Across the global development community, non-profits, government agencies, and humanitarian response organizations are using data to catalyze innovation through increasing mobile access, scaling up field operations and promoting inclusive decisions between implementers and beneficiaries.
While organizations may act with best intentions, and in doing so, embrace digitization and adopt advanced analytics to improve these efforts, issues of privacy, security and ownership of such data can be inconsistently addressed. Promoting responsible use of data and implementing data protection policies that can be rapidly adopted in the field are not being prioritized by enough practitioners.
As one example, a study by The Centre for Internet & Society following the international response to the Ebola outbreak in West Africa called attention to the unregulated use of call detail records (CDRs) by response organizations and how some actors did not seek informed consent before collecting and using personal identifiable information (PII) to track how Ebola was moving throughout the region.
Whether organizations collect sensitive information from beneficiaries or manage large datasets from various countries, the need to adopt data privacy best practices and policy is paramount.
Despite the challenges, there are clear best practices that organizations can adopt—either at the institutional level or in the field—to ensure data is protected. Even with the challenges that the Centre for Internet & Society found during the Ebola outbreak, there were important good practices from that response, noted in this USAID report, that should inform future crisis response efforts. For example, during the outbreak, data-enabled responders were continually updating emergency response centers with proper activity reports, which enhanced coordination of efforts and ensured that the location of Ebola outbreaks was recorded properly.
Understand the Data Lifecycle
Field staff need to understand how the data that they collect is managed by their organization or implementing partners from inception to close-out of their program. In practice, organizations should have a clear framework in place that tracks how data flows in and out of their programs to mitigate risk, responsibly collect data, provide feedback to program partners and ultimately dispose or properly archive collected data.
Focused data collection protocols—including data minimization policies—decrease the chance that sensitive data is misused and ensures that such data can be properly and rapidly disposed of when the program concludes. The Electronic Cash Transfer Learning Action Network—convened by Mercy Corps and MasterCard—practices data minimization to reduce the risk of data being misused and decrease the cost of data collection in the field.
Build Awareness, Educate, then Implement
Upholding data privacy in the field can seem expensive in time and effort, but there are tools available for practitioners to improve data privacy activities. Organizations need to first build awareness of the data privacy challenge at-large, educate their staff on strategies to address it and finally implement privacy guidelines into their field programs.
Practically, organizations actively using the Principles for Digital Development can join upcoming workshops, disseminate toolkits and follow how-to guides outlined in the principles to Be Data Driven and Address Privacy & Security.
The Responsible Data Management (RDM) partnership between Oxfam and The Engine Room realized the translation from awareness to practice. RDM includes briefings, leaflets, and an interactive training package—complete with card games—that field officers can use to educate their operations staff about data responsibility. Staffers work through different real-world dilemmas and learn where programs may have to deal with sensitive information and how they can do so in an ethical and responsible fashion.
Institutionalize Data Responsibility
Executive officers and donors should enact policies that institutionalize data protection and responsible use throughout their respective operations. Such policies can engender a greater sense of technical literacy and a culture of data responsibility in addressing the data privacy challenge.
In fact, certain organizations—including World Vision International and Catholic Relief Services—have formed information security offices and adopted privacy policies across their ICT programs, in addition to calling on donors and other partners to develop and implement stringent privacy safeguards in this regard.
On the Horizon
Going forward, staff members should continue to tap into expertise that already exists through such organizations as Global Pulse—a UN-led data initiative—or The Responsible Data Forum to improve their data privacy practices and keep the discussion going.
Non-profit organizations and government agencies also need to consider that a majority of existing data is largely-owned by private-sector telecommunications and network infrastructure companies. Mobile network operators will be core partners for NGOs and government development agencies for future digital development programs.
Addressing data privacy in digital development is crucial if implementers want to continue to use data for good and improve their programs. Collaboration on building a data privacy consensus between donors, implementers and conveners can engender sustainable policies and effective resilience for data responsibility, protection and privacy.
Mitch Hulse was a fellow at the Digital Impact Alliance during the summer of 2017. During his fellowship, Mitch focused on building out DIAL’s literacy on data privacy—specifically how the ICT community can leverage data responsibly and sustainably with both private-sector and public partners. He is currently completing his Masters of Public Policy degree at the University of British Columbia.