Responsible Data Policy

At The Engine Room, we believe that data and technology can play an important part in effective social change work. To do this, it’s key to take a rights-based approach to using data, practising responsible data and supporting partners to do the same. Practising responsible data means considering the privacy, security and ethical implications of working with data, all the way from collecting it, to managing, using and deleting it.

Since 2013, we’ve been stewards of the Responsible Data community, a group of more than 700 people from diverse backgrounds who come together to discuss and develop best practices for using data in their advocacy and social justice work. Being part of this space enables us to learn from the challenges that others are facing, and to draw upon a wealth of expertise in figuring out how best to address those challenges.

Practising Responsible Data

So, what does all of this mean for how we practise responsible data, and how we collect and store data?

  • We practise data minimisation: only collecting the data we need, and deleting it afterwards
  • We use and support open source technology (more on this below)
  • We incorporate responsible data support when working with partners to design and implement projects
  • We make our sources of revenue transparent so that others can determine if there are any conflicts they may have in working with us
  • When we collect data about people or organisations, we communicate clearly about that collection to allow for informed consent and an opt-in process
  • We do not collect data about people, organisations, or activities that we do not have a clear intent to use productively
  • We invest core resources to actively participate in and facilitate the responsible data community of practice
  • We set high operational security standards for our team, and provide the support needed to meet these standards

To learn more about responsible data, we recommend checking out the Responsible Data Handbook.

As a remote organisation, we use a range of services and tools to keep our virtual doors open. Below, we describe some of our tools and choices, and how they might affect the way we collect and store data.

Services we use

  • We use self-hosted Matomo (formerly Piwik), an open-source analytics platform, to track visitors to The Engine Room’s main site. We use this to figure out how we can improve the user experience, answering the question, ‘Can people find the information they need in a timely way?’
  • We use WordPress for this site, and for the Responsible Data site, because it’s open source and has a lot of functionality that we can use and re-use. We host our Library site, built on the static site generator Jekyll, on GitHub Pages, so that it is easy to update and relatively light to load. We use Travis CI to build our static sites automatically and push them to our servers.
  • We use Greenhost’s and Koumbit’s servers. Greenhost offers an ‘ethical and sustainable approach’, valuing privacy, which we really appreciate. We use both to distribute and differentiate our infrastructure, selecting the proper location for different tools and services. We also host our email on Greenhost.
  • We use ownCloud for storing documents that may contain confidential or sensitive information, hosted on servers we control.
  • We use Google Drive for non-sensitive information, which is sadly somewhat of a necessity as we’re an entirely virtual organisation. Real-time collaboration over documents is a key part of how we work, and we’ve not yet found an open source solution that offers even close to the same level of functionality, but we’re always on the lookout. (Note: we don’t use Google’s email services, though. As above, we run that through Greenhost.)
  • When we need to gather information from others, we use Gravity Forms, a WordPress plugin. On the occasions we use Google Forms with external partners, we always provide a non-Google option (such as ‘download the form here and email it to us’).
  • We host our code on GitHub, a platform which allows us to publish code publicly, collaborate internally and externally, and track changes to our projects and those of partners.
  • We use different video/conference call software, as their reliability changes. We’re regular users of the end-to-end encrypted messaging platform Wire, though it doesn’t (yet) allow for group video calls. Until that happens, we use appear.in for calls with up to 4 people, or meet.jit.si. Being a distributed organisation, we really appreciate being able to see each other’s faces on video calls! In areas of low bandwidth, we’ve found Skype to be most reliable, though we know it leaves a lot to be desired on the security front. For bigger group calls (such as our community calls and our all-team calls), we’ve found UberConference to be best. So far, we’ve had up to 40 people on one call without any technical hitches.

Communications

Internally, we encrypt our team emails using PGP, and we put our public keys up with our staff bios on our Team page. We all use Thunderbird as our email client, another open source software program formerly maintained by Mozilla. Encrypting our emails to each other – and, wherever possible, to partners – has the side benefit that none of us can read our emails on our mobile devices, which encourages a healthy work-life balance.

We send our newsletter using MailChimp, which tracks links and stores subscribers’ email addresses. We only send our newsletter to people who actively sign up for it.

The only social media account we use is Twitter. We’ve found that we can get in touch with a lot of our potential partners and communities there, and we use Twitter to keep up to date with the work of people we’re interested in, too, using #responsibledata and keeping an eye on other great work.

For our Light Touch Support work, we use Calendly to schedule calls, a service which allows anyone to book calls with us online. To know more about how they manage their data, check out their Privacy Policy.

Research

When we’re carrying out research projects, we generally start with a blog post to let others know what we’re working on, in the spirit of transparency and collaboration.

When we’re conducting interviews, we store interviewees’ personal data on ownCloud, and we typically use Google Drive to make notes collaboratively, unless the topic is one of particular sensitivity. We take stock of where information should be stored on a project-by-project basis at the start of a project, including how long it should be kept for, and when it should be deleted.

We always make sure that interviewees have the chance to see their quotes in context prior to being published. We also check with interviewees as to whether they’d like to be acknowledged in anything we say publicly about the report or the project. When we’re carrying out community calls, we use open source etherpads hosted by Mozilla to take notes collaboratively during the call, so that everyone on the call can access the notes.

On research projects that entail a lot of scouring the internet for reports and links, we sometimes use TagTeam, an open-source tagging platform and feed aggregator. Our hub, which goes through periods of activity and quiet, is here.