Last updated: February 2023
This policy applies to all program and project data processed, aggregated, or collected by Development Gateway and its subcontractors. The policy will be reviewed annually. Development Gateway’s Chief Operating Officer will jointly take responsibility for ongoing compliance and updates to this policy.
See the Annex below for Key Terms.
What Data Protection Principles DG Follows
DG is committed, to the best of its ability, to managing project/program data in accordance with applicable data privacy laws and policies in the countries where we work. In the absence of a globally applicable data privacy law, we follow industry best practice in the safe collection, storage, disposal, use, and sharing of data. In particular, we treat information guided by the following principles:
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Collected for specific, explicit and legitimate purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are acquired;
Accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate personal data is erased or rectified without delay;
Stored in a form which permits identification of individuals for no longer than is necessary for the purposes for which the data is collected during the life of the project/program, and stored for longer periods only for archiving purposes;
Stored in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful use and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
Will not be sold for commercial purposes.
What Data DG Collects
DG generally gathers Public Data from a variety of sources in the course of our work building tools and advising partners on data management and strategy. On occasion, we may receive Sensitive Data from our clients and partners, and/or share our own Sensitive Data with others. Lastly, we gather Project Data which varies by project, but most often includes qualitative interview data (notes, video and/or audio recordings). In rare instances we may collect Personal Data directly or contract partners to collect Personal Data on our behalf, typically as part of primary data collection.
With all data, we strive to gather only what is necessary, relevant and expected under the scope of project and program agreements, as agreed with our clients and partners. When we collect Personal Data, we gather consent (written where possible) that clearly outlines what data we are collecting, why, and for what purposes. In the event that we contract a partner to assist us in the collection of Personal Data, we ask them to sign a privacy and security addendum with us to ensure it is consistent with our own policies and values.
We take reasonable steps to ensure that the data we collect, aggregate, and use is accurate, including confirming third party ownership where applicable.
How DG Uses Data
DG generally uses data to create reports, websites, videos, and other original products. We typically do so under the Creative Commons licenses, which means that we: (1) credit the original source of data we use; (2) indicate if changes were made to the data; and (3) share freely (i.e. without adding more restrictive terms) when we reshare data.
When we use Personal and/or Sensitive Data, our use is consistent with the terms of the agreement signed with clients and partners. For example, if we build a closed system dashboard for a partner, we never reuse specific data from that system, although we may describe our work in future project proposals with client/partner consent.
We expect the same citation standards from our partners when we create original work. Additionally, we often cite the funders and supporters who contribute to our work, and follow project or program specific attribution rules as required.
What Data DG Shares
Our default is to avoid collecting Personal Data whenever possible. When collected, DG never shares Personal Data without appropriate pseudonymization (or other industry or sector-specific protocols) and/or explicit consent for their information to be published, such as with quotes. Similarly, we do not share Sensitive Data without explicit permission from our partners. In some cases we may develop specific Data Management Protocols (DMPs) to govern the safe sharing of data during the life of a project or program.
How DG Keeps Data Safe
Each DG employee on a project or program takes responsibility for keeping data safe. In general data are kept in Google Drive folders accessible only to logged-in DG employees and project-specific external consultants. When sharing file or folder access more broadly, DG employees are strongly encouraged to limit view/edit permissions with others. Where projects or programs gather Personal Data or Sensitive Data requiring heightened safety protocols, we create limited permissions folders that are only accessible to specific team members (and cannot be viewed or accessed without explicit permission by other members of the organization).
To monitor potential unauthorized access, we have alerts set up to monitor activities where information is made public on the web, and we maintain activity logs that can be reviewed in the case of an incident. When we store Personal Data we conduct audit logs more frequently and/or further limit permissions so that certain data cannot be downloaded or shared, even by users with access to the folders.
DG ensures that data is stored securely using modern, up to date software.
How Long DG Keeps Data
DG keeps Personal Data only as long as necessary, defining start and end dates ideally before data collection begins. DG typically retains Sensitive Data for the life of the project or program, unless agreed upon otherwise during project closeout procedures with the client or partners. For all other data, DG follows applicable funder data retention rules. In the absence of specific rules or other constraints, DG may keep project or program data indefinitely.
What Happens If There is a Breach
In the event of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data or Sensitive Data, DG, in collaboration with our insurance partner, will promptly assess the risks from exposure and will contact project/program partners as soon as possible, within 7 days of the incident in question.
While DG is not liable for a breach if we have followed appropriate data management procedures, we will do our utmost to support our partners in safeguarding their information going forward.
Have Questions or Concerns?
Please contact the DG Project or Program Manager you work with. If you are not able to contact this person you may also reach out to firstname.lastname@example.org
Annex. Key Terms
‘DMP’ means Data Management Protocols, developed by DG on a case by case basis, to support work with our partners to manage, secure, and share data responsibly under particular projects or programs
‘GDPR’ means the General Data Protection Regulation passed by the European Union in May 2018
‘Personal Data means data that (i) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household; or (ii) meets the definition for “personal information,” “personally identifiable information,” “personal data,” or any similar term in one or more Applicable Privacy and Data Security Laws.
‘Project Data means data DG collects or generates in the course of executing our projects and programs. Some examples (not exhaustive) of the data we work with include: interview notes, in written, audio, and sometimes video form;
‘Public Data’ means data that are already in the public domain, not subject to restrictions (beyond citing a source) before they can be made freely available to the public.
‘Sensitive Data means all other, non-Personal, data that: (i) is unavailable to the public (confidential); (ii) the project/program partners do not want made public (or made public only after cleaning); or (iv) owned (partially or in full) by a third party that requires consultation and/or approval before the data can be published.