Responsible Data Management for M&E: Stage 1 – Design and Planning

This blog series will focus on Part 2 of the Responsible Data Governance in M&E in the African Context report, which explores practical approaches to responsible data management, before, during, and after data collection.

There are seven stages in the data lifecycle that we’ll cover in this series. Let’s dive into the first stage here!

Designing and Planning is Stage 1 of responsible data governance according to our guiding framework. At this stage, we recommend planning and designing for the full Data Lifecycle, including legal aspects, data sharing plans, risk-benefit assessment, and budgeting.

At this stage you will focus on mapping out processes and resources for the entire Data Lifecycle. It is like an executive summary, as it outlines high-level data-related processes needed for your M&E effort.

Guidelines for Stage 1: Designing and planning

1. Outline the high-level data-related processes needed for your M&E effort

Sketch out your high-level M&E framework.  Data collection activities should derive from the Theory of Change (TOC), the associated list of indicators for tracking the achievement of outputs, outcomes and impacts, and the data-related activities required at the distinct stages of the M&E cycle.

2. Outline the rules and roles for stakeholder participation in your M&E effort

In terms of data governance, it is important to decide who will be involved in various roles, whose voices will be included, and who has the power for decision making. This clarity is a key aspect of governance and vital in the designing and planning process as various stakeholders will have different interests, priorities and needs. The voices of community members must be acknowledged throughout the data collection process, and all stakeholders involved must decide what their own unique definition of success would be for a particular project. For example, how a country defines success will be quite different from how a citizen defines it.

3. Identify the laws that govern your data collection and use and decide on the lawful basis for data collection that fits your situation

Countries are developing and updating their data privacy laws to adapt to new realities of digital societies. Privacy laws use different terminology to describe types of data, and different national regulations may cover different aspects of data. It is thus important that at this stage of the Data Lifecycle, you review data privacy legislation to understand what types of data the law covers and how you need to address the following aspects, amongst many others:

• Personal, sensitive, and other types of data as defined in the law.
• Consent or other lawful bases or restrictions for data collection and processing.
• Requirements related to collection and use of data from children or other sensitive categories of data. In some cases, it may be necessary to establish research ethics boards.
• Data sharing and access to data, including any mandates for government access to data.
• Responsibilities for those controlling and processing data.
• Transfer of data across borders.
• Fines and other punitive measures that can be imposed for the mishandling of data.
• Time limits for data storage and maintenance.
• The rights of those about whom data is being collected or processed (data subject rights).
• Mechanisms required for handling complaints about data collection and use.
• Processes and time frames for reporting data breaches.
• Requirements to hire or assign a data protection officer.

4. Put data sharing and/or data processing agreements in place to protect your organisation and the people whose data you are collecting

Do not take for granted the importance of a legally binding agreement. This includes agreements with anyone with whom you will share data, not only partners and contractors involved in the data collection and management process. This agreement should be in place even in a non-funding or “in kind” case or where data will be shared with partners who are providing technical support.

5. Conduct a data privacy impact assessment or a risk-benefit assessment

Once you have set up your initial plans for the full Data Lifecycle, assess whether your plan ensures the safety and security of the data and the people who provide the data. Conducing a privacy risk assessment or a risk-benefit assessment helps to flag any potential areas of risk, develop mitigation efforts, and to then finalise a plan that reduces the potential of data-related risk or harm.

6. Budget for the management of data from the beginning to the end of the lifecycle

At the Design and Planning stage you will formulate the plan and the budget for the full monitoring and evaluation effort, including the time, systems, people, and money involved. This will enable sound planning for the financial and human resources needed to responsibly manage data throughout the full lifecycle, the staff needed to implement an effective data governance strategy, and whether it is necessary to hire or assign dedicated staff to implement the data governance policy.

Stay tuned for Stage 2, collecting and acquiring data, as we unpack practical responsible data management tips for M&E practitioners.

See our previous blog post to keep up with the discussion, or learn more from the report.