Responsible data management toolbox

6.7 Share and transfer

Case study: sharing sensitive data through an unsecured channel

The situation

You are a project manager working in a development context. You use encryption software to encrypt your files before sending them to HQ, to make sure they are well protected. With AES-256 encryption, you are convinced that the shared data is tamper-proof. So you encrypt your file with specialised software and obtain an encryption key (this is indeed the way such software works).

You send the file to HQ and communicate the encryption key in writing, in the very same email that carries the file. Several weeks after this communication, you realise that the medical data included in this file has been disseminated, with a real impact on some of the beneficiaries (especially those with STDs, a taboo subject in the operational context in question).

What are the potential risks?

  • Disclosure of personal and sensitive data that does not comply with humanitarian and data protection principles
  • Targeting of a vulnerable population
  • Reputational risks, loss of confidence of affected beneficiaries vis-à-vis the NGO

What to do?

In this example, our project manager forgot to protect the encryption key and shared it through an unsecured channel, alongside the very file it protects.

First of all, it should be clear that in most cases it is not the technology that is at fault, but the user, and their lack of knowledge of how the tools work and what their limitations are.

This is a blatant illustration. Using encryption software does not by itself mean our data is protected: the false sense of security provided by the technology deceived the user, who adopted reckless conduct and failed to adapt their behaviour accordingly. Indeed, whilst the technologies that allow encryption are relatively secure (at least until now; the advent of quantum technologies could fundamentally challenge this paradigm), there remains a “weak” spot: the encryption key. Special attention must be paid to how this key is preserved and how it is shared. First, because the file can only be read by someone who holds the key to unlock it. But also, and above all, because the procedures for retaining and sharing the key determine the actual “safety level” of the whole arrangement. Thus, despite having the strongest possible encryption, if you send your files and their keys together by email, you expose the underlying data.

How could the situation have been avoided?

Training and coaching teams by providing them with recommendations and procedures (within their reach in terms of time and skills) is generally what makes data transfer secure. In point of fact, at organisation level, perfect can be the enemy of good: wanting to encrypt everything, or lock everything, can push employees to share keys through unsecured channels. So be attentive when scaling your tools and security, and don’t forget that your security is usually only as strong as your weakest link.

In terms of software to share and encrypt files, you can use tools like VeraCrypt, OnionShare or Tresorit Send. To share sensitive text (such as a sharing key), prefer burn-after-reading solutions, which ensure that the page cannot be viewed more than a certain number of times, such as PasteBin, PrivateBin, Threema or Tresorit Send, rather than insecure common communication channels. And make sure that the connection you are using is secure (avoid airport Wi-Fi, for example).

But again, bear in mind that your contact must be attuned to the types of security implemented, especially when you share very sensitive data. If the recipient writes down on a piece of paper the encryption key that you have shared confidentially through the solutions mentioned above, you are likely exposing your data.

Case study: the donor request for your beneficiary list

The situation

You are a project manager, and you operate in an area with high political stakes concerning a population persecuted by several countries. At the end of a project phase, the donor, who has close links with the public authorities, asks you without prior notice to hand over your lists of beneficiaries. However, the beneficiaries never gave their consent for such use. The donor informs you that refusing would amount to a failure to respect your commitments and would therefore call into question any continuation of your NGO’s activities in the country.

What are the potential risks?

  • Targeting of a vulnerable population
  • Disclosure of personal and sensitive data that does not comply with humanitarian and data protection principles
  • Reputational risks, loss of confidence of affected beneficiaries vis-à-vis the NGO
  • Financial risks (with regard to the donor, but also fines), activities called into question

What to do?

If the data requested is for audit or statistical purposes, it is entirely possible, through a data sharing agreement, to provide the donor with pseudonymised data.

If the purpose lies elsewhere, start by making sure that you have not contractually committed to it, then check your legal obligations (for example, without informed consent you simply do not have the right to share the data under regulations such as the GDPR, where it applies). In any case, there may not be a simple solution to the problem, as it would be unethical and contrary to humanitarian principles to share such data.

It is therefore necessary to present your ethical arguments, if possible based on the donor’s own charter on this topic (which the majority of donors have) and/or on any public policy your organisation may have on responsible data management. Explain that you cannot go against your ethical commitments, stick to them, and if possible join forces with other organisations in the same situation.

How could the situation have been avoided?

To avoid this type of situation, which is difficult for all parties, it is important, from the start of the partnership, to clarify as far as possible what requests there may be for the data, so as to implement the appropriate measures (contract, consent, etc.).

However, a request made at the start of the project does not have to be answered positively just because it was made early: always seek to understand the use that could be made of this data and thereby whether it is in accordance with your organisation’s principles. Also interact with other organisations to understand the political context, the weight the data carries, and the risks associated with such sharing.

Then, make your headquarters aware of published policies in this area to give weight to your position (such as Oxfam’s stance on biometric data, for example). This will help your argument and establish its legitimacy. You may not be successful (and may effectively have to close your activities in the area if no acceptable solution is found), but you will at least have done everything to bring an ethical solution to the problem.

Case study: risk of identifying contributors to a focus group

The situation

As part of a project to support women victims of violence, a discussion group was organised on gender-based violence (GBV) issues. Following the publication of a report on the project, you are alerted by a third-party organisation that the women present during the discussion group can be identified. Indeed, despite the aggregation of the data, the maps published in this report use too precise a location and risky, even doubtful, typologies. It is possible to identify the participants by cross-checking the information displayed on the maps against the outcomes of the qualitative data analysis.

What are the potential risks?

  • Participants could be targeted, with risks of stigma and potentially retaliation
  • The activities planned under the project could be compromised because they are based on the anonymity of the participants
  • Reputational risks, loss of confidence of affected beneficiaries vis-à-vis your NGO
  • Personal and sensitive data accessible by third parties, which is not in accordance with humanitarian and data protection principles

What to do?

The first essential step is to remove the report from the public domain in order to avoid wider dissemination, then to make the necessary changes. Quickly assess what sensitive data may have been disclosed and the associated risks, and notify those affected to inform them of the situation.

How could the situation have been avoided?

Having a validation procedure prior to publication that takes responsible data management into account. For instance, establish a risk assessment grid to refer to as soon as sensitive data is collected and before any report based on that data is made public.

Raising teams’ awareness and providing resources on the representation of sensitive data in the form of maps would allow several people on the team to be attuned to personal data protection issues and to take a critical look at these types of documents before they are shared.

Key resources