Posts

Self-reflections from the SPEAK! campaign (Part 7)

This is the seventh and final blog in a series sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

While considering your partners’ responses to the conversation starters covered in these blogs, you may well find yourself asking the same questions regarding your own organisation’s data practices.  Within the SPEAK! team, we tried to apply the same principles we shared with partners to our own work within the campaign. Though there is still room for improvement, we learned a lot through the process, were able to make some immediate improvements, and will be able to make more in 2019’s campaign as a result.

Survey design

To monitor and evaluate the results of the campaign, we used two surveys: one for event organisers and one for event participants. We set up the online participant survey to not collect unnecessary personal data such as IP addresses, email addresses, or names. We were less successful in the survey for organisers, where we inadvertently requested some duplicative or superfluous data (such as physical addresses or repeated descriptions of the events), unnecessarily increasing the reporting burden on our partners. We also provided a paper version of the participant survey, and encouraged organisers to adapt it and our other campaign tools so as to fit their needs. This resulted in some messy, or incomplete data which was not always easy to process or use for direct comparisons. Though not always convenient, this was nonetheless a better outcome: instead of having organisers bend to fit around a rigid demand of a uniform dataset, the organisers had ownership of what they collected and why, and the slightly messier data actually met their needs.

Consent

Our online and paper surveys had simple, one-sentence explanations of the purpose for which data was being collected so as to obtain respondents’ consent, and our communications to event organisers reminded them about asking consent for photography. When writing these blogs report, we went back to the organisations cited in the examples to confirm they were comfortable with us using their experiences for a new purpose and appearing in the public realm. Where they preferred to remain anonymous, we confirmed they were happy with the way we described them. Once again, we did not always get it right. During the campaign days, some event organisers did not ask permission before taking photos or videos, making participants uncomfortable, and we did not explain how long we would store the survey data for.

Data mapping and planning for disposal

We noticed that data related to the campaign is kept in many places: laptops and mobile phones (both personal and CIVICUS devices), email folders, the campaign website, CIVICUS’ monitoring and evaluation software, and in WhatsApp, Google Drive, Survey Monkey, Skype, and WorkPlace accounts. That’s not to mention all the campaign data relating to individual events stored by scores of event organisers all around the world.

There were some steps we could take immediately within the team: planning to remove access to Google Drive for staff no longer working on the campaign; archiving the best video and photo material and securely deleting; keeping material that can be used or adapted for future iterations of the SPEAK! campaign. Others will take longer and require buy-in from the rest of the organisation, and might include a Bring Your Own Device (BYOD) policy for staff using personal devices for CIVICUS work. A BYOD policy regulates how personal devices are used for work purposes. This may include which devices are or are not allowed, the extent of IT support for personal devices, password requirements, removal of access to data for old employees, and the level of security required for personal devices.

We also thought about the nature of data we had, and the level of risk if it were to be compromised. Much of our data was uncontroversial – descriptions of public events that were already in the public domain. Nonetheless, we also held personal data such as contact details for organisers, and banking details for those who received microgrants, which needed a higher level of protection.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

Disposal (Part 6)

This is the sixth in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. We used a loose script of questions designed to get them talking about how they work with data, and to help us design support that would meet their needs. The following questions from the script deal with the final stage of the data lifecycle – responsible disposal of old data.

The last stage of the data lifecycle is the most likely to be forgotten or given insufficient attention. It is common for organisations to become less vigilant in protecting data that is no longer in daily use, or for old data to be lost through poor maintenance or simply being forgotten about, yet it can still be harmful and still needs to be protected. We found that very few partner organisations had considered how to deal with old data.

What happens to your data once it’s no longer in daily use?

Is there a plan for data archiving or deletion? In our experience, this question is often met with silence. Deletion and archiving both demand resources: staff time, software or server costs, physical storage space, archive maintenance, and so on. Factoring these tasks and resources into written project plans from the start means that data disposal will be ‘officially’ on the agenda and more likely to occur and can be included in budgets submitted to donors.

Do you need to keep the data? For how long?

Think carefully about whether the data will be needed in future. Will it help improve future project design? Could it have historical value? Are there any legal or contractual obligations to retain it? Do you need to keep all of it, or just key parts? Indefinitely, or for a certain period? What resources (human, technical, financial) are needed? An archive can be paper or digital, technically simple or complex, according to the needs of the organisation. But in all cases, archives must be maintained, and resources assigned to this maintenance, even if just to check that everything is in order at regular intervals.

Check out these options from The Engine Room if you need assistance with archiving.

How do you delete data that’s no longer needed?

Data that has become obsolete should be deleted securely. You may also find yourself under a moral or legal obligation to delete data if the data subject asks you to do so. As seen in earlier blogs, data is often spread through multiple locations and in various formats, so knowing where things are is crucial when it comes to deletion. Pressing delete does not always fully delete data, as back-ups can be stored automatically. For some modern hard-drives, it is very difficult to fully delete data, and it may be better to encrypt it so that it is not usable rather than deleting it as such. Paper files and old or broken hardware containing data must also be securely disposed of.

Check out these technical tips from the Electronic Frontier Foundation for how to securely delete data from different hardware and operating systems.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

Talking about threats and protection (Part 5)

This is the fifth in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. We used a loose script of questions designed to get them talking about how they work with data and to help us design support that would meet their needs. The following questions from the script deal with assessing the risks we expose our data to and taking appropriate measures to protect it.

Where is the real threat?

It is very common to exaggerate rare risks and downplay common ones. We overestimate risks outside of our control, such as having webcams hacked while underestimating those within our control, such as forgetting our passwords. Human rights organisations working in repressive contexts with powerful adversaries need to take advanced security, but for many organisations, the main risks are in their own policies and practices, and thus within their own control.

What happens if a device breaks or is lost, stolen, or seized?

Is the data on the device protected, by a password, encryption, or other means? Do you have a high risk of device seizure or theft? Knowing in advance what steps to take if a device is compromised (such as withdrawing its permissions to access email accounts, changing passwords, or blocking the device) will reduce the harm caused and give intruders less time to try access your data.

If you are at high risk of device seizure or another attack, please get in touch with our digital security experts at datashift@civicus.org for more tailored advice.

What about back-ups?

Is the data backed up somewhere else? Automatically or manually? Where are the backups stored? Has anyone checked that they are working lately? As a general rule, manual back-ups tend not to function well because of human error and forgetfulness. Backed up data is often forgotten about until it is needed, so corrupted files or non-functioning back-ups aren’t discovered until it is too late.  Setting a reminder to check back-ups at regular intervals is wise.

Whose devices are used?

Are staff and volunteers using their own laptops or mobile phones to collect or work with data? It is increasingly common for personal devices to be used for work purposes, but this means organisations have less control over the security of these devices. Organisations may want to consider a Bring Your Own Device (BYOD) policy – an agreed set of rules regarding how personal devices can be used for work purposes and what support is available for them. 

Just talking about back-ups can be enough to prompt action. One organisation in Syria made daily backups, but stored the backup flash drive in the same place as its only laptop – so if the computer were lost or stolen, both would be lost. By taking the time to reflect on how they used and stored data, the organisation was able to identify this concern and make immediate improvements with minimal effort, simply by storing the laptop and the backup separately. Similarly, being asked about back-ups and data storage made several partners in Africa and Latin America realise that they had none. This meant that they could start to address this issue now, rather than waiting for disaster to strike.

Do you have tech support or IT person?

Most of our partners did not have any dedicated IT support and were working with varying levels of computer proficiency. Knowing how much technical expertise is available in the organisation will help you to work out what kind of solutions or changes are feasible.

Dealing with apathy

Not all of our partners wanted to talk to us about data. Some were too busy, saw it as a low priority, or were comfortable with taking data-related risks. Any ‘solution’ seen as being imposed from outside is anyway unlikely to work, but a useful tactic for those who are less than enthusiastic about change is to make them aware of the risks in their practices, especially those that could expose third parties to harm, and ask if they are comfortable with those risks.

The next blog in the series will look at the final stage of the data lifecycle: disposal and archiving.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

 

SPEAK! event in Albania uses art and social media to break down prejudice against Roma communities. Photo credit: Build Green Group

 

What data do you have? (Part 4)

This is the fourth in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.

 

Once data has been created or collected, it is used for running an organisation’s programs. It needs to be adequately protected and used responsibly during this process. And in order to protect something, you need to know what it is, where it is, and how valuable or sensitive it is.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. We used a loose script of questions designed to get them talking about how they work with data, and to help us design support that would meet their needs. The following questions from the script dealt with the next stage in the ‘data lifecycle’ – dealing with data responsibly while it is in active use.

These conversations made us reassess some assumptions. Perhaps due to our team’s biases (we are all digitally literate and based in the global North), we had been thinking of data primarily as digital data, but conversations with partners in Syria, Turkey, Uganda and Argentina showed us that paper is still used by many organisations, for simple ease or because of a lack of funds to buy computers or low computer literacy among some staff. Most of the principles in these blogs will apply equally to paper files as to digital ones.

 

 

 

What policy, if any, do you have in place to deal with your data?

Policies can be formal or informal. Even if there is no written policy in place, are your partners thinking about how to deal with their data responsibly? Conversely, there may be a beautiful policy that is stored in a cupboard and ignored. Discussing the policy can be a way to formalise and validate it, or to notice if it is illogical, not fit for purpose, or is being disregarded.

Where is your data stored?

On the organisation’s computers and mobile phones? At an onsite server, or rented server space, elsewhere? On staff members’ own devices?  At internet café computers? In cloud services, or email and messaging applications? What about paper files? Is it in the public realm? Data tends to spread to more places than one might expect, and once it has left your organisation, it is very difficult to have any form of control over it.

Who can access the data?

Can all staff access all data? What about volunteers? What data is available to the public? Overall, sensitive data should be accessible on a need-to-know basis: that is, only staff who need a piece of data to complete a task should be able to view it, for the amount of time they need it for that particular task. Furthermore, staff or volunteers need to understand for what purposes they are allowed to access the data. In a large organisation, the IT department may have a sophisticated access control system, or in a more paper-based organisation it may be as simple as the manager keeping hold of the keys to the filing cabinets.

Data mapping

It is a good idea to have a clear conception of where your data is located, how important it is and who has access to it. A data mapping exercise can help you achieve this by getting a grasp on what data you have and where it is kept, which in turn will help you to protect it and to plan for archiving or deletion when it is no longer in use – check out our online course for more on how to carry out a data mapping.

The next blog in the series will look at assessing the risks your data is exposed to.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.

Why invest time and effort in talking about data? (Part 2)

This is the second in a series of blogs sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the first blog post.

Data Journey Talks: Why?

Time and resources are stretched. Why invest time in conversations about data that at first glance may not seem your highest priority? First and foremost, we share a responsibility to mitigate the risks that come with careless use of data. Investing time in assessing the risks helps to make more informed decisions about what data to publish, and how to protect non-published data from loss or attack.

During SPEAK! 2018, campaign partners organised dialogue events to overcome division around the world. SPEAK! staff used a series of open-ended questions to get partners thinking and talking about more responsible data use.

What are the risks?

Data published by organisations in reports or other materials can be damaging, especially if consent was not properly obtained to do so. Even if not made public or used maliciously, lost, accidentally changed or deleted data can obstruct workflows and prevent organisations from meeting their commitments. Data can be used maliciously to target the data subjects.

Unexpected positives

In addition to the responsibility to minimise these risks, there are added bonuses that can emerge from discussions around data. Firstly, media coverage of sophisticated cyber-attacks can be overwhelming, giving the impression that data issues are dauntingly complex and causing organisations to disengage. Practical conversations with real-life examples help to demystify data, put the risks in context, and build confidence to make informed decisions that minimise those risks.

Talking about data management doesn’t have to mean tearing up current policies, buying expensive software or taking up disproportionate amounts of time and energy. Instead, it will often validate existing practices, empower partners to identify areas where changes should be made, and make informed and deliberate decisions to do so. It also leads to collecting leaner and more targeted data in manageable quantities, improving efficiency and use of staff time.

For example, our conversations around data management with an organisation working with Syrian refugee women in Turkey served to validate many of the informal policies they had already developed to protect their beneficiaries’ data, such as only providing access to the organisation’s files to volunteers for specific purposes. Only a few small improvements were needed, but the conversation reassured staff that they were already ‘doing it right’ and made them more confident in their ability to improve where needed.

Before you get to the data…

Before diving into detailed discussions about data with your partners, consider your approach to the conversation. The human factor is vital in bringing people on board with steps to improve data management, and in instilling a sense of agency over decisions: if the partner feels ownership over their decisions, they will be much more likely to commit to and follow through on them than where they perceive a policy as being imposed on them.

  • Self-reflect – Ask yourself the same questions you plan to ask your partners. Taking time to think about your practices will help you understand your partners better as they deal with the same questions.
  • Consider power imbalances – If you are a funder, or you are in any other position of power in comparison to your partner, your questions about data may be perceived as interrogatory rather than supportive and put people on the defensive. 
  • Be transparent – Explain upfront why you are asking questions and explain to partners how you use their data. You may need to refer partners to an expert in some cases (please email us at datashift@civicus.org if you would like to be referred to an expert).
  • Trust is crucial – We found that partners with whom our staff had already built a trusting relationship over time were much more receptive to improving data practices with our support.

The next in our series of blogs will start exploring the questions we used to get people talking about data.

These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society. 

Syrians, Lebanese and Palestinians cook together during a SPEAK! event in Lebanon. Photo credit: URDA