The 7 biggest mistakes the humanitarian makes when she/he handles digital data
You all know now that I LOVE innovation and technologies because I truly and sincerely think that they bring great added value to our interventions in the field …
IF they are well used and risks and threats are well identified and mitigated.
Yes, every new approach or tool (even non technological) brings risks you need to handle to do no harm.
Information and data are crucial to our work: they allow us to assess the context and the most urgent needs, respond quickly and at scale, monitor the results and impact of our interventions.
With the development of new technologies and their use in the humanitarian sector, we are generating a great amount of information and data everyday. We are even overwhelmed by them!
However, generating and managing such an amount of information lead to risks, some risks are still unknown or widely underestimated in the field.
I have worked on data information system for more 7 years: I realized progressively the risks linked to this activity and this is why I'm sharing with you my concerns but also good practices to become a “responsible data” champion.
What is Responsible data?
Responsible Data (RD) is a new concept: it means that this is our shared responsibility to answer to the social, legal, ethical and privacy challenges related to the use of data in our work.
I’m sharing with you the 7 biggest mistakes you MUSTN’T make in the field when you handle data.
Mistake #1: Digital data = no risks
· How many of you are aware that the data you are managing can create risks and what kind of risks?
· How many times have you heard “What do you mean by RISKS with the data I’m handling”?
· Who would be interested in the lists of beneficiaries with their personal information and phone numbers?
· Who would use the data of your post distribution monitoring surveys, the list of all the villages you identified as destroyed or the GPS coordinates data of health centers or schools you collected ?
I was analyzing the post distribution monitoring data of the last intervention in the field: several sensitive questions about protection were included: "when going to the distribution site, have you experienced insecurity or threats?", " Were you asked favors to receive food assistance and if yes, from who (NGO, leaders etc.)?"
I found out that several respondents answered yes to one of these questions. The database was including their personal information so these respondents were traceable and could be tracked down if the database was accessible to everybody.
In this example, I could not share the raw database and I had to restrict its access (and on kobo and on my laptop).
Another example is related to your beneficiaries’ lists: by essence, they are sensitive because they are providing information about who received, where, what and when. Imagine an armed group or a politician putting pressure or asking for money to all the beneficiaries of your programme or from one group?
Imagine if your programme’s objective is about helping survivors from gender based violence. The perpetrator has access to the survivor’s information enabling him/her to threat the survivor or worse.
You are collecting GPS coordinates of schools or health centers with mobile phones– in improper hands, these coordinates could be used to target and attack them.
It is still difficult to determine all the risks associated to digital data and we are still facing a gap of evidence and literature regarding data management.
But be conscious that risk can be very high! In addition, cyber attacks and “cyber insecurity” with malicious intents are everywhere and they drastically increased these last years, especially last year with the COVID19.
The humanitarian sector is also targeted! In some contexts, the humanitarian community had to strengthen its data protection practices after facing sophisticated cyberattacks from armed groups.
I’m sharing few advices and key questions to ask yourself about risks when you collect and manage data:
Risks are linked to your context, not just to countries but also to communities, populations and periods of time. If you are working with vulnerable or marginalized communities, do you think that some groups of people might have motivation to acquire your data and how capable are they?
Assess the risks of unauthorized or large access or leakage of any stored data: what would be the impact on the individuals if accessed or published maliciously? What would the risks if you combine your data with other data sets?
Mistake #2: You don’t protect your data (what for ??)
You are used to export all your data on excel sheet and share them widely. They are even accessible to all your colleagues on online platform: beneficiaries’ lists, results of your vulnerability assessment or monitoring survey.
Well, I’m referring to Mistake #1, Yes, Data bring RISKS so PROTECT your data.
Check with your IT officer if you do not have a data security and data protection policy.
When I say Protect your data, it means to secure and restrict access:
· Identify the sensitive data in your context: phone numbers, names, ethnic group, political party, gender, being sick or COVID positive
· Restrict access: Identify who can have access to the raw data, revised database or the results: in my case, we were only 3 people to have access to raw database and they were protected by a password and were encrypted.
· Anonymize your database if you want to share it, delete all the sensitive data and share it via a secured platform (filezilla, other ?) or check with your favorite ITC. Ideally, encrypt the file when you share it;
· Secure access: Keep a copy of your raw database with password, encrypted and do not share it. Check that your database is stored on secure servers or secure cloud storage devices
Mistake #3: Your databases are spread out everywhere between your laptop, hard drives and the cloud
You are not a champion to classify all your folders and files– don’t worry, this is the same for me!
BUT, when it comes to data, I have a specific folder classification I used for every survey I carry out (see the screen shot).
AND check what your data will become and how they will be stored:
· Catalog and track any personal or sensitive information captured throughout the project:
· Create a PLAN for mid-and post-project destruction of personal or sensitive data (a simple table is enough)
· Secure offline storage of sensitive data
· Review your hard drives, cloud file storage, flash drives, email inboxes and other common sources of data leakages.
Mistake #4: You are using data you collect as you want
How many times were you asked to share the beneficiaries’lists with another partner for joint programming or monitoring activities ? Or you are asked to share your raw database?
Between us, did you do it or not ??
But do you own the data you collect? Can you do everything with them?
· Regulations exist! Check first if there is a regulation in your contry. I am sharing the data protection policy of the African Union and of the EU, one of the most restrictive in the world.
· And yes, I confirm: you must have a data management strategy.
Your strategy doesn’t need to be complicated. A simple matrix on an excel sheet with answers to the questions below is a good start:
1. who gets to decide what to do with the data: your manager, you, the Ministry?
2. who is allowed to access or use the data
3. and where data can (or must) be stored?
4. Do you plan to delete data , which ones and when?
· The next step is to systematically ask the informed consent of the people you are collecting data from. Why?
You have to be transparent with individuals whose data are collected by explaining how your initiative will use and protect their data.
You have to obtain informed consent prior to any data collection:
It is crucial to ensure that participants understand why their data are being collected, how data are used and shared, and how the participants can access or change the data collected — and that they be given the option to refuse to participate.
Participants should be informed of and fully understand the risks related to sharing their data.
Consent forms should be written in the local language and easily understood by the individuals whose data are being collected.
Here is below an example you need to include in all your questionnaires:
“Informed Consent
Please read the following consent form prior to starting the interview:
<Show your identification badge>
My name is <name> and I work with <partner organization> and <partner organization>, who are the organizations that have been recently providing assistance. I am here to collect information about how the distribution took place and if the <entitlement> was appropriate. This will allow us to adjust our operations and better serve the people in need.
Your participation in this interview is not mandatory and you can decide to opt out. If you choose to participate, you may choose to not respond to some questions. If you do not understand any of the questions, please say so and I will explain it. You may ask me questions at any point during the interview. Please note that your decision to be part of the interview will not guarantee or affect your participation in future <partner organization> activities.
The information you provide us will be used by <partner organization> and <specify which partners will have access to data e.g. UN agencies, NGO, Government, other>.
After the interview if you want to correct or delete the information you provide today, please contact <mail or hotline>.
Do you have any questions? May I start the interview?”
And then add this part:
“Please have the interviewee who is answering the questions sign the informed consent statement (below).
"I fully understand the information that I was given regarding the use and disclosure of my personal data by <partner organization> and the other mentioned partners and I give my consent to it"
If the interviewee is unable or unwilling to sign, please explain why in the comments section at the end of this form, and ask the interviewee to read (or repeat in case of illiteracy) the informed consent statement found above”
Mistake #5: You are sharing data you collect as you want with other partners
Data protection policies are not always easy to understand or practical to implement at the field level.
On the contrary, they can be sometime counterproductive because they prevent you to share data (the NO-WAY approach) or they do not give you practical tools to share data safely.
But it often happens that you HAVE TO share some data with other organizations, that’s what we call coordination.
For example how can you ensure synergies or continuity between programmes from several organisations if you cannot share beneficiaries’ lists?
How can you carry out monitoring activities with third parties if you cannot share the beneficiaries’lists?
If you need to share the data with external partners, you need to include this part on the informed consent: “your data can be shared with your organisations ‘ partners and the government for xx purpose".
Sign a datasharing agreements with all data-sharing partners: check with your manager, your colleagues at your regional office or at your HQ.
Mistake #6: You collect as much data as you can, they could be useful some day
Responsible data means to collect the data you really need to inform your programme, not more!
If you decide to collect data:
· Harness secondary data first!! You do not necessarily need to collect data if they are already available: this step is usually forgotten
· Only collect personal data for specific and justified use: be clear with the objective of your survey or data collection exercise before designing your questionnaire
· Minimize data collection – avoid 7 rounds of monitoring with the same beneficiaries
· Minimize the collection of personal identifiable information (or PII) such as names, identity document’s number (passport, national identity card), social security number, bank account number, email address, phone numbers and I would add GPS coordinates.
· Share resources and plan multi organizations data collection exercises: I did it several times and you could be surprised about the enthusiasm and interest of organizations to participate to a joint assessment: this is more work of coordination but you’re saving money, you can carry out a large scale exercise in a limited timeframe and your results are widely shared and used.
Mistake#7: Your data are just technical and neutral
Yes, your data can be biased by your cultural background or your organization mandate!
Gap of data or gap in the analyses can lead to wrong or uncomplete programming which don’t address all the needs or the needs of certain population.
Gender data is a very good example : if you lack of data or you do not analyze your data taking into account sex, age or disabilities looking at for example the access and use of mobile phone, you take the risk to increase the digital gap and exclude them from access to basic services and support.
Don’t forget that the people we collect data from are vulnerable and usually with less power than the enumerators or NGO staff: they can hesitate or even refuse to give some data on sensitive topics.
· Design and review the questionnaires by different persons, men, women, old and young, technical expert and community key informants to get diverse points of view, and “debiased” your data collection system
· Think and prepare in advance your analysis plan and make sure you take into account different factors influencing the results (male/female, age categories, size of the household, disabilities, status of IDPs/refugees/migrant etc.)
Finally, if you really think data responsibility and data protection are not such a big issue, I am sharing with you a great resource from OCHA and this great article from the Guardian “Poor data protection could put lives at risk”
You can also find more references of digital principles and responsible data if you want to dig more.
The post “The 7 biggest mistakes the humanitarian makes when she/he handles digital data“ appeared first on #Future4Change
#digitalhumanitariancommunity #responsibledata #principles4digitaldev #donodigitalharm #future4change #cyberinsecurity