We need best practice templates for tech governance (just like we have a library of open-source licenses)

Ever learn things while being an invited “expert” on a panel at some conference? It just happened to me, again, at today’s Transparency By Design Summit.

We were discussing how to collect consumer healthcare data responsibly, for COVID-19 and beyond, and the challenges how to (justly) gain the trust of people whose data we would like to collect. Because if they don’t trust us, they won’t let us collect the data, or even poison what they give us. The core question is:

How do I know that you, the data collector/medical researcher/public health system, will indeed do what you promised? (About privacy, data retention, anonymization, sharing etc)

And the answer, as always, is “good governance”, followed by a bunch of hand waving: just what exactly does this mean? What is that thing called “good governance” of a system that includes a lot of technology and a lot of humans developing and operating that technology? Take a COVID-19 contact tracing app: there’s the code, and the release process, and the data sharing, and the employment agreements of people who touch the code or the data that hopefully will oblige them not do “bad things” and the legal enforcement and the audit trails and what have you. It’s not simple, and goes far beyond just “the code”.

First of all we have few examples where good governance is actually practiced. So we are not used to it. Worse, we have nothing resembling agreement on what that actually means, in detail. Just my example enumeration above is woefully lacking in detail.

It occurs to me it’s a bit like open-source licensing of code was about 20+ years ago, with everybody having their own software license (or none at all), many of which were homegrown and not very professional. Fortunately, the open-source world has since coalesced around a fairly small number of primary open-source licenses (like GPL, AGPL, Apache, MIT and a few more), which are fairly well understood.

We need the same thing for technology governance: a bunch of governance templates, which can be used by technology systems. They could, for example, include open-source licensing for their code component (but they don’t necessarily need to), but need to go far beyond, including questions such as:

  • What is the data retention period?
  • What’s the process to make sure the data is deleted after the data retention period?
  • How do we find out whether the process is or isn’t being followed?

… and many other related questions. If we had such a series of templates, innovation in governance was still possible (just create another template) but we could collectively understand what governance looks like for a given system, and, for example, fix governance problems one bug at a time. Something not possible at all today.

It would go a long way towards us all regaining trust in technology. By public health systems pushing COVID apps just as much as Facebook pushing the latest “trust us, we won’t spy on you” update.

Anybody working on anything like that? Would love to hear about it.