SlideShare a Scribd company logo
1 of 14
Download to read offline
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
1/14
CHECKLIST
Rationale for the checklist: Large-scale social or behavioural data may not always contain directly identifiable personal data and/
or may be derived from public sources. Nevertheless, its use could potentially cause harm to individuals.
Data use should be always assessed in light of its impact (negative or positive) on individual rights. This risk assessment tool (or
checklist) outlines a set of minimum checkpoints, intended to help you to understand and minimize the risks of harms and
maximize the positive impacts of a data innovation project (and is intended primarily for projects implemented within
international development and humanitarian organizations).
When to use the checklist: The checklist should be considered before a new project is launched, when new sources of data or
technology are being incorporated into an existing project, or when an existing project is substantially changed. In particular, this
assessment should consider every stage of the project’s data life cycle: data collection, data transmission, data analysis, data
storage, and publication of results.
How to use the checklist: If possible, the questions raised by the checklist should be considered by a diverse team comprised of
the project leader as well as other subject matter experts, including—where reasonably practical—a representative of the
individuals or groups of individuals who could be potentially affected by the use of data. Consider consulting with data experts,
including data privacy experts, and legal experts so that they can assist with answering these questions and help to further
mitigate potential risks, where necessary.
Note that the checklist was developed by Global Pulse as part of a more comprehensive Risks, Harms and Benefits Assessment,
consisting of Two Steps: (I) Initial Assessment and (II) Comprehensive Risks, Harms and Benefits Assessment. This checklist is an
Initial Assessment that should help to determine whether a Comprehensive Risks, Harms and Benefits Assessment should be
conducted.
Nature of the checklist: This checklist is not a legal document and is not based on any specific national law. It draws inspiration
from international and regional frameworks concerning data privacy and data protection. The document provides only a minimum
set of questions and guiding comments. The checklist and guiding comments are designed primarily as a general example for
internal self-regulation. As this checklist offers only minimum guidance, you are encouraged to expand the list depending on the
project’s needs, risks, or specific context, or in response to the evolving data landscape. Depending on the implementing
organization (its legal status/nature) and applicable laws, the guiding principles, standards and basis for answering these
questions may need to be changed.
For more information or to provide input on the checklist, please contact dataprivacy@unglobalpulse.org. This checklist is a living
document and will change over time in response to the evolving data landscape. The latest version of the Risks, Harms and
Benefits Assessment is available at www.unglobalpulse.org/privacy/tools.
	
For more information on the privacy protective and ethical use of data, please refer to the UN Principles on the Protection of
Personal Data and Privacy and the UNDG Data Privacy, Ethics and Protection Guidance Note (2018).
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
2/14
Instructions for completion
Please be sure to answer all of the questions by choosing at least one of the following answers: “Yes,”“No,”“Don’t Know,” or
“Not Applicable.” Please use the comments column to explain your decision where necessary.
For every “Not Applicable” answer, please provide an explanation in the comments. Every “Don’t Know” answer should be
automatically considered a risk factor that requires further consultation with a domain expert before a project is undertaken.
Once you have properly consulted with an expert regarding the issue, please be sure to go back to the checklist and change your
answer in the form to finalize your checklist. A final decision should not be made if there is any answer marked “Don’t Know.”
Project information
Describe the purpose of the data use (e.g., reasons, benefits):
Name the parties involved in the project and their roles (e.g., controller, processor, beneficiaries, etc.):
Any other relevant details:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
3/14
Part 1: Type of Data
Personal Data: For the purposes of this document, personal data means any data relating to an identified or identifiable
individual, who can be identified, directly or indirectly, by means reasonably likely to be used related to that data, including where
an individual can be identified from linking the data to other data or information reasonably available in any form or medium. If
you are using publicly available data, note that this data can also be personal, and therefore may involve some of the same
considerations as non-public personal data.
1.1	 Will you use (e.g. collect, store, transmit, analyse etc.) data that directly identifies individuals?
Personal data directly relating to an identified or identifiable individual may include, for example, name, date of birth, gender,
age, location, user name, phone number, email address, ID/social security number, IP address, device identifiers, account
numbers, etc.
	 Yes
	 No
	 Don’t know
	 Not applicable
1.2	 Will you use data that does not directly identify an individual, but that could be used to single out a
	 unique individual by applying existing and readily accessible means and technologies?
Keep in mind that de-identified data (e.g., where all personal identifiers—such as name, date of birth, exact location, etc.—are
removed), while not directly linked to an individual(s) or group(s) of individuals, can still single out an individual(s) or group(s) of
individuals with the use of adequate technology, skills, and intent, and thus may require the same level of protection as explicit
personal data. To determine whether an individual(s) or group(s) of individuals is identifiable, consider all of the means reasonably
likely to be used to single out an individual(s)or group(s) of individuals. Factors that influence a likelihood of re-identification
include availability of expertise, costs, amount of time required for re-identification and reasonably and commercially available
technology.
	 Yes
	 No
	 Don’t know
	 Not applicable
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
4/14
1.3	 Will you use sensitive data?
Any data related to (i) racial or ethnic origin, (ii) political opinions, (iii) trade union association, (iv) religious beliefs or other beliefs
of a similar nature, (v) physical or mental health or condition (or any genetic or biometric data), (vi) sexual orientation; (vii) the
commission or alleged commission of any offence, (viii) any information regarding judicial proceedings, (ix) any financial data, or
any information concerning (x) children; (xi) individual(s) or group(s) of individuals, who face any risks of harm (physical,
emotional, economical etc.) should be considered as sensitive data. Consider that the risk of harm is much higher for sensitive
data and stricter measures for protection should apply if such data is explicit personal data or is reasonably likely to identify an
individual(s) or a group of individuals. Consider also whether the data itself is not sensitive, but that its use may become sensitive
due to the sensitive context in which it is used.
	 Yes
	 No
	 Don’t know
	 Not applicable
Next step: As you go through the remaining sets of questions, please keep the data type you identified in the section above in
mind. If you answered “YES” to at least one of the questions above, the risk of harms is increased.
Part 2: Data Access and Data Use
2.1	 Means for data access
This question aims to help you understand the way in which you have obtained your data, to ensure that there is a legitimate
and lawful basis for you to have access to the data in the first place. It is important to understand that whether directly or
through a third-party contract, data should be obtained, collected, analyzed or otherwise used in conformity with the purposes
and principles of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights and other
applicable laws, including privacy laws as well as organizational rules and regulations.
How was the data obtained?
	 Directly from individual(s) (e.g., survey)
	 Through a data provider (e.g. website,
	 social media platform, telecom operator)
	 Don’t know
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
5/14
2.2	 Legitimacy and fairness of data access and use
Any personal data must be collected and otherwise used through legitimate and fair means. Personal data use may be based, for
example, on one or more of the following bases, subject to applicable law: i) consent of the individual whose data is used; ii)
authority of law; iii) the furtherance of international (intergovernmental) organizational mandates (e.g. in case where an
international intergovernmental organization is the holder of the mandate and is the implementer of a data project); iv) other
legitimate needs to protect the vital interest of an individual(s) or group(s) of individuals. Keep in mind that the legitimacy of your
right to use the data must be carefully assessed, taking into account applicable law, the context of data use, legal status of your
organization. The above bases (i-iv) are only included as examples for the purposes of this document.
Data should always be accessed, analyzed, or otherwise used taking into account the legitimate interests of those individuals
whose data is being used. Specifically, to ensure that data use is fair, data should not be used in a way that violates human rights,
or in any other ways that are likely to cause adverse effects on any individual(s) or group(s) of individuals. It is also recommended
that the legitimacy and fairness of data use always be assessed taking into account the risks, harms of data use and non-use.
Note on consent: Informed consent should be obtained prior to data collection or when the purpose of data re-use falls outside of
the purpose for which consent was originally obtained. Keep in mind that in many instances consent may not be adequately
informed. Thus, it is important to consider assessing the proportionality of risks, harms and benefits of data use even if consent
has been obtained.
While there may be an opportunity to obtain consent at the time of data collection, re-use of data often presents difficulties for
obtaining consent (e.g., in emergencies where you may no longer be in contact with the individuals concerned). In situations
where it is not possible or reasonably practical to obtain informed consent, as a last resort, data experts may still consider using
such data for the best or vital interest of an individual(s) or group(s) of individuals (e.g., to save their life, reunite families etc.). In
such instances, any decision to proceed without consent must be based on an additional detailed assessment of risks, harms and
benefits to justify such action and must be found fair and legitimate. Additionally, any use of personal or sensitive data should be
done in accordance with the principle of proportionality, where any potential risks and harms should not be excessive in relation
to the expected benefits of data use.
a)	 Do you have a legitimate basis for your data access and use?
	 Yes
	 No
	 Don’t know
	 Not applicable
b)	 Due diligence on third party data providers access to and use of data
This question usually applies when you are not a data collector, but rather obtained data from a third party (e.g. telecom operator,
social media platform, web site). It is important that you verify, to the extent reasonably practical, whether your data provider has
a legitimate basis to collect and share the data with you for the purposes of your project. For example, have you checked whether
your data provider has obtained adequate consent (e.g. directly or indirectly through the online terms of use) or has another
legitimate basis for sharing the data with you for the purposes compatible with your project? (See notes on “Lawfulness,
legitimacy, and fairness” above).
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
6/14
Does your data provider have a legitimate basis to provide access to the data for the purpose of the project?
	 Yes
	 No
	 Don’t know
	 Not applicable
c)	 Regulation and legal compliance
Make sure that you have obtained all regulatory and other required authorizations to proceed with the Project. (For example, the
use of telecom data may be restricted under telecommunication laws, and additional authorizations may be needed from a
telecommunication regulator; or the transfer of data from one country to another may need to comply with rules concerning
trans-border data flows).
Furthermore, to ensure that you have complied with the terms under which you have obtained the data, you should check existing
agreements, licenses, terms of use on social media platforms or terms of consent. If you are uncertain about this question, you
should consult with your privacy and legal expert.
Is your use of the data compliant with a) applicable laws and b) the terms under which you obtained the data?
	 Yes
	 No
	 Don’t know
	 Not applicable
2.3	 Purpose specification
Personal data should be used for specified legitimate purposes, taking into account the balancing of relevant rights, freedoms
and interests. The purpose of data use should be as narrowly defined as practically possible. Furthermore, requests or proposals
for data access (or collection where applicable) should also be narrowly tailored to a specified purpose. The purpose of data
access (or collection where applicable) should be articulated no later than the time of data access (or collection where
applicable). In answering this question, concentrate on the reason why you need the data. Also, think about articulating your
answer prior to or at the time of request for data.
Have you defined the purpose for which you will be using the data as narrowly and practically as possible?
	 Yes
	 No
	 Don’t know
	 Not applicable
Comments:
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
7/14
2.4	 Proportionality and necessity of data use
The use of personal data should be relevant, limited and adequate to what is necessary in relation to the specified purpose.
a)	 Purpose compatibility
Any data use must be compatible to the purposes for which it was obtained. Mere difference in purpose does not make your
purpose incompatible. In determining compatibility consider, for example, how deviation from your original purpose may affect an
individual(s) or group(s) of individuals; the type of data you are working with (e.g. public, sensitive or non-sensitive); measures
taken to safeguard the identity of individuals whose data is used (e.g. anonymization, encryption). There must be a legitimate and
fair basis for an incompatible deviation from the purpose for which the data was obtained. (See notes on “Lawfulness, legitimacy,
and fairness” above).
Is the purpose for which you will be using the data compatible with the purpose
for which you obtained the data?
	 Yes
	 No
	 Don’t know
	 Not applicable
b)	 Data minimization
Data access, analysis, or other use should be kept to the minimum amount necessary (to fulfill its legitimate purpose of use as
noted in points 3.1 and 3.2). Data access, collection, analysis or other use should be necessary, adequate, and relevant in relation
to the purposes for which the data has been obtained. Data minimization may entail limiting the number of individuals,
geographic area, or time period to that which is necessary to fulfil the project’s legitimate purpose. You should also be sure to
anticipate and minimize the incidental collection of any metadata in the course of your data processing. In answering this
question, consider if at any point in time in your project cycle you have the minimum data necessary to fulfill the purpose of
intended use.
Are all the data that you will be using necessary and not excessive?
	 Yes
	 No
	 Don’t know
	 Not applicable
2.5	 Data retention
Data should only be stored for as long as necessary to accomplish the specified purposes. Any retention of data should also be
lawful, legitimate, and fair. The data should be deleted and destroyed once it is no longer necessary for accomplishing the
specified purposes.
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
8/14
Are all the data that you will be using stored for no longer than the time necessary for the specified purposes?
	 Yes
	 No
	 Don’t know
	 Not applicable
2.6	 Data accuracy
Personal data should be accurate and, where necessary, up to date to fulfil the specified purposes. Data experts as well as
domain experts should be consulted, if necessary, to determine the relevance and quality of data sets. Data sets must be checked
for biases to avoid any adverse effects, including giving rise to unlawful and arbitrary discrimination.
Is your data accurate, up to date and relevant to the purpose of the project?
	 Yes
	 No
	 Don’t know
	 Not applicable
2.7	 Data Security and Confidentiality
Taking into account the available technology, cost of implementation and data type, organizational, administrative, physical and
technical safeguards and procedures, including efficient monitoring of data access and data breach notification procedures,
should be implemented to protect the security of personal data, against or from unauthorized or accidental access, damage, loss
or other risks presented by data processing. Embedding principles of privacy by design and employing privacy enhancing
technologies during every stage of the data life cycle is recommended as a measure to ensure robust data protection. Note that
proper security is necessary in every stage of your data use.
In considering security, special attention should be paid when data analysis is outsourced to subcontractors. Data access should
be limited to authorized personnel, based on the need-to-know principle. Personnel should undergo regular and systematic data
privacy and data security trainings. Prior to data use, the vulnerabilities of the security system (including data storage, way of
transfer etc.) should be assessed.
When considering the vulnerability of your security, consider the factors that can help you identify “weaknesses”—such as
intentional or unintentional unauthorized data leakage: (a) by a member of the project team; (b) by known third parties who have
requested or may have access, or may be motivated to get access to misuse the data and information; or (c) by unknown third
parties (e.g., due to the data or information release or publication strategy).
It is generally encouraged that personal data should be de-identified, where practically possible, including using such methods as
aggregation, pseudonymization or masking, to help minimize any potential risks to privacy. To minimize the possibility of re-
identification, de-identified data should not be analyzed or otherwise used by the same individuals who originally de-identified the
data.
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
9/14
It is important to ensure that the measures taken to protect the data do not compromise the data accuracy and overall value for
the intended use.
Note on confidentiality: Personal data should be processed with due regard to confidentiality. Confidentiality is an ethical duty
and protection afforded to data that has been shared legitimately with your organization. Inappropriate disclosure or use of
confidential information can harm the efficiency and credibility of your organization and damage its ability to achieve its
objectives. You should therefore ensure that sensitive or confidential information is carefully protected in order to safeguard the
interests of your organization, partners, data subjects and beneficiaries. Confidential information must never be disclosed or used
improperly for personal or other private gain.
Have you employed appropriate and reasonable technical and administrative safeguards (e.g. strong
security procedures, vulnerability assessments, encryption, de-identification of data, retention policies,
confidentiality/non-disclosure, data handling agreements) to protect your data from breach (e.g. intentional
or unintentional disclosure, leakage or misuse)?
	 Yes
	 No
	 Don’t know
	 Not applicable
Part 3: Communication about your project
3.1	Transparency
Transparency is a key factor in helping to ensure accountability and is generally encouraged. The use of personal data should be
carried out with transparency to the data subjects, as appropriate and whenever possible. Transparency can be achieved via
communication about your project, including by providing adequate notice about the data use, the principles and policies
governing the data use as well as information on how to request access, verification, rectification, and/or deletion of that personal
data, insofar as the specified purpose for which personal data is used is not frustrated.
Note on open data: Making the outcomes or data sets of your data innovation project public (i.e.“open”) can be important for
innovation. If you decide to make a data set open, you must conduct a separate assessment of risks, harms and benefits. In this
case, you may also want to provide transparent notices on the process and applicable procedures for making the data set open.
Have or will you communicate about the data use and other related information (to the data subject,
publicly or to other appropriate stakeholders)?
	 Yes
	 No
	 Don’t know
	 Not applicable
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
10/14
3.2	 Level of transparency
Being transparent about data use (e.g., publishing data sets, publishing an organization’s data use practices, publishing the
results of a data project, etc.) is generally encouraged when the benefits of being transparent are higher than the risks and
possible harms. There may be cases where being transparent would cause more harm than benefit; for instance, if doing so would
put vulnerable data subjects at risk of being identified. Also note that the level of detail (e.g., the level of aggregation) in a data set
that is being made open should be determined after a proper assessment of risks and harms.
Particular attention should be paid to whether, for example, publishing non-sensitive details about a project or making non-
identifiable datasets open can cause a mosaic effect with another open datasets. Accidental data linking or mosaic effect can
make an individual(s) or group(s) of individuals identifiable or visible, thus exposing the individual(s) or group(s) of individuals to
potential risks of harms.
Are there any risks and harms associated with the publication of the collected data or resulting reports and
are they proportionately high compared to the benefits?
	 Yes
	 No
	 Don’t know
	 Not applicable
Part 4: Data transfers
4.1	 Due diligence in selecting partner third parties (e.g., research partners and service providers,
	 including cloud computing providers, etc.).
Frequently, data related initiatives require collaboration with third parties-data providers (to obtain data); data analytics
companies (to assist with data analysis); and cloud or hosting companies (for computing and storage). In cases where
collaboration is required, you should only transfer personal data to a third party that will afford appropriate protection for that
data. It is therefore important that such potential collaborators are carefully chosen, through a proper due diligence vetting
process that also includes minimum check points for data protection compliance, the presence of privacy policies, and fair and
transparent data-related activities.
It is also important to ensure that third party collaborators are bound by necessary legal terms relating to data protection. These
may include: non-disclosure agreements and other agreements containing appropriate terms on data handling; data incident
history; adequate insurance, data transfer and data security conditions among other matters.
Note on cloud hosting: Many projects may use cloud or other hosting services, meaning that your organization does not maintain
security of the hardware. It is important to ensure that your chosen cloud or hosting provider, and the data center in which they
operate, have appropriate standards of security. Security certifications could be good evidence of your cloud provider’s security
compliance. When considering cloud storage and computing, take into account where the data will be actually located to
understand potential vulnerabilities, compliance with laws, the special status of an implementing organization, including their
privileges and immunities, where applicable, or rules concerning trans-border data flows.
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
11/14
Are your partners, if any, compliant with at least as strict standards and basic principles regarding data
privacy and data protection as outlined in this checklist?
	 Yes
	 No
	 Don’t know
	 Not applicable
Part 5: Risks and Harms
Any risks and harms assessment should take into consideration the context of data use, including social, geographic, political,
and religious factors. For example, analysis of the movement of vulnerable groups during humanitarian emergencies in conflict-
affected zones could also be used by non- intended users of data to target them with discrimination or persecution.
Any Risk, Harms and Benefits Assessment should consider the impact that data use may have on an individual(s) and/or group(s)
of individuals, whether legally visible or not, and whether known or unknown at the time of data use.
When assessing your data use, consider how it affects individual rights. Rather than taking rights in opposition to each other,
assessing the effect of data on individual rights in conjunction is recommended wherever possible. Use of data should be based
on the principle of proportionality. In particular, any potential risks and harms should not be excessive in relation to the positive
impacts (expected benefits) of data use. In answering questions 6.1 and 6.2 below also consider any potential risks and harms
associated with (or that could result from) every “No” answer or “Don’t Know” answer that you selected in the Sections above.
5.1	 Risks: Does your use of data pose any risks of harms to individuals or groups of individuals,
	 whether or not they can be directly identified, visible or known?
Risks should be assessed separately from harms. Note that not all risks may lead to harms. In answering this question, it is
important to concentrate on the likely risks. Types of risks may vary depending on the context. For example, some of the risks that
should be considered include data leakage, breach, unauthorized disclosure (intentional or unintentional), intentional data
misuse beyond the purposes for which the data was obtained/or intended to be used by your organization, risk of re-identification
or singling out, data not being complete or of good quality, etc.
Note that typically data analytics result in the production of a new data set. Such an outcome should be considered a risk as well,
and must be separately assessed for risks, harms and benefits before any further use/disclosure. Also, consider bias as a risk that
can be produced as a result of data use. (In many cases, bias can negatively affect an individual(s) or group(s) of individuals and
lead to harms).
	 Yes
	 No
	 Don’t know
	 Not applicable
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
12/14
If you do not know what kind of risks exist or whether the risks are likely, it is recommended that you perform a more
comprehensive Risk, Harms and Benefits Assessment (as a Step 2).
5.2	 Risk Mitigation: Are there any steps you can take to mitigate these risks?
If you have identified potential risks, please be sure to employ the necessary mitigation measures to reduce such risks to a
minimum. You should consider mitigation strategies to reduce the risks (e.g., enhancing overall data security strategy; changing
the passwords; training personnel; deleting unnecessary data) or alter the overall design of the project or dataset (e.g., by
reducing the data granularity or by limiting data access to only certain individuals or entities). Consider consulting with an expert
about how to mitigate the risks (i.e., the data expert, the legal or privacy expert, or the data security expert). After taking these
remedial steps, you should consider running through this checklist again.
	 Yes
	 No
	 Don’t know
	 Not applicable
5.3	 Harms: Is your project likely to cause harm to individuals or groups of individuals,
	 whether or not the individuals can be identified or known?
No one should be exposed to harm or undignified or discriminatory treatment as a consequence of data use. There are many
types of harms that should be considered, including: i) physical harms (e.g. serious bodily injury); ii) legal harms (e.g. loss of
privacy, free expression, or other rights); iii) economic harms (e.g. loss of property or livelihood); iv) psychological or emotional
(e.g. distress or depression); v) social harms (e.g. reputational damage); or other harms. An assessment of harms should consider
such key factors as i) the likelihood of occurrence of harms; ii) the potential magnitude of harms; iii) the potential severity of
harms.
Depending on the context, a non-identifiable group of individuals could also suffer harm as a result of unintended effects of the
data project’s outcome. It is therefore important to consider potential harms both to known/identifiable individuals or groups and
unknown or non-identifiable individuals or groups. For example, a project unrelated to an election may inadvertently identify a
group of individuals that were protesting against certain policies in a country. Even if the project does not identify who these
protesting individuals actually were, it could show that a certain group were from a specific village. In this case, it is critical to
consider that—depending on contextual factors (such as political, cultural, or geography)—information that protesters were from
a specific village, if known, may harm the entire village, if such information is misused and enables authorities to limit freedom of
speech as a result. For this reason, you will be asked to identify each harm for known and unknown individuals separately.
Note that the risks of harms may be higher for sensitive data. Decisions concerning use of sensitive data may involve consultation
with the individual(s) or a group(s) of individuals concerned (or their representative), where reasonably practical, to mitigate any
risks. If you do not know what kind of harms exist or you have identified significant harms, try to perform a more comprehensive
Risk, Harms and Benefits Assessment (as a Step 2 mentioned in the introduction section).
	 Yes
	 No
	 Don’t know
	 Not applicable
Comments:
Comments:
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
13/14
Part 6: Final assessment and rationale for decision
Based on your answers in Sections 1 – 5, explain if the risks and resulting harms are disproportionately high
compared to the expected positive impacts of this project.
Questions 1.1 – 1.3; 3.2; 5.1; 5.3 answered as “Yes” mean that the risk is present.
Questions 2.2 – 2.7; 4.1; 5.2 answered as “No” mean that the risk is present.
If you answered “Don’t Know” to any of the questions, consider it as a “risk factor”. You should not complete this assessment
unless all questions are answered “Yes”, “No” or “Not Applicable”.
If you have answered “Not applicable”, you should make sure that you explained why it is not applicable in the Comments column.
If you found any risks, you should assess the likelihood of the risks and likelihood, magnitude and severity of the resulting harms
and make sure to mitigate them before the project is undertaken.
If you identify that some of the risks or harms are unclear, or high, then you should perform a more comprehensive Risk, Harms,
Benefits Assessment as a Step 2 (as mentioned in the Introduction) and engage data security, privacy and legal experts.
If you have found that the likelihood of risks and harms is very low (or non-existent) in comparison to the probability of the positive
impact, you should now proceed with your project. Always bear in mind you should implement as many mitigation measures for
the identified risks (even if low).
After reviewing the above and reflecting on your answers, how will you proceed?
	 The risks and harms are more severe than the potential benefit of the project.
	 The risks cannot be mitigated. I will cancel the project.
	 The risks and harms are more severe than the potential benefit of the project.
	 However, I can mitigate the risks and proceed with the project.
	 The risks and harms are not likely, and if they are, they would not be severe.
	 Moreover, the benefits outweigh these risks. I will proceed with the project.
	 I do not know. I need more guidance from domain and data experts (legal, privacy, security, etc.).
Data innovation for development guide
RISKS, HARMS AND BENEFITS ASSESSMENT TOOL
14/14
Review team
Person who performed the assessment
This should be filled out and signed by the lead person responsible for conducting the assessment.
	Name:
	Title:
	Signature:
People who participated in or reviewed the assessment
(e.g. Project Lead, Data Security, Privacy, Legal Expert)
This should be filled out by those who assisted the lead person in making the decision or who have been consulted on specific
questions raised above, if any (add additional reviewers, if necessary). You can indicate the specific questions that this person
answered. If this person also helped to determine the final outcome of the overall assessment, please indicate in the comments
section.
	Name:
	Title:
	Signature:
	Name:
	Title:
	Signature:
	Name:
	Title:
	Signature:
	Name:
	Title:
	Signature:
	Name:
	Title:
	Signature:
Comments:
Comments:
Comments:
Comments:
Comments:
Comments:

More Related Content

What's hot

Gender Equality and Big Data. Making Gender Data Visible
Gender Equality and Big Data. Making Gender Data Visible Gender Equality and Big Data. Making Gender Data Visible
Gender Equality and Big Data. Making Gender Data Visible UN Global Pulse
 
Big Data For Development A Primer
Big Data For Development A PrimerBig Data For Development A Primer
Big Data For Development A PrimerUN Global Pulse
 
Integrating big data into the monitoring and evaluation of development progra...
Integrating big data into the monitoring and evaluation of development progra...Integrating big data into the monitoring and evaluation of development progra...
Integrating big data into the monitoring and evaluation of development progra...UN Global Pulse
 
Track 2 progress report 2015-2016 Pulse Lab Kampala
Track 2 progress report 2015-2016 Pulse Lab KampalaTrack 2 progress report 2015-2016 Pulse Lab Kampala
Track 2 progress report 2015-2016 Pulse Lab KampalaUN Global Pulse
 
PSFK Future Of Real-Time Information
PSFK Future Of Real-Time InformationPSFK Future Of Real-Time Information
PSFK Future Of Real-Time InformationPSFK
 
Open data barometer global report - 2nd edition
Open data barometer   global report - 2nd edition Open data barometer   global report - 2nd edition
Open data barometer global report - 2nd edition yann le gigan
 
Towards enrichment of the open government data: a stakeholder-centered determ...
Towards enrichment of the open government data: a stakeholder-centered determ...Towards enrichment of the open government data: a stakeholder-centered determ...
Towards enrichment of the open government data: a stakeholder-centered determ...Anastasija Nikiforova
 
Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...
Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...
Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...Anastasija Nikiforova
 
Open Government Data - updates from around the world
Open Government Data - updates from around the worldOpen Government Data - updates from around the world
Open Government Data - updates from around the worldAndrew Stott
 
#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...
#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...
#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...eraser Juan José Calderón
 
Social Big Data in Government
Social Big Data in GovernmentSocial Big Data in Government
Social Big Data in GovernmentAdegboyega Ojo
 
The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...
The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...
The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...Kristin Wolff
 
Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...
Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...
Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...eraser Juan José Calderón
 
Big Data and Social Media Mining in Crisis and Emergency Management
Big Data and Social Media Mining in Crisis and Emergency ManagementBig Data and Social Media Mining in Crisis and Emergency Management
Big Data and Social Media Mining in Crisis and Emergency ManagementBYTE Project
 
Using data effectively worskhop presentation
Using data effectively worskhop presentationUsing data effectively worskhop presentation
Using data effectively worskhop presentationcommunitylincs
 
What does “BIG DATA” mean for official statistics?
What does “BIG DATA” mean for official statistics?What does “BIG DATA” mean for official statistics?
What does “BIG DATA” mean for official statistics?Vincenzo Patruno
 

What's hot (20)

Gender Equality and Big Data. Making Gender Data Visible
Gender Equality and Big Data. Making Gender Data Visible Gender Equality and Big Data. Making Gender Data Visible
Gender Equality and Big Data. Making Gender Data Visible
 
Big Data For Development A Primer
Big Data For Development A PrimerBig Data For Development A Primer
Big Data For Development A Primer
 
Integrating big data into the monitoring and evaluation of development progra...
Integrating big data into the monitoring and evaluation of development progra...Integrating big data into the monitoring and evaluation of development progra...
Integrating big data into the monitoring and evaluation of development progra...
 
Track 2 progress report 2015-2016 Pulse Lab Kampala
Track 2 progress report 2015-2016 Pulse Lab KampalaTrack 2 progress report 2015-2016 Pulse Lab Kampala
Track 2 progress report 2015-2016 Pulse Lab Kampala
 
PSFK Future Of Real-Time Information
PSFK Future Of Real-Time InformationPSFK Future Of Real-Time Information
PSFK Future Of Real-Time Information
 
Open data barometer global report - 2nd edition
Open data barometer   global report - 2nd edition Open data barometer   global report - 2nd edition
Open data barometer global report - 2nd edition
 
Towards enrichment of the open government data: a stakeholder-centered determ...
Towards enrichment of the open government data: a stakeholder-centered determ...Towards enrichment of the open government data: a stakeholder-centered determ...
Towards enrichment of the open government data: a stakeholder-centered determ...
 
Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...
Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...
Invited talk "Open Data as a driver of Society 5.0: how you and your scientif...
 
Open Government Data - updates from around the world
Open Government Data - updates from around the worldOpen Government Data - updates from around the world
Open Government Data - updates from around the world
 
Tracking Typhoon Haiyan: Open Government Data in Disaster Response and Recovery
Tracking Typhoon Haiyan: Open Government Data in Disaster Response and RecoveryTracking Typhoon Haiyan: Open Government Data in Disaster Response and Recovery
Tracking Typhoon Haiyan: Open Government Data in Disaster Response and Recovery
 
#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...
#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...
#StopBigTechGoverningBigTech . More than 170 Civil Society Groups Worldwide O...
 
Big Data technology
Big Data technologyBig Data technology
Big Data technology
 
Social Big Data in Government
Social Big Data in GovernmentSocial Big Data in Government
Social Big Data in Government
 
The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...
The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...
The Emerging Workforce Data Ecosystem: New Strategies, Partners & Tools Helpi...
 
Public deck
Public deckPublic deck
Public deck
 
Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...
Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...
Predicting Big Data Adoption in Companies With an Explanatory and Predictive ...
 
Big Data and Social Media Mining in Crisis and Emergency Management
Big Data and Social Media Mining in Crisis and Emergency ManagementBig Data and Social Media Mining in Crisis and Emergency Management
Big Data and Social Media Mining in Crisis and Emergency Management
 
Measuring the promise of Open Data: Development of the Impact Monitoring Fram...
Measuring the promise of Open Data: Development of the Impact Monitoring Fram...Measuring the promise of Open Data: Development of the Impact Monitoring Fram...
Measuring the promise of Open Data: Development of the Impact Monitoring Fram...
 
Using data effectively worskhop presentation
Using data effectively worskhop presentationUsing data effectively worskhop presentation
Using data effectively worskhop presentation
 
What does “BIG DATA” mean for official statistics?
What does “BIG DATA” mean for official statistics?What does “BIG DATA” mean for official statistics?
What does “BIG DATA” mean for official statistics?
 

Similar to Risks, Harms and Benefits Assessment Tool (Updated as of Jan 2019)

InstructionsPaper A Application of a decision making framework
InstructionsPaper A Application of a decision making framework InstructionsPaper A Application of a decision making framework
InstructionsPaper A Application of a decision making framework lauricesatu
 
This assignment is an opportunity to explore and apply a decisio.docx
This assignment is an opportunity to explore and apply a decisio.docxThis assignment is an opportunity to explore and apply a decisio.docx
This assignment is an opportunity to explore and apply a decisio.docxrhetttrevannion
 
For this assignment, you are given an opportunity to explore and.docx
For this assignment, you are given an opportunity to explore and.docxFor this assignment, you are given an opportunity to explore and.docx
For this assignment, you are given an opportunity to explore and.docxshanaeacklam
 
Paper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docxPaper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docxhoney690131
 
Paper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docxPaper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docxdunnramage
 
Paper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docxPaper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docxhoney690131
 
Paper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docxPaper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docxsmile790243
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
Application of a decision making framework to an IT-related ethical
Application of a decision making framework to an IT-related ethical Application of a decision making framework to an IT-related ethical
Application of a decision making framework to an IT-related ethical mallisonshavon
 
Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)Amy Stowers
 
Brussels Privacy Hub: SATORI and iTRACK
Brussels Privacy Hub: SATORI and iTRACKBrussels Privacy Hub: SATORI and iTRACK
Brussels Privacy Hub: SATORI and iTRACKTrilateral Research
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
Evidence Based Healthcare Design
Evidence Based Healthcare DesignEvidence Based Healthcare Design
Evidence Based Healthcare DesignCarmen Martin
 
Objective Apply decision making frameworks to IT-related ethica.docx
Objective Apply decision making frameworks to IT-related ethica.docxObjective Apply decision making frameworks to IT-related ethica.docx
Objective Apply decision making frameworks to IT-related ethica.docxjuliennehar
 
Objective Apply decision making frameworks to IT-related ethical .docx
Objective Apply decision making frameworks to IT-related ethical .docxObjective Apply decision making frameworks to IT-related ethical .docx
Objective Apply decision making frameworks to IT-related ethical .docxhopeaustin33688
 
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit ClinicsRoad Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit ClinicsIOSR Journals
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 
Hivos and Responsible Data
Hivos and Responsible DataHivos and Responsible Data
Hivos and Responsible DataTom Walker
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskJohn Loveland
 

Similar to Risks, Harms and Benefits Assessment Tool (Updated as of Jan 2019) (20)

InstructionsPaper A Application of a decision making framework
InstructionsPaper A Application of a decision making framework InstructionsPaper A Application of a decision making framework
InstructionsPaper A Application of a decision making framework
 
This assignment is an opportunity to explore and apply a decisio.docx
This assignment is an opportunity to explore and apply a decisio.docxThis assignment is an opportunity to explore and apply a decisio.docx
This assignment is an opportunity to explore and apply a decisio.docx
 
For this assignment, you are given an opportunity to explore and.docx
For this assignment, you are given an opportunity to explore and.docxFor this assignment, you are given an opportunity to explore and.docx
For this assignment, you are given an opportunity to explore and.docx
 
Paper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docxPaper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docx
 
Paper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docxPaper A Application of a decision making framework to an IT-related.docx
Paper A Application of a decision making framework to an IT-related.docx
 
Paper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docxPaper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docx
 
Paper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docxPaper A Application of a decision making framework to an IT-rel.docx
Paper A Application of a decision making framework to an IT-rel.docx
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
Application of a decision making framework to an IT-related ethical
Application of a decision making framework to an IT-related ethical Application of a decision making framework to an IT-related ethical
Application of a decision making framework to an IT-related ethical
 
Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)
 
Brussels Privacy Hub: SATORI and iTRACK
Brussels Privacy Hub: SATORI and iTRACKBrussels Privacy Hub: SATORI and iTRACK
Brussels Privacy Hub: SATORI and iTRACK
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
Evidence Based Healthcare Design
Evidence Based Healthcare DesignEvidence Based Healthcare Design
Evidence Based Healthcare Design
 
Objective Apply decision making frameworks to IT-related ethica.docx
Objective Apply decision making frameworks to IT-related ethica.docxObjective Apply decision making frameworks to IT-related ethica.docx
Objective Apply decision making frameworks to IT-related ethica.docx
 
Objective Apply decision making frameworks to IT-related ethical .docx
Objective Apply decision making frameworks to IT-related ethical .docxObjective Apply decision making frameworks to IT-related ethical .docx
Objective Apply decision making frameworks to IT-related ethical .docx
 
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit ClinicsRoad Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
Hivos and Responsible Data
Hivos and Responsible DataHivos and Responsible Data
Hivos and Responsible Data
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info Risk
 

More from UN Global Pulse

Step 2: Due Diligence Questionnaire for Prospective Partners
Step 2: Due Diligence Questionnaire for Prospective PartnersStep 2: Due Diligence Questionnaire for Prospective Partners
Step 2: Due Diligence Questionnaire for Prospective PartnersUN Global Pulse
 
Step 1: Due Diligence Checklist for Prospective Partners
Step 1: Due Diligence Checklist for Prospective Partners Step 1: Due Diligence Checklist for Prospective Partners
Step 1: Due Diligence Checklist for Prospective Partners UN Global Pulse
 
Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...
Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...
Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...UN Global Pulse
 
Pulse Lab Kampala Progress Report 2016/2017
Pulse Lab Kampala Progress Report 2016/2017Pulse Lab Kampala Progress Report 2016/2017
Pulse Lab Kampala Progress Report 2016/2017UN Global Pulse
 
Pulse Lab Jakarta 2015 Annual Report
Pulse Lab Jakarta 2015 Annual Report Pulse Lab Jakarta 2015 Annual Report
Pulse Lab Jakarta 2015 Annual Report UN Global Pulse
 
Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...
Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...
Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...UN Global Pulse
 
Urban Vulnerability Mapping Toolkit
Urban Vulnerability Mapping ToolkitUrban Vulnerability Mapping Toolkit
Urban Vulnerability Mapping ToolkitUN Global Pulse
 
Navigating the Terrain: A Toolkit for Conceptualising Service Design Projects
Navigating the Terrain: A Toolkit for Conceptualising Service Design ProjectsNavigating the Terrain: A Toolkit for Conceptualising Service Design Projects
Navigating the Terrain: A Toolkit for Conceptualising Service Design ProjectsUN Global Pulse
 
Experimenting with Big Data and AI to Support Peace and Security
Experimenting with Big Data and AI to Support Peace and SecurityExperimenting with Big Data and AI to Support Peace and Security
Experimenting with Big Data and AI to Support Peace and SecurityUN Global Pulse
 
Banking on Fintech: Financial inclusion for micro enterprises in Indonesia
Banking on Fintech: Financial inclusion for micro enterprises in IndonesiaBanking on Fintech: Financial inclusion for micro enterprises in Indonesia
Banking on Fintech: Financial inclusion for micro enterprises in IndonesiaUN Global Pulse
 
Haze Gazer - Tool Overview
Haze Gazer - Tool Overview Haze Gazer - Tool Overview
Haze Gazer - Tool Overview UN Global Pulse
 
Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...
Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...
Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...UN Global Pulse
 
Sex Disaggregation of Social Media Posts - Tool Overview
Sex Disaggregation of Social Media Posts - Tool OverviewSex Disaggregation of Social Media Posts - Tool Overview
Sex Disaggregation of Social Media Posts - Tool OverviewUN Global Pulse
 
Using Big data Analytics for Improved Public Transport
Using Big data Analytics for Improved Public Transport Using Big data Analytics for Improved Public Transport
Using Big data Analytics for Improved Public Transport UN Global Pulse
 
Translator Gator - Tool Overview
Translator Gator - Tool Overview Translator Gator - Tool Overview
Translator Gator - Tool Overview UN Global Pulse
 
Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...
Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...
Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...UN Global Pulse
 
Understanding Perceptions of Migrants and Refugees with Social Media - Projec...
Understanding Perceptions of Migrants and Refugees with Social Media - Projec...Understanding Perceptions of Migrants and Refugees with Social Media - Projec...
Understanding Perceptions of Migrants and Refugees with Social Media - Projec...UN Global Pulse
 
Using vessel data to study rescue patterns in the mediterranean - Project Ove...
Using vessel data to study rescue patterns in the mediterranean - Project Ove...Using vessel data to study rescue patterns in the mediterranean - Project Ove...
Using vessel data to study rescue patterns in the mediterranean - Project Ove...UN Global Pulse
 
Improving Professional Training in Indonesia with Gaming Data - Project Overview
Improving Professional Training in Indonesia with Gaming Data - Project OverviewImproving Professional Training in Indonesia with Gaming Data - Project Overview
Improving Professional Training in Indonesia with Gaming Data - Project OverviewUN Global Pulse
 
Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...
Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...
Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...UN Global Pulse
 

More from UN Global Pulse (20)

Step 2: Due Diligence Questionnaire for Prospective Partners
Step 2: Due Diligence Questionnaire for Prospective PartnersStep 2: Due Diligence Questionnaire for Prospective Partners
Step 2: Due Diligence Questionnaire for Prospective Partners
 
Step 1: Due Diligence Checklist for Prospective Partners
Step 1: Due Diligence Checklist for Prospective Partners Step 1: Due Diligence Checklist for Prospective Partners
Step 1: Due Diligence Checklist for Prospective Partners
 
Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...
Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...
Using Data and New Technology for Peacemaking, Preventive Diplomacy, and Peac...
 
Pulse Lab Kampala Progress Report 2016/2017
Pulse Lab Kampala Progress Report 2016/2017Pulse Lab Kampala Progress Report 2016/2017
Pulse Lab Kampala Progress Report 2016/2017
 
Pulse Lab Jakarta 2015 Annual Report
Pulse Lab Jakarta 2015 Annual Report Pulse Lab Jakarta 2015 Annual Report
Pulse Lab Jakarta 2015 Annual Report
 
Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...
Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...
Embracing Innovation: How a Social Lab can Support the Innovation Agenda in S...
 
Urban Vulnerability Mapping Toolkit
Urban Vulnerability Mapping ToolkitUrban Vulnerability Mapping Toolkit
Urban Vulnerability Mapping Toolkit
 
Navigating the Terrain: A Toolkit for Conceptualising Service Design Projects
Navigating the Terrain: A Toolkit for Conceptualising Service Design ProjectsNavigating the Terrain: A Toolkit for Conceptualising Service Design Projects
Navigating the Terrain: A Toolkit for Conceptualising Service Design Projects
 
Experimenting with Big Data and AI to Support Peace and Security
Experimenting with Big Data and AI to Support Peace and SecurityExperimenting with Big Data and AI to Support Peace and Security
Experimenting with Big Data and AI to Support Peace and Security
 
Banking on Fintech: Financial inclusion for micro enterprises in Indonesia
Banking on Fintech: Financial inclusion for micro enterprises in IndonesiaBanking on Fintech: Financial inclusion for micro enterprises in Indonesia
Banking on Fintech: Financial inclusion for micro enterprises in Indonesia
 
Haze Gazer - Tool Overview
Haze Gazer - Tool Overview Haze Gazer - Tool Overview
Haze Gazer - Tool Overview
 
Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...
Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...
Building Proxy Indicators of National Wellbeing with Postal Data - Project Ov...
 
Sex Disaggregation of Social Media Posts - Tool Overview
Sex Disaggregation of Social Media Posts - Tool OverviewSex Disaggregation of Social Media Posts - Tool Overview
Sex Disaggregation of Social Media Posts - Tool Overview
 
Using Big data Analytics for Improved Public Transport
Using Big data Analytics for Improved Public Transport Using Big data Analytics for Improved Public Transport
Using Big data Analytics for Improved Public Transport
 
Translator Gator - Tool Overview
Translator Gator - Tool Overview Translator Gator - Tool Overview
Translator Gator - Tool Overview
 
Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...
Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...
Big Data for Financial Inclusion, Examining the Customer Journey - Project Ov...
 
Understanding Perceptions of Migrants and Refugees with Social Media - Projec...
Understanding Perceptions of Migrants and Refugees with Social Media - Projec...Understanding Perceptions of Migrants and Refugees with Social Media - Projec...
Understanding Perceptions of Migrants and Refugees with Social Media - Projec...
 
Using vessel data to study rescue patterns in the mediterranean - Project Ove...
Using vessel data to study rescue patterns in the mediterranean - Project Ove...Using vessel data to study rescue patterns in the mediterranean - Project Ove...
Using vessel data to study rescue patterns in the mediterranean - Project Ove...
 
Improving Professional Training in Indonesia with Gaming Data - Project Overview
Improving Professional Training in Indonesia with Gaming Data - Project OverviewImproving Professional Training in Indonesia with Gaming Data - Project Overview
Improving Professional Training in Indonesia with Gaming Data - Project Overview
 
Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...
Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...
Ambulance Tracking Tool Helps Improve Coordination of Emergency Service Vehic...
 

Recently uploaded

ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics InfrastructureChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructuresonikadigital1
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Vladislav Solodkiy
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best PracticesDataArchiva
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024Becky Burwell
 
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityStrategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityAggregage
 
YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.JasonViviers2
 
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...PrithaVashisht1
 
Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxMapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxVenkatasubramani13
 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?sonikadigital1
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerPavel Šabatka
 
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxTINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxDwiAyuSitiHartinah
 
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionCI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionajayrajaganeshkayala
 
MEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .pptMEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .pptaigil2
 
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Guido X Jansen
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationGiorgio Carbone
 
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product IntroductionVirtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introductionsanjaymuralee1
 
AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)Data & Analytics Magazin
 

Recently uploaded (17)

ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics InfrastructureChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructure
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024
 
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityStrategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
 
YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.YourView Panel Book.pptx YourView Panel Book.
YourView Panel Book.pptx YourView Panel Book.
 
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...
 
Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxMapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptx
 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayer
 
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxTINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
 
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionCI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual intervention
 
MEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .pptMEASURES OF DISPERSION I BSc Botany .ppt
MEASURES OF DISPERSION I BSc Botany .ppt
 
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - Presentation
 
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product IntroductionVirtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introduction
 
AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)AI for Sustainable Development Goals (SDGs)
AI for Sustainable Development Goals (SDGs)
 

Risks, Harms and Benefits Assessment Tool (Updated as of Jan 2019)

  • 1. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 1/14 CHECKLIST Rationale for the checklist: Large-scale social or behavioural data may not always contain directly identifiable personal data and/ or may be derived from public sources. Nevertheless, its use could potentially cause harm to individuals. Data use should be always assessed in light of its impact (negative or positive) on individual rights. This risk assessment tool (or checklist) outlines a set of minimum checkpoints, intended to help you to understand and minimize the risks of harms and maximize the positive impacts of a data innovation project (and is intended primarily for projects implemented within international development and humanitarian organizations). When to use the checklist: The checklist should be considered before a new project is launched, when new sources of data or technology are being incorporated into an existing project, or when an existing project is substantially changed. In particular, this assessment should consider every stage of the project’s data life cycle: data collection, data transmission, data analysis, data storage, and publication of results. How to use the checklist: If possible, the questions raised by the checklist should be considered by a diverse team comprised of the project leader as well as other subject matter experts, including—where reasonably practical—a representative of the individuals or groups of individuals who could be potentially affected by the use of data. Consider consulting with data experts, including data privacy experts, and legal experts so that they can assist with answering these questions and help to further mitigate potential risks, where necessary. Note that the checklist was developed by Global Pulse as part of a more comprehensive Risks, Harms and Benefits Assessment, consisting of Two Steps: (I) Initial Assessment and (II) Comprehensive Risks, Harms and Benefits Assessment. This checklist is an Initial Assessment that should help to determine whether a Comprehensive Risks, Harms and Benefits Assessment should be conducted. Nature of the checklist: This checklist is not a legal document and is not based on any specific national law. It draws inspiration from international and regional frameworks concerning data privacy and data protection. The document provides only a minimum set of questions and guiding comments. The checklist and guiding comments are designed primarily as a general example for internal self-regulation. As this checklist offers only minimum guidance, you are encouraged to expand the list depending on the project’s needs, risks, or specific context, or in response to the evolving data landscape. Depending on the implementing organization (its legal status/nature) and applicable laws, the guiding principles, standards and basis for answering these questions may need to be changed. For more information or to provide input on the checklist, please contact dataprivacy@unglobalpulse.org. This checklist is a living document and will change over time in response to the evolving data landscape. The latest version of the Risks, Harms and Benefits Assessment is available at www.unglobalpulse.org/privacy/tools. For more information on the privacy protective and ethical use of data, please refer to the UN Principles on the Protection of Personal Data and Privacy and the UNDG Data Privacy, Ethics and Protection Guidance Note (2018).
  • 2. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 2/14 Instructions for completion Please be sure to answer all of the questions by choosing at least one of the following answers: “Yes,”“No,”“Don’t Know,” or “Not Applicable.” Please use the comments column to explain your decision where necessary. For every “Not Applicable” answer, please provide an explanation in the comments. Every “Don’t Know” answer should be automatically considered a risk factor that requires further consultation with a domain expert before a project is undertaken. Once you have properly consulted with an expert regarding the issue, please be sure to go back to the checklist and change your answer in the form to finalize your checklist. A final decision should not be made if there is any answer marked “Don’t Know.” Project information Describe the purpose of the data use (e.g., reasons, benefits): Name the parties involved in the project and their roles (e.g., controller, processor, beneficiaries, etc.): Any other relevant details:
  • 3. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 3/14 Part 1: Type of Data Personal Data: For the purposes of this document, personal data means any data relating to an identified or identifiable individual, who can be identified, directly or indirectly, by means reasonably likely to be used related to that data, including where an individual can be identified from linking the data to other data or information reasonably available in any form or medium. If you are using publicly available data, note that this data can also be personal, and therefore may involve some of the same considerations as non-public personal data. 1.1 Will you use (e.g. collect, store, transmit, analyse etc.) data that directly identifies individuals? Personal data directly relating to an identified or identifiable individual may include, for example, name, date of birth, gender, age, location, user name, phone number, email address, ID/social security number, IP address, device identifiers, account numbers, etc. Yes No Don’t know Not applicable 1.2 Will you use data that does not directly identify an individual, but that could be used to single out a unique individual by applying existing and readily accessible means and technologies? Keep in mind that de-identified data (e.g., where all personal identifiers—such as name, date of birth, exact location, etc.—are removed), while not directly linked to an individual(s) or group(s) of individuals, can still single out an individual(s) or group(s) of individuals with the use of adequate technology, skills, and intent, and thus may require the same level of protection as explicit personal data. To determine whether an individual(s) or group(s) of individuals is identifiable, consider all of the means reasonably likely to be used to single out an individual(s)or group(s) of individuals. Factors that influence a likelihood of re-identification include availability of expertise, costs, amount of time required for re-identification and reasonably and commercially available technology. Yes No Don’t know Not applicable Comments: Comments:
  • 4. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 4/14 1.3 Will you use sensitive data? Any data related to (i) racial or ethnic origin, (ii) political opinions, (iii) trade union association, (iv) religious beliefs or other beliefs of a similar nature, (v) physical or mental health or condition (or any genetic or biometric data), (vi) sexual orientation; (vii) the commission or alleged commission of any offence, (viii) any information regarding judicial proceedings, (ix) any financial data, or any information concerning (x) children; (xi) individual(s) or group(s) of individuals, who face any risks of harm (physical, emotional, economical etc.) should be considered as sensitive data. Consider that the risk of harm is much higher for sensitive data and stricter measures for protection should apply if such data is explicit personal data or is reasonably likely to identify an individual(s) or a group of individuals. Consider also whether the data itself is not sensitive, but that its use may become sensitive due to the sensitive context in which it is used. Yes No Don’t know Not applicable Next step: As you go through the remaining sets of questions, please keep the data type you identified in the section above in mind. If you answered “YES” to at least one of the questions above, the risk of harms is increased. Part 2: Data Access and Data Use 2.1 Means for data access This question aims to help you understand the way in which you have obtained your data, to ensure that there is a legitimate and lawful basis for you to have access to the data in the first place. It is important to understand that whether directly or through a third-party contract, data should be obtained, collected, analyzed or otherwise used in conformity with the purposes and principles of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights and other applicable laws, including privacy laws as well as organizational rules and regulations. How was the data obtained? Directly from individual(s) (e.g., survey) Through a data provider (e.g. website, social media platform, telecom operator) Don’t know Comments: Comments:
  • 5. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 5/14 2.2 Legitimacy and fairness of data access and use Any personal data must be collected and otherwise used through legitimate and fair means. Personal data use may be based, for example, on one or more of the following bases, subject to applicable law: i) consent of the individual whose data is used; ii) authority of law; iii) the furtherance of international (intergovernmental) organizational mandates (e.g. in case where an international intergovernmental organization is the holder of the mandate and is the implementer of a data project); iv) other legitimate needs to protect the vital interest of an individual(s) or group(s) of individuals. Keep in mind that the legitimacy of your right to use the data must be carefully assessed, taking into account applicable law, the context of data use, legal status of your organization. The above bases (i-iv) are only included as examples for the purposes of this document. Data should always be accessed, analyzed, or otherwise used taking into account the legitimate interests of those individuals whose data is being used. Specifically, to ensure that data use is fair, data should not be used in a way that violates human rights, or in any other ways that are likely to cause adverse effects on any individual(s) or group(s) of individuals. It is also recommended that the legitimacy and fairness of data use always be assessed taking into account the risks, harms of data use and non-use. Note on consent: Informed consent should be obtained prior to data collection or when the purpose of data re-use falls outside of the purpose for which consent was originally obtained. Keep in mind that in many instances consent may not be adequately informed. Thus, it is important to consider assessing the proportionality of risks, harms and benefits of data use even if consent has been obtained. While there may be an opportunity to obtain consent at the time of data collection, re-use of data often presents difficulties for obtaining consent (e.g., in emergencies where you may no longer be in contact with the individuals concerned). In situations where it is not possible or reasonably practical to obtain informed consent, as a last resort, data experts may still consider using such data for the best or vital interest of an individual(s) or group(s) of individuals (e.g., to save their life, reunite families etc.). In such instances, any decision to proceed without consent must be based on an additional detailed assessment of risks, harms and benefits to justify such action and must be found fair and legitimate. Additionally, any use of personal or sensitive data should be done in accordance with the principle of proportionality, where any potential risks and harms should not be excessive in relation to the expected benefits of data use. a) Do you have a legitimate basis for your data access and use? Yes No Don’t know Not applicable b) Due diligence on third party data providers access to and use of data This question usually applies when you are not a data collector, but rather obtained data from a third party (e.g. telecom operator, social media platform, web site). It is important that you verify, to the extent reasonably practical, whether your data provider has a legitimate basis to collect and share the data with you for the purposes of your project. For example, have you checked whether your data provider has obtained adequate consent (e.g. directly or indirectly through the online terms of use) or has another legitimate basis for sharing the data with you for the purposes compatible with your project? (See notes on “Lawfulness, legitimacy, and fairness” above). Comments:
  • 6. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 6/14 Does your data provider have a legitimate basis to provide access to the data for the purpose of the project? Yes No Don’t know Not applicable c) Regulation and legal compliance Make sure that you have obtained all regulatory and other required authorizations to proceed with the Project. (For example, the use of telecom data may be restricted under telecommunication laws, and additional authorizations may be needed from a telecommunication regulator; or the transfer of data from one country to another may need to comply with rules concerning trans-border data flows). Furthermore, to ensure that you have complied with the terms under which you have obtained the data, you should check existing agreements, licenses, terms of use on social media platforms or terms of consent. If you are uncertain about this question, you should consult with your privacy and legal expert. Is your use of the data compliant with a) applicable laws and b) the terms under which you obtained the data? Yes No Don’t know Not applicable 2.3 Purpose specification Personal data should be used for specified legitimate purposes, taking into account the balancing of relevant rights, freedoms and interests. The purpose of data use should be as narrowly defined as practically possible. Furthermore, requests or proposals for data access (or collection where applicable) should also be narrowly tailored to a specified purpose. The purpose of data access (or collection where applicable) should be articulated no later than the time of data access (or collection where applicable). In answering this question, concentrate on the reason why you need the data. Also, think about articulating your answer prior to or at the time of request for data. Have you defined the purpose for which you will be using the data as narrowly and practically as possible? Yes No Don’t know Not applicable Comments: Comments: Comments:
  • 7. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 7/14 2.4 Proportionality and necessity of data use The use of personal data should be relevant, limited and adequate to what is necessary in relation to the specified purpose. a) Purpose compatibility Any data use must be compatible to the purposes for which it was obtained. Mere difference in purpose does not make your purpose incompatible. In determining compatibility consider, for example, how deviation from your original purpose may affect an individual(s) or group(s) of individuals; the type of data you are working with (e.g. public, sensitive or non-sensitive); measures taken to safeguard the identity of individuals whose data is used (e.g. anonymization, encryption). There must be a legitimate and fair basis for an incompatible deviation from the purpose for which the data was obtained. (See notes on “Lawfulness, legitimacy, and fairness” above). Is the purpose for which you will be using the data compatible with the purpose for which you obtained the data? Yes No Don’t know Not applicable b) Data minimization Data access, analysis, or other use should be kept to the minimum amount necessary (to fulfill its legitimate purpose of use as noted in points 3.1 and 3.2). Data access, collection, analysis or other use should be necessary, adequate, and relevant in relation to the purposes for which the data has been obtained. Data minimization may entail limiting the number of individuals, geographic area, or time period to that which is necessary to fulfil the project’s legitimate purpose. You should also be sure to anticipate and minimize the incidental collection of any metadata in the course of your data processing. In answering this question, consider if at any point in time in your project cycle you have the minimum data necessary to fulfill the purpose of intended use. Are all the data that you will be using necessary and not excessive? Yes No Don’t know Not applicable 2.5 Data retention Data should only be stored for as long as necessary to accomplish the specified purposes. Any retention of data should also be lawful, legitimate, and fair. The data should be deleted and destroyed once it is no longer necessary for accomplishing the specified purposes. Comments: Comments:
  • 8. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 8/14 Are all the data that you will be using stored for no longer than the time necessary for the specified purposes? Yes No Don’t know Not applicable 2.6 Data accuracy Personal data should be accurate and, where necessary, up to date to fulfil the specified purposes. Data experts as well as domain experts should be consulted, if necessary, to determine the relevance and quality of data sets. Data sets must be checked for biases to avoid any adverse effects, including giving rise to unlawful and arbitrary discrimination. Is your data accurate, up to date and relevant to the purpose of the project? Yes No Don’t know Not applicable 2.7 Data Security and Confidentiality Taking into account the available technology, cost of implementation and data type, organizational, administrative, physical and technical safeguards and procedures, including efficient monitoring of data access and data breach notification procedures, should be implemented to protect the security of personal data, against or from unauthorized or accidental access, damage, loss or other risks presented by data processing. Embedding principles of privacy by design and employing privacy enhancing technologies during every stage of the data life cycle is recommended as a measure to ensure robust data protection. Note that proper security is necessary in every stage of your data use. In considering security, special attention should be paid when data analysis is outsourced to subcontractors. Data access should be limited to authorized personnel, based on the need-to-know principle. Personnel should undergo regular and systematic data privacy and data security trainings. Prior to data use, the vulnerabilities of the security system (including data storage, way of transfer etc.) should be assessed. When considering the vulnerability of your security, consider the factors that can help you identify “weaknesses”—such as intentional or unintentional unauthorized data leakage: (a) by a member of the project team; (b) by known third parties who have requested or may have access, or may be motivated to get access to misuse the data and information; or (c) by unknown third parties (e.g., due to the data or information release or publication strategy). It is generally encouraged that personal data should be de-identified, where practically possible, including using such methods as aggregation, pseudonymization or masking, to help minimize any potential risks to privacy. To minimize the possibility of re- identification, de-identified data should not be analyzed or otherwise used by the same individuals who originally de-identified the data. Comments: Comments:
  • 9. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 9/14 It is important to ensure that the measures taken to protect the data do not compromise the data accuracy and overall value for the intended use. Note on confidentiality: Personal data should be processed with due regard to confidentiality. Confidentiality is an ethical duty and protection afforded to data that has been shared legitimately with your organization. Inappropriate disclosure or use of confidential information can harm the efficiency and credibility of your organization and damage its ability to achieve its objectives. You should therefore ensure that sensitive or confidential information is carefully protected in order to safeguard the interests of your organization, partners, data subjects and beneficiaries. Confidential information must never be disclosed or used improperly for personal or other private gain. Have you employed appropriate and reasonable technical and administrative safeguards (e.g. strong security procedures, vulnerability assessments, encryption, de-identification of data, retention policies, confidentiality/non-disclosure, data handling agreements) to protect your data from breach (e.g. intentional or unintentional disclosure, leakage or misuse)? Yes No Don’t know Not applicable Part 3: Communication about your project 3.1 Transparency Transparency is a key factor in helping to ensure accountability and is generally encouraged. The use of personal data should be carried out with transparency to the data subjects, as appropriate and whenever possible. Transparency can be achieved via communication about your project, including by providing adequate notice about the data use, the principles and policies governing the data use as well as information on how to request access, verification, rectification, and/or deletion of that personal data, insofar as the specified purpose for which personal data is used is not frustrated. Note on open data: Making the outcomes or data sets of your data innovation project public (i.e.“open”) can be important for innovation. If you decide to make a data set open, you must conduct a separate assessment of risks, harms and benefits. In this case, you may also want to provide transparent notices on the process and applicable procedures for making the data set open. Have or will you communicate about the data use and other related information (to the data subject, publicly or to other appropriate stakeholders)? Yes No Don’t know Not applicable Comments: Comments:
  • 10. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 10/14 3.2 Level of transparency Being transparent about data use (e.g., publishing data sets, publishing an organization’s data use practices, publishing the results of a data project, etc.) is generally encouraged when the benefits of being transparent are higher than the risks and possible harms. There may be cases where being transparent would cause more harm than benefit; for instance, if doing so would put vulnerable data subjects at risk of being identified. Also note that the level of detail (e.g., the level of aggregation) in a data set that is being made open should be determined after a proper assessment of risks and harms. Particular attention should be paid to whether, for example, publishing non-sensitive details about a project or making non- identifiable datasets open can cause a mosaic effect with another open datasets. Accidental data linking or mosaic effect can make an individual(s) or group(s) of individuals identifiable or visible, thus exposing the individual(s) or group(s) of individuals to potential risks of harms. Are there any risks and harms associated with the publication of the collected data or resulting reports and are they proportionately high compared to the benefits? Yes No Don’t know Not applicable Part 4: Data transfers 4.1 Due diligence in selecting partner third parties (e.g., research partners and service providers, including cloud computing providers, etc.). Frequently, data related initiatives require collaboration with third parties-data providers (to obtain data); data analytics companies (to assist with data analysis); and cloud or hosting companies (for computing and storage). In cases where collaboration is required, you should only transfer personal data to a third party that will afford appropriate protection for that data. It is therefore important that such potential collaborators are carefully chosen, through a proper due diligence vetting process that also includes minimum check points for data protection compliance, the presence of privacy policies, and fair and transparent data-related activities. It is also important to ensure that third party collaborators are bound by necessary legal terms relating to data protection. These may include: non-disclosure agreements and other agreements containing appropriate terms on data handling; data incident history; adequate insurance, data transfer and data security conditions among other matters. Note on cloud hosting: Many projects may use cloud or other hosting services, meaning that your organization does not maintain security of the hardware. It is important to ensure that your chosen cloud or hosting provider, and the data center in which they operate, have appropriate standards of security. Security certifications could be good evidence of your cloud provider’s security compliance. When considering cloud storage and computing, take into account where the data will be actually located to understand potential vulnerabilities, compliance with laws, the special status of an implementing organization, including their privileges and immunities, where applicable, or rules concerning trans-border data flows. Comments:
  • 11. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 11/14 Are your partners, if any, compliant with at least as strict standards and basic principles regarding data privacy and data protection as outlined in this checklist? Yes No Don’t know Not applicable Part 5: Risks and Harms Any risks and harms assessment should take into consideration the context of data use, including social, geographic, political, and religious factors. For example, analysis of the movement of vulnerable groups during humanitarian emergencies in conflict- affected zones could also be used by non- intended users of data to target them with discrimination or persecution. Any Risk, Harms and Benefits Assessment should consider the impact that data use may have on an individual(s) and/or group(s) of individuals, whether legally visible or not, and whether known or unknown at the time of data use. When assessing your data use, consider how it affects individual rights. Rather than taking rights in opposition to each other, assessing the effect of data on individual rights in conjunction is recommended wherever possible. Use of data should be based on the principle of proportionality. In particular, any potential risks and harms should not be excessive in relation to the positive impacts (expected benefits) of data use. In answering questions 6.1 and 6.2 below also consider any potential risks and harms associated with (or that could result from) every “No” answer or “Don’t Know” answer that you selected in the Sections above. 5.1 Risks: Does your use of data pose any risks of harms to individuals or groups of individuals, whether or not they can be directly identified, visible or known? Risks should be assessed separately from harms. Note that not all risks may lead to harms. In answering this question, it is important to concentrate on the likely risks. Types of risks may vary depending on the context. For example, some of the risks that should be considered include data leakage, breach, unauthorized disclosure (intentional or unintentional), intentional data misuse beyond the purposes for which the data was obtained/or intended to be used by your organization, risk of re-identification or singling out, data not being complete or of good quality, etc. Note that typically data analytics result in the production of a new data set. Such an outcome should be considered a risk as well, and must be separately assessed for risks, harms and benefits before any further use/disclosure. Also, consider bias as a risk that can be produced as a result of data use. (In many cases, bias can negatively affect an individual(s) or group(s) of individuals and lead to harms). Yes No Don’t know Not applicable Comments: Comments:
  • 12. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 12/14 If you do not know what kind of risks exist or whether the risks are likely, it is recommended that you perform a more comprehensive Risk, Harms and Benefits Assessment (as a Step 2). 5.2 Risk Mitigation: Are there any steps you can take to mitigate these risks? If you have identified potential risks, please be sure to employ the necessary mitigation measures to reduce such risks to a minimum. You should consider mitigation strategies to reduce the risks (e.g., enhancing overall data security strategy; changing the passwords; training personnel; deleting unnecessary data) or alter the overall design of the project or dataset (e.g., by reducing the data granularity or by limiting data access to only certain individuals or entities). Consider consulting with an expert about how to mitigate the risks (i.e., the data expert, the legal or privacy expert, or the data security expert). After taking these remedial steps, you should consider running through this checklist again. Yes No Don’t know Not applicable 5.3 Harms: Is your project likely to cause harm to individuals or groups of individuals, whether or not the individuals can be identified or known? No one should be exposed to harm or undignified or discriminatory treatment as a consequence of data use. There are many types of harms that should be considered, including: i) physical harms (e.g. serious bodily injury); ii) legal harms (e.g. loss of privacy, free expression, or other rights); iii) economic harms (e.g. loss of property or livelihood); iv) psychological or emotional (e.g. distress or depression); v) social harms (e.g. reputational damage); or other harms. An assessment of harms should consider such key factors as i) the likelihood of occurrence of harms; ii) the potential magnitude of harms; iii) the potential severity of harms. Depending on the context, a non-identifiable group of individuals could also suffer harm as a result of unintended effects of the data project’s outcome. It is therefore important to consider potential harms both to known/identifiable individuals or groups and unknown or non-identifiable individuals or groups. For example, a project unrelated to an election may inadvertently identify a group of individuals that were protesting against certain policies in a country. Even if the project does not identify who these protesting individuals actually were, it could show that a certain group were from a specific village. In this case, it is critical to consider that—depending on contextual factors (such as political, cultural, or geography)—information that protesters were from a specific village, if known, may harm the entire village, if such information is misused and enables authorities to limit freedom of speech as a result. For this reason, you will be asked to identify each harm for known and unknown individuals separately. Note that the risks of harms may be higher for sensitive data. Decisions concerning use of sensitive data may involve consultation with the individual(s) or a group(s) of individuals concerned (or their representative), where reasonably practical, to mitigate any risks. If you do not know what kind of harms exist or you have identified significant harms, try to perform a more comprehensive Risk, Harms and Benefits Assessment (as a Step 2 mentioned in the introduction section). Yes No Don’t know Not applicable Comments: Comments:
  • 13. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 13/14 Part 6: Final assessment and rationale for decision Based on your answers in Sections 1 – 5, explain if the risks and resulting harms are disproportionately high compared to the expected positive impacts of this project. Questions 1.1 – 1.3; 3.2; 5.1; 5.3 answered as “Yes” mean that the risk is present. Questions 2.2 – 2.7; 4.1; 5.2 answered as “No” mean that the risk is present. If you answered “Don’t Know” to any of the questions, consider it as a “risk factor”. You should not complete this assessment unless all questions are answered “Yes”, “No” or “Not Applicable”. If you have answered “Not applicable”, you should make sure that you explained why it is not applicable in the Comments column. If you found any risks, you should assess the likelihood of the risks and likelihood, magnitude and severity of the resulting harms and make sure to mitigate them before the project is undertaken. If you identify that some of the risks or harms are unclear, or high, then you should perform a more comprehensive Risk, Harms, Benefits Assessment as a Step 2 (as mentioned in the Introduction) and engage data security, privacy and legal experts. If you have found that the likelihood of risks and harms is very low (or non-existent) in comparison to the probability of the positive impact, you should now proceed with your project. Always bear in mind you should implement as many mitigation measures for the identified risks (even if low). After reviewing the above and reflecting on your answers, how will you proceed? The risks and harms are more severe than the potential benefit of the project. The risks cannot be mitigated. I will cancel the project. The risks and harms are more severe than the potential benefit of the project. However, I can mitigate the risks and proceed with the project. The risks and harms are not likely, and if they are, they would not be severe. Moreover, the benefits outweigh these risks. I will proceed with the project. I do not know. I need more guidance from domain and data experts (legal, privacy, security, etc.).
  • 14. Data innovation for development guide RISKS, HARMS AND BENEFITS ASSESSMENT TOOL 14/14 Review team Person who performed the assessment This should be filled out and signed by the lead person responsible for conducting the assessment. Name: Title: Signature: People who participated in or reviewed the assessment (e.g. Project Lead, Data Security, Privacy, Legal Expert) This should be filled out by those who assisted the lead person in making the decision or who have been consulted on specific questions raised above, if any (add additional reviewers, if necessary). You can indicate the specific questions that this person answered. If this person also helped to determine the final outcome of the overall assessment, please indicate in the comments section. Name: Title: Signature: Name: Title: Signature: Name: Title: Signature: Name: Title: Signature: Name: Title: Signature: Comments: Comments: Comments: Comments: Comments: Comments: