Confluence SOP

SOP Name: GovStack Confluence Guidance 

| Version | Author / Editor | Date | Changes |
|---|---|---|---|
| v1 | Esther | Oct 26, 2022 | |

INTRODUCTION 

The GovStack initiative will use Confluence to create documents, collaborate, and document teamwork.  

PURPOSE:  

To standardize the process for knowledge management for the GovStack Initiative in a transparent way.

SCOPE OF APPLICABILITY 

This procedure refers to documents that do not contain sensitive or confidential information. For documents with sensitive or confidential information, please read the information confidentiality section below.

RESPONSIBILITY  

All members of the GovStack team can create and save documents for the use of other members.

DEFINITIONS 

Confluence is a tool to create, store, and share information 

Create information: Create pages. Build how-to materials. Brainstorm ideas. Capture thoughts. Plan new projects.  

Store information: Store resources. Organize pages. Easily find the information you need. 

Share information: Share projects. Give and receive feedback. Collaborate across teams. 

PROCEDURE:

| Step | Process | Person Responsible |
|---|---|---|
| | Create a page on Confluence for GovStack workstream. Link to how to create confluence page here | PM/Team member |
| | If there is a relevant page created, create a child page to document GovStack related information | PM/Team member |
| | Insert template created in Confluence as required. Link to meeting note template here. More customized template on confluence. | PM/Team member |
| | Link page to relevant Jira ticket e.g., Building Block issue | PM/Team member |
| | Update each page as required | PM/Team member |
| 5 | Create blog for announcement or publish accomplishment | Comms Lead/PM |
| | Upload document created outside of Confluence but relevant to GovStack initiative. | All team members |

Note: Contact the PM if unsure how to create a Confluence page and where to store documents.

INFORMATION CONFIDENTIALITY CLASSIFICATION AND TOOL USAGE

| Version | Editors | Changes |
|---|---|---|
| 0.8 | Nico Lück, Rachel Lawson, P.S. Ramkumar, Esther Ogunjimi, Moritz Fromageot, Ayush Shukla | |

PURPOSE OF THIS DOCUMENT

This document is to guide participants of the GovStack community in finding the appropriate place to store information. As a community driven by the principle of openness, we aim to make decisions and information as public as possible. However, to ensure that we do not risk issues to the project, or the partners supporting the project, we must consider the content/data we are handling and store it in locations that mitigate those risks. The overall way we work is to:

  1. classify content/data and agree how each classification is handled

  2. place reminders of what classification of content/data is appropriate on each platform, where possible

  3. communicate to all members of the project team which platforms are available for use and what classification of content/data is appropriate in each.

PERSONAL DATA

Data relating to people must always be handled with the greatest care and always in accordance with the rules given by GDPR. The GovStack project details these rules in its Privacy Policy and they must always be followed before further considering what information to store where, as described in this document.

CLASSIFICATION OF INFORMATION

The protection needs of information consider the damage that may occur if confidentiality, integrity or availability is compromised. The person creating the information is responsible for selecting the appropriate classification. For this person to select the correct classification, the protection need is described in a detailed, abstract manner and example cases are given. Recurring meetings shall already be categorized so that information coming out of these meetings inherits the respective class. We also define the tools we use to handle information at each classification. There may be exceptions to these rules, especially at the Public classification. At the Normal / High classifications, usage of a particular tool other than that defined here should be cleared with your partner lead.

Each classification below lists, in order:

  • Protection need

  • Potential damage to the GovStack Initiative or partners (for definitions, see below)

  • Example cases (incl. meetings). Initially, it is up to the groups to decide the classification of information not yet listed here. However, in the long term, all groups in the category “normal” should consider moving into “non classified/public”.

  • Tools we use in the GovStack project for this purpose

Protection need: Non classified / Public information

Potential damage: No damage expected

Example cases:

General

  • Overall deployment plan and roadmap

  • Events with GovStack participation

Governance Committee

  • Meeting and decision minutes

  • Information on procurements which are also available in the respective web portals

Product Committee

  • Meeting and decision minutes

Technical Committee

  • Meeting and decision minutes

Working Groups (including Building Blocks but also things like Comms, Community etc)

  • Backlog of work

  • Source Code

  • Specs documents, use case definition by working groups. Including in-development versions.

Country Engagement (for comms purposes or digital public goods)

  • General status and backlog of cooperation with partner countries for communication purposes

  • Products like playbooks

  • Digital Readiness Studies

Tools:

  • Confluence Public Areas

  • Jira Public Areas

  • Slack

  • GitHub

  • Gitbook

  • Website

  • Social Media

Protection need: Normal

Potential damage: Damage impacts are limited and manageable.

Example cases:

General

  • Personnel non-contractual details of employees/participants (contact details, email...)

Country Engagement Team

  • Work plan priorities, Activities to be done etc.

  • Playbook development

  • Work on Inception Reports

  • Meeting Minutes

Founding partner meeting (closed Governance meeting)

  • The Founding Partners may wish to release a version of the summary/meeting minutes of the closed Governance meeting for general consumption in the Public Confluence space, keeping the whole project up to date with their decisions.

Communications and Events

  • Event photos taken at initiative meetings

  • List of event participants (names etc.)

Partnership Management (Private and public sector)

  • Meeting minutes of calls with private companies

Tools:

  • Confluence Restricted Areas

  • Jira Restricted Areas

  • E-Mail

  • MS Teams direct Chat

Protection need: High

Potential damage: The damage effects can be considerable.

Example cases:

Founding partner meeting (closed Strategic Governance meeting)

  • Information to coordinate partners on financial, HR, strategy or donor matters.

  • Personal contractual details

  • Country engagement strategic priorities/constraints

  • Report on planned or active procurements

  • Travel plans in fragile contexts

  • Coordination with local implementers in fragile contexts, e.g. Somalia

  • Contracts of the founding partner with third parties, e.g. EU

Partnership Management (Donors)

  • Priorities of partners

Country Engagement

  • Status of engagement with new countries to be involved in GovStack

  • Description of the Actions, IDGC

Code of Conduct Team

  • Meeting Notes

Tools:

  • GIZ MS Teams

  • E-Mail

Protection need: Very High

Potential damage: The damage effects can reach an existentially threatening, catastrophic extent.

Example cases:

  • Personal information of target group (e.g. political activists)

  • Sensitive personal data sets for testing purposes (e.g. real data from partner systems)

Tools: No exchange of this information

PROTECTION NEEDS IN DETAIL

“Normal” protection needs category

  1. Violation of laws/ regulations/contracts

    • Violations of regulations and laws with minor consequences

    • Minor breaches of contract with at most low contractual penalties

  2. Impairment of the right to informational self-determination

    • It is a question of personal data, the processing of which may have adverse effects on the social standing or economic conditions of the person concerned.

  3. Impairment of the physical integrity of a person

    • Impairment does not appear possible.

  4. Impairment of the ability to perform tasks

    • The impairment would be assessed as tolerable by those concerned.

    • The maximum acceptable downtime is between 24 and 72 hours.

  5. Negative internal or external effects

    • Low and/or only internal impairment of reputation/confidence is to be expected.

  6. Financial consequences

    • The financial loss is acceptable to the organization.

“High” protection need category

  1. Violation of laws/regulations/contracts

    • Violations of regulations and laws with substantial consequences

    • Major breaches of contract with high contractual penalties

  2. Impairment of the right to informational self-determination

    • It is a question of personal data, the processing of which may have significant adverse effects on the social standing or economic conditions of the person concerned.

  3. Impairment of the physical integrity of a person

    • Adverse effects on the personal integrity cannot be ruled out completely.

  4. Impairment of the ability to perform tasks

    • The adverse effects would be assessed as intolerable by some of the individuals concerned.

    • The maximum acceptable downtime is between one and 24 hours.

  5. Negative internal or external effects

    • Considerable impairment of reputation/confidence is to be expected.

  6. Financial consequences

    • The financial loss is considerable, but does not threaten the existence of the organization.

“Very high” protection need category

  1. Violation of laws/regulations/contracts

    • Fundamental violation of regulations and laws

    • Breaches of contract with ruinous damage liabilities

  2. Impairment of the right to informational self-determination

    • Includes personal data, the processing of which entails a danger to life and limb or the personal freedom of the person concerned.

  3. Impairment of the physical integrity of a person

    • Severe adverse effects on the personal integrity are possible.

    • Danger to life and limb

  4. Impairment of the ability to perform tasks

    • The adverse effects would be assessed as unacceptable by all concerned.

    • The maximum acceptable downtime is less than one hour.

  5. Negative internal or external effects

    • Nationwide adverse effects on reputation or confidence are possible, which may even threaten the organization's continued existence.

  6. Financial consequences

    • The financial loss threatens the existence of the organization.

RECLASSIFYING INFORMATION

Of course, we couldn’t classify information without also recognizing that there will be occasions where it needs to be reclassified for a particular purpose.

An example of data needing reclassification might be photos taken at an event. By default, they are treated as “Normal” classification, meaning they are only stored on email, MS Teams or the private Confluence. If we want to publish them on the website, we need to reclassify them as “Public”.

The method to reclassify information is to agree this reclassification in a committee or working group meeting, record the agreement to reclassify the information in the meeting notes, and then move the information where it is needed.

So, for the example of photos taken at an event, the Comms team must note in their meeting minutes that images x, y and z.jpg have been reclassified as public and may now be added to social media.