Alaap Shah Quoted in "Opinion: Data Governance in the Age of AI: Beyond the Basics"

If you want some basic advice about launching a data governance program, it’s easy to find: Get leadership buy-in, appoint some data stewards or champions, and make sure everyone meets regularly to talk about it.

But there’s a lot more to it than that, especially in the age of data-hungry tools born from artificial intelligence. When you’re dealing with data on a machine learning scale, you’re dealing with “garbage in, garbage out” on steroids. …

The American Society of Clinical Oncology’s (ASCO) CancerLinQ initiative collects and analyzes massive amounts of data from patient encounters to give oncologists a quality monitoring system to ensure patients are getting the best care.

“As the representative body for oncologists we wanted to be able to build something that they can trust. Ultimately, you live and die on the trust that you have,” says Alaap Shah, an attorney at Epstein Becker Green, who was the ASCO’s chief privacy officer at the time. …

Step one was to develop a set of governing bodies to provide guidance on issues, to formalize them into policies, to govern how the organization operates and how it builds and uses technology, he says.

The data governance team delved into policy, ethical issues, and legal and regulatory requirements. Those were distilled into principal documents, then more fleshed-out policy statements.

“Those became the internal bellwether by which we operationalized a lot of this program,” Shah says. “They were living and breathing documents which we revisited from time to time, partly through those committees we formed but also through the staff that was operationalizing around it. We were essentially developing a culture of compliance, a culture of privacy, a culture of data protection, a culture of responsible data stewardship. All these are the high-level principles by which we started to operate and think and live and breathe.”

Step two was to “think about, internally and externally, what responsible data use and stewardship looks like and carry that out. We don’t want to say to participants ‘hey, give us all your data, we’re going to do great things with it’ and then go and sell it to some bad actor somewhere in the market,” he says. “The point is, what do we need to be thinking about and doing to make sure that we’re ... acting responsibly relative to the data we’re getting from participants in our network and also using that data for downstream purposes that are responsible from a public perception perspective?”

Setting boundaries means disclosing up front what the organization planned to do with the data and not deviate from that promise. “Ensure you’re safeguarding the data technologically and otherwise and then ultimately create something good with that,” Shah says. “You’ve been charged with this great responsibility because you have all this data; make sure that you don’t screw it up.”