2.3 Questions and Answers


In this section you will find answers to common questions that arise when “data protection” and “responsible data” are discussed.
Though it is not possible to be exhaustive here, several answers will point at specific sections of this toolbox which will provide more details and explanations. Elements come from various sources: our own experience as practitioners and essential reference documents like those of the Center of Humanitarian Data, ICRC, IFRC, The Engine Room, various authorities and national agencies in charge of data protection or data and system security such as CNIL, ANSSI or ICO.
Because the topic is dynamic and extensively discussed in the sector, you may find other resources that differ slightly in their language and messages. Do not be put off by what could appear contradictory at first: the topic is complex and can be addressed from various angles.
TABLE OF CONTENTS
- 1. Key definitions
- 2. NGO Standards and Responsibilities
- 2.1 Are there any general standards in the humanitarian and development sector for data protection?
- 2.2 As an NGO, what are my data protection responsibilities?
- 2.3 Is data protection only a responsibility for IT, or is it everybody’s?
- 2.3 Is data protection only a responsibility for lawyers and legal teams, or is it everybody’s?
- 2.4 What are the data protection regulations from donors?
- 2.5 How can we function and work with such strict regulations?
- 2.6 When do we need to have a DPO or data protection focal point?
- 2.7 We do not have any legal nor IT specialist in our organisation. Can I find answers in this toolbox?
- 3. Regarding the GDPR…
- 4. Risks and Consequences
- 5. Responsible Data Processes
- 5.1 As an NGO, can we work without personal and sensitive data?
- 5.2 We are already collecting consent when collecting data. Is it the same thing as ‘consent’ in data protection?
- 5.3 What tools can I safely use? Which of the tools are GDPR-compliant?
- 5.4 If all data is sent to HQ (or regional or capital office), is it safer?
- 5.5 Is viewing or having access to data considered as data processing?
- 5.6 How should I react when I discover that I received files with personal or sensitive data I was not supposed to see?
- 6. I am not sure if …
- 7. And, also …
1. Key definitions
1.1 Is there any difference between “data protection” and “responsible data management”?
Responsible data management is the “responsible processing of data in accordance with ethical standards and principles in the humanitarian context, taking into account potential consequences and taking measures to avoid endangering individuals or communities” (source 510 Global - an initiative from the Netherlands Red Cross).
More definitions in section 2.1 Glossary and key definitions.
Data protection is therefore one component of responsible data management.
Data protection can also be interpreted very differently in other countries, where authorities will consider their citizens’ data as a means to watch and control their population.
More on this in section 2.2 Stakes and Risks.
1.2 Does data protection only concern digital data or also paper data?
Data protection concerns all types of data; there is no difference in treatment between digital data and paper data. For example, data includes the handwritten notes from an interview with an unaccompanied girl, a digital photo of a boy on your camera, or a printed map that shows communities where an NGO is planning to build latrines.
1.3 What is the difference between data security and data protection?
Is data that is considered secure, protected?
Data protection corresponds to all processes, practices and systems that are used to safeguard information from being lost, corrupted or accessed by unauthorised parties. Data security is the technical implementation of what data protection requires, namely the prevention of unwanted or unauthorised access to data.
Therefore, data that is secured is not necessarily protected. For example, it can be stored in a very secure environment, but with a person having put the password on a post-it visible to anyone in the office.
2. NGO Standards and Responsibilities
2.1 Are there any general standards in the humanitarian and development sector for data protection?
There are no general standards, but they can be defined to a certain extent in accordance with the first principle of the Sphere Humanitarian Standards, which are a key reference for the sector.
The Harvard Humanitarian Initiative also has the Signal Program, which “works to advance the safe, ethical, and effective use of information technologies by communities of practice during humanitarian and human rights emergencies”.
Resources produced by the Centre of Humanitarian Data and the ICRC are essential references that everyone interested in the topic should know about and review.
More on this in section 2.5 Data Responsibility in humanitarian actions.
2.2 As an NGO, what are my data protection responsibilities?
When an NGO collects data, it takes the role of ‘data controller’, thereby becoming fully responsible for the use of the data. When data are personal and/or sensitive, they belong to the ‘data subjects’, for example beneficiaries and/or employees. Under the European GDPR, data subjects have rights over their data, and the NGO is therefore liable towards them.
As the data controller, the NGO can be subject to queries and investigations from various stakeholders such as local authorities and/or donors. It is therefore essential to have a clear vision and a good understanding of what is happening to data within the organisation.
Your personal responsibility will depend on your specific role, on what type and how much data you are dealing with, on what controls you have over them, etc.
More on roles and responsibilities in section 4. The Human pillar and Staff.
2.3 Is data protection only a responsibility for IT, or is it everybody’s?
To be very clear: data protection is the responsibility of everyone.
While nowadays we tend to refer to data mostly in the digital form, it is essential to keep in mind that data protection and data privacy rights encompass data in whatever form they take, digital and/or paper. From a legal point of view, GDPR compliance can only be achieved through the entire organisation effectively getting involved. Thus, the responsibility of handling it properly cannot be limited to IT technicians, and is shared at all times by everyone, you included.
Responsible Data as an ethical principle goes even one step further, as it is not limited to regulatory and/or technical requirements. Rather, it can be seen as an opportunity to bring together parts of your organisation that might sometimes have been working separately, uniting them in striving to achieve legal and ethical interactions with data. For instance, program teams could benefit from reaching out to their IT colleagues, asking about the best ways to secure the data they are collecting and to use the IT tools provided by the organisation. Or, the Head of mission, the Administration coordinator and the Data specialist in the team can discuss their common responsibility and inform one another about the latest sensitive data collected, a new national regulation, etc.
More on this in section 6. Concrete application of Responsible data management.
2.3 Is data protection only a responsibility for lawyers and legal teams, or is it everybody’s?
To be very clear, data protection is the responsibility of everyone.
While the legal and contractual components of the topic take a large part in the discussions and need to be carefully considered when setting up contracts with any stakeholder (governments, donors, employees, consultants, etc.), they are not sufficient. The responsibility of adhering to the rules and frameworks defined in those contracts, and of processing data accordingly, is shared at all times by everyone.
From a legal point of view, GDPR compliance can only be achieved through the entire organisation effectively getting involved. Thus, the responsibility of handling it properly cannot be limited to administrators or legal specialists, and is shared at all times by everyone, you included.
Responsible Data as an ethical principle goes even one step further, as it is not limited to regulatory and/or technical requirements. Rather, it can be seen as an opportunity to bring together parts of your organisation that might sometimes have been working separately, uniting them in striving to achieve legal and ethical interactions with data. For instance, program teams could benefit from reaching out to their IT colleagues, asking about the best ways to secure the data they are collecting and to use the IT tools provided by the organisation. Or, the Head of mission, the Administration coordinator and the Data specialist in the team can discuss their common responsibility and inform one another about the latest sensitive data collected, a new national regulation, etc.
More on this in section 3. The legal and contractual pillar.
2.4 What are the data protection regulations from donors?
What do we need to follow to be compliant?
Data protection regulations from donors will be defined in the contract that you have signed with them. Therefore, they should be discussed and drafted carefully to ensure that you can comply with them without compromising your ethical values as well as your own compliance to the GDPR.
For accountability purposes, donors have a tendency to request access to much more data than they really need. You can have a look at this study.
To be compliant, you should only share data with donors/partners that they are legally and ethically supposed to have. Check your contract details and start by sharing the results of your analysis (not your detailed datasets). Most of the time this should be satisfactory. Doing so is also a great way to engage your donor/partner in a healthy discussion about their concrete data needs and the limits and risks of sharing personal or sensitive data.
From a responsible data perspective, sharing personal data such as beneficiary lists is problematic and is actually pretty complicated to implement in a responsible way. In fact, doing so would entail the following prerequisites:
- informed, unambiguous and explicit consent asked from the person, specifically covering the fact that the data will be shared with the donor;
- a clear, justified request from the donor prior to the data collection (on a “need-to-know” basis); and,
- adequate frameworks, such as a data sharing agreement, policies implementing the individual’s rights of access, rectification and erasure (‘right to be forgotten’), and storage limitations.
2.5 How can we function and work with such strict regulations?
It is true that data protection rules are daunting and feel difficult to implement and follow. However, you can step back and root your reflections and decisions in the humanitarian principles that are well known and respected across the sector.
To simplify, data protection rules can be powerful tools to promote and enforce humanitarian principles, especially the ‘do-no-harm’ principle present in any humanitarian and development program. Data protection rules can also help build trust between you and the affected populations you are aiming to support.
Most importantly, start somewhere and in small steps. You will be surprised how much progress can be achieved with just a bit of time!
2.6 When do we need to have a DPO or data protection focal point?
Though it is not an obligation, any organisation dealing with affected populations in vulnerable or conflict settings is most likely dealing with personal or sensitive data. If it is based in Europe and/or receives any European funding, the organisation is subject to the GDPR.
As a consequence, appointing a DPO or data protection focal point is a good practice. This person will help map your data processes and identify gaps/weaknesses as prerequisites to invest into potential mitigation measures. Depending on your size and resources, this role can be another “hat” attributed to an existing function, such as MEAL, IT, HR or Legal.
More on this in section 4. The Human pillar and Staff.
2.7 We do not have any legal nor IT specialist in our organisation. Can I find answers in this toolbox?
We hope so! Though each organisation and situation is unique, you will find resources and materials that should help you get at least a better understanding of your own specific circumstances.
3. Regarding the GDPR…
3.1 What are the key measures of the GDPR that I must comply with as an NGO?
As an NGO you have the same obligations to adhere to the GDPR as any company.
This might sound overwhelming, but in a nutshell, it requires organisations to step back, identify where in their programs and activities they deal with personal or sensitive data, and then, ideally, be able to explain for each ‘data flow’ exactly who is doing what.
This ‘data mapping’ exercise takes time, but is a great way to engage your team members in tackling this challenge together. It will most certainly highlight good practices you are already doing; for example, you may already rely on a solid IT infrastructure that guarantees a good level of security of your data. It will also point at gaps that require reflection and inform decisions; for example, you might realise that it is unclear who is in charge of filing and archiving your data.
It is hard to be fully GDPR-compliant, but the most important thing is to start somewhere. A lot can be achieved with no extra investment other than common sense. The paramount objective is to protect and respect the integrity of the persons you wish to serve and support, as well as your employees.
This toolbox will hopefully give you some ideas, places to start, and pointers for moving forward. Take a bit of time and pick a section.
3.2 Do GDPR rules only apply to data collected from May 2018 onwards?
Do they also cover the data previously collected and stored by the organisation?
Legally, GDPR rules only apply to data collected after May 2018. However, keeping data forever does not conform to GDPR.
Ethically, you should apply responsible data principles to all of your data, most specifically ‘data minimisation’. Also, all data should have an ‘end-date’ and should be destroyed at a pre-defined point. There is a tendency to keep (and forget about) data forever, which is a trend amplified in the humanitarian and development sectors due to the high staff turnover. As such, this can lead to errors and misinformation when, accidentally or not, obsolete data are used.
More on the concept of ‘Info Sobriety’ with a webinar from CartONG in French:
3.3 What other data protection laws exist in the world apart from the EU/GDPR?
The GDPR is definitely the strongest data protection regime in the world, aiming at protecting its citizens’ personal data and privacy. Most countries around the world have now followed suit and have data protection laws in place that need to be considered carefully, because they sometimes differ from and contradict the European GDPR.
Navigating the various layers of legal and contractual rules and obligations is a complex and tedious (but necessary) task for NGOs, with no straight answer.
Indeed, having data protection laws does not necessarily entail the respect of Human rights or humanitarian principles. There are some striking well known examples where laws will favour or encourage population surveillance as a powerful tool to fight insecurity or terrorism.
More on this in section 3. The legal and contractual pillar.
There are several tools that exist to display and compare data protection laws:
- https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
- https://www.cnil.fr/en/data-protection-around-the-world
- https://www.dlapiperdataprotection.com/index.html
4. Risks and Consequences
4.1 What could be the risk of bad data protection for beneficiaries or NGO staff?
Risks describe the likelihood and impact of a harmful event occurring.
The risk for a beneficiary (but also groups of people, communities, etc.) from a data breach could be:
- tangible harm (including bodily harm, loss of liberty or freedom of movement, damage to persons or property, or other tangible harm);
- psychological harm (including embarrassment/anxiety, (re)traumatisation, or other psychological harm);
- social harm (including discrimination/stigma, loss of trust, legal persecution, or other social harms); or
- economic harm (including financial loss, loss of economic opportunities, or other economic harm).
For an NGO staff, some of these risks also exist, as a data protection issue could make them a target of a group of people, thereby entailing tangible, psychological, social or economic harms.
4.2 What are the greatest risks in terms of data protection at the organisation level?
Are they only financial and reputational?
The types of organisational data protection risks to be prepared for are:
- reputational: if there is a data leak, beneficiaries’ and partners’ trust could be eroded, whether it has any direct consequences or not;
- financial: fines, ransomware, closure of projects or loss of new projects;
- operational: reduced efficiency, missed opportunities and restriction of humanitarian access due to loss or theft of data; and/or ethical positioning.
4.3 What do you mean by a data breach?
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
The degree of severity and the consequences of any data breach will depend on the nature and use of the data, from inconsequential to life threatening.
Examples of breaches on personal and sensitive data include:
- data that are accessed by an unauthorised stakeholder (e.g. a former employee still has access to the organisation’s databases, or your servers are hacked with the objective of copying your beneficiaries’ lists);
- deliberate or accidental actions (or inaction) by a stakeholder (e.g. confidential paperwork is forgotten in the printer);
- sending personal data to an incorrect recipient by email (e.g. hitting “reply all”);
- computing devices containing personal data being lost or stolen (e.g. a USB key onto which personal files were copied is lost);
- alteration of personal data without permission (e.g. a staff member deletes by mistake the content of a sensitive file that was not password protected); and/or
- loss of access to, or availability of, data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is: accidentally lost, destroyed, corrupted or disclosed; accessed without proper authorisation, or; made unavailable, with this unavailability having a negative effect on individuals.
5. Responsible Data Processes
5.1 As an NGO, can we work without personal and sensitive data?
That would be complicated but not impossible.
The less personal and sensitive data you have to deal with, the fewer legal and technical obligations you have to follow and implement. Rationalising your data needs as per the principles of ‘data minimisation’ and ‘data proportionality’ can go a long way to simplify your data practices, processes and procedures.
It might certainly be difficult to eliminate all personal and sensitive data; for instance, a medical organisation will have a hard time functioning without patient files and data. However, there are basic steps that you should take to balance your operation needs with potential ethical dilemmas and risks, which are heavily dependent on context.
- First you need to acknowledge that in the past you have and still continue to collect, keep and use a lot of data, sometimes personal and sensitive.
- Then, you need to inventory all types of personal and sensitive data you collect, store, manipulate and analyse: for what purpose (why?); with what tools (how?); who is doing what; and who is in charge?
Only then, you can make some informed decisions about your data management.
In data protection jargon, doing so is called a Data Protection Impact Assessment (DPIA).
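The inventory step described above (for each data flow: why, how, who, and, as section 3.2 puts it, an ‘end-date’ after which the data are destroyed) can be kept as a small register and checked automatically. The script below is an added example written for this page, not CartONG’s own tooling or any template from the toolbox; the inventory entries, field names, the 30-day warning window and the review date are all constructed assumptions.

```python
"""Check a data-flow inventory for gaps and expired retention periods.

Added example for this page (not the toolbox's own tool). The inventory,
field names and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Questions every entry must answer: why? how? who is in charge?
REQUIRED_FIELDS = ("purpose", "tool", "owner")
WARN_DAYS = 30  # assumed: flag retention deadlines due within 30 days


@dataclass
class DataFlow:
    name: str
    purpose: str = ""                      # why is the data collected?
    tool: str = ""                         # how / with which tool?
    owner: str = ""                        # who is in charge?
    legal_basis: str = ""                  # needed only for personal data
    categories: Tuple[str, ...] = ()       # e.g. ("personal", "sensitive")
    retention_end: Optional[date] = None   # pre-defined destruction date


def is_personal(flow: DataFlow) -> bool:
    """Personal or sensitive data trigger the legal-basis and retention checks."""
    return bool({"personal", "sensitive"} & set(flow.categories))


def check_flow(flow: DataFlow, today: date, warn_days: int = WARN_DAYS) -> List[str]:
    """Return a list of findings for one inventory entry (empty list = no issue)."""
    findings: List[str] = []
    for field_name in REQUIRED_FIELDS:
        if not getattr(flow, field_name).strip():
            findings.append(f"missing {field_name}")
    if is_personal(flow):
        if not flow.legal_basis.strip():
            findings.append("missing legal_basis")
        # "all data should have an end-date": keeping it forever is a gap
        if flow.retention_end is None:
            findings.append("no retention end date")
        elif flow.retention_end < today:
            findings.append(
                f"retention ended {flow.retention_end.isoformat()}: destroy or archive"
            )
        elif flow.retention_end - today <= timedelta(days=warn_days):
            findings.append(f"retention ends in {(flow.retention_end - today).days} days")
    return findings


def review_inventory(inventory: List[DataFlow], today: date) -> Dict[str, List[str]]:
    """Map each flow name to its findings; flows without findings are omitted."""
    report: Dict[str, List[str]] = {}
    for flow in inventory:
        findings = check_flow(flow, today)
        if findings:
            report[flow.name] = findings
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    DataFlow("Beneficiary registration list", purpose="targeting for cash distribution",
             tool="mobile data collection form", owner="MEAL officer",
             legal_basis="legitimate interest", categories=("personal",),
             retention_end=date(2023, 12, 31)),
    DataFlow("Patient files", purpose="medical follow-up", tool="",
             owner="Medical coordinator", legal_basis="vital interest",
             categories=("personal", "sensitive"), retention_end=None),
    DataFlow("Latrine site map", purpose="WASH planning", tool="GIS desktop software",
             owner="WASH coordinator"),
    DataFlow("Staff payroll", purpose="salary payment", tool="HR spreadsheet",
             owner="Administration coordinator", legal_basis="contract",
             categories=("personal",), retention_end=date(2024, 3, 20)),
]
REVIEW_DATE = date(2024, 3, 1)  # assumed date of the review

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the report lists the registration list as past its destruction date, the patient files as lacking a tool and an end date, and the payroll as due for deletion within the month; the site map, which holds no personal data, is not reported. Replacing the constructed entries with your own register turns this into a quick, repeatable check that every data flow has an owner, a purpose and a planned end.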
5.2 We are already collecting consent when collecting data. Is it the same thing as ‘consent’ in data protection?
This is indeed confusing.
‘Consent’, as per the GDPR, is one of the legal bases justifying lawful processing. It is strictly defined and entails the application of data subjects’ rights, which include the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to a decision based solely on automated processing.
In practice, this can prove extremely difficult (or simply impossible) to implement in the countries of intervention for humanitarian and development actors. Think about how realistic it is to tell your beneficiaries they can have access and review their data.
This is why for any process of personal or sensitive data, the organisation needs to define its purpose and associate it with the appropriate legal basis.
More on this in section 2.1 Key Definitions and in section 2.7 Key concepts to master.
5.3 What tools can I safely use? Which of the tools are GDPR-compliant?
Remember that no tool is perfect and that the compliance will mostly depend on what data you use it with and how you use it.
You will need to invest time or have someone in your team knowledgeable about how to ‘read through’ the technicalities, limits and settings of any chosen tool in regards to your intended use (thereby identifying potential risks and harms).
CartONG has for instance produced a benchmark on MDC (mobile data collection) tools, which highlights functionality in relation to data protection principles.
Further, the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) has lists of trusted partners and qualified technologies that are guaranteed to follow national rules and protocols aiming at securing and protecting data.
5.4 If all data is sent to HQ (or regional or capital office), is it safer?
Centralising data does not necessarily imply better protection. It will depend on how secure the associated storage place is, on who will have access to the data, and on the procedures and tools in place to collect and send the data to the centralised storage place. If these three aspects are well thought out in terms of data protection, however, centralisation can entail better overall data protection, as it limits the risk of multiple local, non-secure storage solutions.
5.5 Is viewing or having access to data considered as data processing?
Yes. According to the GDPR - Article 4, a “processing operation” is defined as “any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
5.6 How should I react when I discover that I received files with personal or sensitive data I was not supposed to see?
What do I need to do to share data securely?
First of all, beware of opening any unsolicited documents attached to an email: they can be spam or carry malware or a virus, which may trigger much more annoying problems and consequences once opened.
Technically this would be considered a data breach, but the adequate response would also highly depend on the content.
Most of the time, such incidents result from a simple user mistake. In this case, it is best to reach out (without replying with the attached file) and raise the issue with the sender. Once you have concluded it was a mistake, you can delete the file at your end. This is also an opportunity to raise awareness on the topic.
If the intent was to send you the data, you might want to reflect on how safe and secure email transfers are. Maybe something simple like sharing a link to a protected folder would have been better. Most cloud services provide secure document sharing at no cost.
If you find unprotected files with personal or sensitive data on a computer/hard drive/USB key, do not act on your own and decide to keep or delete the data. Report it to your data protection focal point, IT or Legal, or line manager. Again, this can be a simple mistake or this might shed light on a flaw in your system and lead to a more formal data breach record.
… Most importantly “if you see something, say something”!
6. I am not sure if …
I am not sure if the data is sensitive.
I am not sure if this tool is secure.
I am not sure if I should have access to this data.
I am not sure if I should be transferring this data.
… In case of doubt, and to prevent any harm, have a conservative approach and do not act before having asked or checked with your manager, data protection focal point, and/or IT specialist. Better be safe than sorry!
7. And, also …
Should we manage de-identified or pseudonymised data differently from a dataset containing PII?
What is a VPN? What is it used for? When should I use one?
Is viewing or having access to data considered data processing?
Passwords: how frequently do I need to change them? How useful is a password manager?
Hard drives / USB keys: can we store any kind of data there, including sensitive information? Is it safer to do so?
Anonymisation, pseudonymisation: what is the difference and how can I anonymise a dataset?
These specific questions will be answered throughout section 6. Concrete applications of responsible data management.