In an age of increasingly digital social protection system, an important and sometimes overlooked issue is data protection. While digitalisation brings many benefits in the form of increased efficiencies, reduced costs, and increased transparency and inclusiveness, it also carries certain risks. One of these risks is that the use of technology in creating digital social protection systems may not take into account data protection and the citizens' right to privacy sufficiently.
This blog summarises the exchanges and key messages raised by the expert panel at the webinar ‘‘Key Issues of Data Protection for Social Protection and Implications for Linking Social Protection to Sustainable Employment’’, held on 27 April 2021 and organised by the Social Protection for Employment Community, SPEC, and supported by the Australia - Department of Foreign Affairs and Trade, DFAT and the Deutsche Gesellschaft für Internationale Zusammenarbeit, GIZ.
Importance of data protection
Dr Carolina Ferro from Enabling Digital Rights and Governance spent the first segment of the webinar giving an overview of the data protection and privacy concerns which surround digitising social protection systems. She started out the presentation by clarifying that data protection and social protection are by no means incompatible, and it simply takes awareness of the necessity for data protection and building it into the digitising of the system. She went on to clarify that the protection of data is important to adhere to citizens' right to privacy as well as to ensure a functional democracy. Data protection guidelines are set out at the international, regional, and national level. At the international level the UN and the OECD have created non-binding instruments which act as guiding frameworks for data protection measures, and there are several non-binding regional instruments detailing data protection measures. Noting that this map is from 2019, the image below shows the prevalence of data protection laws at that time:
Principles of data protection
Dr Ferro went on to list out the seven principles of data protection:
- Purpose limitation: Personal data should be processed for a specified, explicit and legitimate purpose, stated to data subjects at the point of collection, and further processing also compatible with this purpose.
- Data minimisation: The processing of personal data should be adequate, relevant and limited to the necessity of the purpose for which it is being processed.
- Lawfulness, transparency, and fairness: The processing of personal data should be lawful and fair and done in a transparent manner.
- Accuracy: Personal data that is processed should be accurate, complete and measures should be taken to ensure it is up to date.
- Storage limitation: Personal data should only be retained, in a form that permits identification of data subjects, for the time period that is necessary for the purposes for which it was processed.
- Security safeguards: Appropriate organisational and technical measures should be taken to ensure the security of data and systems and to protect personal data from unauthorised or unlawful processing, and against accidental or deliberate loss, destruction, modification, disclosure, or unauthorised access.
- Accountability: Those that process personal data should be accountable for demonstrating compliance with the data protection and privacy principles, their obligations, and facilitating the exercise of the data subjects’ rights.
In addition to this Dr Ferro listed the data-related rights which each citizen should enjoy:
- Right to information
- Right to access
- Rights to rectify and erasure
- Right to object
- Right to data portability
- Rights related to profiling and automated decision making
- Right to an effective remedy
- Right to compensation and liability
Ensuring data protection when linking data bases
In some instances, eg., when social protection programmes are linked to measures promoting sustainable employment, different databases need to be linked to allow for the efficient or effective functioning of a social protection system. Dr Ferro outlined how linking data bases can be done within the parameters of data protection. She specified that databases should only be linked when there is a new legal basis to do so, such as a legal framework or the consent of the beneficiaries. The other situation in which data bases may be linked is when there is a legitimate purpose, however in this case Dr Ferro specifies that the purpose must be compatible with the original consent gained from the beneficiaries, and the data shared should be kept to the minimum possible. Regardless, she further notes that any such linking must follow the transparency and fairness principle outlined above, meaning that beneficiaries should be informed at the time of data collection, and before the data is integrated whether the information will be shared with other government agencies.
Finally, Dr Ferro outlines the risks and challenges of linking databases. This includes the lack of consent for this data to be used or linked, as well as the possible conditionality between employment and social protection, meaning that the linking of the systems could be perceived as a threat.
At this point Dr Wagner was asked to outline the main challenges faced by countries attempting to integrate data protection in their social protection systems. He pointed out that the main issue is the lack of awareness about the need for data protection, and that it is important to integrate it from the very beginning of a social protection system. He explained that while integrating data protection from the beginning may slow things down, it helps build trust and makes things smoother and easier in the long run. In addition, he explained that it was important to avoid the stigmatisation of people receiving social assistance and to give them a choice in how they present themselves in employment databases. He adds that one of the biggest challenges faced by implementers of social protection can be making sure that data protection is systematic and rigorous.
In response to the question what steps should be taken to ensure the data protection is started off on the right foot Dr Wagner had several recommendations:
- find out what data exists, where it is kept, and what consent is attached to this data;
- find out what the quality of this data is;
- if this data will be used, ensure that you either have consent to use it for this purpose, or ensure that you gain this consent;
- whether the data is new or pre-existing, ensure that the consent gathered for this is informed and easily understandable to the relevant audience.
He emphasises that these steps are vital because data protection and privacy are gateway rights that ensure other rights. Building social protection systematically allows recipients to have agency over the information. Particularly for vulnerable communities, having agency over the data can help shift the relationship away from dependency.
The Panelists for this webinar were Meer Anwar, who is the Director General Technology for the Benazir Income Support Programme (BISP) in Pakistan, Dr Maliki who is the Director for Poverty Alleviation and Community Empowerment at the Ministry of National Development Planning/National Development Planning Agency (Bappenas) in Indonesia, and Rodolfo Beazley, who works as an Independent Researcher and Consultant.
While Dr Maliki and Mr Anwar gave an understanding of the specific situation and challenges facing data protection in social protection systems in their countries, Mr Beazley gave more general information on these challenges.
Mr Beazley outlined that there are two types of data scenarios which must be taken into account when discussing challenges:
- Completely self-contained programmes and programmes which rely on data sharing or linking databases.
- Programmes which stand completely on their own and use no outside sources of data need to pay specific attention to data rights, ensuring accountability, the power dynamics involved in the data collection, and ensuring that informed consent was received.
The data protection challenges which arise from the second scenario are threefold. For one, data linking or sharing may breach the principle of purpose limitation, which might need additional consent or legislation to rectify. For another, the sharing or linking must comply with the principle of data minimisation, meaning that only the data needed for targeting may be shared. Finally, an issue that arises from this scenario is data storage limitation, which raises the question of how long this data may be stored.
In the specific scenario of the ongoing Covid-19 pandemic Mr Beazley notes that social protection data was widely used to attempt to mitigate the adverse social and economic impacts of the pandemic. For this a lot of pre-existing social protection data was used, and he expects that there will be an ongoing expansion of building data bases, in preparation also for such shocks in future. He notes that this may come into conflict with some data protection principles, if not balanced against data privacy concerns adequately.
Insights from Pakistan
On the topic of data protection development in Pakistan Mr Anwar gave a comprehensive overview of the current status and the changes a new data protection bill would bring. The Personal Data Protection bill is due to be tabled this year, with the aim of covering the data protection gaps which are not currently covered by cyber security laws. The new law will specifically deal with a number of data protection specific topics such as:
- Outlining the purpose of data collection
- Specifying the non-disclosure of data collected
- Specifying the required security level of data storage
- Requirement of notification of beneficiaries in case of breaches
Mr Anwar also gave examples of situations in which independent systems of data protection were implemented by agencies themselves. For instance, one programme which uses social protection data to help facilitate employment, is guided by the OECD framework for data protection. This self-implemented model of data protection was given the acronym CART which stands for:
In addition, to ensure the accuracy and transparency of data sharing with sister and ancillary organisations an API architecture is currently being implement. This API architecture is to follow the data sharing protocols. On top of this, the agency responsible for sharing this data is in the process of implementing the ISO 37,001 information management standard.
Mr Anwar further discussed the current barriers to data sharing in Pakistan, which included first and foremost a lack of awareness on the importance of data privacy both among lay people and in the relevant sector. He discussed that particularly vulnerable people had very little care for their data privacy as their priority was receiving the support they needed. He discussed the need for education of both groups to ensure data protection was given the right level of importance. He further reflected that the passing of the new data protection bill would offer a gateway for data sharing between agencies within the parameters of data protection, and this may even extend to provincial agencies.
On the topic of how data protection was handled during the Covid-19 crisis in the existing social protection systems, Mr Anwar explained that the priority was to get assistance out to vulnerable groups as rapidly, efficiently, and effectively as possible.
Insights from Indonesia
Dr Maliki explained that while there were data protection laws in place they needed updating and to be complemented with data sharing frameworks. Indonesia is building a social registry, because it is important for different governmental agencies to have access to and to share information. At this point in time it is still a challenge to get ministries to communicate with each other and to share and link data. Public information laws in place set the parameters for what data may be shared with private sector or non-governmental organisations. Personal information may not be shared with these sectors, and this is particularly challenging when attempting to link eligibility of economic assistance to the ownership of assets. Another challenging element of this restriction is that formal and non-formal education levels of beneficiaries may not be shared. The existing social registry only covers approximately 40% of the population from which beneficiaries for various routine programmes are selected. Due to the COVID-19 crisis people who had previously been categorised as ‘non-poor’ fall into poverty and the government plans to expand the registry to cover around 60% of the population. To do this, information has to be pulled from different sources of information. This required the development of new regulations and policies to guide data sharing and protection. Dr Maliki emphasised the importance to balance data privacy with transparency around the distribution of benefits and this has been proven challenging and would require further thought.
The discussions during the webinar underlined that data protection is important, but often overlooked in social protection design and implementation. Participants highlighted that, when linking databases, care needs to be taken to ensure that the data related rights of vulnerable populations are respected and protected. In emergency situations, such as the current pandemic, the speed with which benefits need to be distributed can conflict with ensuring that data protection is carried out systematically and rigorously. The examples from Pakistan and Indonesia show the challenges policy makers and practitioners responsible for social protection schemes face and the great efforts they make to ensure effective and efficient coverage without compromising beneficiaries’ data rights.
The webinar ended with a Q&A session which you can watch here.