Responsible data management toolbox

3.1 Decoding GDPR




Keep in mind

While responding in the field, you collect and use the personal data of affected populations, which confers responsibility upon you to protect them from associated risks. Protecting this personal data equals protecting the fundamental right to privacy of the populations with whom you work.

The GDPR is the European framework for the protection of personal data. We introduce it here as an example of the toughest and most protective framework in the world. Respecting its general principles, including transparency and the legal basis for collection, allows NGOs to continue to implement the “Do no harm” principle in the digital age.

One of the main concepts of responsible data management is the protection of personal data. Collecting, using and producing personal data is not risk-free, especially for those to whom such data belongs. This responsibility is governed by laws that vary from one country to another and are sometimes non-existent. In Europe, a regulation exists: the General Data Protection Regulation, the notorious “GDPR”.

Humanitarian Aid and International Development actors handle a lot of personal data as part of their projects and in the implementation of activities, making them accountable for the appropriate use of such data. This is why the aid sector is also affected by the GDPR. This section sets out to decipher this regulation, at times solely perceived as a constraint, to understand the essence of its measures and obtain clear guidelines on data protection directly applicable in the field.

3.1.1 The ethical origin of GDPR: Why do we need to protect personal data?

Data protection is a fundamental right derived from the right to privacy of data subjects, in order to maintain their privacy and dignity. This fundamental right can be balanced against the need to process personal data – for example in the aid sector, to determine the recipients of a humanitarian response or to uphold its contractual commitments with a donor.

To ensure that an appropriate balance is struck between these two interests and in response to the spread of technology and expanded use to collect and share data, European legislation has evolved to better regulate the topic.

The European Union (EU) adopted the GDPR (General Data Protection Regulation) in May 2018, to implement more consistency and strength in the data protection rules of the different Member States and to ensure that individuals are aware of how their data is used. The obligations of organisations – such as NGOs – that collect their data are strengthened in order to protect the fundamental rights of individuals more effectively.

As such, the GDPR is rooted in an environment of respect for the “Do no harm” principle in the digital age (more information on this principle in section 2.1 of the toolbox).

Despite not always being applicable to all of the operational contexts of NGOs, we are using it here as an example because, among all legislations, it affords the highest degree of protection. Let us keep in mind however that data protection, as envisioned in the EU, is a social construct, and that its blind application is not necessarily possible in all of the NGOs’ countries of intervention, depending on the local legal framework and the socio-cultural context. Each NGO must apply, as best it can, a responsible approach in this area, taking into account its various obligations (legislation, governments, donors, but above all the populations receiving aid) and room for manoeuvre in its operational context.


3.1.2 What are the GDPR’s general principles?

The general principle of the GDPR is to protect personal and sensitive data against processing that does not respect the rights of individuals. It applies to all processing of associated personal and sensitive data.

To understand what the “processing” of data is, to gain knowledge and be able to distinguish between “personal data” and “sensitive personal data”, you can look at this capsule:

In the GDPR, the expression “data subject”, which is also used in this section, refers to the person from whom personal information is obtained, such as surname, first name, or in some cases sensitive information such as their health or ethnicity for example.

GDPR rules are based on several ethical principles, in connection with responsible data management, which ensure a high degree of protection of the fundamental rights of data subjects. Compliance with these principles makes it possible to improve practices among the populations receiving aid.

To know and understand these principles, you can look at this capsule:

To collect and process data, a “legal basis” must be chosen, which justifies the reasons for processing (see principle of lawfulness discussed in the previous section).

As a reminder, there are 6 legal bases, explained in the capsule below. You can also refer to section 2.1 of this toolbox.

a. Provide information on the activities for which the data is being collected

Whatever the legal basis chosen to collect personal data, for example in the context of a distribution project or awareness-raising activities, it is essential, in terms of accountability towards the persons concerned and respect for their free will, to provide them with information about these activities. This information should cover:

  • the nature and objectives of the project, e.g.: the context of the project, its partners and donors
  • the project’s specific objectives
  • the possibility for people to participate or not in the program.

It is important to disclose this information in an intelligible way, taking into account the specific environment of the person and particularly the social, cultural, family and individual context. For example, avoid terms based on abstract concepts far removed from the realities of the individual, such as the lawfulness of processing or data governance, and avoid an inappropriate level of language (e.g. an overly formal register).

In this section on consent, we deal with specific consent to the collection and use of personal data. This consent is to be distinguished from consent to the intervention itself, i.e. ensuring that the person actually wishes to participate in the assistance program. Of course, consent to the intervention must also be obtained, even in cases of urgent need, in order to respect the individual’s wishes.

Consent to intervention and consent to data collection and use are sometimes difficult to separate. Consent to the collection of personal data is often dependent on participation in the intervention. For example, the distribution of food aid to a targeted group of people, in a densely populated intervention zone, requires knowledge of the first and last names of the recipients, in order to know which people to distribute it to and allow them to participate.

On the other hand, sometimes consent to an intervention does not require the collection of personal data. For example, the distribution of hygiene kits in a small, isolated community, by an organization with sufficient resources to distribute them to all its members.

Here’s a decision tree to help you take both types of consent into account, below. This diagram is not an exhaustive representation of all the particular and variable situations in the field, but it does represent the distinction between consent to intervention and consent to the collection and use of personal data. It is in line with the recommendations made in this section, namely, to respect the obligation to inform those affected, and the information and advice on consent to data collection, described in the following sub-section.

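[Figure: decision tree distinguishing consent to intervention from consent to the collection and use of personal data]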

In this sub-section, the question of when to use consent as a legal basis for collection is addressed; how to implement it is discussed in the human pillar and affected populations.

Consent as the legal basis for data collection and processing must be “informed” to be valid. This means that the individual’s agreement must manifest itself in “a clear affirmative act” (according to the GDPR) and be freely given, i.e. without the feeling that his or her refusal could be detrimental. Consent must also be informed, i.e. the person must be given information about the collection and use of their data in order to be able to give their opinion.

Here are the conditions for obtaining “informed” consent, taken from the article on consent in the Data Handbook written by The Engine Room:

  • Provide specific information on the purpose of collecting and processing personal data and the associated risks. This includes information on:
    • the nature and objectives of the project, as described in the previous section
    • the nature and purpose of the collection
      • The precise purpose of collecting and processing the data to be collected
    • how the data will be used, both internally and externally, and in particular:
      • how the data will be used, how long it will be kept…
      • whether or not data will be shared; if so, how this will be done
    • the risks that the use of the data may pose, based on the DPIA/risk analysis carried out (see section 5.1), thinking about the right level of information to be provided so that data subjects can give their consent or not, without information overload.
    • the rights of individuals to withdraw their consent/review their data
  • Verify people’s ability to understand the issues in question
    • Information must be provided in an easily understandable, jargon-free way
    • Participants must be given the opportunity to have their questions answered.
  • Verify the willingness of those concerned to participate
    • Their consent must express a clear willingness
    • Their consent must be free of coercion or promises
    • Ideally, only involve people who have no power over the people concerned, which is difficult if not impossible in some contexts.

We have listed the conditions that must be met for consent to be informed. It is clear that actors of international solidarity use consent as a legal basis for data collection far more often than all these conditions are actually met. The situation of vulnerability in which aid recipients often find themselves, due to the urgency of their needs for example, which can encourage them to say yes without thinking, is given too little consideration. Using consent in this type of context is therefore inappropriate, giving the impression of taking the easy way out to justify oneself, rather than taking a genuine informed consent approach.

The degree of vulnerability can be measured by the following elements:

  • directly related to the person concerned: state of health / hunger / need, disability, gender, literacy level,
  • accessibility of the person: remote area, incarceration, lack of freedom of movement,
  • social, cultural, community and religious environment: ethnicity, respect for social norms,
  • other factors to be taken into account: difficulty of comprehension linked to the use of a foreign language, complex concepts and new technologies, etc.

In situations of vulnerability, an imbalance is created, and people are forced (or feel forced) to accept the processing of their data in order to receive help, which is necessary, even vital. It is therefore difficult for them - and hypocritical to think that it is possible - to give their “informed” consent to the collection and use of their personal data.

This is why it is recommended that NGOs question the legal basis used for data collection and give priority to legal bases other than consent for the processing of personal data. The validity of consent is not sufficiently solid and requires a set of conditions that are rarely met in the field.

If you believe that the conditions for “a freely given, specific, informed and unambiguous” consent (according to the GDPR), as discussed in the previous section, are met for the envisaged collection, then you can of course use this as the legal basis for collecting and using personal data.

However, there are situations where consent remains absolutely the legal basis to use: when the data to be collected is sensitive, such as photos, videos or testimonials on sensitive subjects, or biometric data such as fingerprints.

Because of the high data protection stakes associated with these types of data, it is strongly recommended to do everything you can to ensure that the conditions are met, and therefore to obtain the consent of individuals to collect and use their sensitive personal data, or else to choose not to collect the data at all. For this particular type of data, consent must be explicit, i.e. an express statement (if possible, in writing).

When consent is obtained, there are obligations to ensure that the consent is respectful of the persons’ wishes and to certify that they have indeed consented. It is the organization’s responsibility to:

  • record consent, to demonstrate its validity, and update it regularly
  • document the conditions under which consent was obtained, in particular by proving that information was provided to the person
  • provide the means (e.g. complaints mechanisms) to enable individuals to exercise their rights, in particular the right to withdraw their consent

In collections where consent cannot be applied, NGOs may prioritize legitimate interests or safeguarding the vital interests of the person. However, this implies that NGOs must inform data subjects about the purpose of the personal data collection and how their data are used. Asking for consent to the intervention itself from the populations is also part of the responsibility to be upheld by Humanitarian Aid and International Development actors.

a. Safeguarding vital interests

Safeguarding a person’s vital interests can be used when processing is necessary to meet the basic needs of an individual or community, during or after a humanitarian emergency.

This legal basis may apply where consent cannot be obtained, and where it may not be clear whether the life, safety, dignity and integrity of the data subject or others is at stake.

Examples of situations in which an NGO can use this basis:

  • it helps a person who is unconscious or at risk, but who is unable to communicate consent,
  • data processing is necessary to meet the basic needs of an individual or community, during or after a humanitarian emergency,
  • it deals with cases of missing persons,
  • it helps authorities identify human remains and/or locate the family of the deceased. In this case, personal data would be processed in the vital interest of the family members.
  • it provides medical care or life-saving assistance,
  • the processing, including disclosure, of information is the most appropriate response to an imminent threat to the physical and mental integrity of data subjects or others.

b. Legitimate interest

NGOs can choose this legal basis when the data processing pursues a legitimate interest, which has a limited impact on the fundamental rights of the data subject and corresponds to his or her reasonable expectations regarding the processing of his or her data. Reasonable expectations mean that “the processing of data should not surprise the data subjects”: these expectations “constitute a contextual element in the assessment of the elements involved”.

In other words, when NGOs consider the processing of data to be “necessary”, legitimate interest can be used. The term “necessary” must be interpreted strictly (and not simply to achieve the intended purpose).

This legal basis should not be a default choice, but decided on after examining the situation, balancing the interests of the processing with those of the data subjects and ensuring that no other less intrusive measure for the privacy and rights of the persons exists.

Warning: the legitimate interest must not be contrary to the rights and freedoms of the data subjects, especially if said person is a child. In this case and depending on the context, it is preferable to give preference to consent or safeguarding the vital interest.

Here are some examples of situations in which an NGO may choose legitimate interest: where data processing is necessary for the effective performance of its mission, to ensure the security of information and information systems and the security of associated services, or to anonymize or pseudonymize personal data.

Good practices: It is recommended to record the choice of legal basis in the data processing register (see subsection 3.3) and to document it, in order to justify the reasoning that led to that choice.

It is important to inform the data subjects of the legal basis, in layman’s terms of course, so as to contextualize the circumstances in which their data are collected and processed.

To help you determine whether consent is the most appropriate legal basis for your situation, here is the list of questions created by the CNIL, used internally by some NGOs and that we have adapted, which helps answer this question, depending on the data processing activity in question.

12 situations in which consent is NOT valid in the context of data processing:

  • The data collection operation is related to a vital/emergency operation
  • The collection operation is necessary/essential to the distribution of aid
  • The logistical and security conditions prevailing in the area of operations do not allow the NGO to inform people and obtain consent
  • People do not have the capacity to be informed about the processing of their data (illiteracy, unknown environment, foreign languages, complex technologies…)
  • The data subjects are not in a position to give their consent (displaced persons, protected under IHL, missing persons, unconscious persons…)
  • The data subjects are minors, unless they are accompanied by an adult legal guardian, who may give his or her consent
  • The data subjects are unable to give their consent: a factor is likely to suppress their ability to discern, such as very advanced age
  • The data subject is unable to give his or her consent freely
  • The data subject may not revoke his or her consent without impacting the provision of the service
  • Collection of consent cannot be documented (no traceability)
  • The data subject’s refusal of consent has a negative impact on the aid

It is also possible to create an organisation-specific tool to help determine the choice of legal basis, depending on the form of data processing activity and on the data category (existence or not of sensitive data).