This policy applies to all program and project data processed, aggregated, or collected by Open Heroines (OH) and its subcontractors. The policy will be reviewed annually. Open Heroines’ Founder will jointly take responsibility for ongoing compliance and updates to this policy.
What Data Protection Principles OH Follows
OH is committed, to the best of its ability, to managing project/program data in accordance with applicable data privacy laws and policies in the countries where we work. In the absence of a globally applicable data privacy law, we follow industry best practices in the safe collection, storage, disposal, use, and sharing of data. In particular, we handle information in line with the following principles, under which data are:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specific, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are acquired;
- Accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate personal data is erased or rectified without delay;
- Stored in a form that permits identification of individuals for no longer than is necessary for the purposes for which the data is collected during the life of the project/program and stored for longer periods only for archiving purposes;
- Stored in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful use and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
- Not sold for commercial purposes.
What Data OH Collects
OH generally gathers community data to update the database with members’ current contact information and career interests. This information is key in helping us plan events, create thematic working groups, and produce content that interests community members.
We take reasonable steps to ensure that the data we collect, aggregate, and use is accurate, including confirming third-party ownership where applicable.
How OH Uses Data
OH generally uses data to create reports, websites, videos, and other original products. We typically do so under the Creative Commons licenses, which means that we: (1) credit the original source of data we use; (2) indicate if changes were made to the data; and (3) share freely (i.e. without adding more restrictive terms) when we reshare data.
When we use Personal and/or Sensitive Data, our use is consistent with the terms of the agreement signed with community members and partners. We expect the same citation standards from our partners when we create original work. Additionally, we often cite the funders and supporters who contribute to our work and follow project or program-specific attribution rules as required.
What Data OH Shares
Our default is to avoid collecting Personal Data whenever possible. When collected, OH never shares Personal Data without appropriate pseudonymisation (or other industry or sector-specific protocols) and/or explicit consent for their information to be published, such as with quotes. Similarly, we do not share Sensitive Data without explicit permission from our partners. In some cases, we may develop specific Data Management Protocols (DMPs) to govern the safe sharing of data during the life of a project or program.
How OH Keeps Data Safe
Each OH employee on a project or program takes responsibility for keeping data safe. In general, data are kept in Google Drive folders accessible only to logged-in OH employees and project-specific external consultants. When sharing file or folder access more broadly, OH employees are strongly encouraged to restrict the view/edit permissions they grant to others. Where projects or programs gather Personal Data or Sensitive Data requiring heightened safety protocols, we create limited-permission folders that are accessible only to specific team members (and cannot be viewed or accessed by other organisation members without explicit permission).
To monitor potential unauthorised access, we have alerts set up to flag activities where information is made public on the web. We also maintain activity logs that can be reviewed in the case of an incident. When we store Personal Data, we review audit logs more frequently and/or further limit permissions so that certain data cannot be downloaded or shared, even by users with access to the folders.
How Long OH Keeps Data
OH keeps Personal Data only as long as necessary, defining start and end dates ideally before data collection begins. OH typically retains Sensitive Data for the life of the project or program, unless agreed upon otherwise during project closeout procedures with the client or partners. For all other data, OH follows applicable funder data retention rules. In the absence of specific rules or other constraints, OH may keep project or program data indefinitely.
What Happens if There Is a Breach
In the event of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data or Sensitive Data, OH will promptly assess the risks from exposure and will contact project partners and community members as soon as possible, within 7 days of the incident in question.
While OH is not liable for a breach if we have followed appropriate data management procedures, we will do our utmost to support our partners in safeguarding their information going forward.
Have Questions or Concerns?
Please contact the OH Project Manager you work with. If you are not able to contact this person, you may also reach out to email@example.com.
Annex of Key Terms
GDPR – the General Data Protection Regulation passed by the European Union in May 2018
Personal Data – data that (i) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household; or (ii) meets the definition for “personal information,” “personally identifiable information,” “personal data,” or any similar term in one or more Applicable Privacy and Data Security Laws.
Project Data – data OH collects or generates in the course of executing our projects. Some examples (not exhaustive) of the data we work with include interview notes (in written, audio, and sometimes video form) and contact information.
Public Data – data that are already in the public domain, not subject to restrictions (beyond citing a source) before they can be made freely available to the public.
Sensitive Data – all other, non-personal, data that: (i) is unavailable to the public (confidential); (ii) the project/program partners do not want made public (or made public only after cleaning); or (iii) is owned (partially or in full) by a third party that requires consultation and/or approval before the data can be published.
- These principles are slightly modified from Article 5 of the GDPR. The GDPR currently lays out some of the strictest data processing regulations in the world. OH takes these principles into account with the expectation that setting a high standard for data protection will best serve (and safeguard) our data, and the data entrusted to us by our partners.