This is the second in a series of posts that will cover the various design elements that underpin robust, participatory data governance models. Last week we considered the basics of data governance, we discussed how a good data governance system is more about governance than data, as well as the limits to what good governance can solve. This week we’ll explore some of the core components of a governance system.
As the title suggest, this post will be all about governance and to get us all on the same page, let's start with a definition. There are many definitions of governance, but this is what I mean when I use the word:
Governance encompasses the structures and processes that describe how decisions are made within an organisation and by who, as well as the body of rules and norms that guide actions within an organisation and the enforcement of those rules
In simpler terms, governance is the answer to the question: who decides what and how, and how are those decisions enforced? Of course, the answer to these questions will vary widely depending on context, objectives of the organisation as well as personal preferences. So what does good look like?
Fortunately, we do not need to invent this particular wheel ourselves. In fact, we have a large body of research to draw from and to help us identify some of the core components of good governance design. Here, I specifically consider the design principles for the commons defined by Elinor Ostrom. Ostrom, a Nobel-prize winning economist, spent most of her professional life studying the dynamics of Common Pool Resource management systems, colloquially referred to as the commons. These are bottom-up governance systems in which groups of people come together to collectively steward a shared resource. From her many case studies, Ostrom identified eight principles that need to be in place for a commons to thrive. While we here discuss governance more broadly, the various components identified below are inspired by Ostrom’s principles.
Defining the boundaries
A great governance system is a bounded one. Boundaries, in the context of governance, refer to the demarcation lines around the resource that is being governed (e.g. data) as well as those between the organisation and its many members and stakeholders and the rest of the world. To understand what the boundaries of your governance system are or should be, start by answering the following key questions:
WHY are we doing this?
Many books have been dedicated to the importance of this question and I will not rehash them here, except to say that a clearly defined purpose informs your actions down the road and allows you to make hard trade-offs when the time comes. This is especially true for data governance related questions. Your purpose informs what data needs to be collected and communicates to your stakeholders what it might be used for. A good purpose is one that can be observed and allows others to hold you accountable. For instance: ‘improving human wellbeing’ is too vague, whereas ‘improving cardiovascular health of adults in the United States’ is both clear and can be measured.
WHAT are we doing and HOW are we doing this?
Many problems can be solved in a multitude of ways, understanding your approach helps you identify what governance questions you need to answer down the road. For instance, let’s say you are looking to improve the cardiovascular health of adults in the United States. You could do so by creating an online platform where patients can share their health data with researchers, in which case you’ll likely have to tackle questions around individual privacy concerns and secure storage. Alternatively, if your approach centers on making academic research on cardiovascular health more widely available, your data governance questions would be far more focused on data licensing.
WHO are we doing this with, or for?
These could be specific individuals, groups of people or personas you have identified as being either directly involved in your organisation, or affected by your activities. When it comes to data related endeavours this group can get quite large and some stakeholders might be hard to identify. Here again, a clear purpose and scope will help you better identify specific stakeholders.
Specific questions that may help you at least get closer to a full set: Who might benefit from our endeavour? Who might be impacted by us doing this in this way? Are there individuals or groups that are actively excluded from participating in this? Who will help us build this? Who will finance these activities?
Finally, the boundaries around your organisation and around the resources themselves will likely change over time. External conditions change, as do internal cultures and informal norms. Answering these whats, whys and hows is therefore not a one time event but an ongoing process.
Deciding who decides and how
Decision-making sits at the core of any governance model. It’s also where power dynamics are most visible. Who decides and how decisions are made determines which voices sound loudest and which ones are inaudible, which interests are prioritized and which ones are ignored. As a principle, Elinor Ostrom’s work tells us that ‘those affected by the rules should have a say in bringing them about’. That still leaves a lot of room for specifics.
The answer could range from one appointed steward making all the decisions, to all the stakeholders deciding together, all the way to leaving decisions with those who do the work of implementing them. Importantly, we should also ask: who decides who decides?
HOW are decisions made?
Of course, the question of who decides does not yet answer how decisions are made. Do you opt for full consensus? Or is it enough for your stakeholders to consent to a decision?
WHAT is decided on?
You do not have to settle for just one model either. Whenever a decision needs to be made, you may ask yourselves: how are we going to make this decision? Who should be in the room? Those choices will be informed by the specifics of what you are deciding on.
WHEN are decisions made?
Is there a timeframe within which specific decisions need to be made? Or specific meetings or other moments in which folks can expect to decide on things? Do you have all the information you and they need by that time?
You will quickly find that not every decision needs to be made in the same way and you’ll likely implement different processes for different types of decisions. For instance a decision that can be easily reversed or has limited impact on the organisation might not require the same level of agreement as one that would define your core activities. Some of the elements that will help you decide what decision-making models to opt for include whether a decision is reversible, whether you have a high amount of trust within your organisation, existing power dynamics, the number of stakeholders and their preferred mode of participation (e.g. do they meet online, or do they prefer meetings in person), the impact of the decision on the stakeholders and the organisation as a whole and, finally, how easy it is to opt out of being subjected to a rule or governance system.
In my next blog post I will discuss these dynamics in greater detail and explore specific decision-making models and mechanisms.
Setting (fair) rules
Rules define what actions are permissible or encouraged within your organisation and how the resources under your governance are to be accessed and used. Ideally, the rules you create within your organisation are shared agreements that are widely held, are deemed fair by the stakeholders in your organisation and easy to look up. In addition, when the rules you create hand specific responsibilities to specific actors, those actors should both agree to take that responsibility and be aware of what that entails.
Before we move on, a quick word on what it might mean for rules to be fair. Any answer to this question is bound to be subjective, but there are two main areas where questions of fairness are generally most pronounced:
- Fair use: the rules governing the use of the resource (e.g. data) aim to prevent harm and unwanted exploitation
- Fair outcomes: over time, the rules put in place ensure that your contribution to the organisation and its resources match the benefits one derives from their participation.
To ensure rules are upheld and the trust in your governance system is maintained you need to monitor compliance to the rules you set and ensure information about compliance is shared with your different stakeholders and/or members of your organisation. How compliance is monitored and by who matters as well. In principle, we would want those affected by the compliance to rules to have a role (whether actively or passively) in monitoring such compliance. This way we better align incentives of auditors and the stakeholders of a governance system.
Fair accountability mechanisms
Without enforcement your rules will quickly become meaningless. Fair accountability mechanisms impose sanctions on those who violate the rules you agreed on, while simultaneously ensuring that the punishment fits the crime. For instance, first time offenders are perhaps merely made aware of the offensive act, while repeat offenders may be banned from your organisation. You may have different sanctions for those who intentionally violated a rule and those who did so accidentally. Finally, to ensure wrongdoers can learn from their mistakes you may want to have processes in place that allow those who broke the rules to earn back the trust of the community.
Dispute resolution mechanisms
In any organisation or governance system, conflict is inevitable. These could be conflicts about the rules themselves, about the enforcement of the rules, or they could arise in areas where no appropriate rules are set. How you choose to handle conflict helps determine the overall health of your organisation. What dispute resolution mechanisms are in place to handle conflict within the data governance arrangement, as well as between the organisation and external parties? When is conflict resolved internally and when is a dispute delegated to an external party (e.g. court of law)? Generally, dispute resolution mechanisms need to be inexpensive and easily accessible by your stakeholders.
Setting, monitoring and enforcing rules
Governance involves setting rules, monitoring compliance to the rules, holding rule breakers accountable and handling disputes. As portrayed in figure 1 below, I envision this as a circular process. The rules you set determine what you will monitor and how, which will give you the information you need to hold stakeholders accountable for their actions. Finally, you need a way to safely and effectively handle conflicts within your organisation. The dotted arrow between dispute resolution and rule setting indicates a common reality wherein disputes themselves indicate the need to establish additional rules or refine existing ones.
No human is an island and, similarly, no organisation exists in a vacuum. We are all nested in larger ecosystems. As such, awareness of the dynamics of those ecosystems and the rules that exist within them is vital for the success of your organisation. As such, your legal, economic and cultural environment acts as a second container (figure 3) that will influence and guide your own actions and decisions. Two critical questions should be addressed:
Do we have the legal right to do this?
Not all organisational forms are legal and neither are all uses of data. If you plan to cover multiple jurisdictions the legal questions tend to get more complex and you may find yourself having to change your governance model to accommodate different legal realities. I personally find it helpful to first decide what you want to do and then figure out how to make it legal.
How do we relate to and interoperate with other organisations?
The data you govern may be retrieved from many different platforms, or your own data platforms may interoperate with third party services. This alone creates numerous interdependencies and may imply a need to coordinate with various other communities to establish shared rules. In addition, you may also rely on certain third party tools and platforms for the storage and processing of your data. Changes to those tools and infrastructure may influence your range of motion. Understanding these interdependencies and how they influence your governance system - that is your ability to make your own decisions and set your own rules - is crucial.
You now have a rough sense of the various elements involved in a governance system and how they relate to one another. In future blog posts I’ll dive deeper into each of them, explore what good looks like and how all of these governance components apply to the governance of data specifically. But before all that, our next installment will address the data in data governance, have a look at the data lifecycle and examine the specific questions and challenges the governance of data sets and databases gives rise to.
In the meantime, if you are struggling with these issues and want help, we’re here. We offer a workshop to help you get started with data governance! Want to know more, let us know you’re interested by filling out this short form!