10 things that evaluators (and anyone in the not-for-profit sector) need to know.
As an evaluator (or, frankly, anyone on the frontlines of the not-for-profit sector), our job is to know a thing or two about data privacy. After all, we’re increasingly required to collect impact data for donors and funders about how well our organisations, programs and individuals are performing.
But while there is much to like about data – most notably, it helps to fuel more evidence-based change in our sector – how often do we think about it, really? And are we up to date with privacy law, especially where it concerns data privacy online?
These questions have only been made more acute with our collective move to digital channels and tools in response to the COVID-19 lockdown.
If our ‘bread and butter’ is data – and lots of it – then the last thing we want is for our data-management approach to run afoul of the law.
With that in mind, here are 10 points to think about to help you remain compliant with Australian law concerning data collection and data storage.
(Bonus point: At the end of this post, you’ll find details of a Clear Horizon live webinar to be held on Thursday 7 May 2020 that will give you the opportunity to further expand your knowledge in this area, and talk directly to people with years of data privacy experience.)
Your cloud option might not be safe
If you’re saving your data on a cloud storage option, check where the server is located!
For all intents and purposes, cloud storage is not the place to be storing personal data – unless the cloud storage servers you use are based in Australia, says Jill. That means tools used by evaluators such as Zoom and SurveyMonkey may be off-limits as data-storage options (unless you take additional precautions), because their servers can be based overseas.
“If you’re an organisation operating in Australia, you’re liable if you store personal data on overseas servers and the data gets compromised. Keep your data stored in the cloud on Australian servers, instead. Platforms such as Microsoft have Australian servers, so their tools – like Microsoft Forms and Teams – are okay to use.”
Make sure your evaluator toolkit includes a privacy checklist
Every evaluator has a toolkit – and every evaluator’s toolkit has a privacy checklist. True? If you answered in the negative, now’s the time to create a checklist. After all, if you’ve got a privacy checklist as part of your toolkit, says Jill, it’s more likely that data privacy will be factored into your planning.
The questions in your data privacy checklist could include:
- Are we receiving data from clients?
- Are we collecting personal or sensitive information from individuals?
- What will this data be used for?
- Can we guarantee data confidentiality?
- What processes will we use to get informed consent?
- How long will we need to store this data?
- Are we complying with Australian law around data privacy?
You must always get consent
As well as having a reason to collect data, you must get consent from the person providing it (unless they are incapable of doing so and then you must get consent from a guardian). To ensure you’re getting the consent you need, you should communicate to those providing you with personal data the following information:
- Your name and that of your organisation
- A notification that you are collecting data (if third-party) or personal information (if first-hand)
- Information on why you are collecting that data, e.g. who commissioned you to do the work
- Information on how that information will be used. Try to think ahead and anticipate what those uses could be – for instance, clients can sometimes ask to see the raw data you’ve collected. If there is a possibility that could happen, you need to tell those you’re collecting the data from that this might happen, even if it’s de-identified when the client receives it.
- Information on how your organisation will treat their personal information – will it be treated as confidential, who can access it, how it will be stored and for how long?
- How that person can access their data and what they are committing to in agreeing to provide their information.
The best way to ensure the above information is communicated, says Jill, is through a data collection statement.
You are personally responsible for storing data securely
This one cannot be over-emphasised: Assign someone in your organisation (or yourself) to be the data privacy officer – even if it’s not a formal role. That way, your organisation will be better able to fulfil its responsibilities for storing data securely.
“Make sure someone owns this function,” insists Jill, “because if something isn’t owned, it won’t get done.”
It can also be helpful, she says, if your privacy officer has practical experience in meeting privacy requirements; that is, knowing what’s generally needed in a broad range of situations, and providing advice across your organisation.
“While some aspects of privacy can be covered by such things as collection statements or checklists that people can adapt, it is helpful to have the privacy officer review work and offer advice about how to meet privacy requirements in a practical, client-focused way.”
You are responsible for any third party who accesses the data