5.3 Responsible data management in form design
Planning your data collection responsibly should not be seen as an impossible task. However, it has to be done for NGOs to follow the “do no harm” principle as it relates to data. In general, don’t hesitate to consult part 9, “Mobile Data Collection and Data Protection”, of Module 4: Getting the data we need of the IFRC Data Playbook, which provides background and clarification on the subject. The parts “Data protection vs security vs responsibility..?” on page 50, “Some key aspects of GDPR” on page 52 and “Use case” (pages 52-54) are recommended.
The first thing to remember is to keep data capture to a minimum, i.e. to collect only the data you need. Exercise 7 - 9 “What data do we really need?” in Module 7: Responsible Data Practices and Data Protection of the IFRC Data Playbook is very helpful in this matter. Data minimisation also avoids the time and resources wasted by an overly large and heavy data collection. Below are some of the most important and relevant steps to take into account when planning a data collection.
If your organisation has no internal recommendations to follow on this front (no Data Protection Officer and no data protection guidelines on data collection), you can start by finding out more about Responsible Data Management in humanitarian organisations: it is highly recommended to follow this 2-hour Disaster Ready training (available in both French and English).
Alongside your Analysis Plan, which justifies your data needs and limits collection to the minimum (= data minimisation), you should try to pre-classify the data you want to collect by thinking about some of these aspects:
- (Answered in the Analysis Plan): What type of data is collected? Why and how?
- Will this data be personal data?
- Will this data be sensitive?
- With which stakeholders (donors, funders, …) will you share it and how much of it?
- Which other actors could be interested in such data?
- What are the risks of collecting such data and how will you manage them? Are they too great to justify actually collecting this data? To evaluate this, a good practice is to fill in a Data Impact Assessment (DIA) as explained below.
- How will you secure this data to guarantee the safety and confidentiality of the people behind it?
- How will you store, share and transfer it? Will you share it internally? Externally?
- How long do you need this data? When and how will you plan the deletion, archiving or de-identification of the data?
- How will you stay in contact with communities to:
  - Inform them about what is being done with their data
  - Allow them to get back to you so that you can respect their data rights (correction, deletion, etc.), depending on the legislation you need to comply with and on your ethical duties
To help you classify your data, see point 7 - 13 Data Hygiene Checklist in Module 7: Responsible data practices and data protection of the IFRC Data Playbook.
This set of questions is the basis for completing a Data Management Plan, which it is highly recommended to do before any data collection. You can find Oxfam’s Data Management Plan Matrix below to give you an example.
A data management plan can cover a single data collection within a project, or a whole project, an office or a mission, so that you do not have to make a new one each time you need to collect data. In that case, however, you have to make sure that the data you will collect meets the requirements of the general Data Management Plan (of the mission, for example).
The answers to the questions above will help you think through how to inform the population from which you’re collecting the data about their rights, and how you want to ask for their consent.
It is however important to adapt and re-adapt the way you ask for consent (i.e. the “scenario”) to what is behind it for each data collection (what you actually plan to do with the data, the characteristics of the population, etc.). Here are some points to bear in mind:
- Make it easy to understand
- Mention that a mobile device will be used for collection if that is the case (or allow respondents to refuse the use of a mobile device if it makes them uncomfortable)
- Getting a child’s consent is different from getting an adult’s consent: you will need to make sure you also have the guardian’s consent.
- To ensure you are getting informed consent and that the respondent knows his/her rights and what is at stake, you should use wording such as “I understand that …”.
- Of course, specify all the uses that will be made of the data and the organisations with which it will be shared.
To go further and better understand this question of consent you should check these documents:
- Point 3B, Informed consent of respondents and confidentiality of interviews (page 56), in The KAP Survey Model - Knowledge, Attitude and Practices can give you an idea of how to ask for informed consent in the field.
- The Child Reintegration Monitoring Toolkit (IOM) provides on page 60 an example of text for obtaining consent.
- Guide to good practice for collecting and managing medico-social data (Médecins du Monde)(page 9)
- This document (When words fail: audio recording for verification in multilingual surveys) tackles the question of informed consent: how to properly inform participants of the purpose of the survey (which is not always further assistance) in order to limit bias in responses.
There are multiple tools that can be used to improve and adopt security measures that people are already familiar with. You should look into the Field Book for WFP Staff on Conducting Mobile Surveys Responsibly, in particular:
- Section 3 “The responsibility chain”, which provides a list of risks and potential harm at the 3 stages of data collection (before, during and after) on page 8, a summary of elements to address for each of these 3 stages (page 19), and other useful tips, on consent for example.
- Section 4 “Tools and methods that WFP Field Officers can use to mitigate risk”, for more detailed and concrete mitigation measures you can implement.
Here is an example of a risk assessment based on a risk assessment plan template from Oxfam:
| Stage of data cycle | Risks | Mitigation measures |
|---|---|---|
| Collection | Robbery of mobile devices with personal data | Using only the identifier rather than the name or address of your beneficiaries can be a way of reducing the risk of your data being used against your will if a phone is stolen or the survey results fall into the wrong hands. |
| Collection | Robbery of mobile devices | The type of mobile device used should not be too valuable to the locals and should be available on the local market. |
| Collection | Loss of a mobile device and the data collected on it | Send filled forms on a regular and frequent basis. |
| Storage: Analysing; Sharing; Retaining | Harm if sensitive data is not properly protected | Follow the internal procedure for sensitive data. Define a list of users who are allowed to access this data. Set up specific user access with a password. Use secure and appropriate MDC and analysis software and tools that have the data protection features you need (encryption, access rights, etc.). |
You can also find some potential risks on pages 44-45 of the Module 4: Getting the data we need of the IFRC Data Playbook. It also presents KoBoToolbox points of vulnerability on pages 47-48.
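The mitigation "use only the identifier rather than the name or address" and the pre-classification questions above can be enforced in code before a dataset leaves the collection team. The sketch below is an added example, not taken from Oxfam, the IFRC or any MDC tool; the field names, classification labels and key are constructed for illustration. It goes slightly beyond the table by also rejecting fields that the analysis plan does not justify.

```python
import hashlib
import hmac

# Constructed pre-classification of form fields (assumption: your analysis plan lists them).
ANALYSIS_PLAN = {
    "full_name": "direct-identifier",
    "phone": "direct-identifier",
    "health_condition": "sensitive",
    "household_size": "non-personal",
    "district": "non-personal",
    "water_source": "non-personal",
}
SHAREABLE = {"non-personal"}  # classes allowed in the dataset shared with partners

def respondent_id(secret_key: bytes, *identifiers: str) -> str:
    """Keyed pseudonym: stable for one person, not recomputable without the key.

    A plain hash of a name or phone number can be guessed by hashing candidate
    values; HMAC with a key kept off the mobile devices prevents that.
    """
    normalised = "|".join(" ".join(v.lower().split()) for v in identifiers)
    digest = hmac.new(secret_key, normalised.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]

def prepare_for_sharing(submission: dict, secret_key: bytes) -> dict:
    """Return a minimised, pseudonymised copy of one form submission."""
    unplanned = set(submission) - set(ANALYSIS_PLAN)
    if unplanned:
        # Data minimisation: a field outside the analysis plan should not exist.
        raise ValueError(f"fields not in the analysis plan: {sorted(unplanned)}")
    out = {"respondent_id": respondent_id(
        secret_key, submission["full_name"], submission["phone"])}
    for field, value in submission.items():
        if ANALYSIS_PLAN[field] in SHAREABLE:
            out[field] = value  # identifiers and sensitive fields are dropped
    return out

# Constructed sample submission and demo key (never hard-code a real key).
SAMPLE = {"full_name": "  Amina  Diallo ", "phone": "+221 77 000 00 00",
          "health_condition": "diabetes", "household_size": 6,
          "district": "Kolda", "water_source": "borehole"}
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE, DEMO_KEY))
```

Whoever holds the key can re-link pseudonyms to people, so the key falls under the same access list and retention rules as the original names.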