Principle: Address Privacy & Security

addressprivacy

#1

Hi! So first of all, I’m not sure if suggestions, pull requests, etc. are allowed for discussing principles and if so feel free to mute this thread.

I’ve been doing some research into developing an MoU as well as a standard data privacy and protection policy for my team at work (and hopefully will be able to propose it to be used department wide!).

Obviously, the principle on Privacy and Security served as inspiration but I also have been spending quite a bit of time reading other material used within development and humanitarian work and have compiled a small list of sources and suggestions I thought I’d share here.

So first, here’s the content I pulled these ideas from:

Here are a couple of suggestions I thought might be useful when discussing this particular principle:

Firstly, out of the 3 sources listed, I felt the general approach of the Signal Code was the most flexible and likely to be the most effective in development. The reason for this was the fact that they applied a rights-based approach to creating policy around managing not just PIA (private identifiable information) and DIA (demographic identifiable information) in development projects but all data collected and used.

A rights-based approach (RBA) seems to have been fairly popular in development for a little under a decade now within traditional development projects, but it has often been thrown aside when it comes to tech in order to “move faster”. I don’t think using RBA when describing tech policy will slow anything down, and the cost of not doing so has been shown to be harmful in a number of cases.

Perform a risk-benefit analysis of the data being processed that identifies who benefits and who is at risk. This process may need to be repeated throughout the period of performance as new data are needed, new risks are identified or emerge, or new data-sharing partners are considered.

The above point in the privacy & security principle, I think, could easily sort of justify the removal of rights (that aren’t really defined) if we suspect there may be a strong benefit (which oftentimes turns out not to be the case).

My second thought is that I wonder if this principle should be split up or organized in some way beyond just a set of bullet points. I think that privacy and security are certainly quite closely linked, but the approach and issues that stem from each are often quite different. Perhaps having subsections would be a better way to structure them.