Towards the Ethical Publication of Country of Origin Information (COI) in the Asylum Process

This article addresses the question of how ‘Country of Origin Information’ (COI) reports—that is, research developed and used to support decision-making in the asylum process—can be published in an ethical manner. The article focuses on the risk that published COI reports could be misused and thereby harm the subjects of the reports and/or those involved in their development. It supports a situational approach to assessing data ethics when publishing COI reports, whereby COI service providers must weigh up the benefits and harms of publication based, inter alia, on the foreseeability and probability of harm due to potential misuse of the research, the public good nature of the research, and the need to balance the rights and duties of the various actors in the asylum process, including asylum seekers themselves. Although this article focuses on the specific question of ‘how to publish COI reports in an ethical manner’, it also intends to promote further research on data ethics in the asylum process, particularly in relation to refugees, where more foundational issues should be considered.


Introduction
'Country of Origin Information' (COI) is an umbrella term describing the diverse body of information used to support decision-making in the asylum process. COI is used both by governmental agencies to assess asylum claims, as well as by asylum seekers and their legal advisers, inter alia to substantiate the claimant's risk of persecution in their country of origin (or transit), and the credibility of their testimony.
The sources of COI vary. They include generic information (for example, news bulletins and maps) as well as reports specifically produced and compiled for use in asylum proceedings (hereinafter, 'COI reports'). 1 COI reports can be thematic, country-specific, or case-specific (produced on request for specific claimants). They are developed by a variety of organizations, but primarily by non-profit organizations (for example, the charity Asylos) 2 ; national government agencies (for example, the UK Home Office) 3 ; and regional and international governmental agencies (for example, the European Asylum Support Office (EASO) 4 and UN High Commissioner for Refugees (UNHCR)) (hereinafter, 'COI service providers'). 5 As such, COI reports typically provide detailed information on conditions in countries from which asylum seekers originate (or through which they transit)based on fieldwork and/or desk research (Van der Kist et al. 2019)-in order to substantiate claims for asylum in host countries on the basis of, inter alia, refugee and human rights grounds. 6 Notably, for the purposes of seeking asylum as a refugee, it must be demonstrated that the claimant is unable or unwilling to return to their country of origin due to a 'well-founded fear of being persecuted for reasons of race, religion, nationality, membership of a particular social group or political opinion '. 7 As things stand, however, there are evident procedural weaknesses in the development and use of COI for asylum decision-making. In particular, there is a lack of consistently applied standards for developing COI, especially with respect to the accuracy, relevance and reliability of information, and transparency of sources, as well as for the relative evidentiary value to be given to different COI sources by decision-makers in asylum proceedings. 8 Amongst other things, this lack of consistency enables claimants and national border agencies to 'cherry pick' different COI to suit their case, with claimants seeking to substantiate the risk of persecution or 1 For the sake of simplicity, we refer to COI 'reports', however in practice these can take the form (inter alia) of reports, fact sheets, responses to specific queries and documentation packages (see ACCORD (2013)

3
Towards the Ethical Publication of Country of Origin Information… human rights violation in their country of origin, and border agencies often seeking to downplay the gravity of the threat. 9 A further weakness, in the current system, is that asylum seekers and their legal advisers usually have more limited access to COI than host country authorities. This asymmetry of information aggravates the existing power imbalance between asylum seekers and host country governments, putting them at a disadvantage in presenting and substantiating their claims, and undermining the fairness of the asylum procedure, in particular the principle of 'equality of arms as regards access to information'. 10 Ultimately, lack of access to information to substantiate a claim impedes the fundamental rights of individuals to seek and enjoy asylum from persecution, as enshrined in the Universal Declaration of Human Rights. 11 One way to mitigate this problem is for COI reports to be more widely disseminated, including through wider publication. Whilst some COI reports are already made publicly available (such as those produced by dedicated public COI units), many COI reports-especially case-specific ones produced by non-profits-remain unpublished, and stay within the organizations that develop them. Wider sharing of COI reports could also help to reduce 'survey fatigue' of asylum-seeking groups due to repetitious assessment of the risks they face, and could furthermore reduce data security risks by significantly reducing the amount of data that needs to be collected and stored in relation to those groups (Hayes 2017). However, the publication of these reports also raises various ethical and legal concerns that must be addressed.
The rest of this article examines only the principal ethical concerns relating to the publication of COI reports by COI service providers and proposes a way for addressing them. The legal implications pertain primarily to restrictions on the processing of personal (sensitive) data-in the EU, pursuant to the EU General Data Protection Regulation (GDPR). 12 However, note that, in practice, many COI service providers are unwilling to risk publishing COI reports that disclose personally identifiable information (even on the basis of consent of the data subjects, as permitted under the GDPR), on the grounds that this could expose the subjects of the report to further persecution. 13 As such, our assumption in this article is that personal data would generally be anonymised or pseudonymised before publication of the report (by removing any identifiers from which natural persons can be identified, either directly or indirectly), in which case the obligations under the GDPR, which only apply to the processing of personal data, would cease to apply (in case of anonymisation) or apply only to a limited extent (in case of pseudonymisation). 14

Dual-Use Risk
One of the principal ethical concerns relating to the publication of COI reports is that the information contained in the reports could be misused. This could involve: misuse by (other) asylum claimants to support false claims (for example, by falsely co-opting a narrative of persecution described in a COI report); misuse by governmental or non-governmental actors in the claimant's country of origin to further persecute individuals or groups who are the subjects of the reports; and/or misuse by prospective host countries to deny meritorious claims-for example, by selecting only the negative portions of a report and using them out of context. Although the anonymisation of personal data mitigates these misuse risks to some extent, it is insufficient to eliminate the risks fully, e.g. in the case of co-option of an anonymised narrative, or because of proxy and secondary information that may enable re-identification of data subjects. 15 From an ethical perspective, the starting point in evaluating and managing the risk of misuse is the principle of harm prevention. There are two key considerations in implementing this principle: the foreseeability and probability of potential harm due to misuse, and whether such harm outweighs the reasonably foreseeable and probable benefits flowing from the widening of access to COI reports. On the one hand, categorically prohibiting the publication of all COI reports due to the possibility of misuse would curtail the potential beneficial uses of these reports-notably, helping to redress the asymmetry of information and power between asylum seekers and host country authorities. It would also contradict the ethos and expectations of openness and collaboration that underpin scientific and social-scientific research (as discussed further below), as well as the rights and duties of COI service providers to publish their research. 16 On the other hand, to commit categorically to the publication of COI reports in all cases may enable the occurrence of preventable harms due, inter alia, to misuse of the reports.
This dilemma calls for a more situational approach that balances, on a case-bycase basis, and in accordance with the principle of proportionality, the benefits and harms of publication. 17 This approach is in line with that generally taken by academic institutions when assessing the publication of dual-use research, for example, in the context of peer-review journals and institutional pre-publication review. 18 However, the potential for misuse is not solely an intrinsic property of COI reports, but also an imposed property (Bezuidenhout 2013). That is, the potential misuse of COI reports also depends on how they are used by other actors in the asylum claim and appeal process, in potentially new contexts unrelated to those in which the reports were conceived, and in combination with other information, possibly including other COI reports.
This imposed nature of the dual-use risk in COI research limits a COI service provider's ethical responsibility to mitigate potential misuse, given that the risk of misuse is highly context-dependent, and its foreseeability necessarily more limited. Accordingly, the principle of proportionality demands that COI service providers consider the potential negative uses of their research and take reasonable measures to prevent reasonably foreseeable and probable misuse, to the extent proportionate to the information known to the COI service provider at the time of the risk assessment. As such, it does not require that providers prevent misuse that is not reasonably foreseeable or probable, nor take unreasonable measures to prevent misuse (Kuhlau et al. 2008). 19 Ultimately, if misuse is reasonably foreseeable, and such misuse would likely outweigh the potential benefits of publication, granting full open access to the reports would not be advisable.
In this regard, the 'zones of risk' approach, proposed under the Common EU Guidelines for Processing COI, offers a useful framework for assessing the risks involved in the publication of COI reports. 20 For example, a COI service provider might take the view that, even with anonymisation of personally identifiable information, publishing COI reports detailing instances of persecution in particular countries still runs a high risk of the individual subjects of the report being re-identified and further persecuted (e.g. due to proxy information, combination with secondary information, and/or because they are a small ethnic minority whose cause is widely known). Alternatively, even if the individual subjects are not identifiable, it may be possible to easily identify and persecute the wider ethnic group to which they belong. The publication of COI in this context could thus result in group-level ethical harms (Floridi 2014). 21 17 Kuhlau et al (2008) describe this as a 'duty to consider whether to refrain from publishing or sharing sensitive information when the information is of such a character that it could invite misuse'. See further UNDG (2017) for an articulation of the situational approach to data ethics in the context of the UN Sustainable Development Goals. 18 However, Bezuidenhout (2013) notes that, at least as of 2011, no papers were refused publication, as part of the open science journal reviews, on the grounds of dual-use potential. 19 The scope of 'reasonable' measures must be assessed relative to professional and resource capacity. Thus, what is considered reasonable care or precaution by a volunteer COI service provider with limited financial resources will differ from the measures expected to be taken by a large, well-funded COI service provider (Kuhlau et al 2008). 20  On the one hand, if these risks are deemed to be reasonably foreseeable and probable, and the COI service provider could mitigate them by limiting access to its reports, it should either avoid publication or opt for restricted and carefully monitored publication, for example, through a subscription-based access policy. Alternatively, the reports could be shared on an individual basis with selected third parties, subject to a confidentiality agreement. On the other hand, if the COI service provider considers that these risks are highly unlikely, and do not outweigh the benefits to those vulnerable individuals or groups of publishing the reports (or, if the risk would not be mitigated by withholding publication), it would be appropriate to make the reports more widely available. Moreover, increasing access to COI for claimants through wider publication could itself counteract the potential for misuse of information by the host country government (for example, through cherry-picking information or using it out of context to deny meritorious claims), by strengthening the asylum claimants' evidence against such attempted misuse.
Publication of COI reports should furthermore be subject to ex post mechanisms to safeguard against unforeseen risks if the initial risk assessment proves to be wrong, or the risk assessment changes due to new evidence-for example, where following publication a COI service provider becomes aware that its published COI reports are being used to falsify claims. These mechanisms for accountability should also be made available to asylum seekers, who should be able to hold COI service providers and other actors in the asylum claim-handling process accountable for the use and sharing of their information (Kaurin 2019). It should be noted, however, that the duty to report ex post about activities of concern is not universally accepted, at least in the scientific research community, as it may be considered to demand treachery (Kuhlau et al. 2008). However, self-reporting of ethical misconduct appears at least to be encouraged in the academic context. 22 Finally, given the imposed and therefore inherently less foreseeable nature of dual-use risk in publishing COI reports, it is important to take a collective approach towards conceptualizing and apportioning ethical responsibility for such risk (Bezuidenhout 2013). In this sense, the asylum claims community as a whole, encompassing all actors that take 'custody' of published COI reports, assumes a collective responsibility to address dual-use risks. Inter alia, this should include collective discussion and educational efforts to develop a 'culture of awareness and responsibility' 23 within the field of asylum research and decision-making, including through the development and application of codes of ethics and practice relating to the dissemination of COI reports by COI service providers. 24 It should also include greater education of asylum seekers about the use of their information, and their rights to control such use through data protection mechanisms and to assess their own risks throughout the asylum process (Kaurin 2019

Open Access
The ethics of publishing COI reports must also be evaluated as part of the wider movement for 'open access' to research. The principle of open access encourages the global and free distribution of knowledge, in the form of publication (Mauthner and Parry 2013), and is based on the notion that information is a public good, which society and individuals have an obligation to make as widely accessible as possible, and which individuals should be able to access as a basic right (Willinsky 2006). 26 It could also be said that the advent of digital publishing and the Internet affords the practical tools and platforms by which to 'do the right thing' by granting open access to research, and a duty to share (if one is recognized) is rooted in this technological affordance (Willinsky and Alperin 2011).
This ethical duty to share research with the public, and the public's right to access research, is arguably stronger in the case of research that has been funded by the public (Arzberger et al. 2006). 27 That is, the public has a right to know what research outputs it has contributed towards financing, as well as to engage with the resulting outcomes (Bishop 2009). At the same time, certain forms of research may be considered, by their very nature, public goods that should be made publicly available, regardless of how they were funded. It could be argued that COI reports fall in this category, given that the protection of refugees is a public and humanitarian concern. 28 However, the principle of open access, where acknowledged, is not unconditional, with recognized exceptions, inter alia where there is a risk of misuse (as discussed above), national security concerns, and/or a need to protect confidentiality, privacy, and intellectual property rights. These exceptions are typically addressed through anonymisation of personal and sensitive information, license agreements specifying the rights and responsibilities of data depositors, archives and end users, and in some cases limitations on access to, and use of, the data (Bishop 2009). 29 In addition, the duties and rights of access to research embodied in the open access principle need to be balanced against the rights and duties of (co-)researchers, as well as the requestors and subjects of research (Mauthner and Parry 2013).
The latter set of responsibilities includes not only safeguarding the security and safety of both researchers and research subjects, but also honouring the trust and preferences of the research subjects. For example, researchers may use the promise of restricting further use of a participant's data as a way of building trust 27 See for example OECD (2007) noting that 'publicly funded research data are a public good, produced in the public interest'. Parker (2013) refers to the 'researcher's social licence' and the responsibility of 'those who spend public money to contribute to the dissemination of knowledge'. 28 By way of analogy, Langat et al (2011) refer to the 'public notion of health' as intimately tied to notions of social justice and equity. 29 Copyright laws generally permit 'fair use' of protected works for (personal or scholarly) non-commercial purposes. See SSRN's Copyright policy at question 11, https ://www.ssrn.com/en/index .cfm/ssrnfaq/#ssrn_copyr ight. and to induce participation in the research (Bishop 2009). Or, participants may simply not wish to have the reports published, even if their personal data is (technically) anonymised, particularly in light of the misuse risks described above. Thus, notwithstanding the absence of any legal obligations to obtain consent for the publication of personal data that has been anonymised, researchers arguably still have an ethical duty to obtain participants' consent to such publication and reuse. Obtaining 'informed consent' in this context requires data subjects to be given adequate information at the time of collection about the purposes and risks associated with sharing their data, including potential future uses of that data and unintended consequences, as well as powers to access the resulting COI reports and, where feasible, object to publication or further dissemination. 30 In this regard, the publication of COI reports raises further political and epistemic questions about the integrity of taking information out of its context of production and reusing and repurposing it. Inter alia, the inherent imbalance of power between the organizations and communities that produce and use COI reports, and the vulnerable individuals and communities that are typically the subjects of those reports, risks reproducing and/or exacerbating exploitative relations between nations, and between data users and data producers, as problematized by feminist and post-colonial scholars (Mauthner and Parry 2013). Reliance on the 'informed consent' of research subjects appears insufficient to assuage concerns of exploitation, in light of this unequal power dynamic (Kaurin 2019).
A related concern is the need to respect the right of research subjects to selfidentify the parameters of their population, rather than having them imposed externally by COI researchers (OHCHR 2018). On the other hand, the use of data for new purposes, and to reach different conclusions, is inherent to the nature of research and scholarly debate. As such, it can be argued that it is not necessary, from an epistemological perspective, for participants to have an ongoing role in the interpretation of their data or research conclusions (Bishop 2009). These questions certainly merit further and deeper consideration, but they are not within the scope of this article. 31

Conclusions
This article has highlighted some of the key ethical issues that should be considered when publishing COI reports relating to asylum claims. It has advocated for a situational approach that weighs the benefits and harms of publication based, inter alia, on the foreseeability and probability of harm due to potential misuse of the research, the public good nature of such research, and the need to balance the rights and duties of the various actors in the asylum process, including both the public as well as the requestors and subjects of the research. Of course, the feasibility of such an approach will depend on the resources that a COI service provider has at 30 On the importance of informed consent and information provision in supporting the digital agency of refugees, see further Kaurin (2019). 31 On the politics of knowledge production in the context of COI, see further van der Kist et al (2019). its disposal. For smaller organizations with a low volume of COI reports, a case-bycase approach is more likely to be administratively feasible. In contrast, for organizations with a large volume of publications, a more standardized policy for sharing COI may be required. 32 COI service providers should furthermore consider additional mechanisms for increasing the availability and visibility of their reports, beyond conventional publication. This includes collaborating with existing COI-sharing platforms to disseminate reports, for example ecoi.net 33 and the Refworld database, 34 and more generally engaging in outreach and educational efforts to increase awareness of, and therefore access to, COI research amongst asylum seekers and their legal advisers.