Fundamentals: Agency Use of Technology Technology Summit 2016 San Francisco, CA July 25, 2016 Kaofeng Lee © 2016 NNEDV
Why Does Our Use of Technology Matter?
© 2014 NNEDV
2
Programs Are Concerned… • 82% ‐ Perpetrators may intercept the communication and harm the victim/victim further. • 67% ‐ Someone else may intercept the communication. • 58% ‐ How we communicate or maintain information could negatively affect victims. • 52% ‐ Non face‐to‐face assistance will be misinterpreted/unclear to the victim/victim. • 44% ‐ Communication could implicate our agency • 40% ‐ Our agency has a confidential location that could be compromised.
© 2014 NNEDV
3
Technologies That Agencies Use
Technologies That Agencies Use • Fax • Email • Phones – Voicemail – Texts – Call logs
• Databases • Online Chat • Cameras © 2016 NNEDV
• Computers & networks • Online Spaces – Social media (agency) – Social media (advocates) – Websites
• Mobile Apps
Inadvertent Disclosure of Survivor Information 1. 2. 3. 4.
Oopsies Technology is NOT secure Don’t know how technology works Technology stores a lot of info
© 2016 NNEDV
© 2014 NNEDV
Let’s Just Throw It All Away!
The goal isn’t to stop using the technology, but to figure out how to manage the risk and make it as safe as possible.
© 2016 NNEDV
But I’m not a tech expert!
© 2016 NNEDV
Best Practices & Policy Toolkit
© 2016 NNEDV
5 Key Things to Think About 1. 2. 3. 4. 5.
Information Ownership Access Boundaries & Expectation Survivor Safety
© 2016 NNEDV
Technology Creates, Stores & Shares Information
Don’t Keep a Lot of Information • The less you have, the less can be disclosed. • Don’t collect what you don’t need. – Example: collecting IP addresses, demographics, or other information during online chats. – Example: detailed text message conversation. – Example: phone numbers for anonymous hotline calls.
• Find ways to de‐identify information you have. – Example: texting with survivors © 2016 NNEDV
How Long Do You Keep Info? • Keep information for only as long as you need it. • May depend on state laws, funder requirements, or licensure regulations applied to individual staff. – Even if you are required to keep certain information, it doesn’t mean you have to keep everything. – Push back on excessive retention time. – Weigh reason for how long something is kept vs the risk of the information being disclosed. • Have retention policies for information you collect. © 2016 NNEDV
Information Can Live in Many Places • Backups – Example: email, computer/laptop, databases – Don’t forget paper files.
• Information can be in multiple places. – Example: phone bills for 1‐800 hotlines
• Multiple access points – Example: e‐faxes, emailed voicemail messages
© 2016 NNEDV
Ownership: Who Owns It?
Leasing Company • Might be more cost effective. • When the lease ends, keep the hard drive. – Example: laptops • OR thoroughly wipe the device. – Example: fax machine, tablets, phones.
© 2016 NNEDV
3rd Party • Ownership can be confusing when working with a vendor or company that stores your information. – Example: Cloud storage falls into this category.
• Can they move, release, share your data without your permission? • Can you get your data back at any time? • Generally, you own your data. The issue is can they have access to your data. © 2016 NNEDV
BYOD/A: Staff • Staff owns the device or account. – Example: smartphones, tablets, accounts.
• Concerns: – Staff privacy & safety. – Staff friends & family accidently seeing confidential information. – When staff leaves the agency.
• Challenging to develop policies for staff’s personal equipment/accounts. © 2016 NNEDV
The Agency • Best option, although generally most expensive. • Gives you the most control, including policies on: – Retention – Remote wipe of devices
© 2016 NNEDV
Access: Who Can See Your Stuff
© 2016 NNEDV
Ownership = Access The Cloud
• Even if you own it, can the vendor access that information? • Will they provide notice if they release your information to someone else? • What is in their privacy policy? © 2016 NNEDV
Vendor Access • Vendor may need access to devices or software. – Example: agency IT, database software developer. – Where appropriate, have confidentiality agreements. – Use software that doesn’t require access to raw data.
© 2016 NNEDV
Security Is Crucial • Encryption – between transmission and at rest. • Have strong passwords to devices & accounts. • Access to information should be on a need‐ to‐know basis and, if possible, have multiple access levels.
© 2016 NNEDV
Unintentional Access • Sending information to the wrong person. – Example: watch out for email auto complete; call ahead when sending faxes.
• Devices without passwords or weak passwords. • Friends, family, other people. – Example: BYOD/A
• Multiple access points. – Example: email accounts, access to server & files, shared file storage. © 2016 NNEDV
Abuser Access to Communication • Verify identity, particularly when there are no other indicators. – Example: text messaging, emails.
• Check in with survivor about potential risks. • Some spaces will be inherently more vulnerable than others. – Example: online forums or support groups.
© 2016 NNEDV
Boundaries & Expectations
© 2016 NNEDV
Expectations Because of Tech • What you use to communicate can affect how you communicate. – Example: phone call vs texting. – Example: in‐person counseling vs video counseling.
• Establish expectations and boundaries with survivors. – Example: do survivors expect quicker response with text vs phone call vs email. © 2016 NNEDV
Staff Boundaries & Expectations • It can be hard to “turn off” technology. – Example: Survivors texting after hours. – Example: Hotline calls that goes to advocates cell phones.
• BYOD/A – can mix and mingle personal + professional information, causing privacy concerns.
© 2016 NNEDV
Survivor Safety
© 2016 NNEDV
Survivor’s Devices & Accounts • Inform, educate, empower. • Talk to the survivor about potential privacy and security risks. – Example: saving advocates’ number in the survivor’s phone. – Example: saving a text conversation thread.
• Find safer options when possible. – Example: use safer unmonitored devices or call instead of text. © 2016 NNEDV
Minimize Your Information when Communicating with Survivors • Use webforms vs. emails on websites. • Be cautious when leaving voicemails or when emailing. – Delete email threads.
• Use virtual numbers or block phone number. • Know the technology you’re using and what information could be revealed. – Use non‐identifying accounts and associate with non‐identifying emails. © 2016 NNEDV
Survivor-Centered Considerations • Survivors experiences are unique, complex, and constantly changing and so are their privacy and safety risks. • Educate and inform survivors about their privacy risks? – Informative, notice, transparency.
• Choice, control, empowerment.
© 2016 NNEDV
Best Practice & Policies
© 2016 NNEDV
TechSafety.org/resources-agencyuse
© 2016 NNEDV
QUESTIONS?
Kaofeng Lee Safety Net Project, NNEDV
[email protected] [email protected] © 2016 NNEDV