Objective:

This Data Management, Protection and Security Policy aims to reinforce Sambodhi’s commitment to protecting confidential, restrictive, or sensitive data. The policy outlines organizational systems and behaviors expected of employees when dealing with data and provides a classification of the types of data they should be concerned about, its storage, and accessibility. The policy incorporates technical safeguards such as firewalls, antimalware solutions, and multi-factor authentication to ensure comprehensive data protection.

Scope:

This policy applies to all employees and consultants of Sambodhi. Reference to the word ’employee’ in this policy should be understood to include the above unless otherwise stated.

Introduction:

Sambodhi collects data using advanced technology, provides real-time and near real-time data, and integrates diverse data points into dashboards for the use of its clients and partners. This capability is essential for assignments where collected information is required to be processed and shared as feedback to project implementers and donors. Data collection occurs via mini-laptops, tablets, PDAs, smartphones, and GPS devices. By leveraging these technologies, Sambodhi reduces time lags in data collection, cleaning, processing, analysis, and sharing of findings while minimizing errors in data collection and collation.

Field activities and data collection for various research studies are carried out by enumerators and supervisors with oversight and support from Sambodhi’s in-house team of field executives, field managers, and researchers. The field team is supported by an in-house logistics management team. Data collected for each project is uploaded to centralized, cloud-based secure servers daily/periodically and can be accessed by authorized researchers associated with the respective project. Sambodhi employs advanced security measures, including firewalls, intrusion detection systems, and encryption, to protect data confidentiality and integrity.

A qualified pool of skilled workforce manages the data processing center/computing hub, ensuring robust data protection practices, including routine vulnerability assessments and penetration testing. Our data team is experienced and proficient with data entry software such as CS Pro, SurveyCTO, mWater, Survey Solutions, EPI Info, SQL, and Fox Pro, as well as data processing and analytics software like MS Excel, MS Power BI, Python, NVivo, Atlas.ti, R Studio and R.

Survey Point, an in-house platform created by Sambodhi, supports high-quality data collection with precision and efficiency. It includes advanced features like role-based access controls and activity logging to maintain data integrity and security. Survey Point reduces time and effort invested in data collection, crucial for projects requiring swift and time-bound feedback. Tech-enabled data collection has also minimized errors, assuring clients of highquality and reliable results. Sambodhi implements comprehensive data protection strategies, including encryption and multi-factor authentication, to safeguard electronically collected data.

Technical Infrastructure: Sambodhi leverages a comprehensive suite of technical infrastructure to ensure the security and integrity of our data. The following technologies are in place:

• Firewall: Provides advanced network security by inspecting traffic and preventing unauthorized access to our network. It also offers threat prevention and application control capabilities.
• End-User Protection: XDR (Extended Detection & Response) – Delivers comprehensive end-user protection through integrated threat detection, response, and investigation across endpoints, networks, and cloud environments.
• Data Back-Up Systems: NAS (Network Attached Storage) – Provides reliable and scalable network-based storage for backing up critical data. Office 365 OneDrive Utilized for cloud storage and file synchronization with multi-factor authentication to enhance security. SharePoint – Used for secure document management and collaboration.
• System Security: BitLocker – Ensures system hardware encryption to protect data at rest on Windows devices, safeguarding against unauthorized access.
• Server Data Protection: Third-party solution for Web Servers Security – Offers advanced protection for web servers against malware, intrusions, and other cyber threats, ensuring server integrity and availability.

Ethical Protocols:

Sambodhi adheres to stringent ethical protocols in social research, including ensuring participant confidentiality, principles of no-harm, and full disclosure of research methods and tools. External ethical review certification from Independent Review Boards (IRBs) is procured before conducting any primary data collection exercise.

Some of the measures undertaken to address ethical concerns are listed below:

• Our teams are oriented to be aware and mindful of differences in culture, local customs, religious beliefs and practices, personal interaction, gender roles, disability, age, and ethnicity while conducting any study.
• Our teams are trained to consider the time required by respondents to participate in any survey.
• Our research protocols are designed to ensure that respondents are informed and their consent is sought before participating in any survey.
• Our teams are trained to select participants based on the study’s aims, using random sampling methods to ensure fair representation.

Respondents must read and agree to a consent form before the study. For children/minors, consent is obtained from their parents/designated guardians/caregivers. We provide all necessary details to make an informed decision about their participation. Informed consent is also obtained for any voice recordings, video, or photographs involving children. Confidentiality of respondent information is maintained, and the scope and limits of confidentiality are communicated prior to the study.

Data Security Guidelines:

Sambodhi follows a standard data security guideline, incorporating technical measures as outlined below:

• The PI/team leader consults the IT manager to correctly configure laptops and other external devices with updated firewalls, antivirus solutions, and secure encryption settings for safe use in collecting and storing research data.
• All data collection and storage devices are protected with strong, unique passwords and multi-factor authentication.
• All data access is strictly controlled and granted only to approved individuals. We use multi-factor authentication technologies to ensure that accessing our data requires more than just a password, adding an extra layer of security.
• All sensitive research information on portable devices is encrypted using advanced encryption standards.
• Access to identifiable data is restricted to authorized members of the study team on a need-to-know basis, with role-based access controls in place.
• All data files are encrypted, and identifiers are securely moved to designated servers as soon as possible.
• Portable devices are stored in a secure location with restricted physical access when not in use.
• After completion of data collection, all data collected on portable devices is transferred to designated servers and deleted from the devices in accordance with data sanitization protocols.
• Use of Google Mail, Calendar services, and similar apps/software for collecting, storing, or transmitting sensitive research data is prohibited.
• External consultants and vendors handling sensitive identifiable data must sign a confidentiality agreement and adhere to the same data protection standards.
• Identifiers, data, and encryption keys are stored in separate, passwordprotected/encrypted files, with each file stored in a different secure location.
• If research design and procedures permit, the PI/Team Leader may delete or destroy identifiable information as soon as possible after collection.
• Data in any form are archived for later use or destroyed as per client requirements.

Data destruction/deletion scenarios include:

• Data retained in the public domain until a specified time frame or perpetuity as requested by the client.
• Data destroyed six months after project completion, following signed permission from the client.
• Data destroyed/deleted as specified in the agreement between Sambodhi and the client.