Summary

Guide staff through an activity to have them list private data within the organization (e.g., using the "Personal Information to Keep Private" handout).

Walkthrough

    Personal Information To Keep Private

    Information that can be used to identify individuals, organizations, and even communities of practice should be treated with the utmost care. Some data, like names, phone numbers, and addresses, are obvious, while others, like computer names, the MAC addresses of Wi-Fi cards, or pseudonymous social media accounts, may be less obvious. Also, combinations of information (location, data, and type of activity, or even an issue area of interest and a city name) may specify a very small number of activists or organizations.

    This spreadsheet, part of the Responsible Data Forum documentation sprint, provides a useful baseline of types of data and ways to manage or obfuscate it: Data Anonymization Checklist
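
The point above about combinations of information can be checked mechanically before any data set leaves the audit team. The following is an added example, not part of the handout or the checklist: it flags every combination of fields whose values are shared by fewer than k records. The records, field names, and place names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data): one row per organization.
RECORDS = [
    {"city": "Northport", "issue": "land rights", "activity": "legal aid"},
    {"city": "Northport", "issue": "land rights", "activity": "training"},
    {"city": "Northport", "issue": "press freedom", "activity": "legal aid"},
    {"city": "Eastfield", "issue": "press freedom", "activity": "training"},
    {"city": "Eastfield", "issue": "land rights", "activity": "training"},
    {"city": "Eastfield", "issue": "press freedom", "activity": "legal aid"},
]


def risky_combinations(records, fields, k=2):
    """Map each field combination to the value tuples held by fewer than k records.

    A value tuple shared by fewer than k records narrows the data set to a
    very small group, even when every field in it looks harmless on its own.
    """
    findings = {}
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            counts = Counter(tuple(r[f] for f in combo) for r in records)
            small = sorted(values for values, n in counts.items() if n < k)
            if small:
                findings[combo] = small
    return findings


if __name__ == "__main__":
    for combo, values in risky_combinations(RECORDS, ["city", "issue", "activity"]).items():
        print(" + ".join(combo))
        for v in values:
            print("   identifies a single record:", ", ".join(v))
```

In this sample no single field isolates a record, but every pair of fields does, so each pair would need to be generalized or dropped before sharing.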

Recommendation

    For the internal audit report back to the organization, much of the information will require specific identification of user devices (and by extension, their users), as well as very sensitive organizational data. None of this data, by intention, accident, or adversarial action, should be shared with third parties.

    Please refer to the Analysis and Reporting section for the limited data set that is required for project reporting, and to the Operational Security section for guidance on data security.