Open Technology Fund (OTF) is committed to using data responsibly in our work supporting the internet freedom community. The internet freedom community is composed of individuals and organizations who use open technologies to promote human rights and open society. OTF acknowledges that contexts in which individuals and projects operate around the world are unique and ever-changing. Behaviors and activities considered safe today might no longer be safe tomorrow, particularly within the context of closing space for civil society across the world. Therefore, we stress the importance of a harm reduction approach when working with data, recognizing that all our actions and behaviors lead to an impact, whether positive or negative, intended or unintended. Through this responsible data policy, OTF commits to amplifying the positive effects of our actions while attempting to reduce possible negative effects. Updated 2018-10-10
Open Technology Fund interprets responsible data as the collective duty to account for the unintended consequences of working with data by:
- prioritizing the right to knowledge, privacy, and security of the individuals and communities we work with
- providing access to data and insights we are privileged to access as a funder, in line with our core values of transparency and openness
- inspiring other funders to work towards a similarly responsible and open philanthropy
We hope this policy will continue to foster healthier relationships between OTF and the projects we support and encourage dual accountability. Its aim is threefold: to inform the community, to be accountable to OTF partners, and to anticipate responsible data challenges that may arise in the future.
The core values of this responsible data policy are:
E. Open philanthropy
It is clear from OTF’s community research in December 2017 that there is desire for more reflection and transparency around OTF processes and priorities. This RD policy responds to some of these articulated needs, particularly those around collecting, storing, sharing and publishing data. The policy is the beginning of an open conversation around OTF’s responsible data practices and the community's needs. OTF anticipates this policy will adapt to emerging challenges and opportunities over time. In doing so, it will act as a record of OTF's responsible data values and practices.
For the purpose of this policy, we consider "data" to be all information that is collected, stored and shared about the projects and people we work with, and data provided to us about the community by other philanthropic organizations. By "use of data," we mean the collection, storage, sharing, and publishing of data that occurs while we support open technologies and contribute to the broader IF community. The term "community" refers to anyone who identifies as a member of the Internet Freedom community and is impacted by our activities.
This responsible data policy also aims to be transparent about the limitations presented by the environment in which we operate. While we are a private non-profit organization, OTF is sustained by annual grants from the Broadcasting Board of Governors (BBG), which originate from yearly U.S. Congressional appropriations for State, Foreign Operations, and Related Programs. Because OTF receives this public funding from the U.S. Government, OTF must comply with United States federal government standards around transparency and accountability, which can entail sharing data of individuals and projects with the U.S government.
As the makeup of the Internet Freedom community diversifies, the threat model of its community members shifts along with it. In this policy, we reaffirm our longstanding commitment to creating an inclusive and diverse community. In order to do so, OTF must reflect on the new threats that come along with this diversity, and adjust our baseline responsible data practices accordingly. We aim to the best of our ability to safeguard data and will communicate clearly about any limitations we have to do so.
This policy is designed to be forward looking and to enable OTF and the community to take full advantage of the current opportunities and future potential of the data, while anticipating challenges that may arise in the future. This policy should be seen as a baseline upon which we will iterate and build upon as circumstances change.
OTF strives to be a leader in open philanthropy and governance by sharing our values, how we work and what we have learned in the process. In addition to our commitment to handle data responsibly, we consider this policy a call to action to other philanthropic funders. We invite others to copy from it and remix it, and to use it as a template for reflecting upon their own data practices and how they impact the communities they serve.
OTF is committed to communicating clearly what happens to community member data once it’s collected – and why it’s being collected – in order to enable community members to make informed decisions about if and how they want to participate in any of our activities.
- Before collecting community member data, OTF will take all reasonable measures to explain why this data is collected, who has access to it and for how long it will be retained.
- OTF will clearly document and communicate the decision-making process for applications, including any third-party access to application data.
- OTF is open to reflecting and adapting its data practices in dialogue with the community, within the constraints of receiving funds from a U.S. congressional appropriation subsidiary.
- OTF will clearly define and communicate what data must be shared with the all of our stakeholders for compliance purposes, including the BBG and the United States Congress.
OTF acknowledges that some of the data we collect could compromise the privacy and safety of community members should it fall into the wrong hands. OTF is committed to providing community members who interact with the Fund reasonable and actionable measures to protect their privacy. Given the nature of the work, some collection of sensitive data is unavoidable. In these cases, OTF is committed to upholding best practices when it comes to handling, accessing and deleting the data.
- If OTF plans to use the data for anything other than the purpose(s) originally outlined, OTF will ask for explicit consent.
- Whenever possible, OTF will practice data minimization, collecting only the data we need for our activities. We are open to receiving the data in a variety of ways to accommodate different threat models.
- If, at any point in the data life-cycle, OTF allows for pseudo-anonymous information in place of PII, OTF will communicate this option to all community members.
- If PII is collected and OTF is not required to retain that data, OTF will take all appropriate measures to delete it securely.
- When collecting PII, OTF will notify the people if and when it might be shared with third-parties.
- The community can have reasonable expectations that OTF will, as much as possible, minimize access to third parties who have access to personal identifiable information or other sensitive data, and encourage them to uphold similar values as those outlined in this responsible data policy.
Although applicants consent to sharing their data with OTF, they do this with the assumption that OTF maintains healthy organisational security practices. The practices should reduce the likelihood of the threats facing OTF, reduce the impact these threats may have on applicants’ data, and avoid risky behaviors as much as possible. In keeping with the harm reduction approach, OTF is committed to upholding and improving upon these best practices.
- OTF will take all reasonable precautions to ensure that the totality of the data life-cycle has no negative physical, psychological, or political consequences on the community. However, we acknowledge that there are residual risks inherent to our work that we cannot predict.
- OTF stores large quantities of sensitive data, ranging from personally identifiable information to contextually sensitive data, and is committed to minimizing harm by securing the data accordingly.
- OTF is committed to implementing best security practices throughout the organization and maintaining thoughtful workflows that reduce the likelihood and impact of various risks to the system.
- OTF will promote healthy security practices by working solely with technology providers we trust in the context of our, and our communities, threat models – and by documenting best practices around organisational security internally.
- If the infrastructure is compromised and the security of the data cannot be confirmed, OTF is committed to alerting those affected and doing everything in our power to address the incident.
As a funder, OTF has privileged access to data that could be of use to the wider internet freedom community. We are committed to sharing this data responsibly. In order to accomplish this, OTF is guided by the three values above – awareness, privacy, and security – to ensure that we collect data with informed consent and that all possible measures have been taken to guarantee optimum levels of privacy and security.
- Responsible publishing does not mean indiscriminately publishing all data or none of the data. Instead, it aspires to share useful data intentionally and thoughtfully.
- OTF acknowledges that publishing the fund's data is a means to an end and not an end in itself. Published data should always address specific community needs or the needs of other funders.
- The application data, although collected and stored by OTF, does not solely belong to OTF. Therefore, without the active consent of all applicants, we should not publish any or all of the data with the public.
- OTF will do all in our ability to either anonymize the data or reduce the amount of personal identifiable information, unless specific consent from the community member has been obtained and OTF is reasonably certain it will not put the member at risk.
- OTF will take all reasonable measures to ensure published aggregate data will not negatively impact the community as a whole.
- OTF will publish the data in different formats to increase inclusion, usability and accessibility.
E. Open philanthropy
Open Technology Fund strongly believes in the doctrine of open philanthropy and governance, to share openly with the community and other stakeholders all possible aspects of our work, including what we have learned. We will work to ensure that our values of open philanthropy are balanced with our commitment to the four values outlined above – awareness, privacy, security and access.
- Open philanthropy for us means to responsibly share data from our activities with the purpose of strengthening the community working against repressive censorship and surveillance.
- We acknowledge that the data we hold is not all representative, but represents only a fraction of the needs and challenges of the internet freedom community. Any conclusions we draw should reflect the limitations of the data.
- OTF believes that open philanthropy is most effective when all philanthropic funders are committed to responsibly sharing data about all aspects of their work. OTF is committed to collaborating openly with other funders to develop a healthy and accountable funding ecosystem.
Governance and implementation of the Policy
The final responsibility for this policy rests with OTF's Principal and Deputy Director. Every year they will review the policy and request feedback on potential updates. This policy may change at anytime and this will be communicated clearly. Any significant updates will be in drafted in conversation with OTF's team, the IF community and other philanthropic funders. This effort ensures that the policy remains relevant despite the changing context in which Open Technology Fund operates.
The implementation of the policy is the responsibility of the entire OTF team. We acknowledge that maintaining this policy requires significant engagement and vigilance on behalf of the OTF team. We are using this opportunity to challenge ourselves to apply responsible data to our work. Institutionalizing these practices will take time and patience, please bear with us as we push these changes forward. The Deputy Director and Director of Technology will ensure that this implications of this policy are integrated into the team's workflows and practices. Every year the team will reflect on this responsible data policy and its implementation, and look for areas of improvement.
Glossary of terms
- Anonymized data: Data from which an individual cannot be identified by
- Community: Anyone who identifies as a member of the Internet Freedom community and is impacted by our activities.
- Data: all information that is collected, stored and shared about our staff, the projects and people we work with, and data provided to us about the community by other philanthropic organizations.
- Data that is deemed sensitive: information that is protected against unwarranted disclosure due to personal, ethical, legal or other reasons.
- Diversity: Inclusion of all voices, especially those underrepresented due to national origin, gender, gender identity and expression, race, ethnicity, sexual orientation, physical characteristics, disability, religion, and age.
- Dual accountability: Beyond the traditional accountability of fellows and projects being accountable to OTF we want to increase our accountability to the community.
- Harm reduction approach: An approach that recognizes that all actions and behaviors lead to an impact, whether positive or negative, intended or unintended, and taking steps to reduce negative impacts.
- Informed consent: Informed consent ensures that people can provide data or participate freely and voluntarily, with full information about what it means for them to take part. Consent must be given before people start to provide their data.
- Internet Freedom: A global network composed of individuals and organizations who use open technologies to promote human rights and open society.
- Open philanthropy: The doctrine which holds that the programming, operations, governance, effectiveness, and efficiency of nonprofit organizations should be open and visible by the public, donors, and especially, stakeholders in those nonprofits.
- Personal Identifiable Information: Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
- Responsible data: The collective duty to account for unintended consequences of working with data by: 1) prioritising people’s rights to consent, privacy, security and ownership when using data in social change and advocacy efforts, 2) implementing values and practices of transparency and openness.
- Threat model: A way of narrowly thinking about the sorts of protection you want for your data.
- Use of data: the collection, storage, sharing, and publishing of data that occurs while we support open technologies and contribute to the broader IF community.