Blog

DPGA Launches Strengthened Privacy and Data Security Framework for Digital Public Goods Standard

September 11, 2025

Authors: Amreen Taneja, DPG Standard Lead

In an increasingly digital world where data has become a critical asset, privacy and data security have emerged as fundamental rights and essential safeguards for individuals and communities. From healthcare systems and financial services to educational platforms and humanitarian aid delivery, digital solutions handle vast amounts of sensitive personal information that require appropriate protection and responsible handling. For users of digital solutions around the world, robust privacy measures are not just important but an essential part of preventing exploitation and mitigating harm.

The Digital Public Goods Standard is a set of specifications and guidelines designed to maximise consensus about whether a digital solution conforms to the definition of a digital public good (DPG) as defined in the UN Secretary General’s Roadmap for Digital Cooperation. As part of this, in order to be considered a digital public good, solutions must be designed and developed to comply with privacy and other applicable laws (Indicator 7 of the DPG Standard) as well as to anticipate, prevent, and do no harm by design (Indicator 9).

Recognising the importance of privacy and data security to achieve these aims, the Digital Public Goods Alliance is pleased to announce these updates to the DPG Standard. The updates introduce six new requirements as well as an annexure of privacy and data security best practices, which serve as a practical guide for applicants seeking to improve their digital solutions. These changes are the result of a consultative process and will strengthen the design and development of open solutions seeking DPG recognition. The criteria will apply to all new solutions seeking certification in the DPG Registry and will be collected from existing DPGs during their annual review.

Formation of Privacy Expert Group for driving DPG Standard Enhancement

In April 2024, the DPGA Secretariat, in collaboration with the Open Knowledge Foundation, assembled a distinguished Privacy Expert Group comprising neutral privacy professionals from legal, technical and multilateral sectors. This expert group was specifically tasked with addressing critical gaps in privacy compliance within the existing DPG Standard and aligning DPGs with global best privacy practices.

The expert group, co-led by DPGA Secretariat’s Standards Lead, Amreen Taneja, and Open Knowledge Foundation representatives, Renata Avila (CEO) and Patricio Del Boca (Technical Lead), worked alongside Thomas Shone from the Netherlands, Godfrey Kutumela from South Africa, Clarissa Luz from Brazil, Marie C. Bonnet from France, Puneet Bhasin from India, Emma Day from the United Kingdom and Aparna Bhushan from the United States. This geographic diversity ensured that the updated requirements could accommodate local legislation and regional privacy ecosystems while maintaining global applicability.

The expert group focused on three objectives:

1. Conducting a gap analysis and risk assessment to identify shortcomings in privacy compliance within the DPG Standard;
2. Defining clear parameters for privacy compliance under Indicator 7 to be embedded in the assessment process, with the aim of ensuring fair criteria for both small scale and larger DPGs; and
3. Proposing an annex to Indicators 7 and 9(a) that sets out recommended best practices for privacy and data security, strongly encouraged for applicants to adopt.

Privacy Requirements for the DPG Standard

The Privacy Expert Group's recommendations were submitted to the DPG Standard Council as part of the Standard's governance process. The Standard Council reviewed and adapted these recommendations, ensuring they could be effectively incorporated into the DPG review process while maintaining accessibility for applicants.

The updated requirements, now mandatory for all DPG applicants, are structured around six fundamental privacy concepts that are addressed through specific questions in the application process. These questions are designed to extract critical information traditionally found in extensive documentation such as Privacy Impact Assessments (PIAs), Data Protection Impact Assessments (DPIAs), and Data Retention Policies that would be required by the DPG Review team for assessing the design and development aspects of the product, while ensuring the process remains accessible to applicants ranging from large organisations to small scale innovators.

Six New Privacy Considerations for DPG Applicants

1. Data Minimisation: Applicants must now answer: ‘Is this the minimum amount of PII data required for your solution to function properly?’ This question ensures alignment with global privacy regulations like GDPR (General Data Protection Regulation), by demonstrating that DPGs collect only the minimum amount of Personally Identifiable Information (PII) necessary for functionality, particularly important when serving vulnerable populations.
2. User Consent Mechanisms: The application process now requires responses to: ‘How does your solution communicate to the user that you are collecting their PII data?’ This addresses the critical need for transparency in obtaining and managing user consent, ensuring compliance with frameworks such as GDPR and the California Consumer Privacy Act (CCPA) while empowering users to make informed choices about their data.
3. Data Usage Transparency: Two key questions in the application process address this aspect: ‘Please provide your privacy policy or any relevant documentation that outlines consent management procedures, the reasons for collecting and processing PII data, and any processes in place for handling subject requests.’ and ‘Where in the solution is PII data being processed or used? And which components of the solution allow access to this data?’. These questions ensure that applicants clearly articulate their data practices, demonstrating compliance with the principle of purpose limitation and operational transparency.
4. Adherence to Privacy-By-Design Principles: Applicants must answer the question: ‘Which mechanisms does your solution provide to delete PII data?’ This question evaluates applicants’ readiness to handle data retention and deletion responsibly, highlighting mechanisms for addressing user requests and preventing indefinite data storage. Solutions with strong privacy-by-design features reflect a commitment to ethical data practices and regulatory compliance.
5. Transparency Around Data Retention: Using the same question as privacy-by-design, this requirement ensures that solutions have clear data retention and deletion procedures, demonstrating compliance with regulations that mandate minimising risks associated with prolonged data storage while fostering trust among users, particularly in solutions serving marginalised communities.
6. Data Governance and Access Controls: The question ‘Where in the solution is PII data being processed or used? And which components of the solution allow access to this data?’ also addresses the need for secure data management, ensuring that PII is protected against breaches and misuse through robust governance mechanisms that align with principles of data isolation and segregation.

Best Practices Annexure Launched

Alongside the mandatory requirements, we have released a comprehensive annexure of privacy and data security best practices that, while not mandatory, are highly encouraged for all DPGs. This detailed guidance document provides a practical roadmap for both small and large-scale open solutions seeking to align with industry standards.

This annexure encompasses four critical areas of privacy and data security practices.

1. Privacy Governance and Accountability establishes policy-level best practices, including comprehensive privacy policies that align with international standards, consideration of non-PII and group data risks, and governance accountability measures such as designating Data Protection Officers and establishing independent ethics review processes.
2. Compliance Documentation and Proofs provides guidance on essential documentation, including Data Protection Impact Assessments, data flow mapping, retention and disposal policies, security issue communication protocols, training records, and third-party vendor management. These documentation requirements ensure that DPGs maintain comprehensive records of their privacy practices and can demonstrate compliance when required.
3. Technical and Organisational Safeguards outlines best practices for implementation requirements for minimum data protection controls, including robust authentication and access controls with role-based access and multi-factor authentication, comprehensive logging and auditing systems, state-of-the-art encryption for data in transit and at rest, systematic vulnerability management, data isolation and localisation measures, and privacy-enhancing technologies such as differential privacy and federated learning.
4. Lifecycle Management and Oversight ensures that privacy considerations are embedded throughout the entire data lifecycle, including ongoing risk monitoring, audit readiness, and change management processes that assess privacy and security implications during product updates.

How Privacy Enhancements Strengthen the Digital Public Goods Ecosystem

These enhanced privacy requirements represent a significant advancement in ensuring that DPGs anticipate, prevent, and do no harm in the design and development of their solutions. By embedding effective privacy safeguards into the design and development stages of DPGs, these updates enable DPGs to better serve users and communities while upholding critical privacy rights. The privacy-focused approach is particularly crucial for DPGs serving vulnerable populations, who face heightened risks from data misuse or unethical practices. Aligned with global privacy standards, these updates aim to strengthen the credibility and long-term sustainability of digital public goods, making them more trustworthy to partners, funders, and international initiatives.
They also establish privacy compliance as an integral part of DPG evaluation, reinforcing both operational efficiency and ethical practice across the ecosystem.

As DPGs play an increasingly vital role in advancing the UN Sustainable Development Goals, these enhanced privacy protections ensure they can fulfill their mission while maintaining the trust and confidence of the communities they serve. Through these comprehensive updates to the DPG Standard, we aim to lead the way in establishing ethical frameworks for digital development, ensuring that DPGs create maximum positive impact while upholding fundamental principles of privacy and security essential for sustainable global progress.

Investing in the Future: DPG Product Owners on Why Now Is the Time to Step Up and Support

August 18, 2025

Authors: Bolaji Ayodeji, DPG Evangelist and Technical Coordinator, DPGA Secretariat

The Digital Public Goods Alliance is committed to the long-term success of digital public goods (DPGs), including helping those who run and maintain DPGs to make their voices heard. In response to a shifting funding landscape, DPG product owners have come together to issue an open letter reminding digital transformation supporters from different focus areas worldwide of the vital role DPGs play in advancing the Sustainable Development Goals.

DPGs are already helping countries and organisations deliver public services more effectively and are serving as the solutions needed to address critical challenges—from climate change and healthcare to education, financial inclusion, strengthening information integrity efforts, and beyond. They are also enabling more effective digital transformation by helping countries and organisations avoid duplication, reduce costs, and scale impact through open, interoperable, adaptable technologies that can be tailored to local contexts. As development assistance models evolve, the cost, speed, and collaboration advantages of DPGs underscore why they are the solutions we need now more than ever.

This letter, written and signed by more than 15 product owners, encourages governments, funders, civil society organisations, technologists—including system integrators and hyperscalers—and all others across the ecosystem to read and reflect on the important calls to action highlighted within the letter, and consider how they can help ensure the continued sustainability of DPGs.

The DPGA at IGF 2025: Advancing Cooperation on Digital Public Goods

July 22, 2025

Authors: DPGA Secretariat

This year’s Internet Governance Forum (IGF) in Norway brought together global leaders, technologists, and policymakers to build trust, resilience and digital cooperation to ensure technology and future innovation are sustainable, accessible, and rights-respecting. The Digital Public Goods Alliance (DPGA) was proud to contribute to this momentum by spotlighting the role of digital public goods (DPGs) and open-source solutions as key enablers of IGF’s goals. At a time when countries are seeking ways to build digital systems that are both cost effective and equitable, the DPGA used its presence at IGF to make the case that DPGs—open-source, interoperable tools designed for public benefit—are not only viable, but vital for achieving safe, inclusive, and interoperable digital public infrastructure.

UNICC has joined the Digital Public Goods Alliance!

June 18, 2025

Authors: Carol Matos

UNICC has joined the Digital Public Goods Alliance! The announcement happened during the UN Open Source Week side event “Accelerate SDG Impact, Scaling Open Source”, with Lucy Harris, COO, DPGA Secretariat; Emily Bennett, Head of Digital Public Solutions, UNICC; and Anish Sethi, Chief, Digital Solutions Centre, UNICC.

As a member of the DPGA, the United Nations International Computing Centre marked a strategic step forward in its mission to enable inclusive and sustainable digital transformation across the UN system, other international organisations, and governments.

“Joining the DPGA is a natural extension of our mission to support the United Nations’ digital transformation journey. Our technical and strategic contributions can help ensure that digital public goods are developed and deployed in a way that reflects the values, needs, and standards of the UN system,” said Sameer Chauhan, Director, UNICC.

“We are proud to welcome UNICC to the DPGA. Their membership not only supports the United Nations’ digital transformation journey but also strengthens the DPG ecosystem by contributing potential new solutions to the DPG Registry. Beyond advocating for open, scalable solutions across the UN system, UNICC helps expand the adoption of DPGs where they’re needed most, ultimately accelerating digital cooperation efforts to achieve the SDGs,” added Liv Marte Nordhaug, CEO, Digital Public Goods Alliance Secretariat.

Launching the Global Open-Source Policies & Practices Survey

June 12, 2025

Authors: Lucy Harris, Chief Operating Officer and Jon Lloyd, Director of Advocacy, DPGA Secretariat

Today the DPGA Secretariat, in coordination with twenty-four organisations, is launching the Global Open Source Policies & Practices Survey. Directed at governments and organizations, this survey aims to significantly improve understanding of the current landscape of open-source policies, principles, and frameworks among governments and organizations.

AI systems as digital public goods - a dive into what this means from a slightly more technical perspective

May 21, 2025

Authors: Ricardo Mirón Torres, DPGA Secretariat's Chief Technology Officer

The DPGA is now accepting submissions for AI systems! This post provides a practical overview and detailed description of the requirements outlined in the DPG Standard that an AI system must meet to be recognized as a digital public good and listed on the DPG Registry.

How we got here?

A digital public good (DPG) entails much more than simply being open software, open data, an open content collection, or an open AI system. DPGs are open-source solutions that must also be accessible, adaptable, and designed to do no harm. Therefore, to be recognised as a DPG, a solution must demonstrate adherence to the DPG Standard to ensure those important elements are embedded into the design of a digital solution and, by doing so, can facilitate more impactful and safe technology deployment.

In 2023, recognising both the immense potential of AI for development as well as the risks associated with it, the DPGA Secretariat, in collaboration with UNICEF, convened a dedicated Community of Practice (CoP) on AI systems. This group was brought together to specifically examine how the DPG Standard may need to adapt to better determine what constitutes AI systems as a type of DPG and to explore the intersection between open and responsible AI. Alongside a set of recommendations from the CoP on AI systems, the DPGA Secretariat closely monitored and participated in relevant conversations that were also taking place. This included the OSI's Open Source AI Definition (OSAID), the Linux Foundation’s Model Openness Framework (MOF), and consultations with DPGA members actively working on AI, such as OpenFuture, Creative Commons, and the Open Knowledge Foundation.

Following an open commenting period on GitHub, the DPG Standard Council carefully considered inputs surfaced throughout this process and, as part of a set of updates to the DPG Standard, introduced changes to strengthen the transparency and accountability of AI system DPGs while ensuring that they meet consistent requirements across all DPG categories.

What's an AI system, anyway?

Before diving into the specific updates, it’s valuable to provide an understanding of what is meant by “AI system,” as it has implications for the components that must be DPG Standard compliant. We recognise AI systems as machine-based systems designed to operate with varying levels of autonomy that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments, or generate outputs, such as text, images, or sounds.

This understanding aligns with OECD guidelines on AI (Recommendation of the Council on Artificial Intelligence, OECD Publishing, Paris, 2019).

In order to be recognised as a DPG, AI systems must provide the following components, alongside the following requirements:

Advancing Digital Public Goods via the UN Open Source Principles

April 7, 2025

Authors: Lucy Harris, Omar Mohsine

Over the past five years, there has been increasing recognition throughout the United Nations System of the pivotal role that open source can play in accelerating the advancement of the Sustainable De...

2024 State of the DPG Ecosystem Report is now live!

February 19, 2025

Authors: Digital Public Goods Alliance

2024 was a year filled with numerous highlights for the digital public goods Ecosystem, underscoring the vital and positive impact that DPGs can facilitate across all of the Sustainable Development Go...

Digital Commons and Digital Public Goods – Finding Common Ground for Policy-makers

January 30, 2025

Authors: Liv Marte Nordhaug, Nicholas Gates

This article is co-written by the Digital Public Goods Alliance and NGI Commons. You can find another version of this article on the NGI Commons website. Digital Commons can be a fuzzy term to some, b...