Editorial

Balancing tech innovation with responsibility

By Matt Simons, Public Sector Director, Thoughtworks and Kim Berke, Lead Product Manager, Thoughtworks.

Posted 7 October 2024 by Christine Horton


What safeguards can be put in place to ensure that public sector organisations use data responsibly?

The public sector is very focused on risk management when it comes to data since a lot of the data it collects and manages is highly sensitive and could cause harm if used inappropriately. There is, however, a fine line between risk mitigation and risk avoidance. Avoiding things because they seem too risky can stop new initiatives and innovations being developed, and multiple redundant layers of governance can smother new ideas and create bottlenecks in the system.

Some of the most effective safeguards which can be put in place are building the right culture and capability across digital, data and technology professionals so they can use data responsibly. Enable them to ask better questions and come up with better solutions, so they don’t run afoul of data governance risks.

There’s a concept in software architecture called ‘paved paths’: the idea is to make it easier to do the right thing. For example, when you pave a path over an open space, most people will default to taking the path. Departments should invest in paving data paths to help unlock responsible innovation. Test data sets provide one such opportunity. By engaging experts in privacy and data security to create and publish a variety of test data sets, departments can be sure the test data their teams need to develop their services is properly anonymised, securely encrypted, valid, useful and safe.

Another example is secret storage. When passwords are saved in an open format, hackers are aware of this and scan public repos to gain access to this data. Creating paved paths around secret storage will ensure that teams won’t fall foul of this risk. Effectively safeguarding data can be done by applying good practices that have worked well in other parts of tech delivery to the data space.

How should we balance the potential benefits of technological innovation against potential risks like privacy violations, security issues, runaway energy consumption, etc.?

There is no easy answer; very few things are unambiguously good. Any change or innovation involves trade-offs between cost and benefit. Teams should approach innovation holistically, so that they are making informed choices. And by thinking a bit more deeply, you’ll often uncover new ideas for how to achieve your outcome without causing unintended harm. For example, it is very common for one service to require information from another service to make a decision, e.g. before offering you a loan a bank will check your identity, credit score, etc. Often, data that is transferred between services is copied across, creating a risk that during transit it can be attacked, and also creating more data to manage, sync and secure. If the user value and social benefit of allowing services to talk to one another is really high, how do you cope with those trade-offs? Tackling this question led our teams to the technological innovation of Anonymesh, a data sharing service that allows you to connect sensitive data sources to answer questions, with privacy and security built in, and is GDPR compliant. This innovation underlies decision making without data sharing. Thinking holistically, and thinking of all of those factors, may uncover technological innovations.

Other areas to focus on are identifying potential threats early, assessing their likelihood and impact and prioritising them. Implement security controls like access control, encryption and multi-factor authentication. Follow secure development practices, including code reviews and security testing. Integrate security throughout the development lifecycle, ensure continuous updates and training, and promote collaboration and communication among developers, security experts and stakeholders.

Technology teams are used to thinking about “non-functional” aspects of their solution like performance, scalability, etc. It’s quite a natural extension to consider ethics and the environment in technology development by assessing potential harms to individuals and perpetuation of biases. Misuse of personal data could breach privacy, while biased algorithms may lead to unfair treatment of certain groups. Additionally, developers should consider the environmental impact of resource consumption during the application’s lifecycle. Prioritising ethical considerations and environmental sustainability ensures equitable treatment and minimises harm to both people and the planet.

How could you cultivate a responsible tech mindset?

You have to make people believe that this is important. They’ll have to learn new tools, techniques and perspectives. People are more likely to change the way they think if they know what the motivation is. Sharing first-hand stories where unintended harm has happened from well-intended people provides the motivation to learn a better way.

Another way is to share your own experiences and discuss them with your teams. For example, let’s say you couldn’t fill out a form because some aspect of your identity was not available in the list of choices or a form field didn’t allow for accents or special characters used in your surname. In the Responsible Tech playbook, you will find tools that can be used to expand your perspective, build empathy, and identify and de-risk unintended consequences. Think about this as a mindset that takes time to develop and is not a checklist of things to do. By continuing to ask questions, learn and explore, you’ll think beyond reaching the intended goals and consider how to mitigate the hidden pitfalls of the solution.

Can you name an example where Thoughtworks has helped an organisation use data responsibly?

Bahmni is an open source hospital information system that Thoughtworks created and has nurtured since 2012, supporting over two million patients in low-resource settings. In 2023 SNOMED International and the Bahmni coalition, led by Thoughtworks, came together to enhance Bahmni’s support for SNOMED CT, a Clinical Terminology dictionary that helps ensure consistency and accuracy in healthcare data for providers. As part of this work, bulk patient data exports are required. With a responsible tech mindset, the Bahmni and Thoughtworks team ensured that the private and sensitive patient data was exported in a responsible manner via anonymisation as a default, while remaining useful for analytics.
