Layers of risk (3) & Conclusion

3. Data/information

Data and information are produced all the time while organising. This data can be formal or informal, deliberate or shadow. Another way to understand risks in increments is to look at the data practice of a specific activity or strategy of a movement. Think about this from the perspective of either a specific working group within a movement that is responsible for carrying out specific tasks or strategies, or an activity. This can also be used at the level of an organisation, as every organisation deals with data, and so does each unit within an organisation.

Below are some security and safety considerations for each phase of the data life cycle. The activity “Data life cycle as a way to understand risk” operationalises this section.

a) Creation/gathering/collection of data

  • What kind of data is being gathered?
  • Who creates/gathers/collects data?
  • Will it put people at risk? Who will be put at risk if this data is released?
  • How public/private/confidential is the data gathering process?
  • What tools are you using to ensure the safety of the data gathering process?

b) Data storage

  • Where is the data stored?
  • Who has access to the data storage?
  • What are the practices/processes/tools you are using to ensure the security of the storage device?
  • Cloud storage vs physical storage vs device storage.

c) Data processing

  • Who processes the data?
  • Will the analysis of the data put individuals or groups at risk?
  • What tools are being used to analyse the data?
  • Who has access to the data analysis process/system?
  • In the processing of data, are secondary copies of the data being stored elsewhere?

d) Publishing/sharing of information from the processed data

  • Where is the information/knowledge being published?
  • Will the publication of the information put people at risk?
  • Who are the target audiences of the published information?
  • Do you have control over how the information is being published?

e) Archiving

  • Where are the data and processed information being archived?
  • Is the raw data being archived or just the processed information?
  • Who has access to the archive?
  • What are the conditions of accessing the archive?

f) Deletion

  • When is the data being purged?
  • What are the conditions of deletion?
  • How can we be sure that all copies are deleted?


This background document aims to provide you with a conceptual overview of how to think about risk assessment from the perspective of movement organising. Often, risk assessment is done at the level of an individual or an organisation. Thinking about this at the level of movements means asking participants to situate themselves as significant, yet partial, parts of a larger community of organisers.

This can be helpful as a common ground for groups of people who are organised differently to come together and think through a common plan, when a shared context, aim or activity is identified. It can also help to facilitate processes for collective thinking around sustainability and organising by anticipating and planning for risks related to group and relational dynamics, and where information and communications technologies play a critical role as movement infrastructure.

You can share this as an additional resource for background reading with participants, or choose specific layers to further deepen as a group exercise or discussion.

Further reading

More broadly on understanding movement building and collective organising, as well as on digital realities:
