Data at the Speed of Trust: Areas of Risk and Responsibility December 12, 2016

No Simple Rules to Follow CURRENT LANDSCAPE Technology Changes 1 No Simple Rules to Follow 2 Culture change around data and digital development 3 Real and perceived privacy & security risks 4 Unfortunately, there are no simple rules to follow that allows the foreign assistance community to adequately or easily address all aspects of responsible data; tradeoffs are usually required and will need to be periodically reassessed based on emerging contexts. The need for guidance is becoming increasingly felt across the foreign assistance community. Responsible data practices align with US Government, USAID and Global Development Labs values and vision. From directions from the White House and Congress promoting open data as a method of transparency and accountability, the instructions in FATAA and CLA initiatives in using data for improved performance and impact, as well as the strong do no harm ethical underpinnings of USAID, this project is needed to translate policy into practice across the Agency and implementing partner community. Ideally, it will be infused into how the Agency does business, and can be shared across the USG foreign assistance community. Cultural change across USAID and its IPs, where effective and safe data management and usage practices are infused throughout its work, is just beginning. This stage is the right time for responsible data practices as there are already real world examples of the challenges and the opportunities offered by such guidelines. The team has identified the following as specific challenges facing USAID due to a lack of consistent definitions and practices around responsible data. Technology change across the globe is creating new and emerging data situations. The increasing digitization of once paper-based processes opens up opportunities for improved data analysis and transparency, as well as increased risk of manipulation or privacy breach. The creation and assertion of a digital identity is also increasingly important to be a full citizen of a global economy; more programs are experimenting with identification tools such as biometrics to track participants across time. These technologies continue to spread and being used in unanticipated ways. Privacy risks, both real and perceived, present a real and current challenge to efficient use of data and data sharing in development programs. Without explicitly addressing privacy and security of the vulnerable populations USAID serves, the appropriate collection, storage, and use of data will be hindered in a desire to do no harm. USAID staff and IPs report practices which are ad hoc, highly variable, and not standardized across the industry. Different sectors have different levels of experience, expectations, and standard practices ranging from highly experienced to none at all. Some existing standards, such as the use of IRBs or informed consent, do not always cleanly apply for digital technologies such as social media or SMS, or cannot respond quickly in emergency situations. In addition, different countries in which USAID works have different legal landscapes related to data collected, stored, and used on their citizens, ranging from minimal to highly complex. In many countries, the legal system is only now creating laws, regulations, and legal infrastructures to address data on their citizens. IPs, especially local firms, are struggling to understand and follow unclear and in some cases, contradictory laws on data, while they also try to become more data driven in their decision-making. Currently, USAID offers limited guidance on policies, processes and practices for addressing these three goals, especially privacy protection in data collection and use in digital development programs, since existing USAID and USG legal policies apply only to a fraction of data collected by USAID and IPs and contain some contradictions. For example, the Privacy Policy only applies to US citizens and legal residence on US soil, but DDL policies address all data related to an intellectual work. DATA Act, FATAA, HR 5537 Section 6.3 or future version Current practices are ad hoc, highly variable, and not standardized 5 Different and evolving legal landscapes 6 Limited relevant practical guidance from donors 7

THE DATA LIFECYCLE Better data for decision making and accountability Integrate outside data sets Data quality expectations Data structured to standards Reusing data for new purposes

THE DATA LIFECYCLE RISKS Unintended usage Missing data Poor and uneven quality PII Different structures Too aggregated (hard to reuse) Redactions not tracked Analysis process not tracked (data used, not used, weighted)

Organization policies Host country LEGAL LANDSCAPE US Government Open Data, DATA Act, FATAA, Privacy Act USAID ADS guidelines, Research guidelines (IRB) Organization policies Host country Data protection Copyright/IP EU Data protection

USAID Global Development Lab FOLLOW UP Information USAID Global Development Lab mSTAR (FHI360) Sonjara, Inc. Subhashini Chandrasekharan, Project Lead Ana Maria Cuenca, Project Manager Siobhan Green, Project Lead schandrasekharan@allnativegroup.com ACuenca@fhi360.org sio@sonjara.com 919-931-4184 202-884-8498 571 297-6383 ext 101