In data governance, the question of principles- versus rules-based regulation is a knotty one: should best practice and operating standards be specified in regulation (rules-based), or should regulation provide the overall guidelines against which specific solutions can be measured (principles-based).  The former is compliance-focused and offers (notional) certainty, while the latter is outcome-focused and offers flexibility and adaptability to circumstances.

Both models come into and go out of fashion.  As research data governance was evolving as a topic at the end of the 20th century, rules-based regulation was more in favour.  However, this century has seen a move to principles-based regulation, as in the UK Digital Economy Act 2017 and the Australian Data Access and Transparency Act 2022.  European regulation provides a good example of this evolution: while the 1995 Data Protection Directive seeks to identify what is and is not anonymous data and what needs to done to it, the 2016 General Data Protection Regulation acknowledges a grey scale of data classifications, highlights the importance of technical measures and operational procedures in providing protection for data, and allows for much more flexibility in confidential data management.

There is a similar debate in regulation of financial markets.  UK and US financial regulation is more likely to follow a principles-based approach, whereas European regulation is more rules-based.  One would hope that a useful outcome of financial crises, such as those experienced by East Asian markets in the 1990s or the Western ‘global financial crisis’ of 2008 would be evidence for which is more effective, but apparently not…

Broader corporate governance also struggles with this issue.  How do you ensure board-level integrity and ethics, without overly constraining business operations or creating perverse incentives?  In 2018, the Risk Coalition was set up as a network of not-for-profit professional bodies and membership organisations committed to raising the standards of risk management in the UK.  The Risk Coalition has been strongly advocating a principles-based approach to risk governance and, in 2019, it first published its principles-based guidance, Raising the Bar, to raise standards of risk governance in UK financial services.

After an 18-month outreach exercise, the Risk Coalition has now produced Raising Your Game, cross-sector risk guidance for boards.  This is currently out for consultation but in its draft form it holds a lot of useful lessons for data governance.  The core message is ‘good ethics leads to lower risk’, but it also has a strong  emphasis on the need for decision-makers to have the training and information to use these principles effectively.  These are ideas which we at DRAGoN have been keen to promote as well, and many of the principles in the document can be directly related to good data governance.

One area where there is a difference between corporate governance and (public sector) data governance is the perception of risk as something to be managed or avoided.  The Risk Coalition is all about risk governance and risk management; that is, the normal activities of a business will involve risk and uncertainty, and the function of the guidelines is to prevent those risks becoming excessive.  In contrast, public sector research data governance is, as I have written many times before, predominantly default closed and concerned with risk avoidance.  Hence, for data governance the key principles also need to include “be clear about your goals and the value to society” and “always evaluate options as ‘how will I achieve my goals most effectively?’ and not ‘can I achieve my goal?’”.

Professor Felix Ritchie is Professor of Applied Economics at the University of the West of England (UWE).  He is also and Director of DRAGoN, UWE’s Data Research Access and Governance Network.  This blog updates one previously published as a DRAGoN blog.

The Risk Coalition invites stakeholders from all sectors to participate in the public consultation process for Raising Your Game.  The consultation closes on Monday, 16 September 2024.  Details of how to provide your feedback are set out in the consultation document.