Difference between revisions of "Data privacy for organizations"
(Created page with "Data privacy *Themes from intros: Improving privacy unintended bad results Technology challenges, beyond CRM or website Security of data for community orgs Anonymizing tracki...") |
|||
| (13 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ==Themes from intros:== | |
| + | * Improving privacy unintended bad results | ||
| + | * Technology challenges, beyond CRM or website | ||
| + | * Security of data for community orgs | ||
| + | * Anonymizing tracking information | ||
| − | + | ==Ideas/guiding questions:== | |
| − | + | How we can do both? Be respectful of people’s data & do business in a viable way | |
| − | + | What conversations must we have in order to do this well? | |
| − | |||
| − | |||
| − | + | ==Basic needs of data privacy, user agreements== | |
| − | How we | + | Individual privacy – only protected type of privacy – but creates “small harms to large groups,” (e.g. differential privacy = de-identifying data. Can’t use race or gender for certain types of analysis (e.g. health). |
| − | + | ||
| + | How can we do analytics on data in safe way?) | ||
| − | |||
| − | |||
Some of these things already happen… | Some of these things already happen… | ||
| + | |||
Advertiser cannot target “African Americans,” but they might target a particular neighborhood, income bracket, etc. | Advertiser cannot target “African Americans,” but they might target a particular neighborhood, income bracket, etc. | ||
“I can look at a population and determine a connection between smoking and cancer, without knowing whether any particular individual smokes or has cancer.” | “I can look at a population and determine a connection between smoking and cancer, without knowing whether any particular individual smokes or has cancer.” | ||
| + | |||
EU law forbids storage and collection of information with personal identifyers – potential starting point for discussion | EU law forbids storage and collection of information with personal identifyers – potential starting point for discussion | ||
| + | |||
How does anonymity effect equity? | How does anonymity effect equity? | ||
| + | |||
Aggregation is one way to de-personalize data | Aggregation is one way to de-personalize data | ||
| + | |||
Relational database | Relational database | ||
| − | + | ==What do we want to do with data? What are threats to storing data?== | |
| − | + | # can sell them | |
| − | + | # can be stolen | |
| − | + | # company can use data in malicious ways | |
| − | + | ==Data minimization== | |
open-whisper systems : app developer, were asked by federal govt for IP addresses, but they did not have that info on their server. | open-whisper systems : app developer, were asked by federal govt for IP addresses, but they did not have that info on their server. | ||
| + | |||
Data travels – has a journey – need to consider threats at different moments in that journey. When doing a survey, sharing data, etc. | Data travels – has a journey – need to consider threats at different moments in that journey. When doing a survey, sharing data, etc. | ||
| − | + | ==Storing data in encrypted form, encryption key stores separately, data is only un-encrypted when its going to be used.== | |
In EU, many companies having these conversations – impact assessments, data flow tools, | In EU, many companies having these conversations – impact assessments, data flow tools, | ||
We should all be analyzing our use of data, privacy threats, etc. | We should all be analyzing our use of data, privacy threats, etc. | ||
| − | Privacy badger – EFF browser anynomization tool | + | |
| − | Will be | + | Privacy badger – EFF browser anynomization tool |
| + | |||
| + | Will be interesting to see how corporations will conform to new regulations | ||
| + | |||
Non-profits have cause for concern in protecting the privacy of their data, especially if they work with vulnerable populations | Non-profits have cause for concern in protecting the privacy of their data, especially if they work with vulnerable populations | ||
| + | |||
Can we use this event to have new discussions about the ethics of data privacy, there are some large companies that all of a sudden have interest and resources. | Can we use this event to have new discussions about the ethics of data privacy, there are some large companies that all of a sudden have interest and resources. | ||
| + | |||
Development of new tools that are being used by companies – some are crap, but there are some good tools also. | Development of new tools that are being used by companies – some are crap, but there are some good tools also. | ||
| − | Non-profits can use these tools as well, should also assess threats | + | Non-profits can use these tools as well, should also assess threats |
| + | |||
Data brokers – share data amongst companies | Data brokers – share data amongst companies | ||
| − | + | ==Analytics== | |
Website developers offer it, don’t want to use Google Analytics, but there are few other options | Website developers offer it, don’t want to use Google Analytics, but there are few other options | ||
| + | |||
Many forces are pushing nonprofits to risky practices (such as Google) | Many forces are pushing nonprofits to risky practices (such as Google) | ||
| + | |||
Some might that storing data without a clear agreement should be illegal…at least start the conversation here | Some might that storing data without a clear agreement should be illegal…at least start the conversation here | ||
Foundations and funders should also understand how they might be compromising the communities they are wanting to support – pushing for greater data gathering, analystics, etc. | Foundations and funders should also understand how they might be compromising the communities they are wanting to support – pushing for greater data gathering, analystics, etc. | ||
| − | + | ==Sharing best practices by nonprofits: e.g. Archive the Internet, bay area nonprofit, anonymizes their data, lots of it== | |
| + | |||
Not every nonprofit can hire someone with a professional understanding of data, but there should be a list of best practices, including risk assessments, etc. | Not every nonprofit can hire someone with a professional understanding of data, but there should be a list of best practices, including risk assessments, etc. | ||
| − | Do we trust large companies who are making promises about data privacy | + | |
| + | Do we trust large companies who are making promises about data privacy? | ||
| + | |||
MailChimp, for example, have expressed that they will voluntarily comply with GDPR (General Data Protection Regulation), but will small organizations be able to legally challenge if they don’t?? | MailChimp, for example, have expressed that they will voluntarily comply with GDPR (General Data Protection Regulation), but will small organizations be able to legally challenge if they don’t?? | ||
| + | |||
What do we do to remain functional as nonprofits? | What do we do to remain functional as nonprofits? | ||
| + | |||
In EU there are email providers that are showing up as viable alternatives | In EU there are email providers that are showing up as viable alternatives | ||
| − | + | ==List of basic resources for data privacy== | |
| − | Data Ethics – nonprofit that consults around ethical data storage | + | * Data Ethics – nonprofit that consults around ethical data storage |
| − | EFF – “Who Has Your Back” Report: 5 questions for service providers that rate their stance on data privacy. Also Report on Data anonymization | + | * EFF – “Who Has Your Back” Report: 5 questions for service providers that rate their stance on data privacy. Also * Report on Data anonymization |
| − | Privacy Badger | + | * Privacy Badger |
| − | “Road map” webinars and toolkits for nonprofits and grassroots groups, how to create threat assessment, etc. | + | * “Road map” webinars and toolkits for nonprofits and grassroots groups, how to create threat assessment, etc. |
| − | Data Ethics canvas (similar to business model canvass) tool for thinking about what data you have, how you store it, what is the data’s life cycle, etc. Creative Commons licensed. | + | * Data Ethics canvas (similar to business model canvass) tool for thinking about what data you have, how you store it, what is the data’s life cycle, etc. Creative Commons licensed. |
| − | Connecting more nonprofits to resources like Capital One? | + | * Connecting more nonprofits to resources like Capital One? |
| − | Tactical Tech (Europe), Engine Room, consultants that will help non profits with issues of data, analytics, etc. | + | * Tactical Tech (Europe), Engine Room, consultants that will help non profits with issues of data, analytics, etc. |
| − | Digital Society Lab, Stanford, help for organizations that want to set up ethical data usage. E.g. use agreement templates, etc. [https://Digitalimpact.io] | + | * Digital Society Lab, Stanford, help for organizations that want to set up ethical data usage. E.g. use agreement templates, etc. [https://Digitalimpact.io https://Digitalimpact.io] |
| − | British govt has survey on data usage that provides recommendations | + | * British govt has survey on data usage that provides recommendations |
Latest revision as of 23:09, 28 November 2017
Themes from intros:
- Improving privacy unintended bad results
- Technology challenges, beyond CRM or website
- Security of data for community orgs
- Anonymizing tracking information
Ideas/guiding questions:
How we can do both? Be respectful of people’s data & do business in a viable way What conversations must we have in order to do this well?
Basic needs of data privacy, user agreements
Individual privacy – only protected type of privacy – but creates “small harms to large groups,” (e.g. differential privacy = de-identifying data. Can’t use race or gender for certain types of analysis (e.g. health).
How can we do analytics on data in safe way?)
Some of these things already happen…
Advertiser cannot target “African Americans,” but they might target a particular neighborhood, income bracket, etc. “I can look at a population and determine a connection between smoking and cancer, without knowing whether any particular individual smokes or has cancer.”
EU law forbids storage and collection of information with personal identifyers – potential starting point for discussion
How does anonymity effect equity?
Aggregation is one way to de-personalize data
Relational database
What do we want to do with data? What are threats to storing data?
- can sell them
- can be stolen
- company can use data in malicious ways
Data minimization
open-whisper systems : app developer, were asked by federal govt for IP addresses, but they did not have that info on their server.
Data travels – has a journey – need to consider threats at different moments in that journey. When doing a survey, sharing data, etc.
Storing data in encrypted form, encryption key stores separately, data is only un-encrypted when its going to be used.
In EU, many companies having these conversations – impact assessments, data flow tools, We should all be analyzing our use of data, privacy threats, etc.
Privacy badger – EFF browser anynomization tool
Will be interesting to see how corporations will conform to new regulations
Non-profits have cause for concern in protecting the privacy of their data, especially if they work with vulnerable populations
Can we use this event to have new discussions about the ethics of data privacy, there are some large companies that all of a sudden have interest and resources.
Development of new tools that are being used by companies – some are crap, but there are some good tools also. Non-profits can use these tools as well, should also assess threats
Data brokers – share data amongst companies
Analytics
Website developers offer it, don’t want to use Google Analytics, but there are few other options
Many forces are pushing nonprofits to risky practices (such as Google)
Some might that storing data without a clear agreement should be illegal…at least start the conversation here Foundations and funders should also understand how they might be compromising the communities they are wanting to support – pushing for greater data gathering, analystics, etc.
Sharing best practices by nonprofits: e.g. Archive the Internet, bay area nonprofit, anonymizes their data, lots of it
Not every nonprofit can hire someone with a professional understanding of data, but there should be a list of best practices, including risk assessments, etc.
Do we trust large companies who are making promises about data privacy?
MailChimp, for example, have expressed that they will voluntarily comply with GDPR (General Data Protection Regulation), but will small organizations be able to legally challenge if they don’t??
What do we do to remain functional as nonprofits?
In EU there are email providers that are showing up as viable alternatives
List of basic resources for data privacy
- Data Ethics – nonprofit that consults around ethical data storage
- EFF – “Who Has Your Back” Report: 5 questions for service providers that rate their stance on data privacy. Also * Report on Data anonymization
- Privacy Badger
- “Road map” webinars and toolkits for nonprofits and grassroots groups, how to create threat assessment, etc.
- Data Ethics canvas (similar to business model canvass) tool for thinking about what data you have, how you store it, what is the data’s life cycle, etc. Creative Commons licensed.
- Connecting more nonprofits to resources like Capital One?
- Tactical Tech (Europe), Engine Room, consultants that will help non profits with issues of data, analytics, etc.
- Digital Society Lab, Stanford, help for organizations that want to set up ethical data usage. E.g. use agreement templates, etc. https://Digitalimpact.io
- British govt has survey on data usage that provides recommendations