Other formats: See the video associated with this guide here. Access this guide in PDF here.
This section will cover file sharing best practices for Mercy Corps team members using G Suite apps, particularly Google My Drive. To simplify this guide, we will be discussing sharing a single file, such as a spreadsheet. However, the same options are available when sharing a My Drive folder.
Note: Mercy Corps is transitioning to Microsoft 365 for file sharing. Once best practices for that platform have been established, a similar document or resource will be created.
There are several reasons why it is better to share a file by hosting it in Google Drive and sending a link rather than as an attachment in an email.
- Security: you can easily change who is permitted to access or edit your file. You can also make the link time sensitive by only allowing access to the file for a given period of time.
- Version control: when sharing a file that is hosted online, many people can access it at once and all changes and comments will stay in one file. Sending a file as an attachment often results in multiple versions of the same document with different file names, edits, comments, etc. The document owner will spend a lot of time trying to compile all of this into a single file! Using a link also guarantees that the recipients always have access to the most updated version of the document.
- File sizes: Some IT departments impose restrictions on the size of attachment that are allowed. Sending a link allows you to share files of any size.
- Easy editing: Files shared as Google documents in Drive, Microsoft Word in OneDrive, or similar formats allow the recipient to open and interact with the document using a web browser: they do not have to have the most recent version of a particular type of software.
Whenever you share documents, you should consider the following:
- Carefully consider who will create the file or folder, who will own/administer it, and who will access it. If short-term contractors create and administer files there is a risk of the files or the access leaving with the contractors when they leave!
- Only give access to those who need the file.
- Confidential, private or personally identifiable information (PII) content must always have restricted access. If you are unable to determine if or how the content should be restricted, please seek assistance from Legal or the Data Protection and Privacy team.
- Use the appropriate level of permissions.
- Consider an example where a new project charter needs to be created. Most likely, only the team responsible for charter creation should have full access. When it’s time to get feedback from others, grant additional permissions that only allow viewing or commenting.
- Use extreme caution in granting access requests to team members who may accidentally be using their personal email accounts. Instead of granting access to a personal email account, grant access to their Mercy Corps account, and ask the team member to log in with those credentials.
- Permissions change over time
- If you are only working with someone for a short period of time or with people outside Mercy Corps, consider giving temporary permissions. If you forget to remove the access later, an expiration date will ensure their access is suspended at the right time.
- Periodically audit the list of who has access to your files, folders or shared drives to ensure you remove access for team members who have changed roles, or are no longer with Mercy Corps.
- Risky content requires extra steps
- Personally identifiable information (PII), demographically identifiable information (DII), or other types of personal data are protected under multiple data protection laws. Before you share personal data, verify the legal requirements for sharing that information with others. Inappropriate personal data sharing can put program participants, donors, partners and Mercy Corps team members at risk. If you have questions about personal data or data protection laws, please email the Data Protection and Privacy team at dataprotection@mercycorps.org.
- If the information is considered confidential or proprietary for business purposes, share it only with required parties and consider granting temporary access.
- If the person receiving the file works in an insecure location, or if the contents include personal data, consider encrypting the file or protecting it with password protection. See the Encryption and de-identification sections for examples of how to do this.
- Never move files without the owner's permission.
- Moving files may alter who has access and make it impossible for others to find the file! Always check with the document owner before moving a shared file to a new location.
Follow the instructions for file sharing in Gdrive here.
How and with whom you will share data should be part of a larger strategy for the data life cycle of a program or activity. There are several resources that can help you.
- The International Federation of Red Cross and Red Crescent Societies (IFRC) Data Playbook is an excellent resource of exercises, session plans, checklists, and other materials to help you organize conversations and activities with your team. In particular, Module 7 - Data Sharing is a good place to start.
- The International Committee of the Red Cross' Handbook on Data Protection in Humanitarian Action is a detailed guide to almost every aspect of humanitarian data. Chapter 2 specifically deals with data sharing.
- The Cash Learning Partnership's Data Responsibility Toolkit is designed for cash and voucher practitioners specifically, but is a "gold standard" in guidance for responsible data. See especially, Tip Sheet #6, "Data Sharing". The Toolkit is available in English, Arabic, French, and Spanish.