Developing standards for accountability in data stewardship

Minimum requirements

  • Code of Conduct — This serves as the main tool of self-regulation for the entity. Ideally, it must give an overview of the oversight mechanism, the procedure for raising complaints/grievances, and the whistleblower policy, among others. It also serves as the main document that lists the ethical considerations, principles, and objectives that guide the functioning of the organization.
  • Voluntary Disclosures — An Information Disclosure Policy customized to the nature of the data shared and the work undertaken by the entity must be formulated. It must specify the nature of the disclosures, the time interval between disclosures, and a commitment to making open, accessible disclosures (e.g., on the website of the entity or through other easily accessible means).
  • Internal grievance redressal mechanism — This should include a mode or process for raising complaints and an internal procedure to investigate and resolve such complaints. A formalized complaint policy is mandatory: it defines what counts as a complaint, specifies the process and timeline from the moment the complaint is received to its resolution, references the code of conduct to determine what standards/safeguards the organization has committed itself to, and lays down the procedure mentioned above. There must be a dedicated email ID or submission form to register complaints/grievances. The complaints policy must be built to allow anonymous complaints without fear of reprisal and to encourage whistleblowers to come forward. Tying this to the disclosures requirement, the nature and number of complaints received and resolved must be published in an easily accessible report without breaching norms of confidentiality.
  • Compliance with extant laws/procedures — The laws applicable to data protection and privacy are still evolving in India. However, any system of accountability will have to comply with the requirements specified in national laws/rules/regulations or guidelines issued by the relevant regulatory organization. Attention must also be paid to applicable international agreements and covenants: while compliance with the agreements ratified by India is mandatory, compliance with agreements not signed or ratified by India may be optional.
  • Internal audit/inspection — An internal audit/inspection to be conducted by an independent review panel (constituted from individuals among the organization's own employees) to verify compliance with the organization’s policies and other applicable laws.

Additional requirements

  • External Audit — Annual audit to be conducted by an external expert or experts. The scope of the audit will include not only compliance aspects but also (and more importantly) a risk assessment and suggested means of mitigation.
  • Dispute resolution mechanism — While an internal mechanism for raising complaints has already been mentioned, it can be further strengthened by providing a procedure for escalating disputes/complaints that could not be resolved internally. Referring disputes to arbitration could serve as an expeditious means of resolving them.
  • Review — Considering the evolving nature of the data governance landscape, an annual or biennial review of disclosure norms, the code of conduct and other pertinent policies will enable regular updating, review, and improvement of the standards to reflect changing times/needs.
  • Participatory meetings — Engagement with the stakeholder(s) to ensure dynamic accountability.
  • Legal accountability mechanisms — Policies of organizations act as guidelines and do not carry the same force as a legally mandated requirement. Solidifying a requirement/standard by means of a contract or a similar legally binding commitment will strengthen accountability. Legal duties must be clearly spelled out so that legal and formal institutions and mechanisms can hold the entities to account in the event of a breach or violation of the duty.
  • Sanctions/Remediation — In the event of any breach of legal duties/contract or violation of the standard of care in any manner, such conduct must invite sanctions. A mere statement of acceptance of wrongdoing is in itself insufficient; a mechanism for remedying the breach must also be provided.
  • Internal Steering Committee — An interdisciplinary steering committee may be constituted to undertake the task of ongoing oversight of compliance with policies and rules.

Aapti Institute
At the frontier of tech and society