Responsible data culture: looking back on the last 18 months

26 March 2020

Following the enforcement of the GDPR in May 2018, CartONG has embarked upon a process of institutionalizing responsible data management in-house. In this article, we invite you to discover the main steps of this change management process that we have been implementing for more than 18 months now, and the key lessons we have learned from it.

The subject of data protection and more generally of responsible data (see box below) has been a long-standing concern for CartONG. It was for example on the agenda of the 2016 bi-annual international “GeOnG” forum that our NGO has been organizing since 2008. Then in 2017, CartONG developed in partnership with Terre des hommes a beginner’s guide to data protection – one of the first of the kind for the aid sector. In parallel, through the implementation of encryption on mobile data collection tools, the mapping of the evolution of stigmatizing diseases, the design of databases with sensitive information, and the development of web applications containing personal data, the subject of data protection has been repeatedly at the heart of our teams’ concerns.

Nevertheless, like most organizations, it was the coming into effect of the General Data Protection Regulation (GDPR) in May 2018 within the European Union that was a turning point for our association. From then on, not only did CartONG want to integrate ethical and responsible principles in the way we manage data from the angle of our humanitarian principles, but our structure had to comply with a new law.

Responsible Data Management vs. Data Protection

Responsible data management is a concept that is becoming more and more widespread in the humanitarian and development sectors. According to OCHA, it goes beyond the concepts of “data privacy” and/or “data protection” and involves a set of principles, processes and tools that support the safe, ethical and effective management of data in humanitarian responses. See also: https://responsibledata.io/what-is-responsible-data/

Launch of a task force with the support of a consultancy mission

After participating in an initial introductory training session in early 2018 and redesigning the content of our Geographic Information Systems (GIS) and Mobile Data Collection (MDC) training sessions to include a more formal data protection component, an internal working group dedicated to the topic was set up mid-2018.

Designed as a “task force” and endowed with a dedicated budget (from core funds), the latter brought together 8 people representative of the different profiles and services existing in CartONG. The team carried out a first evaluation of our internal practices and having assessed the substantial work still to be undertaken and the relevance of using external support to facilitate the implementation of the necessary changes (especially on legal aspects). This lead to CartONG requesting and obtaining – at the end of 2018 – a grant to co-finance a dedicated consultancy from the Institutional and Organizational Strengthening Fund (FRIO) of the Coordination Sud network (a project supported by the French Development Agency).

Key achievements in 2019

Throughout 2019, the internal working group, supported by the team of consultants, launched a series of initiatives. These made it possible to work in a sequenced manner on CartONG’s specific situation: it has a “double hat”, i.e. on the one hand as a subcontractor – for data managed on behalf of its partners – and on the other hand as a data processor like any association (data of employees, members, volunteers, etc.). It should be noted that this “double status” is not very common for an NGO and is due to the specificity of our positioning as a H2H organization.

In 2019, we have achieved the following:

an initial inventory specifying the shortcomings of CartONG in terms of data protection and which allowed us to define priority areas of work
a review of our legal status and the relations we had with our partners which led to the signature of new contracts, amendments or specific annexes covering data protection aspects
a review of our internal organization that led to the required preparation and appointment – at the very beginning of 2020 – of a Data Protection Officer (or DPO) and of focal points within each of CartONG’s departments.
a compliance of CartONG on the most priority elements including in particular the implementation of a register of our data processing processes, a procedure in case of data violation, the drafting of a privacy policy for our communication tools covering the various aspects of CartONG’s life (volunteers, applications, etc.), etc.
the progressive adaptation of our day-to-day professional tools and IT infrastructure with, for example, the adoption by the entire team of a password management tool, the step by step securing of our storage spaces, etc.
the design and implementation of new technical procedures (formalized in the form of “check lists” or of a “how-tos”) linked to our core activities, enabling us to integrate the principles of “data protection by design and default” into our daily operations, for example in the de-identification of data, the review of consent messages in data collection forms or the use of fake datasets in the development of applications.
the implementation of a change management strategy for the entire team, including the organization of a “data protection month” in November 2019

Looking back at some key learnings

The work we have been doing for the past 18 months also allows us to draw and share some key feedback on the various steps we have been through. These are not necessarily revolutionary in themselves, but they complement or reinforce other lessons learned shared by other actors in the sector (such as this article by Linda Raftree).

The collective is a strength: any support provided to the DPO such as focal points or task forces are extremely relevant.
There is also a real added value in using external support: it is easier to accompany the changes required from your own teams when you are yourself accompanied!
Although the importance of going through a real assessment phase is often underestimated, sticking to it allows for better prioritization in the short, medium and long term.
It is a long-term job: do not seek full compliance, much less immediate compliance, because it is an illusion.

Study on the compliance of civil society organizations with the GDPR

We encourage you to read the study on the compliance of civil society organizations (CSOs) with the GDPR that the Open Society Foundations recently published. This report presents the opportunities and challenges faced by CSOs and also offers a set of good practice to limit the risks.

Responsible data is not just a matter of enforcing the GDPR, especially within our sector! CartONG has therefore deliberately chosen to take a broader approach to the data that needs protecting or “data to protect” in the context of its activities (see illustration below & click on it to display it in full).

Yes, data protection is also an opportunity to simplify one’s life in certain aspects: smart password management, clarification of certain processes, etc.

Some resources & readings that we recommend to the actors of the sector

The Handbook on Data Protection in Humanitarian Action of ICRC (a new updated version is planned for mid-2020)
The “Responsible Data” community (including its mailing list) coordinated by The Engine Room
The work carried out by HumData (OCHA) through the design of guides and technical notes
The “Data Accountability Maturity Model for Development Organizations” (Linda Raftree and Care USA)

A new step for CartONG: helping to disseminate a responsible data approach in the aid sector

As a H2H (“humanitarian to humanitarian”) organization specialized in information management, CartONG’s vocation is to support all humanitarian and development actors in the technical, strategic and ethical challenges they encounter while using digital technologies. Having ourselves gone through the first stages of this long-term process of integrating the principles of responsible data management into our processes and practices, we are now in a position to include them as an integral part of our support to other organizations. However, as in other areas, our support is still limited to programmatic information management from humanitarian and development projects – as CartONG has no expertise in handling other categories of data such as HR, financial, etc. data.

In February 2020, CartONG had the opportunity to give its first dedicated training in data protection to 13 member organizations of the German network of humanitarian and development organizations VENRO (the equivalent of Coordination Sud in France), focusing in particular on the constraints and practices of field operations.

The subject of responsible data will remain a complex and burning issue – probably for a few more years – for the aid sector. CartONG will therefore continue its work of specialization on the topic and strengthening its support to NGOs on the topic. To this end, the next GeOnG forum that will take place from November 2nd to 4^th, 2020 will focus on: “People at the heart of information management: promoting responsible and inclusive practices” and will be the perfect opportunity to continue the discussions on the subject.

– – – –

Do not hesitate to contact CartONG for any question related to responsible data management within the aid sector.