Review: OCHA Data Responsibility Guidelines

Last week, OCHA’s Centre for Humanitarian Data released its Working Draft of the OCHA Data Responsibility Guidelines, a landmark document based on internal analysis of UN data protection standards and practices. Written as an internal guide and set of minimum standards for OCHA, the Guidelines offer a template that any organization — especially complex humanitarian response operators — could adopt as their own.

Inclusive design | By generating the Guidelines using field-inclusive and transparent processes, OCHA’s Centre for Humanitarian Data followed its own best policy design practices. Written as an in-progress working draft — i.e. designed for input rather than a closed loop — the Guidelines’ authors also drew on strong prior data protection reviews. ‘Mapping and Comparing Responsible Data Practices,’ produced in 2016 by the Centre for Innovation at Leiden University and NYU’s GovLab, provided a clear roadmap that the Centre for Humanitarian Data could build upon today. Such an inclusive model is essential for a field that tends to drag behind the speed of data responsibility innovation while insisting that emergency requirements outstrip current capacity. For those struggling to bring their organizations in line with future-oriented protection concerns (e.g. use of biometrics, AI, and predictive modeling), the Guidelines offer at least one set of standards to benchmark their efforts against.

Adaptation required | The Guidelines don’t offer a universal standard set — and this could be a good thing. Organizations that adopt this model should consider the ways in which OCHA’s structure, operations, and workflows influence its needs and impact the overall design. A universal minimum standard set might, at best, offer only a process by which organizations should generate their internal policies.* The Guidelines’ authors show us what an end product could look like, giving the sector a chance to watch their principles in action.

Management made elegant | Data management policies and practices rarely evoke interest beyond the nerdiest among us, cuddled up to our spreadsheets. But any senior-level decision maker can understand the flow of information between the stages these Guidelines set out:

OCHA’s Data Responsibility Guidelines outline the data lifecycle with key actions, outputs, and processes. Source:

This kind of practical elegance is essential to any organization’s ultimate success. From budget and personnel requirements to infrastructure needs and training gaps, managers at every level must be invested in their part of the overall chain. An organization’s best specialists may not always hold management responsibilities, and no single specialist can protect an entire complex organization. The Guidelines should inspire teams throughout OCHA to identify and invest in their part of the greater chain of responsibility, elevating these tasks from frustrating chores to opportunities to excel in OCHA’s mission.

Room for debate | Where the Guidelines introduce room for debate — also known as ‘passionate disagreement and Twitter flame wars’ — is in their Recommended Tools. From project management platforms to different cloud-based storage systems, the humanitarian sector already uses a range of competing tools, apps, platforms and technical minimum specifications. The Signal team suggests that, for now, practitioners focus on a core set of security practices regardless of tool choice:

· Secure password creation and management

· Two-factor authentication

· Minimization, i.e. “don’t collect what you don’t need”

For a platform to be considered viable for the humanitarian practitioner, two-factor authentication (2FA) should be a minimum requirement — and it cannot utilize SMS, which has proven vulnerable to attack. (Recent reports show that Facebook uses phone numbers obtained for 2FA in ways that make users even more vulnerable.) Secure password management is somewhat more complex to implement, but with strong onboarding practices and dedicated audits, it is achievable at an affordable scale for OCHA and small organizations alike. As for data minimization, the Guidelines aptly incorporate this principle into their guidance.

The Data Sensitivity Classification table outlines what degree of security is required for different components of an organization’s information assets and practices. Source:

Missing a theory of harm | It’s easy to dismiss anything starting with “theory” as overly academic — but in this case, it’s essential to defining how change will happen by using these Guidelines. The Guidelines illustrate how to classify data and information along increasing levels of potential harm (see table above). However, they fail to define how that potential is determined. Who decides what is likely to produce a negative impact? Who evaluates errors along the way? What redress is available if people have been harmed? If OCHA requires the same field-forward, inclusive methods for forecasting harm that it used to design the Guidelines, it will likely succeed — but not every organization challenges its own assumptions or questions the potential for design bias.

Overall, the Guidelines offer a much-needed practical application of humanitarian principles to a specific, complex organization. It doesn’t hurt that OCHA sits at the heart of UN data coordination, helping train and reinforce these standards among others while it implements them internally. Any organization would be wise to assess how well it practices data responsibility based on this model — and flag the needs, challenges, and debates that come up in the process.

*Disclosure: The Signal Program plans to continue its Signal Code: A Human Rights Approach to Information During Crisis with a series of minimum technical standards to guide humanitarian practitioners in the field. The scope and design of that guidance are still in development.
