Are you respecting the right to privacy as you advance social protection?

The protection of privacy in large scale social protection programmes in low-income countries is rightly under the spotlight at this time, and this demands an effective response from those designing and implementing social protection programmes, writes Richard Chirchir.

Server room

At work in a server room, supporting co-ordination of social protection programmes

Criticism regarding data handling for beneficiaries and entitlement transfers, and apparent unauthorised access to identity databases that social protection programmes link to, have been in the news recently. Incidents such as these in the sector underscore the need for social protection actors to reflect critically on the importance of data protection when handling personal data.

The right to privacy is a fundamental human right, enshrined in article 12 of the Universal Declaration of Human Rights as well as over the constitutions of most countries. Recognising this, the European Union has been revising data protection regulations to extend them to all companies processing personal data. Although some developing countries have not enacted data protection laws, if we believe in a rights-based approach to social protection, we must ensure that international data protection protocols and guidelines are adhered to when we design and implement programmes. It cannot be right if fundamental principles such as safeguarding against unauthorised access and undue transfer or data are not adhered to.

Arguments that recipients’ needs outweigh the need to protect privacy cannot go unchallenged under a rights-based approach. The additional costs to do so are much lower than one would expect. So, what practical steps should be implemented by social protection agencies?

Practical steps to adhere to privacy regulations

The data protection principles should be applied through the broad continuum of data management from data collection, data processing, data storage, data sharing and reporting. The practical steps that I would recommend should be taken include:

Data collection

During data collection, the people whose data we collect (‘data subjects’) must have full disclosure of the purpose of data collection and whether their data will be shared with other government agencies. We can do this by designing data collection forms so they include consent clauses – alongside explanations of what people can expect of those handling their data – that beneficiaries can sign.

Data processing

For data processing, the software must have strong identity and validation controls to ensure data accuracy. Mechanisms should also be put in place to validate the data with the data subjects and ensure that any inaccuracies are updated in a timely manner. If data must be verified against external data sources such as ID databases, as I have recommended, the Memorandum of Understanding (MoU) must cover data protection. This demands that the institutions that will be linking to the social protection database – through automated application programming interfaces – must also have strong technical and institutional data safeguards.

Data storage

With the advent of cloud computing, it is becoming increasingly unattractive to build physical hardware data centres – or server rooms – to keep data. This is because physical data centres require replacement of hardware infrastructure every five years, need reliable electricity or backup generators, physical security measures such as CCTV cameras, biometric doors etc, logical security measures such as firewalls, alternative data backup sites in case of disaster, and, importantly, the trained staff to administer them. However, storing data in the cloud comes with challenges such as the policing of trans-border data flows.

What happens if the data privacy of these vulnerable persons is infringed by the cloud service providers? What happens if this data falls into the hands of hackers? Can developing countries penalise these IT companies in a similar manner to how the EU plans to with its updated regulations? Do they have capacity to enforce data breaches against cloud companies with server farms around the world? I strongly believe that the data of a country should not be spirited out of that country, despite weaknesses in hosting platforms. The alternative solution, therefore, is to use the designated government data centres, or to enter into MoUs with private data centre providers, as happens in Rwanda. Or, at the very least, building a basic server room can suffice.

Data Reporting and Sharing

Data sharing protocols must be put in place, complete with procedures for applying, processing, disseminating and destroying data. As a rule of thumb, beneficiary data should only be shared in summary of anonymous format. If personal data must be shared, then data confidentiality and privacy agreements must be signed with an organisation requesting the data. Such protocols should also be signed with the service providers such as payment service providers, monitoring and evaluation agencies, and private consultants. The agreements should have explicit clauses on data destruction and a mechanism in which the social protection agencies can verify.

In our sector, we collect personal data on beneficiaries

In our sector, we collect personal data on beneficiaries

At Development Pathways, data protection and privacy are some of the key issues that we grapple with as we design and implement social protection MISs in development countries. There are projects where clients may not necessarily understand the need for such protocols. Others, in contrast, pro-actively ask for consultancy support to comprehensively address data protection and privacy issues. In all circumstances, we are committed to helping clients to develop and implement data protection and sharing protocols, especially for large-scale, integrated MIS projects. The nature of our support ranges from advice on the revision to data collection forms to align with protocols and laws and development of strong validation controls on MIS modules, through to advice on appropriate logical and physical security measures for data hosting and the implementation of appropriate data-sharing protocols.

Are you in breach of data protection protocols?

Ask yourself: ‘Am I in breach of data protection protocols, or are you taking comfort in the fact that beneficiaries are receiving support?’

I hope that I have convinced you that the fact that those struggling on modest incomes or living in poverty are receiving social protection is no excuse to not implement data protection protocols. It is therefore important to assess your social protection programme, with the aim of ensuring compliance with international data protection protocols and guidelines. The assessment should comprehensively cover the full data management cycle i.e. data collection, data processing, data storage data reporting and sharing. In the end, a good social protection system is one that ensures that fundamental rights of beneficiaries are respected.

Picture1Richard Chirchir is the Senior MIS Specialist at Development Pathways and an experienced Management Information Systems (MIS) expert with over 14 years of relevant professional experience. He has devoted most of his career to the design and development of multi-platform ICT solutions. He has also co-authored two publications on MISs used in developing countries.

8 Responses to “Are you respecting the right to privacy as you advance social protection?”

  1. 100% agreed on the privacy of the data storage, collection and processing. But what about the case studies and visibility of the projects demanded by donors? sometimes its a donor requirement for the project visibility. Normally before publishing any success story we take written consent from the beneficiary but dont you think the visibility itself is a question mark on dignity of a person though we have written consent?

    • Development Pathways Reply

      A good point. The issue of informed consent is a big and important one, and whether and how this is achieved in particular circumstances requires full and serious consideration.

  2. VIctor Ngulube Reply

    Very insightful assessment Richard, I think it is ideal that developing countries invest in their own data centres, its not an ideal situation to have sensitive data in the hands of private data centres…We also need to look at data security around collection of data using PDAs as is becoming a trend…Otherwise great article, looking forward to more of specifically these

    • Development Pathways Reply

      Thank you! You rightly flag the issue of private data centres and PDAs.

  3. I totally agree Richard with the data protection principles espoused in this article. More so on advent of cloud computing in data storage. There is a need for agencies dealing with social protection programs to invest in local basic server room infrastructure for data storage as opposed to cloud computing. Countries like Kenya are developing Government Shared Infrastructure for Government Agencies for data storage which social protection agencies can use.

    • Development Pathways Reply

      Thank you. Developing such infrastructure is key, yes! Kenya is a good example.

  4. Alexi Sluchynsky Reply

    Dear Richard, this is a very relevant, timely, and useful note. Just as a general suggestion, to better motivate discussion, it would be very interesting to present specific cases of data breaches in SP, in the developing world. As you may know, in some countries the ideology itself is very different from, say, the European context. What in Europe could be considered a breach of privacy, in some developing countries is seen as a good practice of disclosure. Which, depending on the case, I may or may not agree with. For example in almost all cases where local community is involved in selecting beneficiaries, it is a norm to have beneficiaries lists public, not least because there is often quota on beneficiaries. Furthermore, in some states in India, it is common to publish the list of recipients of the old age pension on-line. So, I think we need to qualify our approach in these cases.
    But let me be a bit more provocative and suggest that the issue of privacy becomes more important in programs with income-targeting element, while for any universal program (which this platform chose to advocate) the issue of privacy as such is less relevant. Those are truly right-based programs, as you refer to them, and they may not even require any significant additional data collection. In the ideal world, all data for such programs should be automatically sourced from the national registries. (That is an on-going effort of the admin reform, for example, in Lesotho’s old age pension). In such a case, the data protection policy becomes a generic issue, extending beyond the SP, to be comprehensively addressed – ideologically, procedurally, and technically – at the national level.
    Kind regards!

  5. Justus Oguna Reply

    I totally agree with Richard on data privacy of Social Protection beneficiaries as should be the case with all personal data managed by different entities. From my perspective we should approach this holistically by first classifying the data we store on beneficiaries as either private, public or other categories available. Once we have done this then it makes it easy to know what data can be shared with public and what remains private which then can be shared with different entities following agreed data sharing protocols. Example is sharing individual personal information like Bank details or health status of a beneficiary which should be private as opposed to sharing the names of beneficiaries of a programme in a county which is not sensitive. This approach would make if possible for Governments and other stakeholders to report on the programmes.

    On Cloud storage I think is more of perception than facts that cloud storage is less secure than storage in a private server. One thing we have to note is that if the private server is totally private meaning not connected to the internet then we can say data is safe from external intruders. In this age and time it’s not advisable to isolate private servers just because of security rather we should strengthen the security of the servers. An Independent study found that yearly a medium scale company loses around 260 laptops, this is a loss to the company not in monetary terms, but the data that was there on the laptop is valuable, with Cloud you don’t have to worry about that, all your data is stored in a centralized secure location. Cloud services providers like Amazon Web Services (AWS) are investing in fool proof secure systems using latest and very reliable security standards and at no point should be doubt security of cloud rather we should explore cloud usage before ruling it out.

    Having private servers is not the solution but rather focus on security of the servers which is already is ensured in most cloud services. Maybe it’s time we start exploring which cloud option we can go for: private, public or hybrid.

Leave a Reply

Your email address will not be published. Required fields are marked *