Data Risk Checker

From Responsible Data Wiki
Revision as of 13:30, 1 October 2014 by Rdfwikiperson (Talk | contribs)

Subtitle: one sentence on what it does, who is it for, and what is its goal

Outputs

Connection to previous RDFs

This output builds upon (and diverges from) work done in the RDF on private sector data.

The Output

Assumptions

Three-step process.

We assume that the risk mapping will occur inside of a three-step process:

  1. Data (and responsible data) literacy
  2. Risk mapping
  3. Mitigation

Data literacy

To use the risk mapping tool effectively, it is assumed that practitioners understand the basic concepts and components of data, such as metadata, collection strategies, formats and storage types (boolean, integer, geographic coordinates, etc.), and that they are comfortable working with data wrangling tools such as spreadsheets.

Practitioners should also understand the core Responsible Data (talk to Niels, and Mary) principles that apply when collecting data that might pose risks to entities providing the data (data owners).

Mitigation

The risk mapping tool only assesses the risks; it does not propose or recommend risk mitigation techniques. It is assumed that risk mapping will be followed by a concrete risk mitigation phase that will be informed by the results of the risk mapping.

Audience

The risk mapping is always tailored towards the audience. Thus, it assumes that whoever is using it has a deep knowledge of the audience, its needs and risks. As a recommendation, the audience should always be included in the risk mapping process.

Data is inherently unsafe

As recent events indicate, the overarching assumption throughout this process is that data is always at risk of exposure. The risk mapping process is not intended to communicate or build awareness of how to secure data. We recommend reading and implementing best practices for the collection, storage and dissemination of data.

Types of threats

We also assume that the person using the risk mapping tool understands the basic concepts of digital and physical threat: categories, the power of information, what threat modelling means and what it is for, etc.

Types of harm

To make the assessment a non-exhaustive exercise, we have broadly classified the harms:

  1. Physical Harm: Identifies any harm that directly makes the owner of the data a target and causes physical damage.
  2. Psychosocial/Emotional Harm: Identifies any harm that causes emotional or social damage to the owner of the data or their acquaintances.
  3. Economic Harm: Identifies any harm that causes damage to personal and financial assets.


Audience

Personas, use cases, context

Next steps

  • development of a spreadsheet that automatically maps and colours content according to input, and creates charts and visualizations of the broad picture to assist with decision making

Contributors

Food for thought

  • concepts, problems
  • questions to ask frequently
  • preventions: what do you actually do in concrete terms to prevent these things from happening
  • reactions: responsible responses for when things go wrong

Resources (we <3 links!)

Frontline Defenders, Digital Rights and Security for Human Rights Defenders