Program Evaluation Toolkit for Harm Reduction Organizations
A key element of the evaluation process is ensuring that the data being collected does not jeopardize the safety of clients or those contributing to your program evaluation process. Ensuring data protections involves establishing and adhering to parameters that both protect the confidentiality of personally identifying information, and limit the use of that information to the sole purposes of program evaluation and program improvement. Protecting data in this way is of particular importance due to criminalization laws and other legal risks associated with illicit drug use and offering certain harm reduction services. The table below outlines the recommended practice for handling different types of confidential data:
Table (4.10). Recommendations for Handling and Securing Data According to Risk Level
| Data Risk Level | Risk Level | Examples | Recommended Practice |
|---|---|---|---|
| Low-risk confidential data | Information that, in its current form, likely would not cause harm to an individual if disclosed | Anonymous survey data; anonymized qualitative or quantitative data | How to store this data: Store on a password-protected computer. How to share this data: Any file sent via email should be password-protected. The password should be sent to the recipient through a different medium. |
| Sensitive confidential data | Information that, in its current form, can be expected to negatively impact an individual’s reputation, put them at risk, or cause embarrassment | Any data (quantitative or qualitative) that has not yet been anonymized. That could include information shared in confidence, social security numbers, or drug use information | How to collect this data: Collect data on a password-protected device. How to store this data: Data should be encrypted and password-protected. How to share this data: Any file sent via email should be password protected. The password should be sent to the recipient through a different medium. |
| Data that would likely cause harm if disclosed | Information that, if disclosed in its current form, could create a risk of social, psychological, reputational, financial, legal or other harm to an individual or a group. | Sensitive data that cannot be anonymized because it is needed as is for analysis. This could include health information, drug use information, criminal history, public assistance information, or social security information | How to collect this data: Use of paper material is not encouraged, but, if necessary, it should be handled with extreme care and not left unattended unless in a locked and secure environment. Electronic data should be collected on an encrypted and password-protected device. How to store this data: Data should be encrypted and password-protected. How to share this data: This data should not be shared via email. Files should be encrypted when using an organization’s shared drive. How to access this data: Access to this data should be limited and controlled by the lead evaluator or program team member. It is a best practice to keep a list of individuals who have been granted access to this type of data. |
| Information that would cause severe harm if disclosed | Information that, if disclosed in its current form, could create risk of criminal liability, loss of employment or severe harm to an individual or a group. | Highly confidential data that cannot be anonymized because it is needed as is for analysis. This could include drug use information, criminal history, or any documented illegal activity (e.g., sex work) | How to collect this data: Use of paper material is not encouraged, but, if necessary, it should be handled with extreme care and not left unattended unless in a locked and secure environment. Electronic data should be collected on an encrypted and password-protected device. How to store this data: Data of this type should be stored in a physically locked room on a password-protected and encrypted hard drive or computer. How to share this data: Sharing of this data in any form (written, verbal, electronic) should be limited and only take place in a secure location. Data should not be shared by email. How to access this data: Access should be very limited and strictly controlled. It is a best practice to keep a list of individuals who have been granted access to this type of data. |
Here is some additional information on securing evaluation data:
Turning to real-world experiences can often be a helpful way to translate data and information concepts into functional understanding, precise improvements, and meaningful dialogues with the wider world. On the next page, Sam describes the importance of qualitative and quantitative measures as tools to support what is ultimately the purpose of evaluation: to understand what you do, how you do it, and what can be done better as individuals and communities seek to survive and thrive through the War on Drugs.
