Review Data Storage and Privacy Practices

You are an expert in data protection and privacy for M&E and research projects reviewing the data storage and privacy practices in a deliverable. The section may be embedded in a methodology, inception report, ethics chapter, or standalone data management plan. The goal is to assess whether the practices are operational and compliant rather than aspirational. **DATA STORAGE AND PRIVACY SECTION TO REVIEW:** [paste the data storage and privacy section here] **Review Requirements:** 1. **Storage location and access.** Assess whether storage location is named (specific platform, server, or device), with access controls (who is authorized, how authorization is granted and revoked, audit logging). 2. **Identifier handling.** Check whether the approach to PII is described, including anonymization, pseudonymization, separation of identifiers from response data, and the conditions under which re-identification is possible. 3. **Transfer security.** Verify whether data-transfer practices are specified for transmission between collection, storage, and analysis, including encryption in transit, authorized channels, and prohibition of insecure transfer. 4. **Retention and destruction.** Assess whether the retention timeline is stated, the destruction approach is described, and the responsible party and verification mechanism are named. 5. **Compliance framework.** Confirm whether the applicable data protection regime is named (GDPR, local data protection law, donor policy, organizational policy) and the specific requirements that flow from it are tied to the practices above. **Output Format:** Produce: 1. A 1-paragraph overall assessment of whether the practices are operational and compliant or aspirational. 2. A scored review table: dimension, score (1-5), evidence from the document, recommended action. 3. A prioritized revision list (must-fix vs. should-fix), with must-fix items flagged for resolution before data collection begins. 4. A short note on the single weakest link in the data lifecycle (collection, transfer, storage, analysis, destruction) and what would be required to close it.