5.1 Data Governance Policy

• Accountability: Defined roles ensure that specific individuals or teams are responsible for different aspects of data management, from data quality to data security. This accountability helps ensure that tasks are completed effectively and that there is a clear point of contact for any issues that arise.
• Consistency: With clearly defined roles, procedures and processes can be standardized, which helps to maintain data integrity, ensure compliance with regulations, and facilitate smooth operations.
• Efficiency: When roles and responsibilities are clearly delineated, duplication of effort and gaps in coverage are reduced, leading to more efficient operations.
• Compliance: Many regulations and standards require organizations to have formal data governance practices, including clear role definitions. Compliance with these regulations is critical to avoid legal penalties and reputational damage.
• Risk management: Clearly defined roles help to identify and mitigate risks associated with data management, as well as designating individuals or teams to handle risk assessment, mitigation, and response.
• Improved decision-making: With clear roles, data governance activities such as data stewardship, data quality management, and data privacy are better managed, leading to more reliable and accurate data, which in turn supports better decision-making processes.

• Compliance and privacy: for handling personal data in compliance with relevant regulations and ethical standards, and the specific data security measures that will be utilized.
• Data sharing: for collaborative efforts and informed decision-making processes where the value of data can be maximized while adhering to legal and ethical standards.
• Data quality: for reliable and accurate data insights, which can significantly influence the success of interventions and its sustainability.
• Data access: for data handling practices—encompassing collection, storage, security and access—are not only efficient and regulatory compliant, but also safeguarded against unauthorized access and potential security breaches.

With consistent governance, data is better managed, which leads to higher quality data. This, in turn, supports more reliable, data-driven decision-making, giving you and your stakeholders a clearer understanding of the investment’s progress and impact.

• Purpose and scope: Define why the policy is needed and the boundaries it applies to within your investment.
• Data governance principles: Establish high-level principles that guide how data is handled, focusing on integrity, security, transparency, and FAIR principles.
• Roles and responsibilities: Clearly outline the roles involved, including data stewards, custodians and users, and their responsibilities for ensuring data governance.
• Compliance and privacy standards: Describe the approach to data privacy, informed consent, and adherence to legal frameworks like GDPR.
• Data quality standards: Define how data accuracy, completeness, and consistency will be ensured.
• Data access and control: Detail the methods for securing and controlling data access.
• Data security and risk management: Outline how data will be protected against breaches, including encryption and access controls.
• Data sharing and usage policy: Explain the rules for secure and compliant data sharing within the project and with external stakeholders.
• Monitoring and review: Set up a process for regular reviews of the policy and compliance checks.
• Training and awareness: Ensure all stakeholders understand their roles and responsibilities and are equipped with the knowledge to maintain high standards in data governance.

• Data stewards: A data steward is an individual or entity that has the ultimate responsibility and authority over a specific set of data within an organization, and is typically accountable for making decisions regarding the use, access, security, and overall management of data. Data stewards also ensure the appropriate handling of data, aligned to organizational policies and goals.
• Data custodians: The data steward, while ultimately responsible for creating linkages, will not act alone in facilitating the flow of data to those who need access. Data custodians are responsible for facilitating data access.
• Data users:  Those needing to use (or access) data, or ‘data users’, are a fluid group, as many people involved in the project will be stewards of certain data who also need to access and use other data.
• Data subjects: Those whose personal data has been collected and is the subject of processing.

Below is a list of various key members of a data governance team, and their responsibilities and roles in maintaining an investment’s alignment with the FAIR data principles. The list is exhaustive and is meant to represent the full breadth of positions that may be required for the most complex project. Remember that your investment’s needs may vary, and not all roles are necessarily held by distinct individuals, if at all. For example, should your investment include fewer data sources and entries, a single person could hold the role of both data governance manager and database administrator, among others.

• Grantee (steward, custodian and user): A grantee is likely to be the most familiar with the data (and outputs) of a project, and can share this knowledge with the data management team, making them the de-facto ‘data steward’ of the organization’s data related to this project. They will also be working directly with the stakeholders inputting data or accessing the organization’s data, and will need to be aware of the procedures that must be followed to inform those stakeholders.
• Data manager (custodian): A data manager is responsible for designing and implementing data architectures, as well as defining data structures to ensure data integrity and quality.
• Data engineer (custodian): A data engineer builds and maintains the systems and architecture for collecting, storing and analyzing data.
• Data analyst (user): A data analyst works with raw data to extract insights to inform decision-making, and to decide which data will be included in the final output.
• Data scientist (user): A data scientist applies statistical and machine learning techniques to analyze and interpret complex datasets, in addition to developing predictive models and algorithms.
• Database administrator (custodian): A database administrator manages and maintains databases to ensure performance, security, and availability, as well as performing routine recovery and backup operations.
• Data governance manager (custodian): A data governance manager develops and enforces data governance policies and procedures, in addition to ensuring internal compliance with data privacy regulations that have been developed by the compliance officer.
• Data quality analyst (custodian): A data quality analyst monitors and accesses the quality of data, while also identifying any issues with data quality.
• Security analyst (custodian): A security analyst focuses on securing and protecting data from unauthorized access or breaches, as well as implementing security measures for transmission and storage.
• Compliance officer (custodian): A compliance officer ensures that an organization’s data practices comply with the legal and regulatory requirements specific to the country or region in which they operate. Consequently, it is vital for them to stay informed about changes and updates in the regulatory environment affecting their organization.

• Informed consent: Obtain explicit consent from individuals before collecting their personal or sensitive data, clearly outlining the data collection’s purpose. Practice data minimization by collecting only what is essential for specified purposes, and maintain transparency by informing individuals about the data collector, the purpose of collection, and any relevant details concerning their data’s use
• Purpose limitation: Use personal data only for its original, consented purposes and avoid using it for anything else without extra consent. Keep personal data accurate and current by regularly updating it and quickly fixing any mistakes.
• User rights: Enable individuals to access their personal data and request it in a portable format when relevant. Offer options for correcting inaccurate data and erasing unnecessary information on request or withdrawal of consent. Additionally, establish processes for individuals to object to specific uses of their personal data, especially for direct marketing purposes. Should a party feel that their data has been misused, or if a privacy violation occurs (such as a data leak or hack), there should be grievance redress mechanisms in place for them to register these concerns. Policies around grievance redressal should designate a responsible person to address these issues. There should be a clear mechanism for complaint submission and a procedure for reviewing complaints. A timeline should be established for the swift resolution of complaints, along with a structure for corrective measures, depending on the type of complaint. This can include rectification of the grievance, policy updates, or even compensation in some instances. Additionally, there should be a mechanism for appeals if the party feels that the resolution was unjust.

• Define data quality dimensions: Ensure that all collected data accurately reflects the real-world scenarios it intends to represent, maintain consistency across various datasets and over time, and capture all necessary information while minimizing missing values. Additionally, keep data timely and readily available, and adopt data collection and processing methods that guarantee stability and consistency of results.
• Incorporate FAIR principles: Revisit the shared FAIR goal (developed in Step 4) and ensure data quality requirements are aligned to that goal.
• Establish data acquisition standards: Before collecting data, evaluate the reliability and credibility of sources to ensure the integrity of the data collected. Establish standardized data collection methods for consistent and reliable data gathering, and simultaneously collect detailed metadata to enhance the data’s findability and support its future reusability.

• Establish data collection protocols: Ensure you have a comprehensive understanding of data provenance. Then select the most appropriate methods for collecting data, whether through APIs, manual input, or other forms of integration, while rigorously ensuring that all practices comply with relevant legal and regulatory standards, such as GDPR or HIPAA.
• Incorporate FAIR principles: Revisit the shared FAIR goal (developed in Step 4) and ensure data access requirements are aligned to that goal
• Establish data security measures: Ensure data security by encrypting it and implementing access control mechanisms such as Role-Based Access Control (RBAC) to restrict data access to authorized personnel only. Conduct regular security audits and monitor access logs to promptly identify and address any unauthorized access or potential security risks.
• Facilitate data access: Set clear guidelines for accessing data through APIs and query interfaces for efficient access, and ensure users are strictly authenticated and authorized to access only the data relevant to their roles.

• Data storage systems: Outline the guidelines for storage solutions to ensure optimal security and accessibility, and establish clear data retention policies that dictate how long data is stored, including procedures for its secure archiving or deletion under legal obligations.
• Establish data security measures: Outline the high-level measures to be followed to ensure data security.

• Establish data sharing guidelines: Clear rules for when and how you can share the data with others, who those others are, and what agreements or rules you follow to do this safely and legally (sharing).
• Foster transparency and accountability: Enhance transparency and accountability in your data-sharing policy by committing to regularly publishing transparency reports detailing your data practices, including the types of data shared, the purposes for sharing, and the parties with whom the data is shared. You can also establish accountability measures by setting up mechanisms to address any issues or breaches related to data sharing. This includes creating clear procedures for reporting incidents such as data breaches, and outlining steps for their rectification.
• Consider data licenses: Consider licenses to ensure data is used legally and ethically. The type of license attached to the data being shared—whether open (e.g., Creative Commons), commercial or proprietary—dictates how the data can be used, shared and distributed. Consider usage rights specifying how the data can be used, and attribution requirements, which may require citing the original source. Attention to licensing is especially important for commercial or proprietary data, which often has stricter requirements than data intended for educational or research purposes.