This is the seventh and final blog in a series sharing lessons learned from a collaboration between DataShift and the SPEAK! campaign and the resulting conversations about data management practices among diverse organisations working to overcome social divisions around the world. The series aims to show that sound data management is built on common sense and available to everyone, no matter their level of technical expertise; to get readers thinking and talking about data; and to encourage conscious decisions about its creation, use, protection and disposal. Click here to read the earlier blog posts.
While considering your partners’ responses to the conversation starters covered in these blogs, you may well find yourself asking the same questions regarding your own organisation’s data practices. Within the SPEAK! team, we tried to apply the same principles we shared with partners to our own work within the campaign. Though there is still room for improvement, we learned a lot through the process, were able to make some immediate improvements, and will be able to make more in 2019’s campaign as a result.
To monitor and evaluate the results of the campaign, we used two surveys: one for event organisers and one for event participants. We set up the online participant survey to not collect unnecessary personal data such as IP addresses, email addresses, or names. We were less successful in the survey for organisers, where we inadvertently requested some duplicative or superfluous data (such as physical addresses or repeated descriptions of the events), unnecessarily increasing the reporting burden on our partners. We also provided a paper version of the participant survey, and encouraged organisers to adapt it and our other campaign tools so as to fit their needs. This resulted in some messy, or incomplete data which was not always easy to process or use for direct comparisons. Though not always convenient, this was nonetheless a better outcome: instead of having organisers bend to fit around a rigid demand of a uniform dataset, the organisers had ownership of what they collected and why, and the slightly messier data actually met their needs.
Our online and paper surveys had simple, one-sentence explanations of the purpose for which data was being collected so as to obtain respondents’ consent, and our communications to event organisers reminded them about asking consent for photography. When writing these blogs report, we went back to the organisations cited in the examples to confirm they were comfortable with us using their experiences for a new purpose and appearing in the public realm. Where they preferred to remain anonymous, we confirmed they were happy with the way we described them. Once again, we did not always get it right. During the campaign days, some event organisers did not ask permission before taking photos or videos, making participants uncomfortable, and we did not explain how long we would store the survey data for.
Data mapping and planning for disposal
We noticed that data related to the campaign is kept in many places: laptops and mobile phones (both personal and CIVICUS devices), email folders, the campaign website, CIVICUS’ monitoring and evaluation software, and in WhatsApp, Google Drive, Survey Monkey, Skype, and WorkPlace accounts. That’s not to mention all the campaign data relating to individual events stored by scores of event organisers all around the world.
There were some steps we could take immediately within the team: planning to remove access to Google Drive for staff no longer working on the campaign; archiving the best video and photo material and securely deleting; keeping material that can be used or adapted for future iterations of the SPEAK! campaign. Others will take longer and require buy-in from the rest of the organisation, and might include a Bring Your Own Device (BYOD) policy for staff using personal devices for CIVICUS work. A BYOD policy regulates how personal devices are used for work purposes. This may include which devices are or are not allowed, the extent of IT support for personal devices, password requirements, removal of access to data for old employees, and the level of security required for personal devices.
We also thought about the nature of data we had, and the level of risk if it were to be compromised. Much of our data was uncontroversial – descriptions of public events that were already in the public domain. Nonetheless, we also held personal data such as contact details for organisers, and banking details for those who received microgrants, which needed a higher level of protection.
These blogs are based on the publication How to talk about data? Learnings on responsible data for social change from the SPEAK! campaign, and this work was made possible through a Digital Impact Grant by the Stanford Center on Philanthropy and Civil Society.