What data storage has to do with tech-related VAW

Dealing with incidents of tech-related violence involves reporting, investigating and collecting evidence. Collecting data is critical, as tech-related VAW is an increasing but under-analysed issue due to lack of valuable data. Record-keeping can help your workplace or community establish the existence of an ongoing or frequent problem, explore risk factors, analyse the effectiveness of policies and protocols and identify training needs.

An increase in sensitive digital or physical files related to VAW, however, can create additional vulnerabilities for the people involved.

The confidentiality of survivor information is critical, as is transparency regarding the process for handling cases.

You can learn more about talking to survivors and dealing with privacy and anonymity in Take Back the Tech!’s companion fact sheets.

What to consider

  • Know the laws in your area on confidentiality and storage of sensitive information regarding incidents of violence. If you're not sure, check with your local legal aid organisation.
  • Minimize the amount of data you collect. The more you collect, the more you have to protect. Do not record irrelevant information or staff members’ subjective opinions.
  • Limit the number of people who have access to sensitive information.
  • If there is any reason to share records with a third party, get the survivor’s signed permission. Make the purpose for sharing clear.
  • Keep records away from the internet. Consider storing sensitive data on a computer that is not connected to the internet or networked with other computers. If you must share data over networks, use encryption that will protect it from unauthorised viewers.
  • Change passwords frequently and keep them in a safe place.
  • Where possible, you can also test your security measures with an organisation or consultant who is well versed in digital security.

What policies and protocols are needed

  • Incident information: Incident reports, evidence, investigative checklist, relevant communications, notes on action taken, demographics and more.
  • Anonymity and confidentiality: Whether or not to collect identifiable data, the survivor’s signed permission for specific third-party access including purpose and context of sharing, how cases should be discussed with those who do not have access to files.
  • Access: Who has it, how it can be changed or revoked, how to prevent unauthorised access, how to screen and train individuals with access.
  
  • Use of records: Appropriate use, what to do when records have been used inappropriately.
  • Survivor rights: Opting out, inspecting, withdrawing or correcting records.
  • Storage and retention: How paper and electronic records are to be stored, how long to keep records, how to dispose of paper and electronic records securely.
  • Transparency: Clearly informing on policies and protocols, on demographics when a significant number of cases have been collected, on action taken.

What to watch out for

  • Lack of comprehensive training on data collection.
  • Lack of standardization in data collection, access and security throughout the workplace
  • Failure to adequately follow precautions to protect survivor anonymity and safety
  • Loss of or interference with electronic records due to back-up and security problems
  • Transferring records to insecure machines; note that images of documents typically remain on digital photocopiers without complete deletion or a scrub of the hard drive
  • Insecure record relocation process or uncertainty as to how to secure records in the case of emergency evacuation
  • Maintaining data collection and storage standards in the face of high staff turnover
Law enforcement
 Consistent and efficient data management is an important part of investigation and enforcement. If you cannot analyse data related to violence against women, you will not know how many officers to train or if your police work is successful.
If you are using a protection order registry or database, enter any changes immediately so that survivors can depend on all law enforcement having accurate information. Ensure proper screening and follow-up checks with anyone who has access to databases, as abusers can get confidential addresses from friends working in the system.
Survivor service providers
Some agencies now use cloud computing, which allows staff to access files offsite and leaves maintenance to a third party, but storing data online is insecure. There is a serious risk of hacking or other unauthorised access when data is distributed across multiple devices and locations.

If you store data on a cloud, the company that runs the cloud has access to that data, which means survivor consent is needed for you to upload records. It is important to familiarise yourself with the cloud computing provider’s policies. For example, does the company or your organisation own data that is in the cloud? Can the company deny your organisation access to data?

 
Schools and universities
Schools serving minors need to know area laws on how to treat the anonymity and confidentiality of minors. Schools also need policies on how to deal with cases hitting social media, whether students are using social media to share related images without consent, reveal survivor information or bully survivors, as well as what information to collect from social media.

In some parts of the world, schools must have a specific staff person in charge of data collection and maintenance and reporting requirements.

Private sector: employers and intermediaries

Employers should be familiar with area laws on workplace privacy and have policies on electronic monitoring and the use of digital devices at work. Make clear to employees if personal data transmitted through work computers may be seen and stored by the employer.

Avoid sending emails regarding a sensitive incident or including an employee’s personal data gleaned from electronic monitoring if such emails can be accessed by other employees. Sensitive data picked up by electronic monitoring (e.g., photos, account details) could be stolen by employees with access and used for blackmail or shared without consent. Employers may be held accountable for not properly protecting employee information culled from monitoring.

Data vulnerability is an especially sensitive issue for intermediaries (telecoms, internet service providers and other platforms through which violence happens). Anyone who has access to a user’s data, especially intimate images, can potentially share that data without consent. Employees can also stalk or steal data from users. Proper screening and training are essential, as are ongoing workshops on sensitivity, ethics and legal issues.