Here’s a look at our practices and principles around the collection and use of personal information. If we had to boil it down, our approach is focused on being open and trustworthy.
What do we mean by data privacy and ethics?
Data privacy refers to how we use information, while protecting an individual’s personal information, and respecting their preferences about how it is used.
Ethics tries to answer questions about ‘what is right?’ (and ‘what is wrong?’) from a moral perspective. We’re concerned about doing what is right, when it comes to working with personal data.
Why are we thinking about these things?
As we use data from individuals, we aim to operate in the most ethical way we can. The core tension within our thinking around data policy and practice is the trade-off between sharing people’s data vs. protecting this data. Protecting this data is important, to ensure it is not misused, and doesn’t have negative ramifications for individuals. Sharing this data is also important, because it can be a powerful way to bring about change, grounded in people’s experiences.
We ask ourselves: is there more to be gained by sharing this information than is risked by sharing it? When we make choices, we have to consider risks and rewards of both options— but also the agency of the people the stories belong to, in determining what’s right for them. That’s a right that many people living on the margins find difficult to access.
What are InWithFoward’s principles and practices, when it comes to managing personal information?
Get ready, this is a long one! Our practices are informed by the Fair Information Principles from Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and British Columbia’s Personal Information Protection Act (PIPA).
When it comes to dealing with personal information, we aim for clear, easy to understand practices that are readily available for anyone to read. That’s why we’re talking about them on this page! This in accordance with Fair Information Principle 8 – Openness.
We also believe that being open about our data policies and privacy practices will help us to receive feedback from others, and to improve upon them. Sharing our process and practices also allows other organizations to build on work we’ve done, just as we learn from the practices of other organizations.
We identify why personal data is being collected, at the time of collection. We explain to individuals that data is collected for a particular project or projects, and explain the purpose of the project(s). And if it turns out we want to use data for a new purpose, we’ll reach out to obtain consent again. We also include all this information in a consent form we share with contributing individuals. This is in accordance with Fair Information Principle 2 – Identifying Purposes.
Level of Risk
We work with individuals to determine the level of risk associated with sharing their personal data. In doing so, we use tools like risk matrices.
We support participating individuals to identify potential risks in sharing information, considering things like risks to reputation, health, safety, housing, employment, and legal risks.
With each potential risk, we think about:
- the likelihood → How likely is it to happen?
- the severity → How bad would it be if it did happen?
This discussion helps to inform the ‘risks of harm’ within our consent process, in accordance with Fair Information Principle 3 – Consent.
Preference for Identification
Beside thinking about risk, we also ask individuals about their preferences for identification. For example, does an individual want to be identified by their first name, or a pseudonym? We never share last names, as we see it as an unnecessary risk to the privacy of individuals sharing their stories. At the same time, we feel that individuals should retain the right to have their first name associated with their story.
When sharing information might put an individual at risk, and when particular details might make an individual recognizable— even without their name included— we may edit details of a story, so that an individual is no longer identifiable.
While ‘thick data’ is the essence of much of our work, we collect and share only as much data as we need to tell an individual’s story. We don’t collect personal information beyond this. These practices are in accordance with Fair Information Principle 4 – Limiting Collection.
Individual Access and Ongoing Consent
We also have an ongoing consent process. This is in accordance with Fair Information Principle 3 – Consent. An individual’s sentiment at the time of story collection may not be consistent with their usual preferences. To ensure that an individual feels comfortable making available the information they have shared, we ask for permission when we first collect the data.
Then, whenever possible, we meet with the individual at a later date, to share the information we’ve recorded. At this time, we double-check their sharing preferences, in case they might have changed from our first session. This helps us to adhere to Fair Information Principle 6 – Accuracy. At this point, individuals have the opportunity to change their mind about what they might and might not like to share. This might involve removing their first name, replacing a photo, or removing a particular detail from the story they’ve shared. This also often involves adding. Once people have seen their story, they often feel more comfortable or eager for it to be shared or associated with them!
After this second stage of obtaining consent, the data may be shared, for example, with project partners. However, an individual can still update their story at any time, remove details, or elect to have it deleted. When information is removed from our digital records, we don’t have control over a project partner’s use of the information.
We’re sometimes unable to get in touch with individuals a second time. In this case, we anonymize an individual’s data, even if they gave permission for including identifying photos and first name. These practices are in accordance with Fair Information Principle 9 – Individual Access.
What are my responsibilities, as someone using data from InWithForward?
We depend on the individuals and organizations using the data we share to use it in an ethical way. As an individual examining data from InWithFoward, you are responsible for using it in a way that respects the individuals who have shared it, and recognizes the human behind it. Be mindful of how you share it. This means:
- Keep information in context; avoid reductionism.
- Include the date collected, alongside data.
- Share only as widely as necessary.
How do we store and retain data?
We store data in both physical and digital formats. Digitally, we store data on password-protected computers. We also store information in physical form, as notes in notebooks, and as physical copies in our offices. These physical copies are under lock and key, and accessible by a limited number of InWithFoward employees.
We save digital information on Sync, a cloud storage service, with files stored on Canadian servers. If an individual elects to have their data deleted, we delete the digital copy. We retain physical copies of the data, in case of a discrepancy.
With these practices, we aim to be in accordance with Fair Information Principle 5 – Limiting Use, Disclosure and Retention and Fair Information Principle 7 – Safeguards.
What personal information does InWithFoward disclose to subsidiaries and third parties?
In instances where InWithFoward is partnering with another organization on a project, we share data with these project partners. When this is the case, we clearly specify on our consent form, sharing what type of data will be shared.
What can I do if I want to change information I’ve given to InWithForward?
If you’d like to update, remove details or change information you’ve provided to InWithForward, get in touch with our Operations Manager firstname.lastname@example.org.
With these practices, we aim to be in accordance with Fair Information Principle 9 – Individual Access.
Who at InWithForward is accountable?
Sarah Schulman is the person accountable for privacy policies and practices at InWithForward. She can be reached at email@example.com. This is in accordance with Fair Information Principle 1 – Accountability.
What is informing all of this?
priv.gc.ca → Office of the Privacy Commissioner of Canada
oipc.bc.ca/guidance-documents/1438 → British Columbia’s Personal Information and Protection Act
eff.org → Electronic Frontier Foundation
ico.org.uk → Information Commissioner’s Office (UK)
unglobalpulse.org/policy/risk-assessment/ → United Nations Global Pulse – Risks, Harms & Benefits Assessment Tool