Feeds:
Posts
Comments

Posts Tagged ‘recommendations’

Unpacking digital privacy, security & safety in the development space

Posted in data, development, ICT4D, ICTs, ICTs, mobile and technology, privacy, wait... what?, tagged , , , , , , , , on May 25, 2016| 3 Comments »

Crowdsourcing our Responsible Data questions, challenges and lessons. (Photo courtesy of Amy O'Donnell).

Crowdsourcing our Responsible Data questions, challenges and lessons. (Photo by Amy O’Donnell).

At Catholic Relief Services’ ICT4D Conference in May 2016, I worked with Amy O’Donnell  (Oxfam GB) and Paul Perrin (CRS) to facilitate a participatory session that explored notions of Digital Privacy, Security and Safety. We had a full room, with a widely varied set of experiences and expertise.

The session kicked off with stories of privacy and security breaches. One person told of having personal data stolen when a federal government clearance database was compromised. We also shared how a researcher in Denmark scraped very personal data from the OK Cupid online dating site and opened it up to the public.

A comparison was made between the OK Cupid data situation and the work that we do as development professionals. When we collect very personal information from program participants, they may not expect that their household level income, health data or personal habits would be ‘opened’ at some point.

Our first task was to explore and compare the meaning of the terms: Privacy, Security and Safety as they relate to “digital” and “development.”

What do we mean by privacy?

The “privacy” group talked quite a bit about contextuality of data ownership. They noted that there are aspects of privacy that cut across different groups of people in different societies, and that some aspects of privacy may be culturally specific. Privacy is concerned with ownership of data and protection of one’s information, they said. It’s about who owns data and who collects and protects it and notions of to whom it belongs. Private information is that which may be known by some but not by all. Privacy is a temporal notion — private information should be protected indefinitely over time. In addition, privacy is constantly changing. Because we are using data on our mobile phones, said one person, “Safaricom knows we are all in this same space, but we don’t know that they know.”

Another said that in today’s world, “You assume others can’t know something about you, but things are actually known about you that you don’t even know that others can know. There are some facts about you that you don’t think anyone should know or be able to know, but they do.” The group mentioned website terms and conditions, corporate ownership of personal data and a lack of control of privacy now. Some felt that we are unable to maintain our privacy today, whereas others felt that one could opt out of social media and other technologies to remain in control of one’s own privacy. The group noted that “privacy is about the appropriate use of data for its intended purpose. If that purpose shifts and I haven’t consented, then it’s a violation of privacy.”

What do we mean by security?

The Security group considered security to relate to an individual’s information. “It’s your information, and security of it means that what you’re doing is protected, confidential, and access is only for authorized users.” Security was also related to the location of where a person’s information is hosted and the legal parameters. Other aspects were related to “a barrier – an anti-virus program or some kind of encryption software, something that protects you from harm…. It’s about setting roles and permissions on software and installing firewalls, role-based permissions for accessing data, and cloud security of individuals’ data.” A broader aspect of security was linked to the effects of hacking that lead to offline vulnerability, to a lack of emotional security or feeling intimidated in an online space. Lastly, the group noted that “we, not the systems, are the weakest link in security – what we click on, what we view, what we’ve done. We are our own worst enemies in terms of keeping ourselves and our data secure.”

What do we mean by safety?

The Safety group noted that it’s difficult to know the difference between safety and security. “Safety evokes something highly personal. Like privacy… it’s related to being free from harm personally, physically and emotionally.” The group raised examples of protecting children from harmful online content or from people seeking to harm vulnerable users of online tools. The aspect of keeping your online financial information safe, and feeling confident that a service was ‘safe’ to use was also raised. Safety was considered to be linked to the concept of risk. “Safety engenders a level of trust, which is at the heart of safety online,” said one person.

In the context of data collection for communities we work with – safety was connected to data minimization concepts and linked with vulnerability, and a compounded vulnerability when it comes to online risk and safety. “If one person’s data is not safely maintained it puts others at risk,” noted the group. “And pieces of information that are innocuous on their own may become harmful when combined.” Lastly, the notion of safety as related to offline risk or risk to an individual due to a specific online behavior or data breach was raised.

It was noted that in all of these terms: privacy, security and safety, there is an element of power, and that in this type of work, a power relations analysis is critical.

The Digital Data Life Cycle

After unpacking the above terms, Amy took the group through an analysis of the data life cycle (courtesy of the Engine Room’s Responsible Data website) in order to highlight the different moments where the three concepts (privacy, security and safety) come into play.

Screen Shot 2016-05-25 at 6.51.50 AM

  • Plan/Design
  • Collect/Find/Acquire
  • Store
  • Transmit
  • Access
  • Share
  • Analyze/use
  • Retention
  • Disposal
  • Afterlife

Participants added additional stages in the data life cycle that they passed through in their work (coordinate, monitor the process, monitor compliance with data privacy and security policies). We placed the points of the data life cycle on the wall, and invited participants to:

  • Place a pink sticky note under the stage in the data life cycle that resonates or interests them most and think about why.
  • Place a green sticky note under the stage that is the most challenging or troublesome for them or their organizations and think about why.
  • Place a blue sticky note under the stage where they have the most experience, and to share a particular experience or tip that might help others to better manage their data life cycle in a private, secure and safe way.

Challenges, concerns and lessons

Design as well as policy are important!

  • Design drives everScreen Shot 2016-05-25 at 7.21.07 AMything else. We often start from the point of collection when really it’s at the design stage when we should think about the burden of data collection and define what’s the minimum we can ask of people? How we design – even how we get consent – can inform how the whole process happens.
  • When we get part-way through the data life cycle, we often wish we’d have thought of the whole cycle at the beginning, during the design phase.
  • In addition to good design, coordination of data collection needs to be thought about early in the process so that duplication can be reduced. This can also reduce fatigue for people who are asked over and over for their data.
  • Informed consent is such a critical issue that needs to be linked with the entire process of design for the whole data life cycle. How do you explain to people that you will be giving their data away, anonymizing, separating out, encrypting? There are often flow down clauses in some contracts that shifts responsibilities for data protection and security and it’s not always clear who is responsible for those data processes? How can you be sure that they are doing it properly and in a painstaking way?
  • Anonymization is also an issue. It’s hard to know to what level to anonymize things like call data records — to the individual? Township? District Level? And for how long will anonymization actually hold up?
  • The lack of good design and policy contributes to overlapping efforts and poor coordination of data collection efforts across agencies. We often collect too much data in poorly designed databases.
  • Policy is not enough – we need to do a much better job of monitoring compliance with policy.
  • Institutional Review Boards (IRBs) and compliance aspects need to be updated to the new digital data reality. At the same time, sometimes IRBs are not the right instrument for what we are aiming to achieve.

Data collection needs more attention.

  • Data collection is the easy part – where institutions struggle is with analyzing and doing something with the data we collect.
  • Organizations often don’t have a well-structured or systematic process for data collection.
  • We need to be clearer about what type of information we are collecting and why.
  • We need to update our data protection policy.

Reasons for data sharing are not always clear.

  • How can share data securely and efficiently without building duplicative systems? We should be thinking more during the design and collection phase about whether the data is going to be interoperable and who needs to access it.
  • How can we get the right balance in terms of data sharing? Some donors really push for information that can put people in real danger – like details of people who have participated in particular programs that would put them at risk with their home governments. Organizations really need to push back against this. It’s an education thing with donors. Middle management and intermediaries are often the ones that push for this type of data because they don’t really have a handle on the risk it represents. They are the weak points because of the demands they are putting on people. This is a challenge for open data policies – leaving it open to people leaves it to doing the laziest job possible of thinking about the potential risks for that data.
  • There are legal aspects of sharing too – such as the USAID open data policy where those collecting data have to share with the government. But we don’t have a clear understanding of what the international laws are about data sharing.
  • There are so many pressures to share data but they are not all fully thought through!

Data analysis and use of data are key weak spots for organizations.

  • We are just beginning to think through capturing lots of data.
  • Data is collected but not always used. Too often it’s extractive data collection. We don’t have the feedback loops in place, and when there are feedback loops we often don’t use the the feedback to make changes.
  • We forget often to go back to the people who have provided us with data to share back with them. It’s not often that we hold a consultation with the community to really involve them in how the data can be used.

Secure storage is a challenge.

  • We have hundreds of databases across the agency in various formats, hard drives and states of security, privacy and safety. Are we able to keep these secure?
  • We need to think more carefully about where we hold our data and who has access to it. Sometimes our data is held by external consultants. How should we be addressing that?

Disposing of data properly in a global context is hard!

  • Screen Shot 2016-05-25 at 7.17.58 AMIt’s difficult to dispose of data when there are multiple versions of it and a data footprint.
  • Disposal is an issue. We’re doing a lot of server upgrades and many of these are remote locations. How do we ensure that the right disposal process is going on globally, short of physically seeing that hard drives are smashed up!
  • We need to do a better job of disposal on personal laptops. I’ve done a lot of data collection on my personal laptop – no one has ever followed up to see if I’ve deleted it. How are we handling data handover? How do you really dispose of data?
  • Our organization hasn’t even thought about this yet!

Tips and recommendations from participants

  • Organizations should be using different tools. They should be using Pretty Good Privacy techniques rather than relying on free or commercial tools like Google or Skype.
  • People can be your weakest link if they are not aware or they don’t care about privacy and security. We send an email out to all staff on a weekly basis that talks about taking adequate measures. We share tips and stories. That helps to keep privacy and security front and center.
  • Even if you have a policy the hard part is enforcement, accountability, and policy reform. If our organizations are not doing direct policy around the formation of best practices in this area, then it’s on us to be sure we understand what is best practice, and to advocate for that. Let’s do what we can before the policy catches up.
  • The Responsible Data Forum and Tactical Tech have a great set of resources.
  • Oxfam has a Responsible Data Policy and Girl Effect have developed a Girls’ Digital Privacy, Security and Safety Toolkit that can also offer some guidance.

In conclusion, participants agreed that development agencies and NGOs need to take privacy, security and safety seriously. They can no longer afford to implement security at a lower level than corporations. “Times are changing and hackers are no longer just interested in financial information. People’s data is very valuable. We need to change and take security as seriously as corporates do!” as one person said.

 

 

Read Full Post »

Child participation at events: getting it right

Posted in children, development, participation, smart aid, youth, tagged , , , , , , , , , , , , , , on July 13, 2010| 8 Comments »

Group work at a regional consultation

Children and adolescent’s participation in decisions that affect them is key. More and more, decision makers are realizing that they need to consult with children when they are making decisions about children, meaning that children have more opportunities to weigh in on issues that impact on their lives.

Not knowing how to manage a good participation process or not listening to past lessons learned, however, can make it difficult for children and adolescents to take advantage of opportunities offered them to input into these decisions.

Children’s rights to participate

A child is anyone under the age of 18.  According to the UN Convention on the Rights of the Child (UN CRC), in addition to survival, development and protection rights, children also have participation rights.

  • Children have rights to be listened to, to freely express their views on all matters that affect them, and to freedom of expression, thought, association and access to information.
  • Participation should promote the best interest of the child and enhance the personal development of each child.
  • All children have equal rights to participation without discrimination.
  • All children have the right to be protected from manipulation, violence, abuse and exploitation

from the “Minimum Standards for Children’s Participation 10th draft”, written by Helen Veitch,*drawing on Articles 2, 3, 12, 13, 17, 19, 34 and 36 in the UN Convention on the Rights of the Child

What are the principles of participation? (Summarized from the above document)

An ethical approach: transparency, honesty and accountability

Adults involved need to follow ethical and participatory practices and put children’s best interests first. Because there are power and status imbalances between adults and children.  An ethical approach is needed in order for children’s participation to be genuine and meaningful.

A child friendly environment

The atmosphere should be safe, welcoming and encouraging.  Because in order for children to feel comfortable participating they need to feel safe and supported.

Equality of opportunity

Space should be ensured for those groups of children who typically suffer discrimination and are often excluded from activities. Because children, like adults, are not a homogeneous group and participation should be open to all.

Participation promotes the safety and protection of children

Child protection policies and procedures are an essential part of participatory work with children. Because organisations have a duty of care to children with whom they work and everything should be done to minimize the risk to children of abuse and exploitation or other potentially negative consequences of their participation.

Child participation in national, regional and global consultations

Children’s right to participate is key. However in practice, a safe and open environment for child participation at national, regional and global events can be difficult to ensure. It requires resources as well as a great deal of preparation.

Over the past several years, I’ve participated in some disappointing events where:

  • lessons learned about effective child participation and child protection were ignored
  • those tasked with ensuring child participation and protection were powerless to influence event organizers to ensure quality and safe participation
  • those organizing the event or sending children to it simply had no idea that there are standards and protocols and plenty of lessons learned that they should have taken into consideration.

Minimum standards for child participation

For example, back in 2005, several organizations in East Asia and the Pacific* collaborated to produce minimum standards for child participation in national and regional consultation events. These were initially developed for the UN Study on Violence against Children.

They offer a comprehensive overview of how to manage child participation and can be used as a guide for other national, regional or global events where children participate.  They should be considered whenever organizing, hosting or participating in an event where children are being consulted or their participation is desired.

You can have the most amazing and wonderful children present and the very best intentions, but fall very short of your goals of quality child participation because logistics and organization are poor and/or child participation and protection protocols are not followed.

What often goes wrong?

Child participation holds tremendous value, but when it’s not properly facilitated or supported; results can be negative on many levels, including:

  • Children are tokenized or used
  • Poor organization gets in the way of participation
  • Important opportunities are missed
  • Children become frustrated
  • Children are put at risk
  • Money and time are wasted

Oh, the things I’ve seen…

Mistakes those new to organizing events or supporting child participation in events often make:

  • Having singing and dancing in traditional costumes be the main role for children
  • Setting up totally new groups to participate in an event rather than working with existing groups
  • Not understanding the concept of ‘representativity’ and not ensuring democratic and fair selection processes of those children who participate
  • Not realizing (for global events) that the visa application process takes a very long time, and requires visa invitation letters and appointments in advance
  • Forgetting to get children their required vaccines
  • Not realizing that children may not have birth certificates or passports, meaning the visa process takes even longer
  • Not preparing children well for visa interviews, including the possibility that their visa request will be denied
  • Not allocating time and budget for travel necessary to obtain visas, permission from parents who do not live with the child (child trafficking laws often require this now) and other documentation
  • Not obtaining permission slips, medical histories, media releases from parents and/or not obtaining travel insurance for children
  • Not getting the above materials translated into a language parents can understand
  • Not having child protection policies in place and adhering to them
  • Not doing background checks on people who will be working with children
  • Thinking it’s OK to send children overseas without a chaperone, not budgeting for chaperones
  • Forgetting that not all children speak a major language like English, Spanish, Portuguese or French and will require translation of all materials before the event as well as constant translation during the event, and support following the event if they will continue to participate in event follow up

Children's responses on what they feared at an event.

Mistakes that even experienced child participation facilitators make:

  • Influencing too much on what children will say
  • Using children to promote the sponsoring organization or INGO’s agenda
  • Having children represent an NGO or INGO rather than representing themselves, their own groups or their communities
  • Having children wear NGO/ INGO t-shirts, caps and other branded items
  • Asking children from some countries (usually those from countries deemed ‘exotic’) to bring traditional costumes and share their culture, but not asking the same from other countries
  • Creating/building up ‘professional’ child participants and creating child star speakers
  • Relying on the same children all the time to represent because they have passports or visas or prior experience
  • Only bringing children who speak a major language or live in the capital to events
  • During sessions, not organizing group work in ways that facilitate communication across different languages
  • Sending any adult as a chaperone, rather than sending the best or the right adult as a chaperone
  • Not planning ahead on how children will be supported when they get back home to continue inputting into global networks and processes
  • Not ensuring a space for children to share their experiences with home offices and groups
  • Making children work long hours to fit everything in
  • Not giving children pocket money so that those with less means can also purchase small things for themselves or for family members
  • Housing children in fancy hotels with fancy food that they may not be used to; (not cooking enough good quality rice at lunch and dinner!)
  • Not realizing children may need to be shown how to use things like hotel showers, air conditioning, toilets
  • Not realizing that children may not want to sleep alone in a room
  • Not providing additional warm clothing for children if the conference climate is colder than their own
  • Not realizing that a trip overseas creates culture shock, children may feel lonely for their families
  • Not ensuring that children have the means to call home as soon as they arrive to an event and periodically during their stay
  • Not realizing that those facilitating child participation or working on child protection may not have the power to influence event organizers, especially if events are being organized in hierarchical ways with governments and high level committees involved
  • Not establishing at what point enough is enough, and children shouldn’t participate because conference organizers simply haven’t created favorable conditions, and children are put at risk or their participation will not be of good quality or have any real impact

Mistakes I’ve seen conference and event organizers repeat over and over:

  • Focusing on number of children participants rather than quality of participation
  • Not providing information with enough lead time for it to be translated and shared with children, or for good planning and selection processes to be done
  • Segregating children in parallel events where they don’t interact with adults
  • Not giving children space to lead sessions or engage with adults; offering them the last spot in the opening /closing speeches, and giving them a small percentage of the time that the adult speakers are given; or reducing children’s participation time because adults have gone over their allotted time
  • Patronizing children by clapping every time a child says something, or saying “oh that’s such a great idea!” not treating children respectfully as equals
  • Encouraging adults to get their photos taken with ‘exotic looking’ children in costumes
  • Not balancing the number of local participants and global participants
  • Not understanding that they need certain conditions to be available to fulfill child protection protocols (eg., children and adults need separate rooms; boys and girls as well as older/younger youth need to have separate rooms; the venue selection needs to have a measure of safety/security to prevent outsiders from taking advantage of any of the participating children, etc.)
  • Packing too many activities into the day and leaving children no time to rest
  • Not allowing any time for sight-seeing or recreation
  • Thinking all children have access to internet and computers to fill out registration forms, etc. and to participate in networks post conference
  • Not realizing that they need to listen to child participation and protection committees and adjust their ideas for their event so that children can effectively participate and are not put at risk
  • Thinking they can hire just anybody to manage child participation at the event
  • Not including a child participation/child protection point person in the organizing committee

So, what then?

I do honestly believe that children should participate and have a say in these issues, and that only by listening to children can decision-makers ensure that they are coming to the best decisions that benefit, resonate with, or have the best impact on children’s lives.

However unless proper organization, logistics, preparation and care are taken, these opportunities can be frustrating or a waste of an opportunity for everyone involved, and the validity of the efforts can easily be questioned.

Child participation needs to be taken seriously, not as an add-on or nice to have or cute to have. Unless and until regional and global events can ensure that this is happening, it might be a better investment to work with children at local and national levels.

Event organizers and child participation facilitators need to look at existing protocols, documentation, minimum standards and lessons learned and use them. Organizations shouldn’t be coming up with the same ‘lessons learned’ after every event and repeating the same mistakes at the next one. Surely we can do better than that.

What guidelines does your organization have? What mistakes have you made and learned from? What recommendations can you give? How can we get it right? Please share your thoughts in the comments section…

Download

Minimum Standards on Child Participation

Protocols and documents to use to help ensure good quality participation

*The following organizations participated on the steering committee that elaborated the Minimum Standards: UNICEF East Asia Pacific Regional Office, World Health Organisation, Office for the High Commissioner for Human Rights, ILO IPEC Asia and the Pacific, NGO Advisory Panel on the UN Study on Violence Against Children, Save the Children Alliance, Child Workers in Asia, ECPAT International, World Vision International APRO, Plan International, Terre des Hommes Germany, ASEAN Foundation.

Related posts on Wait… What?

Child protection, the media and youth media programs

Children and young people’s vision for a new Haiti

Read Full Post »