Get in touch
555-555-5555
mymail@mailservice.com
Framing the purpose of a company as beyond making profits for shareholders alone is age-old, but the move to state corporate purpose explicitly is newer. Stating purpose is part of a deeper transformation of a growing number of companies–from being product-driven to becoming purpose-driven.
Data governance is now a well-established domain of knowledge systemizing the rules on how data flows over a data life cycle within organizations. In essence, the DPI approach is all about managing digital data in a safe, effective and principled way for public good. Therefore the governance of DPI is essentially the same as data governance, right? Wrong. The relationship between data governance and governance of DPI can be likened to that between hygiene practices and a hospital. The hospital needs to have hygiene practices in place at a very exacting level to function effectively and safely; but a hospital is much more than its hygiene practices alone. A hospital has to serve patients, manage billing, procure supplies, operate secure buildings–all sorts of functions which are part of operating essential social infrastructure. Governing DPI is similarly complex. It is true that governing DPI will include governing data , and as I have sought to understand the older domain of data governance, I have been struck by some parallels for DPI. Here’s one: just as hygiene practices and protocols have evolved over the decades, so too has data governance. We can only hope that governance of DPI will also evolve from today’s rudimentary understanding. If you read recent books like “Disrupting Data Governance” by Laura Madsen (2019), several more echos emerge: “Data governance is one of the keys to effective data management, yet there’s a lack of shared definition”—I have been on record arguing that it is unnecessary, and maybe even futile, at this early stage to have too precise a definition of DPI, yet some boundaries are needed if DPI is to avoid this same judgment as data governance in twenty years’ time. “Data governance is about trust”—so too, ultimately, is DPI even when citizens are required to use one. “Balancing the forces of protection and promotion (of the use of data) will take some effort, each needs to be well defined and managed to avoid losing focus on their respective needs”—indeed, balancing these forces in the operation of a DPI is a critical function, maybe the critical function, of DPI governance. All those similarities should not conceal one big difference between these two fields: data governance is about the usage of data as a valuable asset within an organization , while DPI is all about supporting flows of valuable data across organizations . This is obvious for payment systems, but even digital ID systems exist to provide forms of secure authentication or verification to relying parties. Optimizing the interoperability of data for public purposes is at the heart of the DPI approach. DPI governance can therefore be framed as a form of ‘meta-data governance’, where the DPIs are themselves stewards of sorts of types of data within digital data ecosystems. That makes the task of DPI governance more challenging, but also potentially more interesting and rewarding. How long will it be before we have textbooks for DPIs with sub-titles like the standard Data Governance text by doyen John Ladley: “How to design, deploy and sustain an effective [data] governance program.” ? I hope we can accelerate the learning cycle with DPI.
There is general agreement that good governance matters for Digital Public Infrastructure (DPI). There is much less agreement at this stage about what governance means in a DPI context. One way to explore building consensus is to explore whether existing widely accepted frameworks could be adapted to the DPI context. Since DPI at its heart is all about exchanging digital data for different purposes–from payment to identification– it seems appropriate to consider the original ‘by design’ framework which was developed for data privacy. This framework was built around the concept of Privacy by design. Since its first use in 1995, privacy commissioners and data protection authorities around the world have recognized privacy by design as an international standard which they intended to promote and incorporate in policy and law. It was originally articulated as seven principles which together signaled an intention to embed privacy considerations proactively throughout the data use cycle. While the privacy by design framework is agnostic about the organization handling the data, the operators of DPIs are types of institutions with a particular purpose which demands specific governance features. The comparison of data to DPI is somewhat akin to that between blood and the heart in the human body–blood, like data, is widely distributed but the heart is the ‘essential infrastructure’ responsible for pumping it. Privacy by design is about protecting the ‘blood chemistry’; governance by design for DPIs is about ensuring that the ‘heart’ functions well, including but not only protecting the unique blood chemistry. So, governance is really the means which connects to ends like this. With that contrast in mind, how well might the principles of privacy by design inform governance by design? The table below maps privacy by design principles in the first column to my suggestions of counterpart principles for governance of DPI in the second column. You will see that the majority of principles (those numbered 1,3,5 and 6) map across pretty easily to governance of DPI. This isn’t surprising, considering a concern for ways of using data is at the heart of both.