Developing standards for accountability in data stewardship

Aapti Institute
Oct 30, 2020


By Preethi Sundararajan

This article follows “The role of data stewards in enhancing accountability” and sketches a possible set of standards for accountability in data stewardship.

A two-fold framework for accountability is envisaged here. The first tier consists of minimum standards: either the bare minimum protections and responsibilities, or requirements that are legally mandated. The second tier, listed below under additional requirements, is a set of standards that reinforce and strengthen the minimum standards. While meeting the minimum standards may be sufficient for entities handling anonymized, aggregated, non-sensitive data, a higher threshold of accountability, by way of the additional standards, may be insisted upon for entities handling sensitive data such as health-related data, sensitive personal data (sexual orientation, ethnicity, religion, political beliefs, etc.), genetic data and biometric data.

Minimum requirements

  • Code of Conduct — This serves as the main tool of self-regulation for the entity. Ideally, it gives an overview of the oversight mechanism, the procedure for raising complaints/grievances, and the whistleblower policy, among others. It also serves as the main document that lists the ethical considerations, principles, and objectives that guide the functioning of the organization.
  • Voluntary Disclosures — An Information Disclosure Policy customized to the nature of the data shared and the work undertaken by the entity must be formulated. It must specify what is disclosed, the interval between disclosures, and a commitment to making open, accessible disclosures (for example, on the website of the entity or by other easily accessible means).
  • Internal grievance redressal mechanism — This should include a channel for raising complaints and an internal procedure to investigate and resolve them. A formalized complaints policy must be mandatory. It should define what counts as a complaint, specify the process and timeline from the moment a complaint is received to its resolution, and reference the code of conduct to determine which standards/safeguards the organization has committed itself to. There must be a dedicated email ID or submission form for registering complaints/grievances. The policy must allow anonymous complaints without fear of reprisal and encourage whistleblowers to come forward. Tying this to the disclosures requirement, the nature and number of complaints received and resolved must be published in an easily accessible report, without breaching norms of confidentiality.
  • Compliance with extant laws/procedures — The laws applicable to data protection and privacy are still evolving in India. However, any system of accountability will have to comply with the requirements specified in national laws/rules/regulations or in guidelines issued by the relevant regulatory organization. Attention must also be paid to applicable international agreements and covenants: compliance with agreements ratified by India is mandatory, while compliance with agreements India has not signed or ratified remains optional.
  • Internal audit/inspection — An internal audit/inspection is to be conducted by a review panel constituted from the organization’s own employees but independent of the functions it reviews, to verify compliance with the organization’s policies and other applicable laws.

Additional requirements

  • External Audit — An annual audit to be conducted by one or more external experts. The audit should cover not only compliance but also (and more importantly) a risk assessment, with suggested means of mitigation.
  • Dispute resolution mechanism — While an internal mechanism for raising complaints has already been mentioned, it can be further strengthened by providing a procedure for escalating disputes/complaints that could not be resolved internally. Referring such disputes to arbitration could serve as an expeditious means of resolving them.
  • Review — Considering the evolving nature of the data governance landscape, an annual or biennial review of disclosure norms, the code of conduct and other pertinent policies will enable regular updating and improvement of the standards to reflect changing times and needs.
  • Participatory meetings — Regular engagement with stakeholders to ensure dynamic accountability.
  • Legal accountability mechanisms — An organization’s policies act as guidelines and do not carry the same force as a legally mandated requirement. Solidifying a requirement/standard by means of a contract or a similar legally binding commitment will strengthen accountability. Legal duties must be clearly spelled out so that legal and formal institutions and mechanisms can hold the entity to account in the event of a breach or violation of the duty.
  • Sanctions/Remediation — Any breach of legal duties or contract, or any violation of the standard of care, must invite sanctions. A mere statement of acceptance of wrongdoing is insufficient in itself; a mechanism must be put in place that provides concrete ways of remedying the breach.
  • Internal Steering Committee — An interdisciplinary steering committee may be constituted to undertake the task of ongoing oversight of compliance to policies and rules.

This article was written by Preethi Sundararajan. Preethi is a second-year M.A. (Public Policy and Governance) student at the Azim Premji University. Her interests lie in governance issues pertaining to accountability/transparency and the financial sector, and the rule of law in India.

To learn more, visit Aapti’s Data Economy Lab.