Data Storage and Security Practices when Partnering with DataKind

Intended audience: Social Impact Professionals

Data security, storage, and privacy are extremely important throughout DataKind’s project process. DataKind is GDPR compliant, but, more importantly, DataKind cares about protecting people’s privacy to ensure our work remains in the service of humanity and in alignment with our values. Data sharing occurs during the Design Stage after the appropriate agreements are signed, the necessary data has been identified, and the appropriate data security protocols are in place. Therefore, the norms are set and decisions are made on how to handle data security at the beginning of the Design Stage. This article introduces DataKind’s data security establishment process. For a full review of DataKind’s data security standards and policies, see this slide deck.

In preparation for the data sharing, DataKind’s process mitigates risks before actually receiving the data and executing the project. The Scopers ensure they understand the sensitivity of the data, agree upon steps to take appropriate security measures alongside the partner organization, and identify and minimize the risk of potential unintended consequences during the data transfer.

DataKind has several tools that are used in this process:

  1. Data Security Questionnaire captures information on the organization’s data and their sensitivity, in addition to potential governance and legal requirements. Note that in the vast majority of cases, DataKind projects do not require - and, in fact, tend to discourage - the use of any personally-identifiable information (PII). In the very rare cases in which we work with PII, we take appropriate additional security measures into account.
  2. Data Classification uses the questionnaire responses to classify the partner organization. We keep in mind that data security and anonymization are not skills that all nonprofit organizations necessarily have in house, so we identify data that could be misused or might render people unsafe. DataKind is committed to best practices for data security, storage, and management, enabling our partners to better protect their data as we establish our plan for data sharing.
  3. Data Management Plan is co-created by the Scopers and the partner organization based on the information gathered in the data security questionnaire and data sensitivity framework. By designing and confirming the plan with the partner organization, Scopers are prepared to set up tools and documentation for managing the data and its access. The plan ensures that the team is able to store, protect, and keep data secure. Lastly, Scopers ensure that all volunteers on the project (and the Project Champion) have seen the data management plan and are prepared to comply with it.

Who should host the data in the platform for sharing?

In most cases, our preference is for the partner organization to host the data themselves, if they have the capacity, and simply provide the DataKind volunteers with temporary access to the data within their systems. This better supports their long-term sustainability and minimizes risks for both volunteers and our partner organizations. Unless a project is funded by a grant that is covering the computing costs, we ask that partners plan to host and pay for any needed computing costs.

What data should the partner organization share with DataKind?

As a partner organization, you should only provide access to data that you know will be needed to complete the project. Don’t share extra data just for the sake of it.

How does DataKind respond if there is a potential data incident?

A data incident is any risk of, or actual, unauthorized exposure, destruction, alteration, access, or loss of personal information. It is also referred to as a data breach or data leakage. We use our Data Incident Response Checklist if there is ever a potential data incident.

What should I do if I have more questions?

Further information and links to resources for DataKind volunteers can be found in the Data Storage, Security and Management Processes Playbook article. If you have more questions, reach out to your DataKind point of contact and ask.

Please see other “scoping” articles for social impact organizations at the bottom of the Scoping page.

Contributor(s): Benjamin Kinsella, DKSF Chapter, Jeremy Osborn, Lawrence Kilroy, William Ratcliff, Dulcie Vousden, Edwin Zhang

Contact us

If you would like to learn more about us, partner with us, or get in touch, email us at community@datakind.org
