2.1. Global coordination to prevent harmful fragmentation

As the world becomes increasingly interconnected, it is ever more urgent to build systems of cooperation that allow multiple and diverse actors to collaborate and make use of a dedicated framework for sharing information, expertise, and experience. It could seem particularly crucial to develop a standardized approach to data in certain sectors or at certain moments, such as in times of humanitarian crisis, as this will ultimately enable more coordination and prevent potentially harmful fragmentation. Given the multiple and complex interactions between regulations and asymmetries at local, national, and international levels, fragmentation may have profound implications on individuals and businesses, both intended and unintended, for virtually all aspects of our daily lives (Fay, Reference Fay2022).

Further, the absence of a systematic global approach to data governance may create inequitable consequences for low- and middle-income countries as it would be harder for them to participate in the global digital economy and develop their own frameworks responsibly (Pisa and Nwankwo, Reference Pisa and Nwankwo2021). Even more ambitious approaches argue that a “new Bretton Woods-style agreement” is necessary to redefine the global governance model in a digital and hyper-globalized world (Medhora and Owen, Reference Medhora and Owen2020). By enhancing cooperation and shared standards and principles, global data governance might allow nations and organizations to collectively take advantage of the potential data harbors to face common challenges and respond to collective needs.

2.2. Advancing global principles and values

A global data governance framework would enable international cooperation and coordination to promote globally shared principles and values, such as human rights, and to further anchoring frameworks such as the Universal Declaration of Human Rights or the SDGs. In fact, data are playing an increasingly important role in the humanitarian field. From the United Nations to private non-governmental organizations (NGOs), organizations across the world are starting to adopt data on ever larger scales to enable more agile, efficient and evidence-based decision-making to promote human rights and other global values.

For example, the World Economic Forum (WEF) has proposed a new data governance model called Authorized Public Purpose Access (APPA), defined as “a model for realizing value by permitting access to data for specific, agreed public purposes (…) through processes that do not rely exclusively on explicit, individual consent as a means of protecting human rights” (World Economic Forum (WEF), 2021). The ultimate goal is guaranteeing individual human rights regarding data use, not limited to privacy rights. Also, as part of the 2030 Agenda, the UN reaffirmed its commitment to international law and emphasized that all efforts shall be implemented in a manner that is consistent with human rights (United Nations High Commissioner for Human Rights, 2018). Given the international and often borderless nature of these objectives, and considering the key role data has in achieving them, a global data governance framework is essential.

2.3. Using data as a common resource to advance global public goods

Increasingly, data are a resource for supporting global public goods. It is crucial that no single entity has sovereignty over data and that these collective public goods are managed responsibly, in a manner that secures and preserves them for all of humankind. Lately, there has been a debate on treating data as “commons” when the economic characteristics of data define it as an intangible non-rival asset, which may suggest an opposite definition. However, it is a practical approach when considering data governance and regulation.

Ostrom’s principles (Ostrom, Reference Ostrom2012) for managing shared resources (commons) offer insightful guidelines to reach an agreement about rules for accessing data when some individuals may need to sacrifice personal benefit for the greater common good (Coyle et al., Reference Coyle, Diepeveen, Wdowin, Kay and Tennison2020). The principles help understand the asymmetries of information and incomplete agreements that characterize the data economy and provide innovative ways to govern shared resources. For example, defining the rights of different entities to control, access, use and share data, and establishing monitoring and auditing mechanisms for data use and sharing (Coyle et al., Reference Coyle, Diepeveen, Wdowin, Kay and Tennison2020) might help to address the governance challenge of preventing misuse of sensitive data while fostering the reuse of data to create social value and potential “knowledge spillovers” (Coyle, Reference Coyle2020; Aaronson, Reference Aaronson2022).

3.1. Sampling strategy

In conducting this research, more than 100 data governance documents were identified, of which 58 were curated and surveyed in detail, across 37 organizations (non-governmental, intergovernmental, and independent), 8 national or local government entities, and 4 regional bodies. Appendix A of the Supplementary Material includes the full list of the frameworks analyzed in depth, while the Template of Analysis in Section 3.3 provides a detailed assessment strategy of the frameworks considered. In addition, Appendix B includes the link to the public repository of cases.

This article was first initiated as a report to inform the United Nations High-Level Committee on Programmes (HLCP) and has subsequently evolved to provide insights to other intergovernmental and governmental institutions, NGOs, academic and research institutions, and other stakeholders that aim to use and govern data.

The sampling strategy took into account the following considerations:

Timeframe: To ensure relevance and validity, this research focused on frameworks created within the last 10 years (2013–2022; Figure 1).

Figure 1. Number of publications per year.

Variety of frameworks: This research aims to represent the variety and heterogeneity of existing data governance frameworks and approaches, and thus includes a wide range of examples and formats, encompassing principles, guidelines, and regulatory frameworks and standards (Figure 2).

Figure 2. Types of frameworks.

Types of organizations: The research prioritized public sector efforts over private-sector-oriented ones, cognizant of how the public sector plays a critical role in setting policies and regulations for data governance. While private sector efforts are also important in this regard, to maintain the scope of the research manageable, they were not the primary focus of this research. Thus, the sample prioritizes governmental and intergovernmental institutions, NGOs, academic and research institutions, and international independent (sectoral) coalitions (Figure 3).

Figure 3. Type of organization.

Geographical scope: When considering the geographical scope, this research aims to cover various levels of jurisdictions, including global, regional, and national frameworks. Although diversity and comprehensive representation across regions was sought, a stocktaking of various data governance frameworks and practices from the Global South is still largely missing. On the one hand, that is due to a lack of a clear and widely spread understanding of the frontier of data governance best practices. This might limit some governments from finding a suitable reference when building and prioritizing their own (Chen, Reference Chen2021). On the other hand, sometimes legal and regulatory frameworks for data are inadequate in lower-income countries, which too often face substantial gaps in safeguards and shortages of infrastructure. Indeed, as the World Development Report 2021 by the World Bank notes, “less than 20 percent of low- and middle-income countries have modern data infrastructure […]. Even where nascent data systems and governance frameworks exist, a lack of institutions with the requisite administrative capacity, decision-making autonomy, and financial resources holds back their effective implementation and enforcement” (World Bank, 2021, 13) (Figure 4).

Figure 4. Geographical scope.

Sectoral diversity: As mentioned previously, this research was initially conducted to inform the UN HLCP Group, which is primarily focused on issues related to the UN’s programs and strategies for sustainable development. Given the group’s focus on humanitarian and development issues, the research prioritized frameworks and policies that were most relevant to those areas (Figure 5).

Figure 5. Sectoral diversity.

3.2. U.N. agencies sub-sample

Given the initial intent to inform U.N. decisions on global data governance, it is worth declaring the weight the UN-system agencies represent in the sample. Of the frameworks analyzed, 26 correspond to UN-system data governance frameworks. Twenty-five of those have a global scope except for the Pan American Health Organization’s (PAHO) National Data Governance Framework, since PAHO serves as the Regional Office for the Americas of the World Health Organization. Of the U.N. agencies sub-sample, 69% are conceptual frameworks or guidelines, of which 42% are in the humanitarian sector (Figure 6).

Figure 6. Types and sectors of UN-system data governance frameworks.

3.3. Analytical framework

Once the empirical sample was assembled, the frameworks were analyzed through a conceptual prism consisting of the following “Template of Analysis.”

3.4. Limitations

Despite the comprehensive nature of this research, there are several limitations to consider.

Firstly, for feasibility, the study focused on data governance frameworks created within the last 10 years (2013–2022), potentially missing out on valuable insights from earlier frameworks that could inform current practices. However, the research team considers that analyzing recent frameworks would offer the most pertinent and current insights on data governance practices. While the exclusion of older frameworks may omit some valuable insights, this limitation is deemed acceptable given the study’s goal to provide current and relevant information.

Secondly, while the research aims to provide a comprehensive representation of data governance frameworks, the geographical scope is limited in terms of representation from the Global South. This may impact the generalizability of the findings, particularly for low- and middle-income countries.

Thirdly, the research prioritized public sector efforts over private-sector-oriented ones, cognizant of how the public sector plays a critical role in setting policies and regulations for data governance. However, the importance of the private sector in this area cannot be overlooked, and further research may be necessary to fully understand data governance in the private sector context.

Finally, the research was initially conducted to inform the UN HLCP Group, which is primarily focused on issues related to the UN’s programs and strategies for sustainable development. While the sample includes a wide range of frameworks and approaches, encompassing principles, guidelines, and regulatory frameworks and standards, the prioritization of frameworks and policies relevant to humanitarian and development issues may limit the applicability of the findings to other sectors.

In conclusion, the study remains relevant to a wide range of stakeholders interested in data governance. Indeed, while the study’s focus and limited scope may restrict the generalizability of the findings, the research team implemented a systematic and rigorous approach to provide valuable insights into contemporary practices and challenges in data governance. As such, the study’s outcomes can inform and guide future research and policy-making endeavors in this critical field, demonstrating its significance and usefulness to various audiences.

4.1. Purpose

All of the reviewed data governance frameworks include an explanation of the overall purpose of the document. From the sample, there is great variety in the scope of the purposes identified by the different frameworks. This research identified two types of purposes: those that refer to specific cases and sectors where data are used, and those that aim to improve data governance in general. Often, the latter are pursued by national or local governments seeking to achieve responsible use and reuse of data.

As for the former, for instance, the International Committee of the Red Cross (ICRC)’s “Handbook on Data Protection in Humanitarian Action” seeks to raise awareness and assist humanitarian organizations in ensuring that they comply with existing personal data protection standards in carrying out humanitarian activities specifically. As for the latter, on the other hand, the Personal Information Charter developed by the Foreign, Commonwealth & Development Office (FCDO) in the United Kingdom has very data-focused objectives that do not refer to one specific field (e.g., the humanitarian sector). Indeed, the charter provides the standards people can expect from the FCDO when they ask for, or hold, people’s personal information.

Overall, an overarching purpose this research identified across all frameworks, regardless of their scope, is to balance the tension between the importance of protection against unauthorized collection and potential misuse of data versus the wider promotion of data for advancing various public interest goals. In fact, the frameworks identified often stemmed from the dual realization that data are indeed very valuable and potentially beneficial for public purposes, on the one hand, and that at the same time it poses a series of challenges and risks across its life cycle. Indeed, the promotion of data has the potential of bringing about a series of public benefits, spanning from more efficient mobility (Lau, Reference Lau2020) to personalized healthcare (Morgan, Reference Morgan2021), from improved waste management (Abdallah et al., Reference Abdallah, Talib, Feroz, Nasir, Abdalla and Mahfood2020) to more accessible education (Marchant, Reference Marchant2021). However, the misuse of data can result in potential issues including social exclusions (O’Neil, Reference O’Neil2016) and injustices (Couldry and Mejias, Reference Couldry and Mejias2019), wasted time and resources (Redman, Reference Redman2016), as well as privacy (Cohen, Reference Cohen2012) and legal concerns (Rodrigues, Reference Rodrigues2020).

As a result, many governance frameworks seek to develop a variety of approaches aimed to leverage the new opportunities data presents, while avoiding the risks of its misuse. This appears to be a balancing act that is necessary but difficult to accomplish. Indeed, these efforts can result as being fragmented and difficult to operationalize.

One way to tackle such fragmentation is through data stewardship, which The GovLab defines as “policies, functions and competencies to enable access to and reuse of data for public benefit in a systematic, sustainable, and responsible way” (Verhulst, Reference Verhulst2021a). Similarly, the Ada Lovelace Institute defines it as “responsible use, collection and management of data in a participatory and rights-preserving way” (Ada Lovelace Institute, 2021). The concept of stewardship has been used by Nobel Prize-winning economist Elinor Ostrom to describe the governance of common resources (Ostrom, Reference Ostrom2012). When considering data as a common good, Ostrom’s design principles and conceptualization of stewardship can be a useful tool to find a balance between data protection and data promotion. Data stewards can play a crucial role in steering the process of using data and the insights it can generate by deciding who has access to data, for what purposes and to whose benefit (Open Data Institute, 2022), ultimately addressing society’s biggest questions and challenges in a systematic and responsible way (The GovLab, 2018).

4.2. Principles

4.2.2. Most used principles

This research identified the following three findings with regards to principles for data governance used in the frameworks examined in the sample: (a) lack of clarity and harmonization of meanings, (b) different meanings in different countries, and (c) association with Fair Information Practice Principles (Federal Privacy Council, n.d.) (Figure 7).

Figure 7. Most used principles.

As for the former, this research identified a lack of clarity and harmonization of meanings among the principles analyzed. A large number of the frameworks include similar principles, but use different nomenclature (thus increasing the challenges of cross-framework comparison and analysis). For instance, the principle of “equity” is absent in many frameworks, but it seems to be implied under the principles of “fairness” or “nondiscrimination.”

Moreover, a large number of frameworks do not separate principles, but group them together. Examples of principles often mentioned together are “necessity and proportionality” and “legitimate and fair processing.”

As for the second, this research found that principles can have different meanings in different countries. The difference in nomenclatures—and substantive definitions of similar concepts—is especially noteworthy across countries and geographic regions. For instance, “privacy” is defined and applied differently in different countries. How can that difference be reconciled under a global data governance framework?

Finally, many of the most used principles are associated with the Fair Information Practice Principles. Among those, this research found: confidentiality and security, purpose specification, transparency, accountability, data and information accessibility, data quality, proportionality, and participation.

4.2.3. Processes, governance, and handling principles

This research identified different categories of principles that sought to inform and steer different aspects of the data governance life cycle that is processes, decisions, and data handling (albeit there is overlap): Principles for processes include principles whose aim is to shape the processes followed to arrive at certain governance decisions. Principles for decisions include those principles that aim to shape the governance decisions themselves. Principles for data handling aim to influence the way that data are processed and handled (Figure 8).

Figure 8. Categories of principles.

4.3. Anchoring

Overall, 63% of the frameworks analyzed mention anchoring documents that they built on and referred to as a point of reference. Of those, 59% built on international human rights norms and principles. This means that only 39% of the analyzed approaches explicitly mention universal human rights frameworks. This research observed that anchor documents are mainly referred to as starting points instead of binding documents to comply with. In this sense, none of the analyzed frameworks mention roles or groups responsible for overseeing compliance with said anchor document. However, there is a relevant caveat in this context since many actors that authored the analyzed frameworks are international and supranational organizations that might possess specific privileges and autonomy to act and decide (Reinisch, Reference Reinisch2009) and, therefore, have freedom in compliance with potential anchor documents.

Overall, the analysis identified three main types of frameworks in relation to anchor documents:

First, there are the frameworks that refer to international data and/or human rights protection standards as anchoring documents. An example of a framework that refers to international data protection standards is the “Data Strategy of the UN Secretary-General for Action by Everyone, Everywhere with Insight, Impact and Integrity,” which emphasizes respect for human rights as well as international standards, such as the “UN Personal Data Protection and Privacy Principles” (United Nations, 2020, 60). Another example is the “Signal Program on Human Security and Technology” at the Harvard Humanitarian Initiative, which builds on rights identified in the Universal Declaration of Human Rights (UDHR), the International Covenants on Civil and Political Rights (ICCPR), and other instruments of humanitarian law rights that apply to all people “regardless of the use of any specific technology” (Harvard Humanitarian Initiative, 2015, 8).

Second, certain frameworks refer to previously established privacy legislation as anchoring documents. An example of a framework that builds on pre-existing privacy regulation is the Australian Information Commissioner’s Guide for Privacy Impact Assessment, which evaluates compliance to previously established privacy legislation such as the Privacy Act 1988. Another example is the United Kingdom’s Personal Information Charter, which seeks to ensure that all personal information is treated in accordance with the UK General Data Protection Regulation and the Data Protection Act from 2018.

Finally, a minority of the frameworks considered did not specifically refer to any legal basis. These were mainly collections of principles and general data governance guidelines, such as the “Data Privacy, Ethics and Protection: Guidance Note on Big Data for Achievement of the 2030 Agenda” developed by the United Nations Development Group (UNDG). This document sets out general guidance on data privacy, data protection and data ethics for the UNDG concerning the use of big data collected in real time by private sector entities, and was shared with UNDG members for the purposes of strengthening operational implementation of their programs to support the achievement of the 2030 Agenda. The guidelines do not refer to any legal basis, and provide a minimum base for self-regulation.

4.4. Data description

This research conducted an analysis of the definition and treatment of data within various frameworks, focusing on data description and the data lifecycle. Regarding the classification of data, the findings are as follows:

Among the frameworks examined, 51% clearly specify the type of data they intend to govern. A significant majority of these frameworks primarily deal with the oversight of personal data, with approximately 90% of them focusing on personally identifiable information. While there is no unanimous consensus on a standardized data definition, several frameworks adopt a definition similar to that proposed by the UN World Food Programme, which states that “Personal data is any information relating to an individual that identifies the individual or can be used to identify them” (UN World Food Programme (WFP), 2016, 2). This definition aligns with the definitions used by other U.N. agencies such as UNICEF, UNFPA, and the International Organization for Migration.

On the other hand, 49% of the frameworks have an ambiguous or incomplete definition of data. These frameworks often provide a general definition of data but do not offer a specific definition tailored to the data they oversee. For example, the Responsible Data Management Training Pack by Oxfam adopts the definition formulated by the United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP), which defines data as “the physical representation of information in a manner suitable for communication, interpretation, or processing by human beings or by automatic means. Data may be numerical, descriptive or visual” (Oxfam, 2015, 6).

In general, the analysis reveals that the governance frameworks lack recognition of emerging data definitions and types. Particularly, important concepts such as sensitive data and synthetic data are often absent from these frameworks. Furthermore, there seems to be a lack of exploration of relational data, which would necessitate a more comprehensive discussion on collective or community rights.

4.5. Data lifecycle

When understanding data as a global asset, the concept of the “data lifecycle” is helpful for estimating the value of data. Value emerges in data transformation, from data collection, processing, and analysis into digital intelligence so that it can be monetized for commercial purposes or used for social objectives (UNCTAD, 2021, 17). This process identifies the particular characteristics and requirements when managing data in each stage. The decisions at every stage of the data life cycle will vary, depending on the type of data and their proximity to features of public goods. Therefore, addressing data governance through a data lifecycle approach is helpful because it enables a comprehensive analysis of how data should be overseen at various stages and create value from data use and reuse in a safe and equitable manner. Figure 9 presents a graphic representation of the data lifecycle.

Figure 9. Data lifecycle by The GovLab.

Upon analyzing the selected frameworks from a data lifecycle perspective, it was observed that only 24% of the frameworks recognize the significance of the data lifecycle approach. These frameworks actively develop and provide specific recommendations for each stage of the data lifecycle while acknowledging the distinct requirements associated with each stage. A notable example is the ASEAN Data Management Framework, which was formulated to support the Data Life Cycle & Ecosystem, one of the strategic priorities outlined in the ASEAN Framework on Digital Data Governance. This framework delineates data governance principles across various stages of the data lifecycle, such as data collection, use, access, and storage. It also offers appropriate recommendations for safeguarding different types of data within organizations throughout the data lifecycle.

Similarly, the International Civil Aviation Organization (ICAO) has incorporated the data lifecycle concept into its Doc 8126 Aeronautical Information Services Manual from a sector-specific perspective. This manual acknowledges distinct stages within the Aeronautical Information Management concept, encompassing data acquisition, processing (including validation, verification, and management), provision of access to aeronautical information through information services, and consumption of aeronautical information by end users. The framework provides specific recommendations tailored to each stage.

Another illustration is the Responsible Data for Children Synthesis conceptual framework developed jointly by UNICEF and The GovLab. This framework delineates the data lifecycle across six broad stages: planning, collecting, storing and preparing, sharing, analyzing, and using. It offers actionable insights to facilitate responsible practices when working with children’s data throughout the data lifecycle.

Among the analyzed frameworks, an additional 38% mention the data lifecycle approach either directly or implicitly but provide only partial or general recommendations. In some instances, the coverage of the data lifecycle stages is limited. Typically, existing governance frameworks primarily focus on data usage for the intended purpose during the planning stage. Conversely, only four of the analyzed frameworks address data localization requirements during the processing stage. There is also a notable absence of frameworks that address the data reuse stage comprehensively.

For example, the Data Security Law of the People’s Republic of China recognizes the data lifecycle by including data handling activities such as collection, storage, use, processing, transmission, provision, and disclosure. However, this law does not provide specific recommendations or guidelines for each stage of the data lifecycle.

Similarly, the General Data Protection Regulation (GDPR) does not explicitly differentiate between the stages of data processing, as it defines processing as any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction. Although the GDPR covers various phases of the data lifecycle within the processing definition, it does not offer stage-specific recommendations. The exception to this is the chapter on “transfers of personal data to third countries or international organizations,” where the focus is on data sharing.

Among the frameworks with limited scope, the Data Sharing Policy of Médecins Sans Frontières, a NGO, stands out. While this policy acknowledges the different stages of the data lifecycle, its sole concern is the data-sharing stage.

Lastly, 38% of the frameworks neither explicitly identify nor acknowledge the data lifecycle and its distinct stages as a basis for their approach to data governance.

4.6. Processes

A well-functioning data governance framework should define the roles, responsibilities, and associated compliance procedures to safely share, use, and reuse data by all stakeholders. This research identified three types of processes: (a) process to develop the governance framework (b) process to identify and create new professions and functions, and (c) processes to monitor and evaluate.

Regarding the process to develop the governance framework, this study has observed notable advancements toward more participatory approaches, especially from a multisectoral perspective. Among the sampled frameworks, approximately 18% demonstrated the utilization of multi-stakeholder and multisectoral approaches in the formulation of their frameworks, particularly prevalent within intergovernmental institutions and international coalitions. For instance, the OECD’s Recommendation of the Council on Health Data Governance was the outcome of a collaborative effort involving the Committee on Digital Economy Policy, the Health Committee, the former Working Party on Security and Privacy in the Digital Economy (now the Working Party on Data Governance and Privacy), and the former Health Care Quality Indicators Expert Group (OECD, 2016).

Nevertheless, it is worth noting that data subjects were often not included in these participatory processes. In fact, it is worth noting that only 5% of the frameworks followed a participatory process that included data subjects when defining the data governance approach. Among these, particularly illustrative example of greater participation and inclusiveness of data subjects is the Data Governance Framework for New Zealand, wherein the government engaged in co-designing the framework with the Māori community (data subjects) to ensure the incorporation of Māori needs and interests in data governance. Similarly, UNESCO’s Internet Universality Indicators underwent a comprehensive development process involving multiple phases, rounds of consultations, and consultative meetings and workshops at international, regional, and national events, actively engaging a diverse array of stakeholders, including civil society and individuals.

However, in general, the remaining frameworks displayed shortcomings with regard to inclusivity, highlighting a need for improvement in this aspect.

Moving on to the process of identifying and creating new professions and functions, it seems that there is a pressing need for the establishment of specific roles and binding responsibilities within data governance frameworks. Approximately, 22.4% of the frameworks have implemented dedicated governance bodies with distinct functions to oversee the implementation and enforcement of the frameworks. These bodies assumed various titles, including Data Protection Officers and Chief Data Officers. For instance, the Guidance on the Protection of Personal Data of Persons of Concern to United Nations High Commissioner for Refugees (UNHCR) introduced novel roles and responsibilities such as the Data Controller, Data Protection Officer, Inspector General’s Office, and Ethics Office, each tasked with specific duties to ensure compliance with data protection policies (United Nations High Commissioner for Refugees [UNHCR], 2018). The GDPR, as another example, mandates that each member state appoint an independent public authority responsible for monitoring compliance with the regulation. Additionally, a European Data Protection Board, comprising heads of supervisory authorities from each member state, was established. Furthermore, the California Consumer Privacy Act (CCPA) established the California Privacy Protection Agency, empowered with comprehensive administrative authority to implement and enforce the CCPA, alongside the specification of a five-member board with expertise in privacy, technology, and consumer rights (CCPA, Reference Act2018).

However, it is worth highlighting that a considerable proportion of frameworks (24.1%) simply appended additional data governance functions to existing agencies or authorities, often without adequate capacity-building and expertise development. Notably, frameworks such as the Office for the Coordination of Humanitarian Affairs (UN OCHA) data responsibility guidelines and Oxfam’s Responsible Program Data Policy assigned the responsibility of overseeing framework implementation to existing entities, including OCHA Centre for Humanitarian Data and Oxfam Country Directors, respectively (OCHA, 2021; Oxfam, n.d.). Similarly, UNICEF’s Procedures for Ethical Standards in Research, Evaluation, Data Collection and Analysis by UNICEF states that Country Representatives, Regional Directors, and Heads of Divisions must ensure and maintain the highest ethical standards in all evidence generation endeavors (UNICEF Division of Data, Research and Policy, 2015, 2) by implementing the procedures laid out in the framework.

A small number of other frameworks (19%) recommend the establishment of new roles and governance bodies, but they often do not actually include provisions for creating them as part of nonbinding recommendations. For instance, the OECD’s Recommendation of the Council on Health Data Governance provides vague instructions to existing governance bodies given its supranational nature. It recommends governments engage with relevant experts and organizations to develop mechanisms to implement the framework. The document also encourages NGOs to follow the recommendation when processing personal health data for health-related purposes that serve the public interest. Another example is the Association of Southeast Asian Nations (ASEAN) Data Management Framework (DMF) advises members to define roles and responsibilities for implementing each action described in the framework: “To develop and implement the 6 foundational components of the DMF, an organization is required to identify and determine different roles and responsibilities in order to ensure adoption, operation, and compliance, in accordance with business needs” (Association of Southeast Asian Nations (ASEAN), 2021, 12). However, in both instances, the recommendations are not legally binding for member states or non-governmental institutions.

From the sample, another category of frameworks (34.5%) emerges wherein information about governance mechanisms and the proposition of new roles or tasks are entirely absent. However, this absence can primarily be attributed to the nature and scope of the documents in question. Typically observed in principles-based frameworks, such as the Gemini Principles, the CARE Principles for Indigenous Data Governance, or the UN High-Level Committee on Management Personal Data Protection and Privacy Principles, these frameworks prioritize articulating values and principles for data management rather than explicitly outlining governance roles. For instance, the Risks, Harms and Benefits Assessment by UN Global Pulse is primarily focused on serving as a compliance mechanism for data privacy and protection, which limits its role to providing governance recommendations within its defined scope. As a result, these frameworks do not specify or suggest the establishment of governance roles, as their primary emphasis lies on guiding principles and values.

Lastly, with regard to processes related to monitoring and evaluation, 41.4% of the frameworks failed to establish or mention the need for monitoring mechanisms, which are vital components for the effective operationalization of any framework. For example, the “Handbook on Data Protection in Humanitarian Action” acknowledges that international organizations possess complete autonomy in data processing and compliance monitoring, essentially constituting their own jurisdiction (International Committee of the Red Cross [ICRC], 2021).

A smaller portion of frameworks (29.3%) recommend the establishment of monitoring mechanisms, yet often lack clarity regarding the responsibility for their implementation. For instance, the International Organization for Migration’s (IOM) Data Protection Manual, for instance, underscores the significance of oversight and compliance. However, the manual only advises the creation, without explicit appointment, of “an independent body to oversee the implementation of these principles and to investigate any complaints, and designated data protection focal points should assist with monitoring and training” (International Organization for Migration, 2015, 12). Similarly, the International Civil Aviation Organization’s (ICAO) Aeronautical Information Services Manual suggests the establishment of monitoring and evaluation mechanisms but falls short in providing concrete instruments or mandates for their execution (ICAO, 2021): “States must implement well-documented surveillance processes by defining and planning inspections, audits, and monitoring activities on a continuous basis” (International Civil Aviation Organization, 2021, Section 2.8.1).

Conversely, the remaining 29.3% of the analyzed frameworks explicitly outline supervisory authorities responsible for overseeing and monitoring compliance. Some of these frameworks may correspond to regulatory frameworks or laws. For instance, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), for instance, establishes that the Office of the Privacy Commissioner of Canada will oversee compliance with the PIPEDA legislation. Further, the Commissioner may audit an organization’s personal information management practices if the Commissioner believes that the organization has not followed a recommendation set out in the Act; it may ask for additional resources to monitor implementation. Similarly, the GDPR establishes in Articles 41 and 42 that a supervisory authority for monitoring compliance may be carried out by a body with an appropriate level of expertise in relation to the subject matter of the code and is accredited for that purpose. That way, the Member States, the supervisory authorities, the Board, and the Commission shall encourage compliance with this regulation of processing operations by data controllers and processors (General Data Protection Regulation, 2016). Another noteworthy example is the recommendation of the OECD council on health data governance. In this case, the framework provides detailed guidelines to implement monitoring and evaluation mechanisms, such as assessing whether the uses of personal health data have met the intended health-related public interest purposes and brought the benefits expected by (a) pursuing a periodic review of developments in personal health data availability, the needs of health research and related activities, and public policy needs; and (b) following a systematic assessment and updating of policies and practices to manage privacy, protection of personal health data and security risks relating to personal health data governance.

In addition, it is worth noting that none of the frameworks under study established evaluation mechanisms, which makes it difficult to assess their impact or effectiveness.

4.7. Practices

This benchmarking exercise examined the sample frameworks for their practices, which aimed to analyze their practical approach, and how they translate the theory, values, and principles into practice. From applied templates and checklists to the description of processes, sometimes imprecise, four trends were observed:

First, there is a plethora of practices but they often remain vague in terms of implementation. Indeed, 38% of the frameworks analyzed recommend and describe, often in a detailed fashion, good practices for data governance. However, in most cases, the frameworks do not include specific recommendations or guidelines for who, how, and when these practices should be implemented. For instance, The California Consumer Privacy Act (CCPA), for example, provides guidance to businesses on how to inform consumers of their rights under the CCPA, how to handle consumer requests, how to verify the identity of consumers making requests, and how to apply the law as it relates to minors. It stipulates the processes businesses need to implement to follow the CCPA while making it easier for consumers to exercise their CCPA rights (California Consumer Privacy Act, Reference Act2018). Similarly, the UNICEF and UNFPA Policy on Personal Data Protection. The policy describes good practice when collecting data from individuals and explains how to notify the data subject. It presents the information that shall be provided to each identified data subject within a reasonable period when personal data are collected by UNICEF or UNFPA (as controller), taking into account the logistical constraints both organizations face (UNICEF, 2020). Another example is the Privacy Impact Assessment Toolkit from the Office of the Australian Information Commissioner describes a detailed 10-step process for undertaking a privacy impact assessment to apply the toolkit. Likewise, the data responsibility guidelines of the UN Office for the Coordination of Humanitarian Affairs (UN OCHA) recommend eight actions to be implemented at the system-wide, sector, and organizational levels. The framework guides OCHA Staff to implement these processes at different levels. However, there is no clarity regarding the timing and the ways in which the actions should be implemented.

Second, there seems to be a need for developing practical tools, such as templates for sharing agreements. Data collection and data sharing are key components of the data life cycle, but rife with potential minefields (e.g., potential regulatory or privacy violations). Organizations, especially if they are under-resourced technically or financially, can greatly benefit from detailed guidelines such as templates and checklists to help guide their decisions. In the sample, only 29% of frameworks provided tools such as templates, checklists, or assessments.

One example is the International Organization for Migration’s Data Protection Manual that provides a number of practical tools: templates and checklists. Templates of model consent forms, general contractual clauses to be inserted into contracts, and request forms for data subjects seeking access to their personal data; and checklists for data quality, data security, and data protection. Moreover, the USAID’s Considerations for Using Data Responsibly offers applied tools for how to help guide discussions or navigate areas of responsible data practice that may be unclear. The tools range from the key events planning table to the benefits risk assessment, a worksheet to track and protect copies of sensitive data and IT security highlights checklist.

In the case of the United Nations Development Programme’s (UNDP) Data Principles, although they primarily comprise guiding principles, they also provide practical resources to support the implementation of their recommendations. For instance, resources include an explanation of informed consent for safeguarding personal data, the Responsible Development Data Book for managing data responsibly, and the Mozilla Science Data Reuse Checklist for planning reusability and interoperability. Another example providing practical tools is the WFP Guide to Personal Data Protection and Privacy, which presents a Self-Assessment Compliance Checklist enabling personnel to gauge compliance with each element of the guidelines. Additionally, the guide offers Model Consent Forms that can serve as a basis for developing localized templates for obtaining informed consent and responding to beneficiaries’ requests for accessing their data.

Third, noteworthy examples of best practices emerge in the realm of risk assessments and compliance mechanisms. Among the processes and tools delineated in the analyzed frameworks, a subset of risk assessments stands out as exemplifying responsible data management practices.

For example, the Risks, Harms and Benefits Assessment of the UN Global Pulse develops a two-steps assessment: the first one is a checklist, which is used as an initial assessment tool that identifies potential risks and helps evaluate whether a more comprehensive review should be conducted; and the second one consists of a detailed measurement of the likelihood, magnitude, and significance of impacts of a data innovation project if a medium or high risk was identified in the initial assessment. Furthermore, the Handbook on Data Protection in Humanitarian Action by the Brussels Privacy Hub (VUB) and ICRC offers a Data Protection Impact Assessment (DPIA) tool to identify, evaluate and address the risks to personal data arising from a project, policy, program, or another initiative. It includes a step-by-step guide for humanitarian organizations to conduct it. It also has a template for a DPIA report. Likewise, within the suite of tools provided in the Considerations for Using Data Responsibly at USAID, a benefits risk assessment tool is developed. This tool serves the purpose of assessing the potential benefits and risks associated with data collection, use, and sharing. A key aspect of conducting a thorough evaluation of risks and benefits lies in ensuring the involvement of relevant stakeholders, including those from whom data are collected.

Finally, this research found predominantly nonbinding frameworks. With few exceptions (e.g., data protection regulatory frameworks and laws), most recommendations are not binding. This may limit their effectiveness and the extent to which they are operationalized. Their list of recommendations and good practices are “suggestions” or “proposals.” Furthermore, 34% of the data frameworks reviewed do not provide detailed processes or explicit practical tools.

4.8. Key takeaways

This section presents the key takeaways from the research article’s analysis of the data governance ecosystem within sectors closely related to international development. The findings provide insights into six key elements: purpose, principles, anchoring, data description and lifecycle, processes, and practices (see Section 3.3). The analysis revealed a series of patterns within each element, shedding light on the current state of data governance frameworks. These findings lay the groundwork for the final recommendations illustrated in the following and final section.