Statistical Disclosure Control Process
All data publicly or privately shared through HDX is reviewed by a Centre for Humanitarian Data team member to ensure it follows the Terms of Service. This initial check is always performed by a member of the Centre's Data Partnerships team (DPT). A dataset will immediately be deleted from the HDX platform in case the data is found to contain personally identifiable information or other data that the DPT member considered likely to be sensitive.
- In case the potentially sensitive data is microdata, the following steps will be taken:
- The DPT member on duty makes the dataset private and creates a ticket in the SDC for Microdata Log (this sheet)
- Nafi obtains a copy of the microdata
- Nafi notifies the organization and explains the SDC process, through this email template, and offers the organization the opportunity to download their data before it is deleted from the platform
- After Nafi and the organization have downloaded a copy, or after 24hrs pass, the data is deleted from HDX unless it is to be reasonably expected that the data in question does not pose any significant risk, given the contents and context of the dataset
- Nafi applies the risk assessment tool which is part of the SDCmicro package developed by the World Bank
- Nafi shares back the risk assessment with DPT and Policy
- The organization focal point and Nafi reach out to the organization to inform them about the established risk level and suggested next steps
- If needed, Nafi applies the SDC tool to the data concerned, and conducts another risk assessment and estimates information loss, results are shared with organization focal point and policy email address
- Next steps are decided in a call to do case review and recommendation with organization, focal point, Nafi, and ideally data policy
- If the data is re-published on HDX after SDC has been applied, Nafi suggests to the contributor how to flag this in the metadata
- Lessons learned are recorded in the SDC for Microdata Log (available here) by Nafi