Data and meta-data about an organization and its staff is incredibly difficult to keep track of over time, as people or projects use cloud services like Dropbox or Google Drive for some activities, a shared server for others, and a mix of work and personal devices (laptops, phones, tablets...).

This is natural, but it is important to keep track of where your organization's data lives and who can access it.


    • Some of the stickies generated in this activity may provide sensitive data, dispose of them responsibly.
    • If you take photos for reporting needs, save the image files in a secure, encrypted container.

Walk Through

    Sensitive Data Assessment Activity

    This exercise is adapted from the LevelUp Activity, Backup Matrix, part of the curricula for Data Retrention and Backup by Daniel O'Clunaigh, Ali Ravi, Samir Nassar, and Carol. Sample Matrix | Relative Sensitivity | Computer | USB / External Drive | Cloud Storage | Phones, Print, etc. | | -------------------- | -------- | -------------------- | ------------- | ------------------- | | High | | | | | | Moderate | | | | | | Low | | | | | Process Explain to participants that we're going to conduct an information mapping activity to get a sense of where our important information actually is.

    Start by listing the different places where our information is stored, according to participants. If no suggestions are forthcoming, we can prompt participants with the obvious stuff:

    • Computer hard drives
    • USB flash drives
    • External hard drives
    • Cellphones
    • CDs & DVDs (and BDs)
    • Our email inbox
    • The Cloud: Dropbox, Google Drive, SkyDrive, etc
    • Physical copies (or “hard copies”) in the office
    • Multimedia: Video tapes, audio recordings, photographs, etc.

    Use large stickies to place these as column headers on a wall. More will come up later in the course of the exercise.

    Elicit from participants what type of information or data they have in each of these places. For example:

    • Email
    • Contact details, such as a member database
    • Reports/research
    • Funder information / contracts
    • Accounts/spreadsheets
    • Videos
    • Images
    • Private messages on Facebook, etc.

    To encourage participant interaction, write one example on a sticky and place it in the appropriate box in the matrix. Then, ask whether there is another copy of this data somewhere. If there is, you can use another sticky and put it wherever they keep the duplicate.

    TIP: Place Computers, Phones, and Email next to each other, so you won't have to create duplicates for everything "stored" in email (and therefore on laptops and phones)

    Introduce a new vertical axis representing sensitivity. The higher on the chart, the more sensitive the data. Ask the participants to rank data.

    For a large group, divide the group into smaller teams for the next steps (it helps if there are relatively clear thematic distinctions within the group, such as nationality, type of work, area of interest, etc.)

    Provide stickies to the group(s). Have the group(s) brainstorm about all of the data they work with, focusing on the most important data first.

    Participants should write ONE type per sticky, and create duplicates if the data is stored in multiple locations.

    For a small group, this can be done as a "live" brainstorm. For larger groups that have been subdivided, have each group finish listing out their most important data and then have each group place the stickies on the matrix. Invite discussions around the sensitivity of the data.

    An example may look something like this:

    Level Up Backup Matrix Example with a matrix filled in with stickies representing specific types of data stored in different locations (e.g. email, shared drive, backups)

    Explain that this gives us an idea of where our data is. Elicit whether or not this is all the data we generate? Of course it isn't: It's only a small percentage.

    The LevelUp lesson uses this primarily to discuss the importance of backups, and this is a valuable point to make.

    Call out the information that they are keeping on their computer's hard drive (which will usually be the fullest one). Elicit some of the things that can cause a computer to stop working. Maybe take a show of hands: Who has had this happen to them?

    • Virus or malware attack destroyed a computer or some data
    • Stolen computer, confiscated computer
    • Infrastructural problems, like a power failure broke a computer
    • Inexplicably bricked computer, etc.

    For SAFETAG, we focus on the "Sensitive data in the wrong hands" section. Based on the clustering of sensitive data along the vertical access, choose a column that has an unsual amount of sensitive data (email or computers, usually).

    Remove the stickies from the column but keep them in your hand and read them. Now I have this information. What can I do with it? And what are you left with? Is anyone at risk - yourselves? partners? If this were published on the Internet, what would happen?


    Laptops, workstations, servers, external hard drives, and backup systems should be configured to use some form of hard drive encryption.

    • For Windows, Microsoft BitLocker is built in to the latest versions, free-of-charge for anyone with a valid Windows 7 “Ultimate” license or Windows 8.
    • For Apple OSX users, FileVault2 is a built-in alternative that is also free-of-charge.
    • TrueCrypt is a cross-platform solution that is open source and free of charge, and can work on Mac, Windows, and Linux machines as well. All three solutions provide a way to encrypt data on internal drives as well as external hard drives, and USB memory sticks.