🗣️Annex 1: Data Collection and Management Best Practices
Where the identity of the complainant is essential for the investigation, organisations should take diligent measures to safeguard the confidentiality of sensitive information such as gender identity, sexual orientation, medical history, location, and contact information. There are two key principles of confidentiality to adhere to:
Need-to-know basis: Access to data should be limited only to those who require the information to provide protection and assistance to the person to whom the data belongs. For example, if person A were to lodge a complaint against person B, the workplace supervisor for both persons should be informed of the need for separation and distancing, without being informed of the details of the harassment or assault. Personal data should only be shared with relevant staff, supervisors and referral partners. All parties involved have a responsibility not to divulge information to other colleagues or parties, whether accidentally, purposefully or unnecessarily.
Informed consent: Informed consent can be defined as any voluntarily given and informed indication of agreement to the processing of the personal data of the person to whom the data belongs. This may be given through written or oral statements or clear affirmation. Consent must be tailored to the characteristics of the person to whom the data belongs, including their age, gender, sex characteristics, language, disability status and other diversity criteria. The following diagram from the New Zealand government’s official data agency outlines guidelines and best practices for determining if and how to collect sex and gender data.
When collecting information, it is essential to transparently communicate with complainants about the data required, the purpose of its collection, how it will be utilised, and by whom. Survivors should also always have the option to withhold specific information from particular partners or people, as well as the discretion to decide when and with whom they share their personal information.
Access to data should be limited only to those who require the information to investigate and provide assistance to the person to whom the data belongs. Respect the confidentiality of LGBTQIA+ survivors' personal information, including details about their SOGIESC. Seek their explicit consent before disclosing such information, even to other staff members within the same organisation.
Information that is irrelevant to the complaint and investigation, and that would not in any way affect the final determination, can potentially be anonymized to reduce the possibility of identifying the complainant when privacy is critical. For example, when the complaint is indisputably an issue of gender discrimination between a man and a woman, ethnicity may not be relevant and does not need to be provided. Similarly, when a male supervisor has sexually harassed a male staff member, the sexuality of the male staff member is not relevant to the conduct at hand.
If there is no choice but to disclose their information, complainants should be given advance notice and access to protection measures.
Organisations should ensure their internal data is maintained to common standards such as the European Union’s General Data Protection Regulation (GDPR) and, at the very least, require information to be encrypted and accessible only to a limited number of authorized persons. Personal information should also be accessible only from sanctioned devices (i.e. office computers) and should not be accessible via personal or private devices.