Certifying trustworthiness

Certification and auditing are important mechanisms in the assessment and demonstration of trustworthiness in a number of professions and sectors. A question we explored within this project was whether they should be a focus for data ecosystems too. This section provides an overview of our findings in this area.

An idea that was often expressed to us during our research for this guidebook is that, once an organisation has worked through this guidebook, they should be able to submit evidence of this process to an independent body. At this point, the body could assess the evidence and findings and award a certification mark or seal to that organisation. The certification mark could be used to: certify that an organisation has gone through the process of assessing its trustworthiness; to certify the trustworthiness of a new data-enabled service or project; or even to certify the trustworthiness of the organisation itself.

During our research for this project, we spoke to a number of people who were enthusiastic about the potential of a certification or a scheme around trustworthy data and data practices. For instance, we surveyed 60 organisations from across the private, public and third sector about how they demonstrate and assess trustworthiness when sharing data. When we asked respondents to rate the usefulness of things like third-party assessments, audits and certifications in helping them demonstrate their trustworthiness to others, the average rating was 7.8 out of 10 (10 being ‘very useful’). And there are a few similar schemes being developed in related areas, such as the Responsible AI Certification Program.

Despite the interest and potential benefits, there are issues with certification schemes. As we discussed in our interim research report, our interviews and surveys identified three types of problems or concerns.

First, the people we interviewed and surveyed felt that third-party assessments are useful, but often not as useful as imagined or hoped, because:

• while certifications and certification marks are an indicator, they are not a guarantee

• they only provide a baseline level of trust

• they are often not enough on their own – to truly engender trust, a range of different approaches need to be deployed in tandem.

Second, some of the people we spoke to felt that certifications and assessment schemes are sometimes unproductive or unsuitable, for a range of reasons, including:

• a belief that certification or audit processes often cannot keep up with the pace of change in the domain, especially the pace of technological change

• a concern that some assessment schemes can become ‘tick-box exercises’ that lack robustness

• a concern that some certification and auditing schemes are easily gamed or become ‘certification theatre’, where both parties know that the certification or audit is inadequate but have no incentive to improve it

• a feeling that some complex technologies or data flows, for instance machine learning algorithms or a system with millions of new data points daily, may be hard – if not impossible – to adequately assess.

Finally, there was a belief that in certain cases, certification and assessment schemes can actually be harmful. In particular some of the people we spoke to noted that certification and auditing schemes can hinder innovation if they are costly and time consuming. This was seen to lock some smaller organisations out of the market, especially if the schemes are mandatory.

As work in this area continues, best practice for trustworthy data stewardship may emerge across a range of contexts and use cases. This could enable the creation of standards built upon those best practices. Eventually, it may be possible to create assessment schemes built around those standards to help provide assurance around data and data practices.