Data privacy for organizations
- 1 Themes from intros:
- 2 Ideas/guiding questions:
- 3 Basic needs of data privacy, user agreements
- 4 What do we want to do with data? What are threats to storing data?
- 5 Data minimization
- 6 Storing data in encrypted form, encryption key stores separately, data is only un-encrypted when its going to be used.
- 7 Analytics
- 8 Sharing best practices by nonprofits: e.g. Archive the Internet, bay area nonprofit, anonymizes their data, lots of it
- 9 List of basic resources for data privacy
Themes from intros:
- Improving privacy unintended bad results
- Technology challenges, beyond CRM or website
- Security of data for community orgs
- Anonymizing tracking information
How we can do both? Be respectful of people’s data & do business in a viable way What conversations must we have in order to do this well?
Basic needs of data privacy, user agreements
Individual privacy – only protected type of privacy – but creates “small harms to large groups,” (e.g. differential privacy = de-identifying data. Can’t use race or gender for certain types of analysis (e.g. health).
How can we do analytics on data in safe way?)
Some of these things already happen…
Advertiser cannot target “African Americans,” but they might target a particular neighborhood, income bracket, etc. “I can look at a population and determine a connection between smoking and cancer, without knowing whether any particular individual smokes or has cancer.”
EU law forbids storage and collection of information with personal identifyers – potential starting point for discussion
How does anonymity effect equity?
Aggregation is one way to de-personalize data
What do we want to do with data? What are threats to storing data?
- can sell them
- can be stolen
- company can use data in malicious ways
open-whisper systems : app developer, were asked by federal govt for IP addresses, but they did not have that info on their server.
Data travels – has a journey – need to consider threats at different moments in that journey. When doing a survey, sharing data, etc.
Storing data in encrypted form, encryption key stores separately, data is only un-encrypted when its going to be used.
In EU, many companies having these conversations – impact assessments, data flow tools, We should all be analyzing our use of data, privacy threats, etc.
Privacy badger – EFF browser anynomization tool
Will be interesting to see how corporations will conform to new regulations
Non-profits have cause for concern in protecting the privacy of their data, especially if they work with vulnerable populations
Can we use this event to have new discussions about the ethics of data privacy, there are some large companies that all of a sudden have interest and resources.
Development of new tools that are being used by companies – some are crap, but there are some good tools also. Non-profits can use these tools as well, should also assess threats
Data brokers – share data amongst companies
Website developers offer it, don’t want to use Google Analytics, but there are few other options
Many forces are pushing nonprofits to risky practices (such as Google)
Some might that storing data without a clear agreement should be illegal…at least start the conversation here Foundations and funders should also understand how they might be compromising the communities they are wanting to support – pushing for greater data gathering, analystics, etc.
Sharing best practices by nonprofits: e.g. Archive the Internet, bay area nonprofit, anonymizes their data, lots of it
Not every nonprofit can hire someone with a professional understanding of data, but there should be a list of best practices, including risk assessments, etc.
Do we trust large companies who are making promises about data privacy?
MailChimp, for example, have expressed that they will voluntarily comply with GDPR (General Data Protection Regulation), but will small organizations be able to legally challenge if they don’t??
What do we do to remain functional as nonprofits?
In EU there are email providers that are showing up as viable alternatives
List of basic resources for data privacy
- Data Ethics – nonprofit that consults around ethical data storage
- EFF – “Who Has Your Back” Report: 5 questions for service providers that rate their stance on data privacy. Also * Report on Data anonymization
- Privacy Badger
- “Road map” webinars and toolkits for nonprofits and grassroots groups, how to create threat assessment, etc.
- Data Ethics canvas (similar to business model canvass) tool for thinking about what data you have, how you store it, what is the data’s life cycle, etc. Creative Commons licensed.
- Connecting more nonprofits to resources like Capital One?
- Tactical Tech (Europe), Engine Room, consultants that will help non profits with issues of data, analytics, etc.
- Digital Society Lab, Stanford, help for organizations that want to set up ethical data usage. E.g. use agreement templates, etc. https://Digitalimpact.io
- British govt has survey on data usage that provides recommendations