Lean Data Practices for Civil Society Organizations

In the last few months, we've heard reports of crippling hacks of organizations that put their communities at risk. The fact is, civil society organizations (NGOs) that collect data to inform, educate, and activate communities are under attack. And this means our communities are under attack.

After listening to quite a few leaders in the civil society space, I learned that safe data collection and storage practices are rarely baked into the sense of responsibility we feel towards our communities. We know data is important, but we don't always think about how dangerous it can be to hold onto data we don't need. And we're not always thinking about our responsibility to the communities we serve from a digital security perspective.

So with Mozilla's Legal Team, I created Lean Data Practices for Civil Society Organizations, a framework for advocacy organizations to think about their data practices. In this day and age of hacks, breaches, and phishing attacks, how can we make it safe for people to join and participate in the resistance? How can we build trust and reduce risk to create a culture of safety for all?

Lean Data Practices encourage 3 main practices:

1. Stay Lean
2. Build in Security
3. Engage Your Membership

More details on the website. 

1. Stay Lean

Staying lean starts with asking yourself, do I need this data to provide the value I’m trying to deliver to members?

• If you don’t need a piece of data, don’t collect it.
• If you need a piece of data, keep it for only as long as necessary and anonymize the data before you store it.

If you already have a lot of data, it's important to know what you have. There are explicit pieces of information we collect -- like names, email addresses, and zipcodes -- but did you know you might be collecting IP addresses too? How does collecting this piece of data contribute to your theory of change? And when do you delete data?

For example, at Mozilla we often delete data when we know we'll no longer need it. Email addresses that haven't interacted with content we've sent might get one reminder, but usually we delete them from our list 12 months after the last interaction. In other cases, around specific time-bound campaigns, if we've collected any information we'll often delete it within 120 days of the end of the campaign.

2. Build in Security

What protections have you put around the data you’ve collected?

• Limit access to the data to those who truly need access.
• Encrypt it while you’re moving it.
• Know where you store your data and think about how best to protect that data.

At Netroots Nation, where I gave a workshop on the Lean Data Practices, I asked the participants how many people at their organizations had access to the data -- we're talking about the lists of names, email addresses, zipcodes, and other personally identifiable information (PII). In some organizations with about 30 people, ALL of the staff had access to those lists! At other organizations, even the volunteers had access to the full list of data.

But does everyone who has access to the data NEED access?

Sometimes breaches happen. Still, it's worth having your teams -- especially those who access data -- to go through a security training to understand how to encrypt data, and how/where to escalate an issue if they notice a breach. And it's good practice to notify your membership if there is a breach -- do you have a process for sharing this information that will help your membership understand what happened, and how to protect themselves?

What happens if a third-party vendor is breached? What responsibility do they have to share their data if subpoenaed by the government? These types of questions can also help guide what 3rd-party vendors you decide to work with in the beginning as well.

3. Engage Your Membership

Is the way you're collecting, using, and disclosing data clear to your members? Things like in-context notices, a privacy policy, and transparency reports can be helpful in informing your members on how you collect and use data. Members who can choose what data to disclose, and how to control their privacy settings can be very useful towards building trust.

This sort of trust can help build and foster long-lasting relationships between members and organizations. Members join lists and donate to causes because they want to make a positive change in the world. Showing them that you're respecting their privacy while letting them contribute to a better world creates a wonderful, symbiotic relationship.

 

Putting Lean Data into Practice

If you have a lot of data, it's easy to get overwhelmed about where to start. It might help to choose one person on your team to focus on this for a little while -- a Data Steward. You can dive into the details a little more at the Lean Data Practices website. But maybe most importantly, have a discussion with your team about your responsibility to your members and communities, and make that a priority too.