The protection of privacy in large scale social protection programmes in low-income countries is rightly under the spotlight at this time, and this demands an effective response from those designing and implementing social protection programmes, writes Richard Chirchir.
Criticism regarding data handling for beneficiaries and entitlement transfers, and apparent unauthorised access to identity databases that social protection programmes link to, have been in the news recently. Incidents such as these in the sector underscore the need for social protection actors to reflect critically on the importance of data protection when handling personal data.
The right to privacy is a fundamental human right, enshrined in article 12 of the Universal Declaration of Human Rights as well as over the constitutions of most countries. Recognising this, the European Union has been revising data protection regulations to extend them to all companies processing personal data. Although some developing countries have not enacted data protection laws, if we believe in a rights-based approach to social protection, we must ensure that international data protection protocols and guidelines are adhered to when we design and implement programmes. It cannot be right if fundamental principles such as safeguarding against unauthorised access and undue transfer or data are not adhered to.
Arguments that recipients’ needs outweigh the need to protect privacy cannot go unchallenged under a rights-based approach. The additional costs to do so are much lower than one would expect. So, what practical steps should be implemented by social protection agencies?
Practical steps to adhere to privacy regulations
The data protection principles should be applied through the broad continuum of data management from data collection, data processing, data storage, data sharing and reporting. The practical steps that I would recommend should be taken include:
During data collection, the people whose data we collect (‘data subjects’) must have full disclosure of the purpose of data collection and whether their data will be shared with other government agencies. We can do this by designing data collection forms so they include consent clauses – alongside explanations of what people can expect of those handling their data – that beneficiaries can sign.
For data processing, the software must have strong identity and validation controls to ensure data accuracy. Mechanisms should also be put in place to validate the data with the data subjects and ensure that any inaccuracies are updated in a timely manner. If data must be verified against external data sources such as ID databases, as I have recommended, the Memorandum of Understanding (MoU) must cover data protection. This demands that the institutions that will be linking to the social protection database – through automated application programming interfaces – must also have strong technical and institutional data safeguards.
With the advent of cloud computing, it is becoming increasingly unattractive to build physical hardware data centres – or server rooms – to keep data. This is because physical data centres require replacement of hardware infrastructure every five years, need reliable electricity or backup generators, physical security measures such as CCTV cameras, biometric doors etc, logical security measures such as firewalls, alternative data backup sites in case of disaster, and, importantly, the trained staff to administer them. However, storing data in the cloud comes with challenges such as the policing of trans-border data flows.
What happens if the data privacy of these vulnerable persons is infringed by the cloud service providers? What happens if this data falls into the hands of hackers? Can developing countries penalise these IT companies in a similar manner to how the EU plans to with its updated regulations? Do they have capacity to enforce data breaches against cloud companies with server farms around the world? I strongly believe that the data of a country should not be spirited out of that country, despite weaknesses in hosting platforms. The alternative solution, therefore, is to use the designated government data centres, or to enter into MoUs with private data centre providers, as happens in Rwanda. Or, at the very least, building a basic server room can suffice.
Data Reporting and Sharing
Data sharing protocols must be put in place, complete with procedures for applying, processing, disseminating and destroying data. As a rule of thumb, beneficiary data should only be shared in summary of anonymous format. If personal data must be shared, then data confidentiality and privacy agreements must be signed with an organisation requesting the data. Such protocols should also be signed with the service providers such as payment service providers, monitoring and evaluation agencies, and private consultants. The agreements should have explicit clauses on data destruction and a mechanism in which the social protection agencies can verify.
At Development Pathways, data protection and privacy are some of the key issues that we grapple with as we design and implement social protection MISs in development countries. There are projects where clients may not necessarily understand the need for such protocols. Others, in contrast, pro-actively ask for consultancy support to comprehensively address data protection and privacy issues. In all circumstances, we are committed to helping clients to develop and implement data protection and sharing protocols, especially for large-scale, integrated MIS projects. The nature of our support ranges from advice on the revision to data collection forms to align with protocols and laws and development of strong validation controls on MIS modules, through to advice on appropriate logical and physical security measures for data hosting and the implementation of appropriate data-sharing protocols.
Are you in breach of data protection protocols?
Ask yourself: ‘Am I in breach of data protection protocols, or are you taking comfort in the fact that beneficiaries are receiving support?’
I hope that I have convinced you that the fact that those struggling on modest incomes or living in poverty are receiving social protection is no excuse to not implement data protection protocols. It is therefore important to assess your social protection programme, with the aim of ensuring compliance with international data protection protocols and guidelines. The assessment should comprehensively cover the full data management cycle i.e. data collection, data processing, data storage data reporting and sharing. In the end, a good social protection system is one that ensures that fundamental rights of beneficiaries are respected.
Richard Chirchir is the Senior MIS Specialist at Development Pathways and an experienced Management Information Systems (MIS) expert with over 14 years of relevant professional experience. He has devoted most of his career to the design and development of multi-platform ICT solutions. He has also co-authored two publications on MISs used in developing countries.