Link Search Menu Expand Document
Mobile Data Collection toolbox

5.3 Responsible data management in form design

Planning your data collection responsibly should not be seen as an impossible task. However, it has to be done for NGOs to follow the “do no harm” principle as it is related to data. In general, don’t hesitate to see the part 9 “Mobile Data Collection and Data Protection” of the Module 4: Getting the data we need “Mobile Data Collection and Data Protection” of the IFRC Data Playbook which provides elements and clarification on that subject. Parts “Data protection vs security vs responsibility..?” on page 50, “Some key aspects of GDPR” on page 52 and “Use case” (page 52-54) are recommended.


Collect only what you need

The first thing to remember is to keep data capture to a minimum, i.e. to collect only and exclusively the data you need. Exercise 7 - 9 What data do we really need? in Module 7: Responsible Data Practices and Data Protection of the IFRC Data Playbook is very helpful in this matter. Data minimization also prevents the time and resources wasted by a too large and heavy data collection. You can find below some of the most important and relevant steps to take into account when planning a data collection.

If you have no internal recommendations to follow from your organisation on this front (if you don’t have a Data Protection Officer or some data protection guidelines on data collection), you can start off by finding out more on Responsible Data Management in humanitarian organisation it is highly recommended to follow this 2-hour Disaster Ready training (available in both French and English).

Jointly to your Analysis plan, which legitimates your needs for data and limits the collection to the minimum (=data minimisation), you should try to pre-classify the data you want to collect by thinking about some of these aspects:

  • (Answered in the Analysis Plan): What type of data is collected? Why and how?
  • Will this data be personal data?
  • Will this data be sensitive?
  • With which stakeholders (donors, funders, …) will you share it and how much of it?
  • Which other actors could be interested in such data?
  • What are the risks to collect such data and how will you manage it? Are they too important to risk actually collecting this data? To evaluate this, a good practice is to fill a Data Impact Assessment (DIA) as explained below.
  • How will you secure this data to guarantee the safety and confidentiality of the people behind it?
  • How will you store, share, transfer it? Will you share it internally? and externally?
  • How long do you need this data? When and how will plan the suppression, archiving or de-identification of data?
  • How will you stay in contact with communities to :
    • Inform them about what is being done with their data
    • Allow them to get back to you to respect their data rights depending on the legislation you need to respect and also your ethical duties (correction, suppression, etc.)

To help you classify your data you should see point 7 - 13 Data Hygiene Checklist in Module 7: Responsible data practices and data protection in the IFRC Data Playbook.

This set of questions represents the base to complete a Data Management Plan, that is highly recommended to do before any data collection. You can find Oxfam’s Data Management Plan Matrix below to give you an example.

image info

A data management plan can refer to each data collection within a project, or to a specific project, an office or a mission in order to limit to make a new one each time you need to collect data. However, you have to make sure the data you will collect fits with the exigence of the general Data Management Plan of the mission for example.

The answer to these questions above will help you think through how to inform the population from which you’re collecting the data about their rights and to see how you want to ask for their consent.

It is however important to adapt and re-adapt the way you ask for consent (i.e. the “scenario”) depending what is behind it for each data collection (depending on what you plan to actually do with the data, the population characteristics etc…). Here are some points to bear in mind:

  • Make it easy to understand
  • Include the fact that mobile device will be used for collection if that is the case (or allow them to refuse the fact that a mobile device will be used if it makes them uncomfortable)
  • Getting a child’s consent is different than an adult’s consent: you will need to make sure you also have the tutor’s consent.
  • To ensure you are getting informed consent and that the respondent knows his/her rights and what is at stake, you should use syntax like “I understand that …”.
  • Of course, specify all the uses that will be made of the data, the structures to which it will be shared.

image info

Source : Becoming RAD: How to Retain, Archive and Dispose of data responsibly

To go further and better understand this question of consent you should check these documents:

Manage the risks

There are multiple tools that can be used to improve and adopt security measures that people are already familiar with. You should look into the Field Book for WPF Staff on Conducting Mobile Surveys Responsively, in particular :

  • Section 3 “The responsibility chain” that provides a list of risks and potential harm at 3 stage of data collection (before, during and after) on page 8, a summary of elements to address for each of these 3 stages (page 19), and others useful tips on consent for example.
  • Section 4 “Tools and methods that WFP Field Officers can use to mitigate risk” of this Field Book for Staff on Conducting Mobile Surveys Responsively to get to know more detailed and concrete mitigations solutions you can implement.

Here is an example of risks assessment based on a template of a risks assessment plan from Oxfam:

Stage of data cycle Risks Mitigations Measures
Collection Robbery of mobile devices with personal data Using only the identifier rather than the name or address of your beneficiaries can be a way of reducing the risk of your data being used against your will if a phone is stolen or the survey results fall into wrong hands
Collection Robbery of mobile devices The type of mobile device to be used should not be too valuable to the locals and should be available on the local market.
Collection Loss of a mobile device and the data collected on it Send filled forms on a regular and frequent basis
Storage : Analysing; Sharing; Retaining Harm if sensitive data is not properly protected Follow internal procedure for sensitive data
Define a list of user that are allowed to access to this data
Set up a specific user access with password
Use secure an appropriate MDC and analysis software and tools that have the data protection features you need (encryption, access rights, etc.).

You can also find some potential risks on pages 44-45 of the Module 4: Getting the data we need of the IFRC Data Playbook. It also presents KoBoToolbox points of vulnerability on pages 47-48.

On sharing and retaining practice, please refer to section 10 Sharing your data and section 11 Retaining - Archiving - Disposing of your data.