Appendix A: Weighting of Questions

This question is designed to capture the point of view of the user, and does not impact their public value score.

Who will be using the data? If you are unsure or if more than two categories apply, please specify via the “Other” option.

This question refers to the primary activity of the data user. If the primary activity can best be explained by a separate category (or across two or more categories), please specify via the “None of the above” option. If you are unsure, please select “I don’t know.”

This question aims to capture the size of the data user relative to the public. A large data user (e.g. a multinational company) will typically have more resources at its disposal, and is therefore held to a higher standard regarding its ability to limit the risks and maximise the benefits of its data use. Moreover, its data uses are more likely to affect a greater number of people.

Please choose the option “small entity” if the data user has an annual turnover (or balance sheet) of less than €10 million or equivalent. Choose “large entity” if it is more than €50 million or equivalent in other currency per year. For anything in between, please choose “medium-sized entity”.

If none of the provided options are applicable, please specify via the "None of the above" option. If you are unsure, please select "I don't know.”

This question aims to capture how the data user finances its operations. A data user with more financial resources is held to a higher standard regarding its ability to limit risks and maximise benefits of its data use.

If none of the provided options are applicable, please specify via the "None of the above" option. If you are unsure, please select "I don't know.”

This question aims to understand if the data user shares information about its activities with the public. The more regular and public the data user reports on its activities are, the higher the data user's transparency and the higher, in turn, the public value created.

If none of the provided options are applicable, please select "None of the above" and specify your unique reporting requirements. If you are unsure, please select "I don't know."

In many jurisdictions public actors need to disclose information when someone files a Freedom of Information (FOI) request. For data users that do not fall within the scope of FOIs (e.g. privately owned businesses), their track record in providing information when requested by citizens or public bodies is taken into account.

If none of the provided options are applicable, select "None of the above" and specify your unique reporting requirements. If you are unsure, choose "I don't know.”

This question assesses if the data user has an established procedure for responding to requests to provide information to the public on its activities. No procedure will reduce the public value of an instance of data use as it does not signal a commitment to transparency, while an established procedure implies a greater transparency, and thus a higher public value.

If none of the provided options are applicable, please specify via the "None of the above" option. If you are unsure, please select "I don't know.”

This question aims at capturing the user’s motivation for the data use. For example, data use aimed at improving medical treatments is of high value to the public, provided that risks are minimised.

If none of the provided options are applicable, select "None of the above" and specify the motivation underlying the data use in question. If you are unsure, please select "I don't know.”

This question aims at understanding whether the data use will benefit individuals and/or communities in low and middle-income countries (LMICs, or “the Global South”). Multinational corporations frequently generate considerable profits in high-income countries from digital activity in LMICs while paying no tax there, which adversely impacts the public value they generate. Data use which helps reduce global inequality by ensuring benefits are shared equally will be of higher public value.

If none of the provided options are applicable, select "None of the above" and specify the data user’s record of distributing benefits to LMICs. If you are unsure, please select "I don't know.”

Certain marginalised groups are afforded special protection under anti-discrimination laws. The German Constitution (Basic Law), for instance, prohibits discrimination on the basis of sex, gender, origin, ethnicity, language, belief, religious and political views, and disability (Article 3 Basic Law). This question aims to assess if the likelihood that a given data use will benefit such groups. Data use which helps reduce inequality and which benefits these groups will be of a higher public value. This question should be answered in line with those groups protected in the relevant jurisdiction or, if inapplicable, in international Human Rights law.

“Some track record” indicates a few instances of strengthening the benefits for marginalised groups. A “strong track record’ indicates consistent and sustained efforts to ensure the benefits of data use are felt by such groups. If you are unsure, please select "I don't know.”

Future generations are likely to suffer from inequities in the distribution of wealth and income, as well as water scarcity, global warming and migration. Data use that serves a growing societal need, or is likely to benefit future generations in other ways, will have a higher public value.

If you are unsure, please select "I don't know.”

A key component of assessing the public value of data use is the (foreseeable) risk to individuals or groups, both directly and indirectly. Note that this is not an exhaustive list of potential risk categories. Please use the “Other” option to specify additional risks. Examples of the above include:

Financial Risk: Sensitive financial data (e.g., bank details, tax information etc.) carries a financial risk to data subjects. An indirect financial risk would be individuals denied insurance or loan applications on the basis of predictions made via the data use.

Health risk: If data use involves managing health records for example, there is a risk that mishandling data could lead to misdiagnosis or incorrect medical treatment, potentially causing physical harm to individuals. Data misuse can also risk the mental health of individuals.

Informational Risk: Informational risk is the potential for harm from disclosure of information about an identified individual. All sensitive personal data falls under this category, as well as anonymised data which can be conceivably re-identified.

Political Risk: Data that includes sensitive political indicators (e.g., voting preference, party affiliation, union membership) carries a political risk if they are mishandled or misused.

Social Risk: If the data use risks the social well-being of individuals or communities, and/or includes sensitive social descriptors, such as sexual orientation.

This question aims to capture the foreseeable likelihood of risk occurring to individuals and communities as a result of the data use. Data use with a higher relative risk will be of lower public value without sufficient harm mitigation measures in place.

Data use which in which the negative impact on the environment is limited will be of higher public value.

Relevant aspects here are: does energy used to store and process the data come from fully renewable sources? Does the data use in itself further climate protection (e.g. climate research?). If you are unsure, please select "I don't know."

In most jurisdictions, certain groups in society are afforded special protection under anti-discrimination laws. The German Constitution (Basic Law) for instance prohibits discrimination on the basis of sex, gender, origin, ethnicity, language, belief, religious and political views, and disability (Article 3 Basic Law). Adverse effects on groups who are afforded special protection under the law may also be generated incidentally and unintended (such as a loan application being denied). This question should be answered in line with those groups protected in the relevant jurisdiction or, if inapplicable, in international Human Rights law.

This question aims to assess the foreseeable risk of an instance of data use for such groups. The risk is "elevated" as it is impossible to remove all risk.

This question aims to capture whether or not the data user informs the public about risks related to their data use.

This question concerns the risk of dual use. Dual use, in this instance, refers to the potential for data to be misused by a third party for unintended or malicious ends. For example, medical data collected for research could be de-anonymised and used for targeted advertising, or data collected for a consumer survey could be used for illegal phishing scams. A useful question that can guide thinking is which other uses come to mind when examining the data user’s planned data use, how many are there and how likely are they?

This question aims to capture whether the data user routinely assesses risks emerging from their data use, and the format in which such assessment is conducted.

This question aims to capture how the data user responds to risk assessments, if they are in place. For instance, whether the results of risk assessments are non-binding recommendations (information), or whether data use may only proceed after having responded to the findings of the risk assessment (actions).

This question captures the background of the persons involved in any risk assessment. A person who is familiar with ethics may highlight and be aware of specific risks entailed in a specific instance of data use, thereby reducing overall risk and increasing its public value. Consulting those with a knowledge of data ethics increases the likelihood of as many risks as possible being included in the course of the risk assessment. Other professionals (e.g., lawyers, computer scientists) can also highlight important issues that pertain to public value.

If you are unsure, please specify via the “None of the above” option.

This question aims to capture whether the data user monitors harm emerging from their data use. For example, if a company uses personal data obtained from its website to improve its service, does it monitor and review potential harms to any individuals or communities affected by this data use?

This question aims to understand the data user’s ability to end their activity once unexpected harms occur. For example, if in the course of a medical study it is found that a patient’s data has been leaked, can the study be stopped?

This question aims to capture what complaint procedures are in place for individuals to report harm from data use. For example, if someone were to experience financial harm in the form of being denied a loan on the basis of a predictive algorithm, are they able to submit a complaint to the data user?

This question aims to capture how the data user responds to complaints from the public. A prompt response procedure which results in immediate action will improve accountability and trust, and therefore public value.