Releasing our Responsible Data Science Policy Framework
Why Did We Build This?
FICO recently surveyed over 100 of the world’s largest, most sophisticated organizations; not even half of them reported having governance procedures related to “AI ethics” in place. When you realize that every single one of these organizations has a C-suite role dedicated to data, like a Chief Data Officer or Chief Analytics Officer, this statistic is even more remarkable.
Meanwhile, regulators and investors around the world are increasingly vocal and explicit about what they expect – and, in some cases, require – from organizations. Lawmakers and regulators, most notably in the US and EU, are drafting or enacting rules that will put in place new standards on data science. Not to be left out, investors wielding over $35T in assets are now including social and governance (ESG) considerations related to data science in their funding criteria.
So, what’s an organization supposed to do? If even mature organizations have been slow to integrate data science into risk management and compliance frameworks, how are smaller or less mature organizations supposed to keep up? How can they ensure that their data science activities are conducted responsibly from a technical, legal, and ethical perspective?
This data science compliance challenge is what motivated us to build a Responsible Data Science Policy framework – and what led us to open-source it. We want to help all organizations on their journey to build a better business, and, in turn, a better society.
This need isn’t actually new. Over the last 15 years, we’ve seen similar questions arise in many organizations, both large and small. Sometimes, the ask is for better internal risk management; in other cases, the real challenge is to build trust with customers or external stakeholders in the public. But, as time goes on, the volume of risks, opportunities, and questions related to data science and “AI” has only grown. In that light, our framework is designed around principles that have been chosen to produce technical, legal, and ethical processes that both internal and external stakeholders can agree to.
What Does the Framework Look Like?
There are many ways to write policies. For our framework, we tried to architect a modular system to cover a wide range of organizations as they change over time. In order to accomplish this, the policy is designed around a parent procedure that routes or “triages” specific use cases or project types through two types of sub-procedures:
- Prescriptive sub-procedures give data science teams guardrails and a path for low-friction compliance.
- Adjudicative sub-procedures centralize decision-making with an individual or group like a risk committee.
Organizations can mix and match prescriptive and adjudicative sub-procedures to meet their needs. In our experience, most organizations will begin with an adjudicative process based on a committee that overlaps with risk and information security; over time, this committee will become more specialized and will distill common use cases into prescriptive sub-procedures. The end result is an evolution towards increased clarity, decreased friction, and decreased risk – in other words, more enterprise (and social) value. Figure 1 below provides a visual representation of this structure.
Many of the elements of this policy were designed to address laws and rules such as GDPR or CCPA or standards such as SOC2/TSC as part of broader compliance programs. However, it’s important to note that almost all organizations will need to decide how to integrate this framework into their existing compliance system. Luckily, we’ve included 10 pages of documentation and diagrams to go with the policy and procedure templates, which will help most organizations get going.
Why Open Source?
Our team has been releasing open source software and data for 21 years. Over the years, we’ve seen the strength that an open community can bring. By designing, drafting, maintaining, adopting, and communicating together, we have a much better chance of closing the gap between “should” and “did” for everyone.
Where Can I Get It?
This policy framework is available under a Creative Commons BY-SA-4.0 license. You can download the entire framework as a ZIP file from the Responsible Data Science Policy page. There’s a list of files and more detail there as well.
Updates and Support
We expect there will be changes, like policy corrections and enhancements, documentation updates, diagrams, and more examples. If you want to stay up-to-date when we identify issues or release new versions of the policy, please sign up for our Responsible Data Science Policy mailing list here. If you need support, we’ve also set up an email address: rdsp-support@licens.io.