Unit 14.1 Stay safe and secure when working with collaboration technology

Introduction

This report will look at safety when using collaboration technology, why guidelines needs to be established, develop and implement guidelines for good practices, and how to establish an identity or present information that will promote trust.

In today’s digital society every aspect of  daily activities, work activity,  business  and more are being detain on the technology. Many organisation and individually are taking the advantage of this system to benefit. The fact that this technology has a huge disadvantages, precaution needs to be taken and guideline needs to be established for working with collaboration technology in order to implement all necessary privacy.

The guidelines are intended to address identification and authentication of individuals by organisations, organisations should also have appropriate processes in place to authenticate employees who have access to customer or client personal information.

1.1 Explain what and why guidelines needs to be established for working with collaboration technology.

Collaborative technology are set by organisation or community of interest. the guidelines entail the uses, security, copyright, plagiarism, libel, confidentiality and data protection. For example, to implement all necessary privacy precaution, ensure the work is self-research and truthful and respect the information in possession of in order to protect the confidentiality of the business.

It is important to realise that Silo mentality is damaging. Silo mentality is a mindset present when certain departments or sectors do not wish to share information with others in the same company. This type of mentality will reduce efficiency in the overall operation, reduce morale, and may contribute to the demise of a productive company culture. Silo is a business term that has been passed around and discussed in many boardrooms over the last 30 years.  Silos are seen as a growing pain for organisations of all sizes. Wherever it’s found, a silo mentality becomes synonymous with power struggles, lack of cooperation, and loss of productivity

1.2 Develop and implement guidelines for good practices in working with collaborative technology.

It is important to figure out the specific needs of the team. For example, how will this team needs to collaborate on product or document development? How will communication usually progress between this teams? Where are team members located? Does this team need a centrally accessible archive? It’s important to focus on developing a strategy that helps understand the “why” before getting to the “how.” It is important to choose several different options and let the team decide the features, interface, that are the best fit.

Build your collaboration strategy around the “human element.”In trying to capture and communicate the cumulative wisdom of a workforce, the public and private sectors have invested hundreds of millions of dollars in portals, software, and intranets. But collaboration is more than the technology that supports it, and even more than a business strategy aimed at optimising a organisation’s experience and expertise. Collaboration is, first and foremost, a change in attitude and behaviour of people throughout an organisation. Successful collaboration is a human issue.

Make visioning a team sport. The most successful leaders guide their organisation not through command and control, but through a shared purpose and vision. These leaders adopt and communicate a vision of the future that impels people beyond the boundaries and limits of the past. If the future vision belongs  to only the top management, it will never be an effective motivator for the workforce. The power of a vision comes truly into play only when the employees themselves have had some part in its creation.

Encourage and establish real-time communication and collaboration habits within the workplace

One way to establish a culture of real-time communication and collaboration is to suggest that face-to-face meetings and emails take place in a virtual, web-based collaboration space. While email is an effective way to communicate within a business, it’s a poor collaborative tool. To break the email habit, organisations can try turning off email for a period of time in order to ensure alternative modes of communication are used. Organisations can also encourage meeting attendees to utilise mobile-video tools, as opposed to video conferences which often require dedicated facilities, since mobile video tools allow people to attend meetings regardless of their current location. Not only is it easy, but mobile video is a great way to bring key experts into conversations when needed. Since real-time communication and collaboration technologies make it easy to track collaborative behaviour, performance evaluations and incentives can be designed to foster teamwork and reward collaboration.

Be supportive, but mostly get out of the way

First and foremost, it’s important that team members are fully trained, educated and supported in using new software. It might be useful to identify a team member or project manager to oversee the implementation and use of the platform. This person will have the ability to not only manage the organisational processes, but also help team members if they have problems, as well as encourage people to use the system. Once the real-time communication and collaboration tool is in place, let  employees do what they need to do. Sometimes by regulating usage and enforcing too many guidelines and rules, will end up stifling the collaboration and communication process within the organisation.

Don’t be afraid to adapt and evolve

Real-time collaboration and communication tools are consistently improving and evolving as new software and strategies continue to emerge. Because of that, it’s imperative that organisation is flexible and adaptable to change. Be knowledge to what’s going on within the organisation as well as in the industry as a whole. This allows to innovate new solutions and anticipate upcoming trends and changes. It’s important to remember to make sure  employees are part of the decision-making process when it comes to employing real-time collaboration and communication tools. Be sure to listen to their ideas, needs and suggestions and make it a point to integrate their feedback in your technology and strategy.

Teamwork and Collaboration

This connotes the ability to work effectively on a common task with other members of a team. A good collaborative technology software such as Sinnaps provides an easy way for businesses to track the work of employees in order to get the best possible results. This platform can allow organisation or individual to  create to-do lists for ongoing projects, send requests to colleagues, reminders for upcoming deadlines and allow for team members make remarks to posts within the platform.

Collaborative Strategies

Working in groups creates synergy between businesses and stakeholders. It encourages idea generation and sharing as well as improve communication and trust. Collaborative strategies entail leveraging stakeholders to plan your desired outcomes. For a business, stakeholders may include financiers, employees, partners, suppliers and vendors, and to realise a business objective, they must be properly engaged throughout the entire process.

1.3 Explain how to establish an identity or present information that will promote trust.

Respect Their Time
As our society in general loses some of the courtesy and respect previous generations showed one another, I think we are well served to raise our awareness of other people’s time, personal schedule, and needs. This concept translates to:
Promptly returning phone calls. Promptly replying to emails and thoroughly addressing all points raised. Log on to a scheduled call 2 minutes in advance of start time.
Hold fast to estimated call end times, or (near scheduled end time) inquire if attendees are free to keep going.
Conform To Their Work Style
It is  read how some people get all their writing in as the roosters crow? Or maybe heard the phrase “Call me anytime – I’m always working”? Consider establishing communication preferences part of new client on boarding process. Sure, it may intuit somewhere around week 4 that the contact is always available. Early, then that demonstrates the thinking of all the details and willing to take some steps to accommodate the client.
Keep appointments.
Promptly getting back in touch with any follow-up items promised.
Regularly communicate progress made toward an established deadline (this is a great way of demonstrating you’re always thinking of the client and it keeps the client up to speed in case others ask them about status).
Listen For Their Pain Points And Relieve Them
It can be hard to dig down beneath the basic barriers to being more productive we all share – too little time, too many meetings, too much bureaucracy. But if listening  closely enough for underlying root cause,  ways can be found to make the client’s life just a little easier. And that’s just one way to demonstrate the commitment and gain some trusted ground. Does the client have to take data you report and mash it into a bigger aggregate report for use by internal stakeholders? Offer to format  information so it slides in easily. Or offer to do the admin work (if it makes sense to do so). Find flaws in the client’s processes , and improve upon them.
Establish Level Ground
Sometimes people can articulate the problems and  want to solve them. These are some steps  to come closer when delivering on client expectations:
Ask them to thoroughly complete a project brief at the onset of working together. Some people will try to avoid it, saying it takes too much time. Those people will be very hard to satisfy because they haven’t zeroed in on their priorities. Get them to talk about projects that they consider to have been successes. What variables contributed? Get them to talk about projects that failed. What were the communication failures? Administrative or logistic failures? Learn from what worked and what didn’t.
Communicate Clearly And Openly                                                                                                 It’s true: all of us have different attention spans and information requirements. Some people like to be carbon copied on all activity, even if people don’t have an assigned deliverable. Others don’t want the full picture, only to be looped in if a problem arises.
The way I see it, part of  responsibility as a contractor, is  to push information out to the group public. This may mean: Writing conference reports detailing phone discussions or in-person meetings where decisions and task assignments were made and outstanding questions raised. I first experienced this early in my career on the agency side. Still a good practice, maybe more so with less frequent in-person meetings. Maintaining a central repository of messages and associated files. For projects or ongoing assignments with clients (not a simple, quick info exchange), I rely on project management tools like Asana to be a “hub” with clients. We’ll write more about collaboration and project tools later. Never assuming information/requests sent was received. “Well, I emailed her but didn’t hear back” is weak. Passing a hot potato doesn’t absolve one of responsibility.

Don’t Place Blame
When people work together, honest mistakes and disappointments happen, and it’s easy to blame someone who causes these. However, when everyone starts pointing fingers, an unpleasant atmosphere can quickly develop. This lowers morale, undermines trust, and is ultimately unproductive. Instead, encourage everyone in your group to think about the mistake in a constructive way. What can you all do to fix what happened, and move forward together? And how can you make sure that this mistake doesn’t happen again?

Discuss Trust Issues
Managing an established team that has trust issues, it’s essential to find out how these problems originate, so that there can be some opportunity to come up with a strategy for overcoming them. Consider giving team members a questionnaire to fill out anonymously. Ask about the level of trust within the group, as well as why they think there’s a lack of trust. Once the  results are submitted, get everyone together to talk about these issues.

Discourage Cliques
Sometimes, cliques can form within a team, often between team members who share common interests or work tasks. However, these groups can – even inadvertently – make others feel isolated. They can also undermine trust between group members.
Start an open discussion about this with team members, and see what they think about cliques and their effect on other group members. Only by addressing the issue openly can discourage this damaging behaviour.

1.4 Develop and     bn

Authentication is the process of recognising a user’s identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on a file in a database of the authorised user’s information on a local operating system or within an authentication server.

The authentication process always runs at the start of the application, before the permission and throttling checks occur, and before any other code is allowed to proceed. Different systems may require different types of credentials to ascertain a user’s identity. The credential often takes the form of a password, which is a secret and known only to the individual and the system. Three categories in which someone may be authenticated are: something the user knows, something the user is, and something the user has.

Authentication process can be described in two distinct phases – identification and actual authentication. Identification phase provides a user identity to the security system. This identity is provided in the form of a user ID. The security system will search all the abstract objects that it knows and find the specific one of which the actual user is currently applying. Once this is done, the user has been identified. The fact that the user claims does not necessarily mean that this is true. An actual user can be mapped to other abstract user object in the system, and therefore be granted rights and permissions to the user and user must give evidence to prove his identity to the system. The process of determining claimed user identity by checking user-provided evidence is called authentication and the evidence which is provided by the user during process of authentication is called a credential.

Identity, Identity Attributes, and Identifiers

An individual’s identity can be defined as the sum of all the characteristics that make up who an individual is, such as their name, birthday, where they live or other information. These characteristics are called identity attributes.

An identity attribute can also be an identifier. For example, an individual may be referred to by their name or by a number that is assigned to them. An identifier may be common (i.e., more than one person can have the same birth date) or it may be unique in that it only pertains to one individual. These concepts, and their distinctions, are important to keep in mind when considering how to develop and implement proper identification and authentication processes.

Identification

Identification typically occurs when an individual first enrols or registers with an organisation. Establishing identity is the process of linking an identifier to an individual so that it can be remembered. Identifying an individual allows an organisation to ensure, for example, that an individual’s transactions are associated with their account, and that their records are retrievable.

Depending on legal requirements and the nature of a business, the identifier that is attached to the individual need not be a “real world” identifier such as a name (e.g., John Doe). It could be an identifier created for the purposes of the interaction (e.g., customer A167). Both are identity attributes used as identifiers to identify an individual – but they are distinguishable by how much they reveal about an individual’s actual identity.

Some transactions (face-to-face cash retail sales, for example) may be concluded in complete anonymity. Others may require an individual to divulge only some information or identity attributes. In some cases, legal requirements may require that the organisation know exactly with whom it is dealing (i.e., banks and other organisations subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, for example).

Authentication and Authentication Factors

When someone presents themselves to an organisation, or their website, and claims to be a customer with whom the business has a relationship, the organisation may need to authenticate that claim.

There are different ways to authenticate an individual’s identity. Those are:

Something that is known to the individual (for example, a password, a personal identification number or PIN, an account number, favourite colour, name of first pet); Something that the individual has (for example, a bankcard, token, identity card, public-key digital certificate); Something that the individual is (or does) (for example, a bio-metric, such as a facial image, retina scan, voice print or gait). In some cases, one of these factors may be used alone to authenticate an individual; in others, combinations may be used. For example:

Access to e-mail using a password: This represents a single-factor authentication process that relies on something the individual knows.                                                                    Access to a physically secure area using an identity card with an embedded chip (a smart card) and a hand-scan bio-metric: This represents a two-factor authentication process: it relies on something the individual has (the smart-card) and something the individual is (the bio-metric).                                                                                                    Access to a secure area using a valid magnetic strip card, a four-digit PIN code and a hand-scan bio-metric: This represents a three-factor authentication process: it relies on something that the individual has (the card), something that the individual knows (the PIN), and something that the individual is (the bio-metric.)                              Authentication based on two elements from the same category, for example an account number and a password-both things that someone knows-is more appropriately referred to as multi-layer authentication, not multi-factor authentication.

In addition to the authentication factors listed above, other data such as behaviours or actions that an individual takes (for example, logs on to their account from a certain computer, uses their credit card in a certain location, or conducts web searches) may assist in authenticating an individual.

Assurances and Authorisation

Identification and authentication are fundamentally about the management of risk:

The risk to the organisation of, through bad identification or authentication practices, either denying access to a legitimate customer or giving access to an impostor; or, the risk to individuals that their personal information is lost or inappropriately disclosed, and that their identity, finances, or privacy are compromised.

Organisations need assurances that individuals legitimately possess the necessary identity attributes to complete a legitimate transaction. Similarly, individuals need to be assured that only the right people are accessing their account, or conducting transactions using their identification, whether face-to-face or online.

Once an individual’s identity is properly authenticated, or verified, the organisation may authorise a transaction.

Guidelines for Identification and Authentication

There is no one-size-fits-all approach to identification or authentication. As stated above, these guidelines are intended to help organisations develop appropriate identification and authentication processes.

Although the guidelines are intended to address identification and authentication of individuals by organisations, organisations should also have appropriate processes in place to authenticate employees who have access to customer or client personal information.

Only identify when necessary

If there is no legal requirement to do so, or the organisation does not intend to maintain an ongoing relationship with an individual, it likely does not need to identify an individual.

Organisations should question if  it’s needed to collect, store, and/or share personal information to authorise transactions. In other words, is identification necessary to fulfill the transaction? Can the transaction be authorised in a way that is just as secure without collecting any personal information?

Case in Point

In PIPEDA Case Summary 2008-396, the personal information collection and recording practices exceeded what was required to verify age and permit entry into the premises.

Should organisations determine that identification is necessary for their purposes, it is also important to consider for how long personal information should be retained and how it should be destroyed when it is no longer required for those purposes.

Determine what identity attributes are necessary to authorise a transaction

If an organisation does determine that it needs to identify individuals to authorise transactions, the next question to ask is: what is the minimum amount of information required to fulfil that purpose?

Organisations should ask  whether the transaction could be authorised in a way that is secure without collecting unnecessary personal information. For example, rather than collecting and storing a person’s full date of birth, a partial date of birth or attestation that someone is over a certain age may be all that is required.

It is also important to avoid, where ever possible, using numbers such as a driver’s licence number or social insurance number as an identifier as they were created for different purposes. For more information, see our Guidelines on the collection of driver’s licence numbers in the retail sector and our Best practices for the use of Social Insurance Numbers in the Private Sector.

Inform individuals and obtain the appropriate form of consent before identification

Identifying individuals without their knowledge or consent limits their control over their personal information and is contrary to the law. Organisations should therefore seek to inform individuals why their information is being collected.

Consent is strongly tied to the principle that information should only be used for the purposes for which it was collected. If an individual provides personal information for identification or authentication purposes, and it is envisioned that that information will be used for other purposes-such as personalising or enhancing the customer experience, targeted advertising, communicating product updates, or engaging in other forms of relationship building-individuals should be informed of those purposes and their consent obtained before or at the time of collection. In many instances, individuals should also be able to obtain the service for which they signed up without having to agree to these other uses.

Advances in technology have led to newer, less transparent ways of identifying individuals. For example, by analysing metadata-data about data-individuals may be identified without them directly providing information about themselves. (See the OPC’s Legal and Technical Overview of Metadata and Privacy).

Metadata could be collected through cookies or web beacons (See the OPC’s Frequently Asked Questions on Cookies); device fingerprinting which involves collecting enough information about a device to uniquely distinguish it from other devices; or signals monitoring, which uses cellular, Wi-Fi, or Bluetooth signals to uniquely distinguish a device and monitor its location. Since a device is typically associated with the individual who owns or uses it, such technologies can also be used to identify individuals without them being aware.

Without informing individuals or obtaining their consent, such activities may be viewed as being more akin to surveillance and profiling than promoting mutually beneficial interactions that build trust in Canada’s economy.

Only authenticate when necessary

An individual should only be authenticated by an organisation when it is necessary for the purposes of the transaction. Even if there is a preexisting relationship between an organisation and an individual (i.e., the individual has gone through the identification process), their identification may not need to be verified in every instance.

If an individual does need to be authenticated, personal information should only be disclosed to that person once the organisation is assured that the individual is who they say they are.

Ensure the level of authentication is commensurate with risks

The stringency of authentication processes should be commensurate with the risks to the organisation as well as to the individual. The higher the risks the higher the assurances an organisation will likely need to authorise a transaction. As such, the use of more authentication factors or layers may be appropriate. For example:

A simple single-factor authentication process may be appropriate to allow an individual to obtain access to voice mail or to check the account balance of a loyalty program. Obtaining an account balance for a utility bill may require an account or membership number and a numeric access code, (i.e., multi-layer single-factor authentication); or,      financial services that permit the issuing of payment instructions and making transfers to third-parties may require a multi-factor or multi-layer authentication process.

Ensure employees are properly trained

According to Principles 4.1.4 and 4.7.4 of PIPEDA organisations are required to train staff about the organisation’s privacy policies and practices, and to make their employees aware of the importance of maintaining the confidentiality of personal information.

As such, organisations should ensure that all customer service representatives, data processors, and all other employees who have access to personal information receive appropriate training on the importance of protecting customers’ personal information, including the importance of protecting it from unauthorised access and disclosure. Organisations should provide ongoing training on identification authentication policies and processes.

Maintain appropriate transaction records

The authentication process should maintain reliable audit records of authentication transactions including the date, time and the outcome. Maintaining such records can assist in assessing risk, as well as demonstrating compliance with applicable privacy laws. The level of detail in the audit logs, as well as the retention period for data, should reflect the risks associated with the information or service. Audit records should record attempted and failed authentications, but should not contain the actual authentication information (i.e., passwords).

As well, audit records need to be protected since they can create data trails that can reveal information about the individual. Such metadata, when linked with other identifying information, could constitute personal information under PIPEDA. Audit logs should therefore be treated with the same protections as other personal information.

Continually assess threats and mitigate risks

Organisations should regularly reassess risks and threats for each service delivery touch point and deploy appropriate risk mitigation measures, including adjusting the strength of authentication processes, to address changing threats. This entails keeping abreast of changes in business practices and technologies that either strengthen existing authentication processes or undermine them.

For example, organisations should have systems and procedures in place to address man-in-the-middle attacks where a fraudulent actor intercepts communication between an organisation and an individual. Organisations should also have plans in place to address phishing, where a malicious actor attempts to trick an individual into thinking that he/she is interacting with a real organisation.

In addition to the due diligence required of organisations to mitigate risk, it is also important that individuals play a part in protecting their personal information by maintaining up-to-date anti-virus, anti-spam, and firewall programs, and by not sharing their PINs or passwords. At the same time, organisations should not overlook more conventional low-tech threats.

Protect personal information

Organisations should have policies and practices in place to manage risks to the personal information they hold. Security safeguards must take into account the sensitivity of the personal information and the risks associated with it. For more information see our Securing Personal Information Self-Assessment Tool.

Given the potentially sensitive nature of identity information, organisations should also have a plan to notify individuals should there be a security breach so that those individuals can take the necessary steps to protect themselves from identity theft. For more information see Respond to a privacy breach at your business.

It is important to note that S-4 (The Digital Privacy Act) received royal assent in June 2015 and that the amendments dealing with breach reporting, notification and record keeping will be brought into force once the related regulations outlining specific requirements are developed and in place.

Rely on trusted identity documents or credentials

As a means of authentication, identity documents or credentials (for example, identity cards, drivers’ licences, passports, etc.) can be used with more confidence when their genuineness can be verified. In general, the issuer of the document is in the best position to assess the appropriate reliance to place on a credential.

Ideally, they should only be used for their original intended purpose. In other situations, an organisation should only rely on them when it has some assurance of the integrity of the issuance process. For example, relying on a driver’s licence from a foreign country may entail more risks than relying on a licence issued in Canada. Organisations may also rely on e-credentials or tokens from trusted sources, preferably if they have already entered into agreements with them.

Rely on trusted parties when outsourcing identity management

Under PIPEDA, an organisation is responsible for personal information under its control, including information that has been transferred to a third party for processing.

Therefore, in situations where an organisation outsources identification or authentication functions to a third party, primary responsibility for ensuring the adequacy of the processes remains with the organisation providing the service to the individual. This means that the organisation remains accountable, through contractual or other means, for ensuring that identification and authentication processes meet its requirements and reliably protects its customers’ personal information.

Organisations that outsource identity management to third parties should inform their customers’ of this practice. Third party organisations that act as identity management providers should also collect, use or disclose personal information in accordance with these guidelines.

Permit individuals to control their identification and authentication information

Organisations should offer individuals options to manage their identification and authentication information. When possible, individuals should be allowed to choose their:

Own identifier and should not be required to only use their name. However, there may be situations, for example, when opening a bank account, where organisations are required to collect specific information and the use of a nickname or other alternative identifier is not possible.                                                                                                    Passwords or PINs, including those that exceed a standard minimum length and complexity and questions and answers where personal preferences are used for authentication.

Where reasonable and appropriate in the circumstances, organisations should also provide enhanced authentication processes to individuals who request them.

Consider the use of bio-metrics carefully

Before considering the use of bio-metrics (such as automated facial recognition technology, retina scans, fingerprints, hand-scans) in their identity management systems, companies should consider whether they are necessary, effective, and proportional to the potential privacy risks, and whether there is a less privacy invasive way to identify or authenticate an individual.

Although they can be strong identifiers (i.e., a fingerprint is a unique and persistent identifier that corresponds to one individual the vast majority of times) they are far from being a panacea. For example, faces change over time, fingerprints can be worn down, and a person’s gait can be altered by an accident or injury. Depending on how unique and persistent a bio-metric is, and how effective the technology used is at data matching, automated recognition systems may produce false-positives or false-negatives.

Unlike a password, if a bio-metric is stolen or compromised it is very difficult, if not impossible, to change. If there is a risk that a bio-metric could be compromised, it should not be used for authentication on its own – it should be used with another authenticator, such as something only the individual has or knows.

When appropriate, bio-metric information should be locally stored (i.e., on a device) rather than in a central database. Centralised storage heightens the risk of data loss or the inappropriate cross-linking of data across systems. Local storage, such as mobile phones or smart cards, by contrast, gives individuals more control over their personal information.

By its very nature bio-metric information is sensitive information and should be protected by appropriate safeguards, including for example, encryption.

1.5 Analyse and plan for the risk in the  use of collaborative technologies for different task

Transparency and technology in a wider context

While transparency is a tool for combating corruption, it is also part of overarching societal goals of accountability, democratisation and good governance. This connection is based on the assumption that using newly disclosed information, citizens, media, civil society and government officials will investigate and positively influence policy. This is a big assumption, and is very much tied into specific political, social, economic and cultural contexts. For example, existing evidence suggests that the democratising power of transparency depends largely on its ability to link into ongoing political and social mobilisation.1 Transparency can transform existing power structures, but often fails to, based in part on how problems are framed and the capacity of users to interpret and use information.2

Many of these same power and knowledge asymmetries plague technology projects, particularly as they have begun to tackle complex governance issues. While open source technology is a valuable tool in implementing transparency, work towards accountability and good governance is complex, with high stakes and a diverse set of stakeholders. Issues of privacy, security, trust, inclusive and capacity take on new importance as technologists navigate real-world communities, which in many cases hold very different values to those espoused by the open source community. At the same time, local groups, government, mass media, NGOs and the global community must make space for technology and the new skill sets required to integrate online tools into development work.

Examining a series of technology-for-transparency pilot projects,3 this report begins with a brief investigation into some of the obstacles to effective implementation, highlighting the communication and knowledge network gaps that exist. Turning to recent research on this topic, the report goes on to explore the concept of collaborative learning networks and their impact on existing gaps in engagement, trust and knowledge.

Undermining accountability: Barriers faced by technology-for-transparency projects

Turning online activity into offline change continues to be a struggle for digital activists all over the world, and projects aimed at addressing issues of corruption are no exception. Low engagement and a lack of infrastructure are commonly cited obstacles for many technology projects; however, they are particularly relevant in the case of transparency, where participation from a diverse set of actors is essential to the success of most initiatives. Privacy and security are also growing concerns, particularly given the recent trends toward government censorship and monitoring.4

Low engagement

Effecting offline change often requires a shift in perception of civic engagement. While many technology projects report substantial interest from citizens, some, particularly those focusing on disseminating government information rather than on collecting citizen input, have difficulty gaining and sustaining citizen engagement. In many countries, there is little public awareness and understanding of government activity, or of the power of citizen oversight. The founder of Cidade Democrát ica (“Democratic City”) in Sao Paulo, Brazil observed that the majority of citizens believe that improving civic services is not their responsibility, due in part to the top-down nature of the state.5 In Venezuela, ProAcceso, a project pushing for right to information (RTI) laws, found that even where laws existed to protect and empower citizens, they were not well known or understood. In response, the project developers instead focused on providing information that is directly relevant to individual and community life – such as information on education and public health for a mother with young children.6

When data is being collected from individuals and communities, low engagement could also be a result of distrust or poor relationships with the intended users of disclosed information. Local mappers working on the Map Kibera community mapping project were originally met with suspicion by residents, and questioned about their right to collect and record information. Some mappers were asked whether they were being paid for their work, or were asked for payment in return for the data they received.7

Engagement with mass media and citizen journalists is also an essential component to achieving wider social impact by transparency-for-technology projects. When asked how their project would spend additional funding, many transparency pilots interviewed by Global Voices focused on citizen and local media capacity building with online tools, new media, reporting and investigating.8 This is an important aspect of taking technology projects beyond the “disclosure” stage. Local mass and independent media must be aware of and able to use the information collected by technology projects in order to hold governing actors accountable.

A lack of engagement with governing actors at various scales can also be a substantial obstacle in combating corruption through technology. Distrust, animosity and secrecy are commonly cited issues for technology projects working towards government accountability, often exacerbated by a lack of communication and consultation on both sides. Government officials can be an essential ally in increasing government transparency, pushing for legislative reform based on reported data. This was the case in Bangalore, where the transport commissioner for the state of Karnataka used data collected from the online platform “I Paid a Bribe” to push through reforms in the motor vehicle department, including online applications and video monitoring to drive down corruption and increase transparency.9

One of the most commonly raised issues among pilot technology projects is the need for clear outcomes from citizen engagement. In many cases there was significant interest from communities, but when the project was unable to effect change, interest and support for the project waned.10 Conversely, when participants felt that their input had led to a definitive outcome, even if that outcome did not translate directly into accountability, confidence in the value of the tool, and in contribution, increased.

This has been the case for the Kiirti11 programme in India, which aggregates and visualises citizen complaints and questions on a variety of issues using Front-line SMS and Ushahidi. According to the developers of Kiirti, users of the platform are able to bring about a change in their community with minimal effort. These changes are often very local, such as changing a streetlight or paving a road; however, there is a substantial impact on the mindset of users, and there is an expectation that as participation increases, governing actors will be forced to tackle more complex issues.

Lack of infrastructure

In discussing technology, infrastructure is often understood as the physical networks required for access to the internet. But this is only one of many structures needed to realise the potential of transparency. Technology projects also rely on what is sometimes referred to as “soft infrastructure” – systems of governance, education, regulation, culture and social support.12 These structures are very much tied into issues of engagement, and in some cases it may be necessary to build up soft infrastructure before effectively engaging various actors. Ideally, technology-driven transparency projects should have clear frameworks for implementation and progression, which ultimately rely on existing and emerging networks of activism, institutional and financial support, and participant capacities.

The founders of Map Kibera revealed the importance of infrastructure in their community information project, which originally started as a three-month pilot.13 Partnering with the Kibera Community Development Agenda (KCODA), a side project for Map Kibera involved developing an online mapping application to monitor the status of projects funded by the Kenya Constituency Development Fund (CDF). Individuals could submit photographs and reports on the real status of projects, contrasting those with official government reports. Information was also provided on the amount of funding allocated, the contractor involved, and geographic location. Unfortunately, there was limited time for training with the web application, and the collection of evidence was not well organised. When the tool was presented at a community forum on local budgets, some of the reports were shown to be out of date, which weakened confidence in the tool more broadly.14 Reflecting on the project, one of the developers, Mikel Maron, suggested that limited time and resources were substantial constraints to building capacities and structures for long-term engagement.

At a recent workshop hosted by the Bridging Transparency and Technology partnership, one participant described how a well-planned project fell victim to a 12-month timeline, which focused on results over longevity.16 Funding was a major issue for most of the projects examined by Global Voices, with much of the work done on a voluntary basis by only a few dedicated developers.17

Language is another aspect of soft infrastructure that, if overlooked, can significantly restrict the impact of technology-driven transparency. In compiling best practices for ICTs, Talyarkhan notes the importance of addressing local language needs before developing communication strategies.18 This is particularly important given recent calls for more online content in local languages in countries such as South Africa.19 Moreover, many people prefer to receive information orally at face-to-face meetings, which allow for demonstrations and follow-up.20 In Malaysia, the coordinators of Penang Watch used face-to-face meetings to collect citizen complaints, train participants and build interest in the project.21

Privacy and security

The potential for transparency to threaten the security of marginalised communities and to reinforce existing power inequalities carries no small risk. Governing authorities may garner international legitimacy and attract funding while at the same time exerting increased control over communities through greater understanding of local conditions. As information is gathered by state or external authorities, it is reduced to standardised pieces of information that allow citizens to be easily managed.22

In her 2011 report on the opportunities and challenges of open ICT for vulnerable and marginalised communities, Evangelia Berdou highlights tensions and risks associated with the open provision, collection and dissemination of information in the context of under-resourced and politically contested spaces. The results of an in-depth study of Map Kibera in the first six to eight months of the project revealed persistent barriers to accessing information and risks of project participant exploitation due to increased visibility. Young mappers received requests for collaboration by external actors on a number of occasions, some of which were judged to be exploitative,23 revealing a need for structures to train and protect participants from abuse. In November 2010 Map Kibera developed a trust, which provides an important organisational framework, including structures for processing external requests.

At the same time, online privacy, censorship and secure communications present new challenges to technology-for-transparency projects. This includes dangerous restrictions to freedom of expression and access to information by marginalised communities. For example, in July 2012 the Pakistan Telecommunication Authority banned a watchdog website that documented violence against Shi’ite Muslims in the country, citing the propagation of religious views as reason for the suppression.24 There are also substantial risks to the privacy of online communications in many countries, as online surveillance continues to be touted as a tool for combating issues from online piracy to terrorism.25 Technology-driven transparency projects need to be cautious in how they collect and use data, and ensure that participants know how to protect their right to privacy online.

Collaborative learning networks

Online tools provide an important opportunity for “collaborative transparency”, where the users of data create and shape information content, allowing for a level of interactivity not present in offline transparency projects.26 At the same time, as this report has highlighted, there are a number of obstacles to achieving effective collaborative transparency, including the very real danger that intended users do not have the capacities to understand and use disclosed information. There are often substantial communication, trust and knowledge gaps that exist as a result of low engagement and a lack of infrastructure.

Collaborative multi-stakeholder learning networks provide an opportunity to bridge these gaps. In conducting her research on the impact of online tools, Berdou found that non-profit technology companies and open source technology entrepreneurs play a significant role in supporting the uptake of online tools by activists and organisations. By sharing skills and knowledge, these partnerships can improve the design and impact of technology-driven transparency. Concluding her report, Berdou asks the important question of how partnerships and networks can be constructed to promote learning and support the successful use of online tools and platforms.

The partnerships and networks developed around transparency in the extractive industries provide some insight into this question. Publish What You Pay (PWYP), a global network of 650 civil society organisations, works with multi-stakeholder initiatives such as the Extractive Industries Transparency Intiative (EITI) to advocate for and implement disclosure of information on extractive industry revenues and contracts.27 In 2010, Ghanaian PWYP members issued a statement to the national government, based on consultations with community and faith-based organisations from all ten regions, as well as media and development partners.28 Among the recommendations was a call for the development of a public oversight committee, which was subsequently established in 2011 under Section 51 of the Petroleum Revenue Management Act.29 In May 2012 the public oversight committee published a report indicating discrepancies in funds paid and received by the national oil company. Mass media picked up the story, and as a result the government released new documents which confirmed the discrepancy and disclosed the location of the missing funds.30 PWYP network members are also part of Ghana’s multi-stakeholder EITI steering committee, which regularly reviews government receipts and disbursements of revenues from the extractive sector.31

These two coalitions contribute, along with international NGOs like Revenue Watch and Transparency International, to greater oversight and accountability in resource-rich countries, fighting corruption and contributing to sustainable development. Like many multi-stakeholder initiatives these actors still struggle to effectively engage and empower citizens on a broader scale. However, by creating spaces where all stakeholders can participate in the design and implementation of transparency, PWYP and EITI contribute to a culture of participatory governance.

As technologically driven transparency continues to grow, these same structures of multi-stakeholder collaboration must develop. In some areas this is already occurring, such as the newly formed Bridging Transparency and Technology project,32 which has hosted a number of workshops and meetings to discuss how online tools can best be utilised by transparency projects. Although it is not clear yet how the recommendations and strategies from these meetings will be implemented, the project provides a vital space for continued discussion and partnership building.

1.6 Analyse and manage risk in the use of collaborative technologies

Risk is made up of two parts: the probability of something going wrong, and the negative consequences if it does.
Risk can be hard to spot, however, let alone prepare for and manage. And, if you’re hit by a consequence that you hadn’t planned for, costs, time, and reputations could be on the line. This makes Risk Analysis an essential tool when your work involves risk. It can help you identify and understand the risks that you could face in your role. In turn, this helps you manage these risks, and minimise their impact on your plans.
In this article and video, we look at how you can use Risk Analysis to identify and manage risk effectively.

What Is Risk Analysis?
Risk Analysis is a process that helps you identify and manage potential problems that could undermine key business initiatives or projects.
To carry out a Risk Analysis, you must first identify the possible threats that you face, and then estimate the likelihood that these threats will materialise.
Risk Analysis can be complex, as you’ll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, and other relevant information. However, it’s an essential planning tool, and one that could save time, money, and reputations.
When to Use Risk Analysis
Risk analysis is useful in many situations:
When planning projects, some organisation anticipate and neutralise possible problems.
Some organisation decide whether or not to move forward with a project.
Organisation improves safety and managing potential risks in the workplace.
Some organisation prepare for events such as equipment or technology failure, theft, staff sickness, or natural disasters and also plan to change the environment status, such as new competitors coming into the market, or changes to government policy.
To carry out a risk analysis, follow these steps:

Identify Threats
The first step in Risk Analysis is to identify the existing and possible threats that you might face. These can come from many different sources. For instance, they could be:
Human – Illness, death, injury, or other loss of a key individual.
Operational – Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
Reputation – Loss of customer or employee confidence, or damage to market reputation.
Procedural – Failures of accountability, internal systems, or controls, or from fraud.
Project – Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
Financial – Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
Technical – Advances in technology, or from technical failure.
Natural – Weather, natural disasters, or disease.
Political – Changes in tax, public opinion, government policy, or foreign influence.
Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.
You can use a number of different approaches to carry out a thorough analysis:
Run through a list such as the one above to see if any of these threats are relevant.
Think about the systems, processes, or structures that you use, and analyze risks to any part of these. What vulnerabilities can you spot within them?
Ask others who might have different perspectives. If you’re leading a team, ask for input from your people, and consult others in your organisation, or those who have run similar projects. Tools such as SWOT Analysis and Failure Mode and Effects Analysis can also help you uncover threats, while Scenario Analysis helps you explore possible future threats.

Estimate Risk
Once you’ve identified the threats you’re facing, you need to calculate out both the likelihood of these threats being realised, and their possible impact.
One way of doing this is to make your best estimate of the probability of the event occurring, and then to multiply this by the amount it will cost you to set things right if it happens. This gives you a value for the risk:
Risk Value = Probability of Event x Cost of Event
As a simple example, imagine that you’ve identified a risk that your rent may increase substantially. You think that there’s an 80 percent chance of this happening within the next year, because your landlord has recently increased rents for other businesses. If this happens, it will cost your business an extra $500,000 over the next year.
So the risk value of the rent increase is: 0.80 (Probability of Event) x $500,000 (Cost of Event) = $400,000 (Risk Value).
Organisation  can also use a Risk Impact/Probability Chart to assess risk. This will help them to identify which risks they need to focus on.
Don’t rush this step. Gathering as much information as much as possible, the organisation can accurately estimate the probability of an event occurring, and the associated costs. Use the past data as a guide if the organisation n don’t have an accurate means of forecasting.
How to Manage Risk
Identified the value of the risks the organisation is facing, then start to look at ways of managing them. Look for cost-effective approaches – it’s rarely sensible to spend more on eliminating a risk than the cost of the event if it occurs. It may be better to accept the risk than it is to use excessive resources to eliminate it.
Be sensible in how to apply this, though, especially if ethics or personal safety are in question.
Avoid the Risk
In some cases, some organisation may want to avoid the risk altogether. This could mean not getting involved in a business venture, passing on a project, or skipping a high-risk activity. This is a good option when taking the risk involves no advantage to the organisation, or when the cost of addressing the effects is not worthwhile.
Remember that when avoiding a potential risk entirely, the organisation might miss out on an opportunity. Conduct a “What If?” Analysis to explore some options when making decision.

Share the Risk
This could also opt to share the risk  and the potential gain with other people, teams, organisations, or third parties. For instance,  sharing a risk when it insure that the  office building and the inventory with a third-party insurance company, or when partnering  with another organisation in a joint product development initiative.
Accept the Risk
Your last option is to accept the risk. This option is usually best when there’s nothing you can do to prevent or mitigate a risk, when the potential loss is less than the cost of insuring against the risk, or when the potential gain is worth accepting the risk.
For example, you might accept the risk of a project launching late if the potential sales will still cover your costs. Before you decide to accept a risk, conduct an Impact Analysis to see the full consequences of the risk. You may not be able to do anything about the risk itself, but it can likely come up with a contingency plan to cope with its consequences.
Control the Risk If you choose to accept the risk, there are a number of ways in which you can reduce its impact.

Business Experiments are an effective way to reduce risk. They involve rolling out the high-risk activity but on a small scale, and in a controlled way. You can use experiments to observe where problems occur, and to find ways to introduce preventative and detective actions before you introduce the activity on a larger scale.
Preventative action involves aiming to prevent a high-risk situation from happening. It includes health and safety training, firewall protection on corporate servers, and cross-training your team.

Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur. Detective actions include double-checking finance reports, conducting safety testing before a product is released, or installing sensors to detect product defects.
Plan-Do-Check-Act is a similar method of controlling the impact of a risky situation. Like a Business Experiment, it involves testing possible ways to reduce a risk. The tool’s four phases guide you through an analysis of the situation, creating and testing a solution, checking how well this worked, and implementing the solution.

Conclusion

Collaboration tools have evolved, some organisations have found benefits they hadn’t counted on, such as increased transparency, better problem-solving and more efficient crisis planning. As technologically driven transparency continues to grow, these same structures of multi-stakeholder collaboration must develop and implement of  multiple solutions to common problems or goals. Organisations need assurances that individuals legitimately possess the necessary identity attributes to complete a legitimate transaction. Similarly, individuals need to be assured that only the right people are accessing their account, or conducting transactions using their identification, whether face-to-face or online.

Resources.

https://www.cmswire.com/digital-workplace/4-best-practices-for-real-time-collaboration-and-communication/  Access on 15 /02/2019

https://www.mindtools.com/pages/article/building-trust-team.htm  access on 15/02/2019

http://soloprpro.com/7-ways-to-build-trust-with-your-clients/ access on 17/02/2019

https://www.mindtools.com/pages/article/newTMC_07.htm/access on 1/01/2019

https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2002/pipeda-2002-040/ access on 19/02/2019

https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2009/pipeda-2009-012/  access on 19/02/2019

https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2002/pipeda-2002-040  access on 19/02/2019