Data privacy and the law
April 22, 2020 / by Dr Jill Campbell
10 things that evaluators (and anyone in the not-for-profit sector) need to know.
As an evaluator (or, frankly, anyone on the frontlines of the not-for-profit sector), our job is to know a thing or two about data privacy. After all, we’re increasingly required to collect impact data for donors and funders about how well our organisations, programs and individuals are performing.
But while there is much to like about data – most notably, it helps to fuel more evidence-based change in our sector – how often do we think about it, really? And are we up-to-date with privacy law, especially when it pertains to data privacy online?
These questions have only been made more acute with our collective move to digital channels and tools in response to the COVID-19 lockdown.
If our ‘bread and butter’ is data – and lots of it – then the last thing we want is for our data-management approach to run afoul of the law.
With that in mind, here are 10 points to think about to help you remain compliant with Australian law concerning data collection and data storage.
(Bonus point: At the end of this post, you’ll find details of a Clear Horizon live webinar to be held on Thursday 7 May 2020 that will give you the opportunity to further expand your knowledge in this area, and talk directly to people with years of data privacy experience.)
“The Privacy Act in Australia has the potential to impact the not-for-profit sector immensely,” says Clear Horizon Privacy Officer and Principal Consultant, Dr Jill Campbell, who is a member of the Australian Evaluation Society (AES) and Australian Market and Social Research Society (AMSRS).
“There remains a significant gap between the law and how evaluators – and the not-for-profit sector in general – work. For instance, there is a lack of distinct data-privacy guidelines for those of us working in evaluation and impact measurement. Privacy and confidentiality are lost in the ethics space and they really shouldn’t be. Privacy needs to have a place of its own; it’s that important.”
Under the Privacy Act 1988, the current maximum penalty for serious or repeated interferences with privacy by an entity covered by the Act is $2.1 million. The Australian Government has announced an increase to the greater of $10 million, three times the value of any benefit obtained through the misuse of the information, or 10 per cent of the company’s annual domestic turnover.
If you’re saving your data on a cloud storage option, check where the server is located!
For all intents and purposes, cloud storage is not the place to be storing personal data – unless the cloud storage servers you use are based in Australia, says Jill. That means tools used by evaluators such as Zoom and SurveyMonkey may be off-limits as data-storage options (unless you take additional precautions, such as confirming in writing where the provider stores and processes your data), because their servers can be based overseas. The legal point is accountability: under Australian Privacy Principle 8, an organisation that discloses personal information to an overseas recipient remains responsible for how that information is handled unless an exception applies.
“If you’re an organisation operating in Australia, you’re liable if you store personal data on overseas servers and the data gets compromised. Keep your data stored in the cloud on Australian servers, instead. Platforms such as Microsoft have Australian servers, so their tools – like Microsoft Forms and Teams – are okay to use.”
Chances are, if you work for a not-for-profit with an annual turnover of more than $3 million, or you meet other criteria in terms of the personal information you collect and use (for example, providing a health service), the Australian Privacy Principles will apply to your organisation. That means you need to ensure someone is responsible for developing and updating your organisation’s privacy policy. Further, the Privacy Act requires that you make this policy publicly available, as well as implement robust data privacy practices, procedures and systems.
Consider this your clarion call.
Every evaluator has a toolkit – and every evaluator’s toolkit has a privacy checklist. True? If you answered in the negative, now’s the time to create a checklist. After all, if you’ve got a privacy checklist as part of your toolkit, says Jill, it’s more likely that data privacy will be factored into your planning.
The questions in your data privacy checklist could include:
Whilst data privacy is imperative, that doesn’t mean that once you have your data privacy provisions in place, you can collect any data you want to. You need a legal reason to collect data. The rule is: collect personal and sensitive information only where ‘reasonably necessary’, that is, it is directly related to or necessary for what you or your clients do and how they function.
As well as having a reason to collect data, you must get consent from the person providing it (unless they are incapable of doing so and then you must get consent from a guardian). To ensure you’re getting the consent you need, you should communicate to those providing you with personal data the following information:
The best way to ensure the above information is communicated, says Jill, is through a data collection statement.
It is always good practice at the start of a project to check-in with your client about how the data you collect will be used, says Jill. But sometimes those requirements can change over time.
“If your client later decides they want to use those wonderful quotes or stories you’ve acquired for purposes not agreed-to up-front – say, to include in a pamphlet for marketing purposes – you must go back to the person who provided the data and get their additional consent that they are willing for it to be used in this new way as well.”
This one cannot be over-emphasised: Assign someone in your organisation (or yourself) to be the data privacy officer – even if it’s not a formal role. That way, your organisation will be better able to fulfil its responsibilities for storing data securely.
“Make sure someone owns this function,” insists Jill, “because if something isn’t owned, it won’t get done.”
It can also be helpful, she says, if your privacy officer has practical experience in meeting privacy requirements; that is, knowing what’s generally needed in a broad range of situations, and providing advice across your organisation.
“While some aspects of privacy can be covered by such things as collection statements or checklists that people can adapt, it is helpful to have the privacy officer review work and offer advice about how to meet privacy requirements in a practical, client-focused way.”
If you have promised to provide confidentiality, it’s important to establish protocols to de-identify data – for instance, using numbers instead of names against interview recordings or transcriptions – right from the outset of a project.
“Don’t wait to establish these protocols – do them up-front,” says Jill. “Furthermore, if you’ve been handed contact details from your client (who, themselves, should confirm they have been acquired legally), these details should only be kept for as long as the project – including any review process – is in place.
“When you close a project, it’s very important to ensure that all contact and identifying information is deleted.”
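The de-identification protocol above (codes instead of names, with identifying details kept only for the life of the project) can be set up as a small script from day one. The following is an added example written for this post, not code from Clear Horizon or from the article: it pseudonymises a constructed interview log, keeps the re-identification key separate from the working data, checks that no name or email address has slipped into free-text fields (a common way de-identified transcripts re-identify people), and destroys the key at project close. The field names, the `P-` code format and the sample data are all assumptions for illustration.

```python
import csv
import io
import secrets

# Constructed sample data for this example only (not real participants).
SAMPLE_CSV = """name,email,transcript
Alice Nguyen,alice@example.org,"I found the program helpful"
Bob Smith,bob@example.org,"The sessions were too short"
Alice Nguyen,alice@example.org,"Follow-up: still helpful"
Carol Diaz,carol@example.org,"Alice Nguyen recommended it to me"
"""

# Assumed column names that directly identify a participant.
IDENTIFYING_FIELDS = ("name", "email")


def new_code(existing):
    """Return a random participant code (e.g. P-3F9A1C) not already in use.

    Random codes, unlike sequential numbers, reveal nothing about interview order."""
    while True:
        code = "P-" + secrets.token_hex(3).upper()
        if code not in existing:
            return code


def pseudonymise(rows, identifying_fields=IDENTIFYING_FIELDS):
    """Strip identifying fields from each row and replace them with a code.

    Returns (deidentified_rows, key). `key` maps code -> identifying values and
    is the ONLY link back to a person: store it separately from the working
    data (and from the transcripts) and delete it when the project closes.
    The same person always receives the same code so records stay linkable."""
    key = {}          # code -> {"name": ..., "email": ...}
    by_identity = {}  # identity tuple -> code, used only while building the key
    deidentified = []
    for row in rows:
        identity = tuple(row[f] for f in identifying_fields)
        code = by_identity.get(identity)
        if code is None:
            code = new_code(key)
            by_identity[identity] = code
            key[code] = dict(zip(identifying_fields, identity))
        clean = {k: v for k, v in row.items() if k not in identifying_fields}
        deidentified.append({"participant": code, **clean})
    return deidentified, key


def leaked_identifiers(deidentified_rows, key):
    """Find identifying values (names, emails) that survive in free-text fields.

    Returns a list of (participant_code, field, leaked_value) so the text can be
    redacted before the dataset is shared with the client."""
    known_values = {v for ident in key.values() for v in ident.values() if v}
    leaks = []
    for row in deidentified_rows:
        for field, text in row.items():
            if field == "participant":
                continue
            for value in known_values:
                if value.lower() in str(text).lower():
                    leaks.append((row["participant"], field, value))
    return leaks


def close_project(key):
    """At project close, destroy the re-identification key in place.

    After this the de-identified dataset can no longer be linked to a person."""
    key.clear()


def read_csv_text(text):
    return list(csv.DictReader(io.StringIO(text)))


def write_csv_text(rows):
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = read_csv_text(SAMPLE_CSV)
    deidentified, key = pseudonymise(rows)
    print(write_csv_text(deidentified))
    for participant, field, value in leaked_identifiers(deidentified, key):
        print(f"redact {value!r} from {field} of {participant}")
    close_project(key)
```

In practice the key would be written to a separate, access-controlled file rather than held in memory, and the leak check is a prompt for manual redaction, not a substitute for reading the transcripts.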
If any third party accesses or uses the data you collect in any way, you remain legally responsible for that use. For instance, says Jill, “if a subcontractor is using the personal data in some way, you need to ensure they adhere to your privacy policy, including the way the data is stored.”
All of these 10 points are designed to clarify the requirements of data privacy under Australian law. But if we were to sum all of them up into one key point, it would be to say this:
The data you collect doesn’t belong to you – it belongs to those who gave you the permission to use it. It’s up to you to protect it.
Want to keep the conversation going on data privacy? Clear Horizon Academy will be running a live webinar titled Data Privacy and Australian Law on Thursday 7 May 2020, featuring Dr Jill Campbell, Clear Horizon Chief Innovation Officer Jen Riley, and Clear Horizon Learning Experience Coordinator Cameron Elliott. This webinar gives you the opportunity to further expand your knowledge in this area, as well as talk directly to people with 50+ years of Australian data privacy experience between them.
Caution: This article provides an overview of our understanding of the Commonwealth and state and territory laws on privacy, and is not intended to replace legal advice. Privacy laws can be complex, so if you have any doubts, consult a privacy lawyer for advice.
Article developed by Dr Jill Campbell, Clear Horizon Privacy Officer and Principal Consultant, member of the Australian Evaluation Society (AES) and Australian Market and Social Research Society (AMSRS). Edited by Rohan Kay.