Key Security Actions at a Glance
- Your Account: Enable Two-Factor Authentication (2FA). It’s the single most effective way to protect your account.
- Form Design: Practice data minimization. If you don’t absolutely need sensitive data, don’t collect it.
- Team Access: Always apply the principle of least privilege. Grant only the minimum permissions required for each role.
- Mobile Devices: Use KoboCollect’s “Delete after send” feature to minimize data stored on phones.
- Data Exports: Never store exported data on personal devices or unsecured cloud services.
Protecting the data we collect about the people we support is a core part of our “Do No Harm” principle. A data breach can have severe, real-world consequences, from discrimination to physical harm. This guide provides practical, actionable steps to help you manage data securely throughout its lifecycle on the IFRC KoboToolbox server.
Data security is a shared responsibility. While the IFRC provides a secure platform with built-in encryption, you, as the data controller, are responsible for how you configure your project, manage access, and handle the data you collect. Let’s walk through how to do that effectively.
Secure Foundations: Your Account
Security starts with your own account. A single compromised account can jeopardize an entire operation.
- Use a Strong Password: Create a strong, unique password for your KoboToolbox account. Don’t reuse passwords from other services. It’s recommended to use a password manager to have strong, unique passwords for every account.
- Enable Two-Factor Authentication (2FA): This is one of the most effective things you can do to protect your account. 2FA adds a second layer of security, requiring a code from your phone to log in. Even if someone steals your password, they won’t be able to access your account.
Smart Form Design: Data Protection by Design
The best way to protect sensitive data is to not collect it in the first place. This principle, known as data minimization, should guide your form design process.
- Be Critical: For every question you add, ask yourself: “Do we absolutely need this information to achieve our objective?” Avoid collecting sensitive or Personally Identifiable Information (PII) like full names, addresses, or GPS points unless it is essential.
- Use Kobo’s Built-in Tools: Leverage the formbuilder to enhance both data quality and security.
  - Required Questions: Prevent blank or incomplete submissions.
  - Validation Criteria: Ensure data is in the correct format (e.g., a phone number has the right number of digits).
  - Skip Logic: Design your form so that users are only asked relevant questions, preventing the accidental collection of unnecessary data.
Managing Your Team: The Principle of Least Privilege
When sharing your project, always follow the Principle of Least Privilege: give people only the minimum level of access they need to do their job, and nothing more. This drastically limits the potential damage if one of their accounts is compromised.
To share a project, go to SETTINGS > Sharing. Here are the recommended permission levels for common roles:
| Role | Recommended Permission | Why? |
| --- | --- | --- |
| Enumerator | Add submissions | Can submit new data, but cannot see, edit, or delete anyone else’s data. |
| Field Supervisor | View submissions, Edit submissions, Validate submissions | Can review and clean data from their team, but cannot change the form or project settings. |
| Data Analyst | View submissions | Can view and export data for analysis, but cannot change the original dataset. |
| Project Admin | Manage project | Has full control. This should be limited to one or two trusted individuals. |
For more granular control, you can use user-level or row-level permissions to give a user access only to submissions a specific user created or to submissions that meet a specific condition (e.g., submissions from a certain district).
In the Field: Secure Mobile Data Collection
The data collection device is often the most vulnerable point in the data lifecycle. A lost or stolen phone can lead to a serious data breach.
Harden Your Devices
Before deploying any device to the field, follow this checklist:
- Set a strong screen lock (PIN, fingerprint, or password). Never use an unlock pattern: patterns are notoriously easy to observe, even from meters away.
- Enable full-disk encryption (this is the default on most modern Android devices, but check in the security settings).
- Enable Android’s “Find My Device”, which allows you to remotely locate, lock, and wipe the device if it is lost or stolen.
- Keep the operating system and all apps updated.
Configure KoboCollect Securely
- Connect to the IFRC Server: In KoboCollect settings, use the URL https://kc.ifrc.org and the enumerator’s individual username and password.
- Set an Admin Password: This is a critical step. Inside KoboCollect’s settings, set an admin password. This locks down the settings menus, preventing enumerators from accidentally changing the server or disabling security features.
- Enable Auto-Delete: To minimize the amount of data stored on the device, configure KoboCollect to “Delete after send.” This ensures that once a record is successfully uploaded to the server, it is permanently erased from the phone.
- Finalize Before Sending: Ensure enumerators understand that once a form is sent, it is automatically deleted from the device and can no longer be edited locally. Instruct them to use the “Save as Draft” feature to review their work, only clicking “Send” when they are certain the record is complete and accurate.
Incident Response: Lost or Stolen Device Protocol
If a data collection device is lost or stolen, act immediately.
- Report: The user must immediately report the loss to their supervisor and the IM focal point.
- Lock & Wipe: Using Android’s Find My Device, lock the device and, most importantly, wipe all data from it.
- Change Password: Immediately change the password of the KoboToolbox account that was used on the device.
Managing Your Data’s Lifecycle
Your responsibility doesn’t end once the data is on the server. Proper management of exports and project close-out are key.
Secure Data Handling
- Use Secure API Connections: When connecting to external tools like Power BI, use the synchronous exports feature. Ensure your project’s sharing settings do not allow public access to submissions.
- Use Data Sharing Agreements (DSAs): Before sharing data with any external partner, you must have a formal DSA in place. The agreement should specify exactly what data is being shared, for what purpose, how it will be protected, and when it will be destroyed. Consult your legal advisor for more information.
Archiving and Deleting Old Projects
Once data collection is finished, clean up your projects to reduce risk and free up server space.
- Archive: This is the best option for most completed projects. Archiving makes the project read-only—no new data can be submitted, but you can still view and export the existing data. This prevents enumerators from accidentally submitting data to a project that doesn’t accept submissions anymore.
- Delete: This removes the form and all its data. Only delete a project when you are certain the data is no longer needed and you have a secure backup if required.
Securely Handling Exported Data
Once data leaves the secure IFRC KoboToolbox server as a downloaded file (e.g., XLS, CSV), its protection becomes your direct responsibility.
- Secure Storage: Never store exported data containing PII on personal computers, USB drives, or unprotected cloud services. Use approved encrypted storage, such as secure SharePoint sites or password-protected network drives.
- Encryption at Rest: For any file containing sensitive data, encrypt it before sharing. Share the password separately and securely (e.g., via a phone call or a different messaging app).
- Clean Your Data: Before sharing data for analysis, remove any columns with direct identifiers (names, phone numbers, GPS points) that are not strictly necessary for the analyst’s work.
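One way to apply the “Clean Your Data” step before handing an export to an analyst, shown as an added example (not part of the original guide or of KoboToolbox itself). It keeps only an allowlist of columns rather than trying to name every identifier, then flags kept columns that still contain phone-like strings, such as a free-text notes field. The column names, sample rows and the phone pattern are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export; column names and values are made up for illustration.
SAMPLE_EXPORT = (
    "respondent_name,phone,district,household_size,notes,_gps_latitude,_gps_longitude\n"
    "A. Example,+000 555 0101,North,5,call back on 0005550199,1.2345,36.7890\n"
    "B. Example,+000 555 0102,South,3,,1.3456,36.8901\n"
)

# Long digit runs (optionally with spaces or dashes) that look like phone numbers.
PHONE_LIKE = re.compile(r"\+?\d[\d\s-]{7,}\d")


def minimize_export(csv_text, keep_columns):
    """Keep only allowlisted columns; return (clean_csv_text, dropped_columns)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in keep_columns if c not in header]
    if missing:
        # Fail loudly instead of silently producing a file with a wrong layout.
        raise ValueError(f"allowlisted columns not in export: {missing}")
    dropped = [c for c in header if c not in keep_columns]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(keep_columns),
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue(), dropped


def flag_residual_identifiers(csv_text):
    """Return kept columns whose values still contain phone-like strings."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, value in row.items():
            if col not in flagged and isinstance(value, str) and PHONE_LIKE.search(value):
                flagged.append(col)
    return flagged


if __name__ == "__main__":
    clean, dropped = minimize_export(SAMPLE_EXPORT, ["district", "household_size", "notes"])
    print("dropped:", dropped)
    print("review before sharing:", flag_residual_identifiers(clean))
    print(clean)
```

A flagged column is a prompt for manual review, not proof of PII; free-text fields usually need to be redacted or dropped before the file is shared.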
See IFRC KoboToolbox terms and conditions, data protection policy, and fair use policy, or contact the IFRC IM Team for more information.
