Upholding Data Protection and Privacy
Published on: Fri Jul 03 2020 by Ivar Strand
Data in Trust: Upholding the Highest Standards of Data Protection and Privacy
Introduction
In the field of third-party monitoring, data is our primary currency. It is the raw material from which we derive insights and provide assurance. However, when this data is collected from individuals and communities, particularly in fragile or post-conflict settings, it ceases to be a simple asset. It becomes a profound responsibility—a trust placed in our hands that carries significant ethical and legal weight.
A fundamental idea in our work is that managing this responsibility requires more than just good intentions. It demands a systematic, end-to-end data governance framework that protects sensitive information throughout its entire lifecycle, from the moment it is collected to the moment it is securely destroyed.
Stage 1: Collection – The Principle of Data Minimization
Effective data protection begins before a single question is asked. It starts with the core principle of data minimization: we collect only the data that is strictly necessary for the defined monitoring purpose.
- Limiting Personally Identifiable Information (PII): We treat all PII—any data that can be used to identify a specific individual, such as a name, phone number, address, or national ID—with the highest level of care. Our default position is to avoid collecting PII unless it is absolutely essential for the verification task (e.g., confirming receipt of a cash transfer).
- Ensuring Informed Consent: The ethical bedrock of data collection is informed consent. Before an interview, every participant must be clearly informed, in a language they understand, what data is being collected, why it is needed, how it will be stored and used, and what potential risks are involved. Consent must be knowing, specific, and entirely voluntary.
Stage 2: Transmission and Storage – The Principle of Security
Once data is collected, it is immediately at risk. Protecting it requires robust technical security measures to safeguard it both in transit and at rest.
- Security in Transit: Data collected on mobile devices in the field is held on the device only until it has been uploaded. It is transmitted over encrypted channels (HTTPS/TLS) to central servers, which protects it from being read or altered while in transit. Transport encryption does nothing for data still sitting on a device or already on the server, which is why the at-rest controls below are needed as well.
- Security at Rest:
- Device-Level Protection: All data collection devices (tablets, laptops) are encrypted, protected by strong passwords, and equipped with remote-wipe capabilities in case of loss or theft.
- Server-Level Protection: All project data is stored on access-controlled servers in physically secure data centers in Norway, inside the EEA, where the EU’s General Data Protection Regulation (GDPR) applies directly. We apply GDPR as our standard on every project regardless of where it is carried out. Storing the data in Norway is one part of meeting that standard; it does not by itself make a project compliant, and it is complemented by access control and by the anonymization, retention and destruction rules described below.
Stage 3: Analysis and Reporting – The Principle of Anonymization
Raw data is rarely shared. Before data is used for analysis or included in any report, it undergoes a rigorous process to protect the confidentiality of the individuals who provided it.
- Anonymization and Aggregation: All direct PII is stripped from analytical datasets or replaced with non-identifiable codes (pseudonymization). The key that links a code back to an individual must be held separately from the dataset, and pseudonymized data is still personal data under GDPR and is protected as such. Findings are then presented in an aggregated form (e.g., “75% of respondents in District Y stated…”). Aggregation protects individuals only when each reported group is large enough that no single respondent’s answer can be inferred from the figure; results for very small groups must therefore be suppressed rather than published. Together these steps make it impractical to trace a specific data point or opinion in a report back to the person who provided it.
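The two steps above, pseudonymization followed by aggregation with small-cell suppression, as an added worked example. This is illustrative code written for this page, not Abyrint's tooling; the records, field names, the 16-hex-digit code length and the cell-size threshold of 5 are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample interview records, not real respondents. "name" and
# "phone" are direct PII; "district" and "received_cash" are the fields the
# monitoring question (was the cash transfer received?) actually needs.
RAW_RECORDS = (
    [{"name": f"Person {i}", "phone": f"+000 555 01{i:02d}", "district": "Y",
      "received_cash": "yes" if i < 6 else "no"} for i in range(8)]
    + [{"name": f"Person {i}", "phone": f"+000 555 02{i:02d}", "district": "Z",
        "received_cash": "yes"} for i in range(8, 10)]
)

PII_FIELDS = ("name", "phone")
MIN_CELL_SIZE = 5  # assumed threshold: cells with fewer respondents are suppressed


def pseudonymize(record, key):
    """Strip direct PII and attach a keyed pseudonymous code.

    The code is HMAC-SHA256 over the phone number under a per-project secret
    key. A plain SHA-256 of a phone number is reversible by enumerating the
    (small) phone-number space; keying the hash closes that off, provided the
    key lives apart from the dataset (key store or sealed envelope, never the
    same share as the data). A per-project key also stops codes from being
    linked across projects. 16 hex digits = 64 bits, ample for a project-sized
    dataset.
    """
    code = hmac.new(key, record["phone"].encode("utf-8"), hashlib.sha256)
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    out["respondent_code"] = code.hexdigest()[:16]
    return out


def aggregate(records, group_field, value_field, positive="yes",
              min_cell=MIN_CELL_SIZE):
    """Per-group share of `positive` answers, with small-cell suppression.

    Aggregation alone does not guarantee unlinkability: "100% of the 2
    respondents in District Z" names both of their answers. Groups below
    `min_cell` are reported as suppressed, and their exact size is withheld
    too, since publishing n=2 already says how many people were interviewed.
    """
    groups = {}
    for r in records:
        groups.setdefault(r[group_field], []).append(r[value_field])
    table = {}
    for g, values in sorted(groups.items()):
        n = len(values)
        if n < min_cell:
            table[g] = {"n": None, "pct": None, "suppressed": True}
        else:
            hits = sum(1 for v in values if v == positive)
            table[g] = {"n": n, "pct": round(100 * hits / n), "suppressed": False}
    return table


def report(records, key):
    """Stage 3 pipeline: pseudonymize every record, then aggregate."""
    pseudo = [pseudonymize(r, key) for r in records]
    # Guard: nothing with a PII field name may reach the analytical dataset.
    assert not any(f in p for p in pseudo for f in PII_FIELDS)
    return pseudo, aggregate(pseudo, "district", "received_cash")


if __name__ == "__main__":
    # In practice the key is generated once per project and kept in a key store.
    project_key = secrets.token_bytes(32)
    pseudo, table = report(RAW_RECORDS, project_key)
    print("analytical record:", pseudo[0])
    for district, row in table.items():
        if row["suppressed"]:
            print(f"District {district}: suppressed (fewer than {MIN_CELL_SIZE} respondents)")
        else:
            print(f"District {district}: {row['pct']}% of {row['n']} respondents said yes")
```

Running it yields an analytical record with no name or phone, a 75% figure for District Y, and a suppressed line for District Z. Destroying the project key at the end of Stage 4 is what turns the pseudonymized dataset into one that can no longer be linked back to individuals at all.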
Stage 4: Retention and Destruction – The Principle of Purpose Limitation
Sensitive data should not be kept indefinitely. Its retention must be tied directly to the purpose for which it was collected.
- Data Retention Policy: At Abyrint, we have a formal policy that defines the specific retention period for all project data. This period is determined by our contractual obligations to the client and any overriding legal requirements.
- Secure Destruction: Once the retention period expires and the project is formally closed, all associated data is securely and permanently destroyed. This includes deletion from primary servers and from all backup systems. Because backups are typically kept on their own rotation schedule, destruction is complete only when the last backup copy containing the data has itself expired or been deleted, and the retention period must account for that. This final step is critical to ensuring that our responsibility for the data has a clearly defined end point.
Beyond Compliance: Data Ethics as a Core Value
A technical framework for data protection is essential, and regulations like GDPR, which we apply as our baseline on every project, set a floor for responsible conduct. However, true data stewardship goes beyond compliance with rules. It involves embedding a culture of data ethics where every member of our team understands that the numbers in our datasets represent human lives and stories.
Protecting this data is therefore not simply about managing legal or reputational risk. It is a core professional and moral obligation. It is how we uphold the trust placed in our organization by our clients and, most importantly, by the communities we serve.