leo points out, it can change within a publisher's organization depending who is being asked, so to get all the publishers to agree seems ambitious.  I'm also not so certain it is necessary for IATI to be the arbiter of security/sensitivity.  Leaving this up to each publisher seems sufficient. 

For the record, because IOM did not already have implementing partner information published with our data nor do we have sub-national data in the location element, we did not have a real issue with our data related to AF.  What we did do is eliminate the references within our project descriptions to any sub-national location (city or province) where the projects were taking place and we only did this on our active project.  

David Megginson
David Megginson

My colleagues at UNOCHA's Centre for Humanitarian Data have done a huge amount of work on data responsibility over the past few years, and the IASC (Inter-Agency Standing Committee), which sets standards for the agencies and NGOs who collaborate in the UN humanitarian coordination system, have since adopted much of their work in its official (and detailed) guidance. There is no need to reinvent the wheel — start here.

Melinda Cuzner
Melinda Cuzner Moderator

Great, thank you for your input! leo stolk  , Michelle Levesque  & David Megginson, 

Do I understand you correctly that you do not think IATI should have the role to control or inform publishers of the risk their data might pose, but instead frequently update the data in their tools and encourage publishers to have an exclusion policy? 

What of the data that the IATI team och community finds that is questionable? As good citizens they can give feedback to the publishers, but they have no responsibility to do so? 

And how active and in what forums should IATI raise the issues of information security, exclusion policies and feedback loops? Leo, you had some suggestions when we last spoke. Do you wish to elaborate here? 

 

 

Michelle Levesque
Michelle Levesque

Melinda Cuzner  I think you have it but with one caveat.  I don't think the standard (the XML schema) should attempt to capture risk tolerances as Max laid out or as I understood what Max was saying.  But I do believe the IATI community can be a forum for it to be brought up as was done by the tech team's post when the question about tools refresh came up.  And I do believe the standard and the tools need to be nimble enough to refresh as quickly as technically feasible.  (I've lost track of how frequently each of the publicly available tools refresh. At one point it took a few days for the dashboard to refresh but I don't know if that has changed as I have stopped trying to monitor it.) Feedback loops on data would also be a way to bring it up bilaterally.  

I know we were contacted by a donor who asked us to review our data but that was a message not sent exclusively to us nor through IATI channels. I believewhomever received AF related funding from them got the same message.

I hope that helps clarify my input.

Melinda Cuzner
Melinda Cuzner Moderator

Hello again, seeing that the publishers that have responded here take responsibility for ensuring their data is correct I wanted to open up the discussion of the consequences if not all publishers share this view. They may lack an internal policy on information security or they may not be are not aware that they are responsible to ensure their data is safe. 

 If a large number of IATI publishers do not publish responsibly, could there be consequences for the trust in transparency in general and IATI in particular? That is, can there be reputational damage to the transparency initiative and should IATI act proactively to avoid this?

Melinda Cuzner
Melinda Cuzner Moderator

Dear all,

I thought I would re-energize this discussion with a recap from the VCE2 session on Responsible Transparency. In the session we discussed the balance between making data available to the broader community at the same time protecting sensitive data.

According to a poll taken during the session, 2/3 of the participants find that it is the responsibility of the publisher to protect sensitive data during emergencies or significant changes in circumstances. 1/3 thought the responsibility lays with both publishers and IATI. No participants expressed the opinion that the responsibility lays entirely with IATI.

US Aid described their role in making theirs and other US Agencies’ data open and easily accessible. Each agency is the owner of their own data and they are guided by laws and policies that outlines what data is to be published and what data should be redacted. But they find it would be useful to have guidelines or best practise for handling data in the case of sudden changes of the political context in a country. Following the recent events in Afghanistan they made the detailed data on activities in the country hidden for period of time to allow for the different agencies to review their data against compromising information.

UN OCHA had identified a similar need for guidelines and protocols to help publishers make consistent and well informed decisions on what information to publish or not. Data sensitivity is complex, context specific and seldom binary, so creating these guidelines and protocols are both time consuming and resource heavy. The goal is to have sector wide frameworks to support decisions on how to manage data with the purpose of sharing, balancing the risks against the benefits of publishing data. Guidance can be particularly important for colleagues and partners working in the field.

Currently IATI does not provide any specific guidance on managing sensitive data. Publishers have different laws, policies and guidelines for managing sensitive data. The IATI tools are however updated with greater frequency, from every 24 hours to every 3 or 6 hours, depending on the tool.

Some questions for the community to consider:

  • What role (if any)  does IATI have to make guiding documents easily accessible?
  • What role (if any) does IATI have to flag potentially sensitive data to publishers?
  • What role (if any) does IATI have to temporarily hide data in the case of a sudden onset of emergency situation?

Other things to consider

  • Some publishers do not want their data to be hidden or redacted.
  • Information sensitivity is not limited to data but can be found in titles, descriptions and documents.
  • Not all publishers have the same perspective on sensitivity information as the local implementors.
  • Can the reputation of IATI or open data be at risk if no or not enough precautionary measures are taken?

 

Some community members have already shared their views and opinions but I welcome everybody to contribute and for those who already have contributed, have your opinions changed after discussing the issue further?

Marie Maasbol
Marie Maasbol

Thank you for having this very relevant and useful discussion. This is something that we as well have discussions about internally at DG INTPA, most recently with the actions taken to protect implementing partners in Afghanistan. As mentioned by others in this discussion group, we agree that the concept of security is not static and has to be assessed on a continuous basis.

Question 1:

At the European Commission, the policy on access to data is an open one, but it does include exceptions, such as public security and protection of personal data. Depending on the situation, such exceptions can be implemented at the encoder’s level or can also be invoked retroactively as was the case in Afghanistan.

Our humanitarian assistance colleagues in DG ECHO have received requests by implementing partners to make data visible again in Afghanistan on EU funded projects they are implementing in high security areas. We would be interested to discuss this scenario with other publishers to exchange on what they consider the most responsible response? At the Commission side, we are currently exchanging on this.

Regarding the role of IATI, it is already really useful to have this open community where questions and solutions can be shared. However, it would as well be useful to have more clear guidance on how a publisher can improve on responsible data and perhaps consider launching criteria on what is considered responsible transparency?

Question 2:

In the case of DG INTPA, the decision on what data will be published is based on initial analysis by the operational colleagues working and managing projects on the ground, as they are closest to the project and the security situation in-country. In addition, we have consultations between thematic, geographic and policy colleagues across delegations and headquarters. This was indeed what took place recently with Afghanistan. These processes take place continuously and are adapted to the situations as they change.

As data users in the EU Aid Explorer, our Team Europe data visualisation portal, we decided proactively to apply our own data security policy to all the data published by the EU Member States in IATI as we were using it.

As mentioned above, our policy is to publish all the data available as long as this information does not fall within the exception criteria of our open data policy, such as security risks.

Question 3:

As mentioned above, IATI could provide information and guidance on how a publisher can implement policies that consider responsible transparency and what such activities could entail. This would be useful for publishers to refer to when having to implement responsible transparency both pre and post publication, and to support publishers in their ongoing efforts.  

This would also be useful for publishers that might not have such policies in place yet and could encourage overall improved responsible transparency for IATI publishers.

Melinda Cuzner
Melinda Cuzner Moderator

Key takeaways from IATI Community Discussion on ‘Responsible Transparency’

20 September - 5 November 2021

 

From 20 September to 5 November 2021, in response to demand from the IATI community to address ‘responsible transparency’ in the face of situations of crisis and fragility, the IATI Secretariat hosted an online Community Discussion on IATI Connect. This brief note summarises the main takeaways from community responses to the discussion questions, and sets out proposed next steps.

For additional information, please read the consultation background document ‘Responsible Transparency: Considerations for IATI’ or view the recap of the ‘Balancing Responsible Transparency’ Virtual Community Exchange session.

Question #1:  How can IATI as an initiative support the balance between open / transparent data and the need to protect privacy?

  • Acknowledge that the balance between transparency and privacy / protection is not static, but rather context-specific.
  • Taking these complexities into account, a ‘one-size-fits-all’ approach is not possible. The Standard / IATI itself should not operate as an arbiter, setting out restrictive rules, as the responsibility to protect sensitive data lies primarily with the publishers themselves.
  • However, IATI should provide relevant resources to enable publishing of data that has been considered for sensitivities, including potentially providing an open space for publishers to exchange views on questions and solutions to data sensitivity and providing clear guidance on how to improve responsible data, both from the outset of the publishing journey and once publishing is underway. 
  • IATI could guide publishers on how to find context-specific information and encourage and support publishers to work with risk assessments and decision-making processes on what data should be deemed sensitive, especially when sensitivities cannot always be seen from the outset.

Question #2:  Is the mixed response to crisis situations the result of an explicit policy from within IATI publishers’ own organisations?

  • There is a mixed response from publishers to the takedown of potentially sensitive information for a myriad of reasons, including factors such as risk / strategic assessments by publishers, a reflection of the local ‘appetite for transparency’, etc.
  • In determining what data to redact (if any) as a response to a crisis situation, publishers may be guided by laws, policies, and operational procedures in place.
  • For many publishers, operational colleagues managing the projects will assess and advise on the local situation and help determine what data is suitable for sharing.

Question #3: Building on the above, should IATI provide additional information / guidance to publishers in regard to what types of sensitive information they might consider excluding from their IATI datasets?

  • Currently IATI does not provide guidance to publishers on how to deal with potentially sensitive data (i.e. what facets to consider when publishing, how to regularly check data, etc.).
  • Although IATI should not become an arbiter of what denotes sensitive data, one way forward is to encourage publishers to set regular checks to assess situational changes.
  • In addition, IATI could play a role in providing information and training materials about publishing potentially sensitive data, including sharing exclusion policies or other instances of data removal, updating, etc.  
  • In order to enable responsive and responsible transparency, IATI’s tools, and its data Standard, need to be nimble, and should aim to refresh as quickly as possible.
  • Referencing the above, any next steps should build on existing resources, platforms, and policies guiding data responsibility, e.g. UNOCHA Operational Guidance

Proposed next steps:

  1. The Secretariat will set-up a follow-up exchange opportunity and / or forum where (interested) publishers can discuss their responses to responsible transparency issues, to enable peer learning and knowledge exchange. This could include sharing information on context-specific sensitivity issues; evaluation policies; and / or exclusion policies.
  2. The Secretariat will consider what types of guidance materials should be developed to respond to publishers’ needs when handling potentially sensitive data when preparing for publication and when data is already published.  

For any questions or further comments on this discussion, please reach out to the IATI Secretariat at connect@iatistandard.org.