As part of our work with the Good Data Collaborative and others, a recurring conversation we have at CDT is how to help public interest organizations and nonprofit entities understand and address privacy and security issues. This can be a heavy ask. Nonprofit entities regularly must make tough calls on how to use limited resources, and it can be easy to view dollars spent on privacy training and technological solutions as money diverted from service delivery or an organization’s core purpose. Not every organization has staff that agonize over what VPN to use, even as nonprofits are as susceptible to the data risks, threats, and pitfalls that for-profit companies routinely trip over.
There is no shortage of guidance available, but it’s not certain whether nonprofits have the incentive to make privacy or data security a top priority. While funders have begun to take note of the seriousness of losing sensitive data due to accidents or aggressive hackers, the average nonprofit entity faces “chronic capacity limits with information technology.” Their donors and grantmakers can play an important role in improving privacy practices and considerations of larger ethical issues raised by data collection and use, but for-profit businesses might also lend a hand.
There is no question that public interest entities can benefit greatly through partnerships with industry. A recent report from the Governance Lab at the NYU Tandon School of Engineering calls for the creation of “data collaboratives,” envisioned as a new form of public-private partnership where information can be shared responsibly in order to give it public value. The report largely focuses on exchanges between large humanitarian organizations and big social media giants, highlighting case studies involving public welfare campaigns using Twitter data, disaster predictions via Flickr photo tags, and disaster response efforts aided by Facebook. GovLab sorts these examples into general categories like situation awareness, knowledge creation, public service design and delivery, forecasting, and impact assessment. The report then highlights some of the serious privacy concerns posed by data sharing of this sort, and importantly, what might be done to mitigate the impact of bigger data breaches, biased and inaccurate data, and the erosion of existing privacy protections that come with increased sharing of sensitive information.
Companies have both carrots and sticks with which to cajole and encourage nonprofit entities to act. Building on this report and other discussions, we might recommend any public-private partnership include the following:
Companies can share much-needed expertise in data governance. While CDT may quibble with various companies’ approaches to privacy or data security, industry typically has dedicated staff expertise. As GovLab’s report acknowledges, any sort of corporate “data philanthropy” should also include sharing with nonprofits expertise in data management, including training initiatives and educational programs. Importantly, this also includes the development of affordable, user-friendly tools.
Companies can serve an important gatekeeper function. While this places significant responsibility onto individual businesses, companies can also incentivize better behavior by requiring sound data governance standards from the public interest organizations with which they engage. The degree of formality that exists in the relationships between nonprofit entities and corporate partners varies wildly; this is especially true when it comes to how public interest organizations might gain access to information held in corporate coffers. While Twitter has a famously open “firehose” of data accessible to researchers, other tech companies that are working more with nonprofits to share data or otherwise collaborate do so via relationships with only a few, trusted partners. It’s not always clear what the standards for collaboration are, or which nonprofit entities are worthy. In the case of social media companies, GovLab calls for the creation of public-facing data stewards that would establish due process to respond to interested civil society participants and to evaluate data requests and demands in the public interest. This sort of gatekeeper, however, could also put out public guidance for when and where companies might work with nonprofit entities; this could be useful in encouraging these organizations to establish some minimum privacy or security baselines in the long run.
Privacy and security must become an established part of public interest risk assessment. GovLab notes ongoing efforts by the Red Cross, the United Nations, and others such as Oxfam to create responsible data frameworks. For these frameworks to be broadly successful, however, GovLab suggests that they will have to incorporate meaningful risk assessments by data-hungry organizations. Assessing risks, whether privacy, ethical, or otherwise, is needed throughout the data lifecycle, and we were pleased to see GovLab further recommend resources such as CDT’s Digital Decision Tool to help developers and engineers incorporate responsible data principles into their algorithms.
Moving forward, the GovLab report calls for directing more energy toward developing collaborative networks and platforms, but doing so may ultimately require companies interested in cultivating relationships with nonprofits to get on the same page. Privacy, security, and using data responsibly are challenges for entities like nonprofits that have limited resources, and an industry-provided baseline and tools to help nonprofits with data management could prove invaluable.