How to Responsibly Transmit and Store M&E Data


Responsible data transmission and storage is stage 3 of responsible data governance according to our guiding framework. Here we offer guidance on data security during transmission and storage, key questions for review of third-party vendors, and orientation on data breach protocols.

At this point we’ve all realized how important it is to safeguard data – especially personal or sensitive data. This requires that certain precautions are followed when transmitting data (when data is sent from one place to another) and when storing data whether this is on a laptop or mobile device, on desktop computers, on servers that your organisation owns and manages, or in the cloud.

Guidelines for responsible transmission and storage of data

1.1 Implement good security measures to protect data in transmission or storage
1.2 Ensure that third-party vendors protect your data

If you are hiring a tech vendor or firm to manage, store, analyse, or otherwise process your data or you are considering pro-bono offers for these types of services from a company or advisory firm, there are critical issues to bear in mind regarding data privacy and security.

For example, it is necessary to enter into a legal agreement which states that the data will be protected and not used or shared with any other party. You should include any third-party vendor information in your consent form so that individuals are aware of who the data will be shared with.

Here are some questions to ask when contracting or securing pro-bono services with a company or vendor with whom you might share data about your staff or data from or about people or partners that you are working with. Asking these questions does not guarantee that the vendor, contractor, or company will manage data in a perfectly private and secure way, but it can give you a sense of whether they take security and privacy seriously, and if they have the capacity to protect the data.

  • What measures do they have in place to ensure and demonstrate compliance with data privacy principles and/or national data protection legislation, health data protection regulations or other similar data standards?
  • Do they maintain records of their processing activities that are compliant with national regulations and/or industry standards?
  • Can they produce these records if needed?
  • Would they be working with any sub-processors or sharing your data with others? If so, who?
  • And how do they ensure that sub-processors are held to the same standards of data protection?
  • How do they deal with data subject access requests, such as requests to correct, delete, or restrict data processing?
  • Are they able to trace consent? How do they authenticate users of their systems? Do they use
  • two-factor-authentication?
  • Who has access to the data and how is access determined? What controls are in place and how often are they reviewed or updated?
  • What experience do they have in conducting data privacy impact assessments?
  • Are they prepared to approach this work from the lens of privacy by design/privacy by default?
  • What information security compliance measures are in place? Do they stress-test their systems?
  • Have there been any past data security issues, breaches or documented/public criticisms of their tools and services?
  • How, and how quickly, did they respond?
  • How do they govern their data?
  • Who is responsible for data security and data breaches?
  • What are their data security breach management and notification policies and procedures?
  • Have any of their staff been trained on data privacy laws and/or do they have legal counsel that is aware of privacy legislation?
  • How have they prepared internally for compliance with data privacy laws?
  • How likely is it that the vendor will be around in the long-term? If they shut down or are acquired, what will happen to the data they are holding?
  • Do they have a privacy policy? Do they share, provide, or sell personal data or data profiles to third parties?
  • What is their business model and does it involve acquiring and profiting from personal data?
1.3 Develop a data breach protocol

As you collect, transmit, store, and share increasing amounts of data, the possibility of a data breach increases. A data breach refers to any incident involving unauthorised access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach, as is any other incident that affects the availability of personal data, such as a ransomware attack. When you hold personal and sensitive data, a breach or leak can expose vulnerable groups involved in your M&E efforts to harm.

Having a data breach protocol in place is essential to help organisations prevent data breaches and, if breaches do happen, to respond speedily and appropriately. Irrespective of how well secured data is, the possibility of a breach is always there. For this reason, it is critical to be prepared to react quickly when a breach occurs. A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Plan ahead so that you are ready to respond rapidly and appropriately in the case of a breach or leak. Various teams will have a role in preventing and responding to data breaches. The first step in protecting against a data breach is prevention.

The following are important points to consider:

  • While all teams might have a role in prevention, a smaller sub-set should be identified as those responsible for managing a data breach, e.g. designated persons from IT, HR, legal, communications/PR, finance, and a member of the team affected by the breach.
  • Individuals in the data breach sub-set should receive prior training and meet periodically to discuss their roles and responsibilities so that any breach can be dealt with swiftly and efficiently.
  • A simulation exercise should be organised at least once a year to maintain the vigilance of the team in preparation for a possible breach.

See Tip Sheet 5 for more on how to design a data breach protocol.

Stay tuned to the next stage, Responsible M&E data cleaning, analysis, and use, as we unpack practical responsible data management tips for M&E practitioners.

See our previous blog post to keep up with the discussion, or learn more from the report.

Leave a Reply

Your email address will not be published. Required fields are marked *