Launching the Data Autonomy Index (DAIX)
Date: 03 July 2024
Author: Oskar J. Gstrein
Introduction
In its broadest sense, data autonomy describes the ability of individuals and organizations to make meaningful decisions about their data. In the context of the University of Groningen, Titus Stahl has drafted the following working definition:
‘Data autonomy is the effective capacity of the academic community of the University of Groningen to make meaningful decisions about access to data, data flows, the uses of data and the design of the informational environment, to the degree necessary to freely and independently pursue the university's mission, to promote knowledge dissemination and to protect the rights of its students and employees. This capacity is required to protect academic freedom and the independence of the university.’
An elaboration on the background of this definition can be found in this blog post.
Launching the Data Autonomy Index (DAIX)
Despite the comprehensiveness of this definition, many colleagues have asked us to work on a less conceptual and more administrative approach to analysing the data autonomy of a cloud-based service. Therefore, starting in autumn 2023, a group of people including Jos Stoepker, Christiaan van der Kooi, Anouk Pelzer, Erika Chorén Iglesias, Daniel Vos and Oskar Gstrein worked on the design of the Data Autonomy Index (DAIX), which we are now happy to share with you (https://daix.web.rug.nl).
The aim of the DAIX is to move beyond a principled and abstract discussion to a more practical assessment, especially for administrators and decision makers in public and private organisations. The DAIX empowers entities to make autonomous decisions about their data without undue reliance on external entities and helps them to understand potential risks associated with data management, which is crucial for organisational resilience.
What can you do with the DAIX?
The DAIX is intended to be used as a self-assessment tool. It allows its users to calculate a 'data autonomy score' based on compliance with basic information security and data protection principles, as well as basic concerns related to the autonomous use and management of data. In addition, the DAIX can be used as a training tool to educate colleagues and staff on data autonomy principles and best practices.
Regardless of the actual score achieved, the result is intended to serve as a conversation starter within an organisation. The DAIX provides a comprehensive assessment of data practices, identifying strengths and areas for improvement. It encourages dialogue between stakeholders and promotes a collaborative approach to data autonomy. Insights from the DAIX can guide strategic decisions and help organisations align their data practices with their autonomy goals.
How does the DAIX work?
The DAIX has a questionnaire structure and is divided into four sections:
- Control: addressing whether there is a general legal framework for data processing, whether basic cybersecurity measures are in place, such as data encryption, and whether monitoring capabilities are in place (e.g. to control/prevent the use of data for training of artificial intelligence models).
- Privacy and data protection: addressing compliance with basic legal principles derived from data protection law, including data minimisation, accuracy of personal data used, storage limits, as well as aspects related to integrity and trust.
- Autonomy: addressing issues such as the ability to migrate data to other platforms or cloud services, the existence of a clear exit policy (Plan B), infrastructure requirements, integration capabilities and influence on further development of a service.
- Impact: assessing financial risks, cost management, reputational impact, governance burden and migration costs.
Scoring methodology
The DAIX uses a weighted scoring system where each section is weighted according to its importance: Impact (10%), Privacy and data protection (20%), Control (20%) and Autonomy (40%). This is a default that we use for the launch version. In future versions of the DAIX, we would like to develop a start-up questionnaire that allows users to adjust these weights according to their organisation's needs. For example, there may be different requirements when it comes to the importance of personal data protection or cybersecurity. Once entered, the individual responses are processed and weighted to calculate scores for each of the four sections, and a composite score is derived. We use the Dutch grading system as inspiration for the scale, meaning that a score of 5.5 and above represents a 'pass', while a score of 5.4 or below would represent a 'fail'.
Feedback and continuous improvement
Our vision for the DAIX is that it will become a catalyst for promoting data autonomy and fostering interdisciplinary dialogue within organisations. We encourage you to explore it, provide feedback and join us in our mission. We welcome feedback from users in order to continuously refine and improve the DAIX tool. Please share your insights and experiences via o.j.gstrein rug.nl.