Ti | = | |
/0.0.sec | = | Document Field Document Value |
Title.Ti | = | Title |
Title.sec | = | Responsible Data Science Policy (“{DefT.Policy}”) |
DocID.Ti | = | Document ID |
Version.Ti | = | Version |
LastUpdate.Ti | = | Last Updated (date) |
LastReview.Ti | = | Last Reviewed (date) |
ResponsibleBody.Ti | = | Responsible Body |
Title. | = | [G/Z/Base] |
DocID. | = | [G/Z/Base] |
Version. | = | [G/Z/Base] |
LastUpdate. | = | [G/Z/Base] |
LastReview. | = | [G/Z/Base] |
ResponsibleBody. | = | [G/Z/Base] |
Introduction.Ti | = | Introduction |
Principle.Ti | = | PRINCIPLES |
Principle.0.sec | = | {Principles.Three/Four} principles guide the responsible use of data and models by {Organization.Name.Full} (“{DefT.Organization}”). When the policy or related procedures are unclear, these Principles can be used to guide decisions. |
Principle.1.sec | = | Principle 1: The {_Organization} should continuously identify and understand risks arising from its data science activities, regardless of whether the harm might be external or internal. |
Principle.2.sec | = | Principle 2: The {_Organization} should use data science to contribute positively to the people, processes, and performance of the {_Organization}. |
Principle.3.sec | = | Principle 3: Whenever reasonably possible, the {_Organization} should manage risks arising from its data science activities, such as through risk avoidance, reduction, or offset, regardless of whether the harm might be external or internal. |
Note | = | Optional |
Principle.4.sec | = | Principle 4: Whenever reasonably possible, the {_Organization} should use data science to contribute positively to people, societies, and environments more broadly. |
Principle. | = | [G/Z/ol/s4] |
Purpose.Ti | = | PURPOSE |
Purpose.sec | = | The {_Organization} desires that its data science activities be conducted in a responsible manner that aligns with the Principles above. The objective of this {_Policy} is to ensure that the {_Organization} works to achieve these Principles from a technical, legal, and ethical perspective by establishing the standards, restrictions, and procedures that govern data science activities within the {_Organization}. |
Purpose. | = | [G/Z/Base] |
Scope.Ti | = | SCOPE |
Scope.0.sec | = | This {_Policy} applies to: |
Scope.1.sec | = | All data science activities, including those commonly described as statistical analysis, business intelligence, analytics, machine learning, artificial intelligence, or any other similar activities (collectively, “{DefT.Data_Science}”) |
Scope.2.sec | = | All {employees/employees_and_contractors} that manage or perform {_Data_Science} (“{DefT.Personnel}”) |
Scope.3.sec | = | All data that is used by {_Organization} in the context of {_Data_Science} (“{DefT.Covered_Data}”) |
Scope.4.sec | = | All models that are used by {_Organization} in the context of {_Data_Science} (“{DefT.Covered_Models}”), whether used on a continual basis or not |
Scope. | = | [G/Z/ol/s4] |
Procedure.Ti | = | PROCEDURES |
Procedure.0.sec | = | {PolicyOwner.Name.Full} is responsible for establishing a parent Procedure and one or more Sub-Procedures to govern the process of executing on this {_Policy}. Two types of Sub-Procedures are supported under this {_Policy}. |
Procedure.1.Ti | = | Prescriptive Sub-Procedure |
Procedure.1.0.sec | = | A Prescriptive Procedure defines the following: |
Procedure.1.1.sec | = | Clear criteria regarding the transparency, use, provenance, and general nature of {_Covered_Data} and {_Covered_Models} |
Procedure.1.2.sec | = | Minimum standard of transformation for attributes or {_Data_Subjects} |
Procedure.1.3.sec | = | Minimum acceptance criteria for release, such as differential privacy metrics |
Procedure.1.00.sec | = | When these standards and restrictions can be met, projects can generally proceed with little to no additional review. |
Procedure.1. | = | [G/Z/ol/s3] |
Procedure.2.Ti | = | Adjudicative Sub-Procedure |
Procedure.2.0.sec | = | An Adjudicative Procedure utilizes the following: |
ReadersNote | = | "Submitter" is defined but not used in this Policy. |
Procedure.2.1.sec | = | A Data Science Proposal Form, to be completed by the requesting party (“{DefT.Submitter}”) |
Procedure.2.2.sec | = | A Data Science Adjudicator (“{DefT.Adjudicator}”) responsible for evaluating such Data Science Proposals |
Procedure.2.00.1.sec | = | Submitters complete Data Science Proposal Forms, which are then sent to the responsible {_Adjudicator} for review. The {_Adjudicator}, which may be an individual or a larger group such as a committee or board, may reject the proposal, request further information or modification, or approve the proposal upon review. |
Procedure.2.00.2.sec | = | {PolicyOwner.Name.Full} is responsible for the establishment of one or more adjudicators, who must possess relevant experience and qualifications to support the assessment of technical, legal, and ethical considerations. {PolicyOwner.Name.Full} may create a single {_Adjudicator} to review all Proposals or may create multiple {_Adjudicators} to address one-time or recurring use cases such as industry, regulation, or geography. |
Procedure.2.00. | = | [G/Z/paras/s2] |
Procedure.2. | = | [G/Z/ol/s2] |
Procedure. | = | [G/Z/ol/s2] |
Conform.Ti | = | REGULATIONS AND STANDARDS |
Conform.0.sec | = | This {_Policy} contemplates and is intended to be compatible with the following regulations and standards, but is not intended to fully address all requirements of them: |
Conform.1.sec | = | General Data Protection Regulation (GDPR), EU 2016/679. |
Conform.2.sec | = | California Consumer Privacy Act of 2018 (CCPA), AB-375 or as otherwise codified and amended under the California Civil Code. |
Note | = | Optional 3rd section. |
Conform.3.sec | = | list other regulations and standards |
Note | = | Optional extro. |
Conform.00.sec | = | Additional information on related regulations and standards can be found at {PolicyKnowledgeBase.Hyperlink}. |
Conform. | = | [G/Z/ol-bullet/s3] |
Responsible.Ti | = | RESPONSIBILITY |
Responsible.sec | = | {PolicyOwner.Name.Full} is responsible for developing and maintaining this {_Policy}. The initial {_Policy} and all subsequent updates must be approved in writing by {PolicyApprover.Name.Full}. {PolicyOwner.Name.Full} is responsible for monitoring technical, legal, and ethical trends related to this {_Policy} and must review the {_Policy} in its entirety at least once per {PolicyReviewInterval.Period}. |
Responsible. | = | [G/Z/Base] |
Guidance.Ti | = | GUIDANCE |
Guidance.1.sec | = | {_Personnel} may contact {PolicyOwner.Name.Full} with questions, comments, or concerns regarding this {_Policy} and related Procedures at {PolicyOwner.ContactInfo.cl}. |
Note | = | Optional sentence on Additional information: |
Guidance.2.sec | = | Additional information on data handling can be found at {PolicyKnowledgeBase.Hyperlink}. |
Guidance. | = | [G/Z/para/s2] |
Comply.Ti | = | COMPLIANCE |
Comply.1.sec | = | {PolicyOwner.Name.Full} is responsible for verifying compliance with this {_Policy} and related Procedures in a manner of their choosing, including, but not limited to, hiring or contracting people or implementing processes or technology. |
Comply.2.sec | = | For {_Covered_Data} and {_Covered_Models} that are used on a continual basis or released into continuously-operating software, {PolicyOwner.Name.Full} is responsible for implementing an audit strategy to verify ongoing compliance, such as by contracting third-party auditors. {_Covered_Data} and {_Covered_Models} should be audited at least once per {PolicyReviewInterval.Period}. |
Comply. | = | [G/Z/ol-none/s2] |
Exception.Ti | = | EXCEPTIONS |
Exception.sec | = | Any and all exceptions to this {_Policy} and related Procedures must be approved in writing by {PolicyExceptionApprover.Name.Full}. Such exceptions, including supporting justification, must be documented in {PolicyExceptionLog.Hyperlink}. |
Exception. | = | [G/Z/Base] |
Violate.Ti | = | VIOLATION |
Violate.sec | = | {_Personnel} found to be in violation of this {_Policy} or related Procedures are subject to disciplinary action as outlined in the {DisciplinaryPolicy.Hyperlink}. Additionally, given the nature of risks related to {_Covered_Data}, {_Personnel} in violation of this {_Policy} or related Procedures may be subject to additional action, including, but not limited to, termination of employment. |
Violate. | = | [G/Z/Base] |
Restriction.Ti | = | Standards and Restrictions |
Transparent.Ti | = | TRANSPARENCY |
ReadersNote | = | "be noticed of" ??? |
Transparent.1.sec | = | {_Data_Science} should be transparent in its intention. If the {_Data_Subject} is an individual, they must {consent to/be noticed of} {_Organization}’s specified purpose and potential use of their data. If the {_Data_Subject} is not an individual, then the Data Owner should {consent_to/be_noticed_of} {_Organization}’s purpose and potential use of their {_Covered_Data}. {PolicyOwner.Name.Full} is responsible for ensuring that such {consent/notice} is sufficiently documented. |
Transparent.2.sec | = | {PolicyOwner.Name.Full} is responsible for ensuring that the {_Organization} can establish when {_Data_Science} occurs, who is performing the activities, what {_Covered_Data} or {_Covered_Models} are being used, and how the activities being performed relate to a permissible purpose. |
Transparent.3.sec | = | If the {_Organization} desires to use {_Covered_Data} for a purpose other than specified to the {_Data_Subject} or Data Owner, {consent/notice} must be {obtained/provided} prior to performing activities. |
Transparent. | = | [G/Z/ol-none/s3] |
DataUse.Ti | = | DATA USE |
DataUse.0.sec | = | {_Covered_Data} must only be used, disclosed, or otherwise made available for the specified purposes, except as: |
DataUse.1.sec | = | ● Consented to in writing by the {_Data_Subject} and, if applicable, by the Data Owner, or |
DataUse.2.sec | = | ● Required by law, regulation, or court order, or similar governmental compulsion. |
DataUse. | = | [G/Z/ol-bullet/s2] |
Provenance.Ti | = | PROVENANCE |
Provenance.sec | = | {_Data_Science} should establish and maintain clear provenance for {_Covered_Data} and {_Covered_Models}. {PolicyOwner.Name.Full} is responsible for ensuring that Procedures exist to determine and document such provenance. Provenance is required to establish facts related to technical, legal, or ethical risk assessments, including information such as the means of collection or the {_Data_Subject}/Data Owner. |
Provenance. | = | [G/Z/Base] |
Ethic.Ti | = | ETHICS |
Ethic.sec | = | The {_Organization} desires to avoid activities that are either unfair or unethical in their means or ends. The {_Organization} acknowledges that {_Data_Science} can meet legal standards and requirements while still involving unfair or ethically-undesirable processes or outcomes such as bias. {PolicyOwner.Name.Full} is responsible for ensuring that Procedures exist to identify, understand, and manage ethical concerns in a manner consistent with other risks. |
Ethic. | = | [G/Z/Base] |
SupplyChain.Ti | = | SUPPLY CHAIN |
SupplyChain.sec | = | Whenever reasonably possible, the {_Organization} should align standards, restrictions, and procedures under this {_Policy} with the standards, restrictions, and procedures of its supply chain. {PolicyOwner.Name.Full} is responsible for working with {Contracting/ProcurementOwner.Name.Full} to monitor and manage towards this goal. |
SupplyChain. | = | [G/Z/Base] |
Concept.Ti | = | CONCEPTS AND TECHNIQUES |
ReadersNote | = | "found in this policy under" is now Policy. |
Concept.sec | = | {PolicyOwner.Name.Full} is responsible for researching and documenting concepts, especially those related to privacy and fairness acceptance criteria, and techniques, especially those explicitly prohibited or approved from a privacy or explainability perspective. Whenever reasonably possible, the {_Organization} should align the technical concepts and techniques used under this {_Policy} with leading standards and research in privacy and fairness generally. Such documentation can be found in this {_Policy} under the Concepts and Techniques Inventory. |
Concept. | = | [G/Z/Base] |
= | [G/responsible-data-use-policy/PrOb/RDSP/Outline.md] | |
CodersNote | = | Defined Terms: |
_Policy | = | Policy |
_Organization | = | Organization |
_Data_Subject | = | Data Subject |
_Data_Subjects | = | Data Subjects |
_Data_Science | = | Data Science |
_Personnel | = | Personnel |
_Covered_Data | = | Covered Data |
_Covered_Models | = | Covered Models |
_Submitter | = | Submitter |
_Adjudicator | = | Adjudicator |
_Adjudicators | = | Adjudicators |
Def.Policy | = | {_Policy} |
Def.Organization | = | {_Organization} |
Def.Data_Science | = | {_Data_Science} |
Def.Data_Subject | = | {_Data_Subject} |
Def.Personnel | = | {_Personnel} |
Def.Covered_Data | = | {_Covered_Data} |
Def.Covered_Models | = | {_Covered_Models} |
Def.Submitter | = | {_Submitter} |
Def.Adjudicator | = | {_Adjudicator} |
CodersNote | = | Dummy Params |
Principles.Three/Four | = | Principles.Three/Four |
Organization.Name.Full | = | Organization.Name.Full |
employees/employees_and_contractors | = | employees/employees and contractors |
PolicyOwner.Name.Full | = | PolicyOwner.Name.Full |
PolicyKnowledgeBase.Hyperlink | = | PolicyKnowledgeBase.Hyperlink |
PolicyApprover.Name.Full | = | PolicyApprover.Name.Full |
PolicyReviewInterval.Period | = | PolicyReviewInterval.Period |
PolicyOwner.ContactInfo.cl | = | PolicyOwner.ContactInfo.cl |
PolicyExceptionApprover.Name.Full | = | PolicyExceptionApprover.Name.Full |
PolicyExceptionLog.Hyperlink | = | PolicyExceptionLog.Hyperlink |
DisciplinaryPolicy.Hyperlink | = | DisciplinaryPolicy.Hyperlink |
consent to/be noticed of | = | consent to/be noticed of |
consent_to/be_noticed_of | = | consent_to/be_noticed_of |
consent/notice | = | consent/notice |
obtained/provided | = | obtained/provided |
Contracting/ProcurementOwner.Name.Full | = | Contracting/ProcurementOwner.Name.Full |