Here’s a look at some of our evolving principles & practices around the collection and use of people’s stories. If we had to boil it down, our approach is focused on being open and trustworthy.
What do we mean by data privacy and ethics?
Data privacy refers to how we collect information (including qualitative stories, quantitative numbers, photos and media) in ways that protect an individual’s personal information, and respect their preferences about how it is used.
Ethics tries to answer questions about what is right and wrong, recognizing this isn’t black and white, and depends on intent and context. When it comes to personal data, we hold space to explore what ‘right’ looks and feels like in every situation we work. Where possible we hire co-researchers from the project context to provide advice and guidance.
Why are we thinking about these things?
As we get to know people, build relationships with them and swap stories, we aim to reduce power divides and amplify agency. We want people to feel in control of what happens to what they share. The core tension within our thinking around data policy and practice is the trade-off between sharing people’s data versus protecting this data. Protecting this data is important, to ensure it is not misused, and doesn’t have negative ramifications for individuals. Sharing this data is also important, because it can be a powerful way to bring about social change, grounded in people’s lived experiences.
We ask ourselves: who will benefit from this data being shared, and who might be harmed, in what ways? When we make choices, we have to weigh risks and rewards — but also the autonomy of the people the stories belong to, in determining what’s fair and just.
We recognize the extractive and exploitative history of data collection, and we strive to engage people who have been marginalized by systems, who we see as our primary user group, in decision-making. Our goal is for data collection to feel collaborative and cathartic, reinforcing people’s voice and choice.
What are InWithForward’s principles and practices, when it comes to personal information?
Get ready, this is a long one! Our practices are informed by the Fair Information Principles from Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and British Columbia’s Personal Information Protection Act (PIPA).
When it comes to dealing with personal information, we aim for clear, easy to understand practices that are readily available and stripped of as much legalese as possible. That’s why we’re talking about them on this page! This in accordance with Fair Information Principle 8 – Openness.
We also believe that being open about our data policies and privacy practices will help us to receive feedback from others, and to improve upon them. Sharing our process and practices also allows other organizations to build on work we’ve done, just as we learn from the practices of other organizations.
We always talk about why we’re collecting stories, who will be reading them, what the intent of the project is, what we’re seeking to change, and how we will compensate people for their time. This is outlined in clearly designed communication materials for each project, and in our consent forms, which include pictures and diagrams (not just words). If it turns out we want to use data for a new purpose, we’ll reach out to obtain consent again. This is in accordance with Fair Information Principle 2 – Identifying Purposes.
Level of Risk
We work with individuals to determine the level of risk associated with sharing their stories. In doing so, we review and talk through possible scenarios.
We support participating individuals to identify potential benefits and risks in sharing information, considering things like reputation, health, safety, housing, employment, and legal exposure.
With each potential risk, we think about:
- the likelihood → How likely is it to happen?
- the severity → How bad would it be if it did happen?
This discussion helps to inform the ‘risks of harm’ within our consent process, in accordance with Fair Information Principle 3 – Consent.
Preference for Identification
Beside thinking about risk, we also ask individuals about their preferences for identification. For example, does an individual want to be identified by their first name, or a pseudonym? What is their race, ethnicity, gender and nationality? We never report last names, as we see it as an unnecessary risk to privacy. At the same time, we believe individuals should retain the right to publicly front their story, using their first name, if so desired.
When other details in a story (e.g location) might make an individual recognizable— even without their name included— we may edit those details, creating fictionalized ethnographies.
While ‘thick data’ is the essence of much of our work, we collect and share only as much data as we need to explore stated project themes. These practices are in accordance with Fair Information Principle 4 – Limiting Collection.
Individual Access and Ongoing Consent
We also have an ongoing consent process that is premised on closing our feedback loop, and ensuring people can edit their own stories. This is in accordance with Fair Information Principle 3 – Consent. An individual’s sentiment at the time of story collection may shift over time. To ensure that an individual feels comfortable making available the information they have shared, we ask for permission when we first listen to their story, and afterwards, when we return their story and bear witness to their lived experiences.
Indeed, wherever possible, we meet with the individual once we’ve processed their data, to share what we recorded and our interpretations. At this time, we invite people to revise their story and double-check their sharing preferences, in case this might have changed from our first session. We also ensure people have a copy of their own story, whether in print or digitally. This helps us to adhere to Fair Information Principle 6 – Accuracy.
At this point, individuals have the opportunity to change their mind about what they might and might not like to share. This might involve removing their first name, replacing a photo, or removing a particular detail from the story they’ve shared. This also often involves adding. Once people have seen their story, they often feel more comfortable or eager for it to be shared or associated with them!
After this second stage of obtaining consent, the data may be shared with project partners. However, an individual can still update their story at any time, remove details, or elect to have it deleted. When information is removed from our digital records, we don’t have control over a project partner’s use of the information.
We’re sometimes unable to get in touch with individuals a second time. In this case, we anonymize an individual’s data, even if they gave permission for including identifying photos and first name. These practices are in accordance with Fair Information Principle 9 – Individual Access.
What are my responsibilities, as someone using data from InWithForward?
We depend on our partner organizations to use the stories & data in an aboveboard way, and in the spirit with which it was collected. That means to respect the individuals who have shared their stories, honour their humanity, avoid generalizations, embrace complexity, and refrain from any punitive actions. We ask anyone interfacing with our data to:
- Keep information in context; avoid labeling and reductionism.
- Identify the lenses and privileges that shape how you interpret the data.
- Use the data to generate curiosities, not draw conclusions.
- Respect the time stamp on the data, recognizing people’s lives are not static and constantly evolve.
- Share aggregated insights and opportunities, rather than individual details.
How do we store and retain data?
We store data in both physical and digital formats. Digitally, we store data on password-protected computers. We also store information in physical form, as notes in notebooks, and as physical copies in our offices. These physical copies are under lock and key, and accessible by a limited number of InWithForward team members.
We save digital information on Sync, a cloud storage service, with files stored on Canadian servers. If an individual elects to have their data deleted, we delete the digital copy. We retain physical copies of the data, in case of a discrepancy.
With these practices, we aim to be in accordance with Fair Information Principle 5 – Limiting Use, Disclosure and Retention and Fair Information Principle 7 – Safeguards.
What personal information does InWithForward disclose to others?
In instances where InWithForward is partnering with another organization on a project, we share data with these project partners. When this is the case, we clearly specify on our consent form, sharing what type of data will be shared.
What can I do if I want to change information I’ve given to InWithForward?
If you’d like to update, remove details or change information you’ve provided to InWithForward, get in touch with our Operations Manager, [email protected].
With these practices, we aim to be in accordance with Fair Information Principle 9 – Individual Access.
Who at InWithForward can I talk to?
Dr. Sarah Schulman is InWithForward’s privacy officer. She can be reached at [email protected]. This is in accordance with Fair Information Principle 1 – Accountability.
What is informing all of this?
priv.gc.ca → Office of the Privacy Commissioner of Canada
oipc.bc.ca/guidance-documents/1438 → British Columbia’s Personal Information and Protection Act
eff.org → Electronic Frontier Foundation
ico.org.uk → Information Commissioner’s Office (UK)
unglobalpulse.org/policy/risk-assessment/ → United Nations Global Pulse – Risks, Harms & Benefits Assessment Tool