Posts

Talking about threats and protection (Part 5)

This is the fifth in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. We used a loose script of questions designed to get them talking about how they work with data and to help us design support that would meet their needs. The following questions from the script deal with assessing the risks we expose our data to and taking appropriate measures to protect it.

Where is the real threat?

It is very common to exaggerate rare risks and downplay common ones. We overestimate risks outside of our control, such as having webcams hacked while underestimating those within our control, such as forgetting our passwords. Human rights organisations working in repressive contexts with powerful adversaries need to take advanced security, but for many organisations, the main risks are in their own policies and practices, and thus within their own control.

What happens if a device breaks or is lost, stolen, or seized?

Is the data on the device protected, by a password, encryption, or other means? Do you have a high risk of device seizure or theft? Knowing in advance what steps to take if a device is compromised (such as withdrawing its permissions to access email accounts, changing passwords, or blocking the device) will reduce the harm caused and give intruders less time to try access your data.

If you are at high risk of device seizure or another attack, please get in touch with our digital security experts at datashift@civicus.org for more tailored advice.

What about back-ups?

Is the data backed up somewhere else? Automatically or manually? Where are the backups stored? Has anyone checked that they are working lately? As a general rule, manual back-ups tend not to function well because of human error and forgetfulness. Backed up data is often forgotten about until it is needed, so corrupted files or non-functioning back-ups aren’t discovered until it is too late.  Setting a reminder to check back-ups at regular intervals is wise.

Whose devices are used?

Are staff and volunteers using their own laptops or mobile phones to collect or work with data? It is increasingly common for personal devices to be used for work purposes, but this means organisations have less control over the security of these devices. Organisations may want to consider a Bring Your Own Device (BYOD) policy – an agreed set of rules regarding how personal devices can be used for work purposes and what support is available for them. 

Just talking about back-ups can be enough to prompt action. One organisation in Syria made daily backups, but stored the backup flash drive in the same place as its only laptop – so if the computer were lost or stolen, both would be lost. By taking the time to reflect on how they used and stored data, the organisation was able to identify this concern and make immediate improvements with minimal effort, simply by storing the laptop and the backup separately. Similarly, being asked about back-ups and data storage made several partners in Africa and Latin America realise that they had none. This meant that they could start to address this issue now, rather than waiting for disaster to strike.

Do you have tech support or IT person?

Most of our partners did not have any dedicated IT support and were working with varying levels of computer proficiency. Knowing how much technical expertise is available in the organisation will help you to work out what kind of solutions or changes are feasible.

Dealing with apathy

Not all of our partners wanted to talk to us about data. Some were too busy, saw it as a low priority, or were comfortable with taking data-related risks. Any ‘solution’ seen as being imposed from outside is anyway unlikely to work, but a useful tactic for those who are less than enthusiastic about change is to make them aware of the risks in their practices, especially those that could expose third parties to harm, and ask if they are comfortable with those risks.

The next blog in the series will look at the final stage of the data lifecycle: disposal and archiving.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

 

SPEAK! event in Albania uses art and social media to break down prejudice against Roma communities. Photo credit: Build Green Group

What data do you have? (Part 4)

This is the fourth in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

 

Once data has been created or collected, it is used for running an organisation’s programs. It needs to be adequately protected and used responsibly during this process. And in order to protect something, you need to know what it is, where it is, and how valuable or sensitive it is.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. We used a loose script of questions designed to get them talking about how they work with data, and to help us design support that would meet their needs. The following questions from the script dealt with the next stage in the ‘data lifecycle’ – dealing with data responsibly while it is in active use.

These conversations made us reassess some assumptions. Perhaps due to our team’s biases (we are all digitally literate and based in the global North), we had been thinking of data primarily as digital data, but conversations with partners in Syria, Turkey, Uganda and Argentina showed us that paper is still used by many organisations, for simple ease or because of a lack of funds to buy computers or low computer literacy among some staff. Most of the principles in these blogs will apply equally to paper files as to digital ones.

 

 

 

What policy, if any, do you have in place to deal with your data?

Policies can be formal or informal. Even if there is no written policy in place, are your partners thinking about how to deal with their data responsibly? Conversely, there may be a beautiful policy that is stored in a cupboard and ignored. Discussing the policy can be a way to formalise and validate it, or to notice if it is illogical, not fit for purpose, or is being disregarded.

Where is your data stored?

On the organisation’s computers and mobile phones? At an onsite server, or rented server space, elsewhere? On staff members’ own devices?  At internet café computers? In cloud services, or email and messaging applications? What about paper files? Is it in the public realm? Data tends to spread to more places than one might expect, and once it has left your organisation, it is very difficult to have any form of control over it.

Who can access the data?

Can all staff access all data? What about volunteers? What data is available to the public? Overall, sensitive data should be accessible on a need-to-know basis: that is, only staff who need a piece of data to complete a task should be able to view it, for the amount of time they need it for that particular task. Furthermore, staff or volunteers need to understand for what purposes they are allowed to access the data. In a large organisation, the IT department may have a sophisticated access control system, or in a more paper-based organisation it may be as simple as the manager keeping hold of the keys to the filing cabinets.

Data mapping

It is a good idea to have a clear conception of where your data is located, how important it is and who has access to it. A data mapping exercise can help you achieve this by getting a grasp on what data you have and where it is kept, which in turn will help you to protect it and to plan for archiving or deletion when it is no longer in use – check out our online course for more on how to carry out a data mapping.

The next blog in the series will look at assessing the risks your data is exposed to.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

Why invest time and effort in talking about data? (Part 2)

This is the second in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the first blog post.

Data Journey Talks: Why?

Time and resources are stretched. Why invest time in conversations about data that at first glance may not seem your highest priority? First and foremost, we share a responsibility to mitigate the risks that come with careless use of data. Investing time in assessing the risks helps to make more informed decisions about what data to publish, and how to protect non-published data from loss or attack.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. SPEAK! staff used a series of open-ended questions to get partners thinking and talking about more responsible data use.

What are the risks?

Data published by organisations in reports or other materials can be damaging, especially if consent was not properly obtained to do so. Even if not made public or used maliciously, lost, accidentally changed or deleted data can obstruct workflows and prevent organisations from meeting their commitments. Data can be used maliciously to target the data subjects.

Unexpected positives

In addition to the responsibility to minimise these risks, there are added bonuses that can emerge from discussions around data. Firstly, media coverage of sophisticated cyber-attacks can be overwhelming, giving the impression that data issues are dauntingly complex and causing organisations to disengage. Practical conversations with real-life examples help to demystify data, put the risks in context, and build confidence to make informed decisions that minimise those risks.

Talking about data management doesn’t have to mean tearing up current policies, buying expensive software or taking up disproportionate amounts of time and energy. Instead, it will often validate existing practices, empower partners to identify areas where changes should be made, and make informed and deliberate decisions to do so. It also leads to collecting leaner and more targeted data in manageable quantities, improving efficiency and use of staff time.

For example, our conversations around data management with an organisation working with Syrian refugee women in Turkey served to validate many of the informal policies they had already developed to protect their beneficiaries’ data, such as only providing access to the organisation’s files to volunteers for specific purposes. Only a few small improvements were needed, but the conversation reassured staff that they were already ‘doing it right’ and made them more confident in their ability to improve where needed.

Before you get to the data…

Before diving into detailed discussions about data with your partners, consider your approach to the conversation. The human factor is vital in bringing people on board with steps to improve data management, and in instilling a sense of agency over decisions: if the partner feels ownership over their decisions, they will be much more likely to commit to and follow through on them than where they perceive a policy as being imposed on them.

  • Self-reflect – Ask yourself the same questions you plan to ask your partners. Taking time to think about your practices will help you understand your partners better as they deal with the same questions.
  • Consider power imbalances – If you are a funder, or you are in any other position of power in comparison to your partner, your questions about data may be perceived as interrogatory rather than supportive and put people on the defensive. 
  • Be transparent – Explain upfront why you are asking questions and explain to partners how you use their You may need to refer partners to an expert in some cases (please email us at datashift@civicus.org if you would like to be referred to an expert).
  • Trust is crucial – We found that partners with whom our staff had already built a trusting relationship over time were much more receptive to improving data practices with our support.

The next in our series of blogs will start exploring the questions we used to get people talking about data.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society. 

Syrians, Lebanese and Palestinians cook together during a SPEAK! event in Lebanon. Photo credit: URDA