The Data Autonomy Index (DAIX) is a tool developed with the objective of enhancing data autonomy within an organisation. As a component of the Data Autonomy initiative, the DAIX aims to examine questions relating to data control, privacy, autonomy and impact. The intention of this tool is to serve as a basis to start a conversation about institutional autonomy when it comes to using data-based services such as cloud computing. In particular, it should facilitate an interdisciplinary discussion involving people with different backgrounds and experiences. In this spirit, the DAIX questionnaire serves as a tool of assessment. We are happy to receive feedback from users via v.t.toma@rug.nl.

Preliminary Questions

Organizational Importance

Control mechanisms such as access rights management, compliance with legal frameworks such as the General Data Protection Regulation or the EU AI Act, cybersecurity measures, and (technical/organisational) monitoring options.

Autonomy refers to your ability to manage and control your data independently. This includes aspects of keeping data confidential (e.g. business secrets, strategic knowledge), avoiding vendor lock-in, flexibility in data migration, having a documented exit policy, adherence to open standards, and the ability to influence future development.

Privacy involves ensuring lawful, transparent processing of personal data, minimizing data collection, maintaining data accuracy, and implementing strong information security measures. It also includes managing cookies and usage data responsibly.

This relates to potential financial, reputational, and operational impacts that your organization might face in case of data management failures. Think of things ‘going wrong’ because your organisations has made under considered or negligent choices and just went with the easiest option without thinking everything through.


Control

Legal framework

A data processing agreement is a legal contract that outlines the terms and conditions under which data is processed. It typically includes details about the purpose, duration, security measures, and the rights and responsibilities of both parties involved in data processing.


Cybersecurity

Granularity in permissions refers to the degree of detail in assigning access rights to users or systems. It involves specifying precisely which actions or data each user or system is allowed to access, providing a more fine-grained control over security.

This refers to the methods and techniques used to convert data into a coded format to protect it from unauthorized access.


Monitoring Options

The Software Bill of Materials (SBOM) is a detailed inventory or electronic document that outlines the components and origins of a piece of software, providing transparency to enhance cybersecurity risk management.

Can the assessed tool or platform integrate with existing monitoring systems which are already being used in the organisation?

Is your data used to train AI systems? Select 3 if none of your data has been used for AI training


Privacy

AVG

This covers treating the personal data of individuals fairly, being transparent about processing activities, and having a lawful basis (e.g. informed and specific consent or legal requirement) for data processing.

Ensuring that data is used for specific, pre-defined and clearly limited purposes.

Collects and processes the minimum amount of data necessary to fulfill its intended purpose.

Evaluates whether there are measures in place to ensure the accuracy and correctness of the processed data.

Implementing storage limitations helps organizations to avoid retaining personal data longer than necessary. This reduces the potential for misuse or unauthorized access.

Is the envisaged data use adhering to ethical standards (e.g. non-discrimination, fairness, etc.)


Information Security

Significance of certain information in achieving organizational objectives, emphasizing the need for robust security measures.

Crucial for privacy considerations and ensuring responsible data handling.

Transparency and user consent are essential to comply with privacy regulations.

Clarifying the scope of cookie tracking helps manage user expectations and privacy concerns.


Autonomy

Data Migration Flexibility

How long will it take to migrate to another comparable platform or service?

Does the migration require specialized knowledge?

Can you accommodate data migration? Do you have specific infrastructure requirements?

Do you have storage options for data migration?


Exit Policy

The presence of a documented exit policy outlines procedures and requirements for transitioning away from a service or system.


Integration Capabilities

Adhering to open standards facilitates integration and reduces dependence on proprietary solutions.


Say in Further Development

A contributor licence agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source licence. This establishes transparency.

Is it possible to influence the direction of development? If yes, this allows to align technology with specific organisational needs, promoting data autonomy principles.


Impact

Evaluates the financial implications if data management fails, from significant losses to negligible impact.

The Consumer Price Index is a measure that examines the average change in prices of goods and services over time, depending on inflation.

Potential for reputational damage associated with the system.

0-Individual, 1-Team, 2-Domain, 3-Faculty, 4-Organization.

This covers administrative and compliance responsibilities associated with managing and overseeing the application.

How high are the costs that would have to be faced as a result of migration to another comparable service or platform?


Special Thanks

Special thanks to Jos Stoepker, Christian van der Kooi, Anouk Pelzer, Erika Chorén Iglesias, Daniël Vos, Victor Toma and project supervisor Dr. Oskar J. Gstrein.

This project is part of the Data Autonomy initiative of the University of Groningen.