Governance Log, Decision Accountability Trail

1. Immutable Audit Log

Every prediction, export, and layer toggle is cryptographically logged with a SHA-256 hash chain, creating a tamper-evident audit trail for regulatory review and accountability.

How It Works

• Each audit entry includes: timestamp, user ID, event type, tile coordinates, model version, and feature hash
• Event types tracked: PREDICTION_SERVED, TOP_1_PCT_FLAG, EXPORT_PERFORMED, STALE_DATA_FLAG, LAYER_TOGGLE
• Logs are retained for 7 years per WHO data governance standards
• Exportable as CSV for regulatory review and bias monitoring

2. Model SHA Verification

All deployed models are verified against a signed SHA-256 manifest before serving predictions, preventing unauthorised model deployment and ensuring reproducibility.

How It Works

• Model artefacts are signed at registration time via MLflow
• Runtime verification occurs on every prediction request
• SHA mismatch triggers the circuit breaker and sends an alert to administrators
• Supports multi-model ensemble verification for XGBoost, Random Forest, and Logistic Regression

3. Circuit Breaker

An automatic failsafe that halts predictions when data quality or model integrity degrades, preventing the propagation of unreliable risk scores.

How It Works

• Triggers on: stale data (>90 days), SHA mismatch, error rate >5%, or manual override
• Graceful degradation: serves last-known-good predictions with a warning banner
• Auto-recovery with configurable cooldown period (default: 15 minutes)
• Alerts sent to Administrator role on activation via email and in-app notification

4. Human-in-the-Loop Sign-off

High-risk predictions (top 1% of risk scores) require epidemiologist review before downstream use, ensuring human oversight on the most critical alerts.

How It Works

• Automatic flagging of tiles in the top 1% risk percentile
• Pending → Approved / Dismissed workflow with mandatory review notes
• Role-based: only Public Health Officer and Administrator roles can approve or dismiss alerts
• Full audit trail for every sign-off decision, including reviewer ID and timestamp

5. Confidence Bands

Every risk score is accompanied by P10–P90 uncertainty quantification, communicating model confidence and preventing overconfidence in predictions.

How It Works

• Confidence intervals derived from ensemble model variance and bootstrap resampling
• Displayed in the Risk panel for every tile, with visual shading on the map
• Calibrated to historical spillover events: average width ±0.12 risk score units
• Wide bands flag high-uncertainty predictions for additional scrutiny

6. Role-Based Access Control

A three-tier access model aligned with WHO data sharing principles, ensuring appropriate permissions for viewing, analysing, and administering the platform.

How It Works

• Researcher: Read-only access to map, risk scores, and SHAP explanations
• Public Health Officer: HITL sign-off, data export, scenario modelling, and comparable tile analysis
• Administrator: Governance configuration, user management, audit log export, and circuit breaker override
• Enforced at the API layer via role claims and validated on every request

Privacy & Surveillance Safeguards

AqtaBio is designed to prevent misuse as a surveillance tool while maintaining public health utility. Our privacy-by-design approach ensures that the system serves disease prevention without enabling population monitoring or discriminatory practices.

Data Minimization Principles

• Aggregate-Only Analysis: All predictions operate at 25km grid resolution, with no individual-level tracking or identification
• Environmental Focus: Risk models use ecological and climate data, not personal health records or movement data
• No Persistent Identifiers: Community health worker reports are anonymized at ingestion; no names, addresses, or contact details are stored
• Purpose Limitation: Data access is restricted to public health use cases; commercial or law enforcement use is prohibited by terms of service

Access Control Safeguards

• Role-Based Permissions: Three-tier access model (Researcher, Public Health Officer, Administrator) ensures users only access data necessary for their public health role
• Audit Trail Transparency: All data access is logged with user ID, timestamp, and purpose, enabling accountability and misuse detection
• Institutional Verification: User accounts require verification of affiliation with recognised public health institutions (WHO, CDC, national health ministries, academic research centres)
• Data Sharing Agreements: Bulk data exports require signed data sharing agreements specifying permitted uses and prohibiting re-identification attempts

Equity and Non-Discrimination

• Bias Monitoring: Quarterly audits assess whether risk predictions disproportionately flag certain regions or populations (see Layer 8: Bias Audit)
• Contextual Vulnerability Indicators: Equity metrics (healthcare access, population vulnerability) are displayed alongside risk scores to prevent misinterpretation of high-risk areas as "dangerous" rather than "under-resourced"
• Community Consent: Community health worker reporting is opt-in; communities can request data deletion or restrict access to their reports
• Transparent Methodology: Model training data, feature definitions, and SHAP explanations are publicly documented to enable external scrutiny and challenge

7. SHAP Explainability

Every risk score is accompanied by SHAP (SHapley Additive exPlanations) feature attributions, providing full interpretability and enabling epidemiologists to understand model reasoning.

How It Works

• Top-5 drivers shown per tile in the Risk panel, ranked by absolute SHAP value
• Global feature importance available for model audit and bias detection
• Supports XGBoost (TreeSHAP), Random Forest (TreeSHAP), and Logistic Regression (KernelSHAP)
• Exportable as part of the governance report for regulatory review

8. Bias Audit

Quarterly bias audits across geographic, demographic, and temporal dimensions, ensuring fairness and detecting algorithmic drift before it impacts public health decisions.

How It Works

• Disparate impact analysis by region (Africa, Asia, Latin America) and income group (World Bank classification)
• Temporal drift detection across training windows using KL divergence and PSI metrics
• Calibration checks: predicted vs. observed outbreak rates from G-ZOD and WHO GOARN
• Results published in the quarterly governance report with corrective action plans

Governance Enquiries

For governance-related questions, audit requests, or data sharing enquiries, please contact: