3.1.4 Data protection issues
Like many past health crises, the Covid-19 crisis will (and already does) raise many questions about the protection of personal data and the risks for the people concerned (including stigmatization, social isolation, job loss and indirectly mental health), especially with regard to the mass surveillance tools put in place by the (mainly governmental) actors and the applications for tracing contaminated persons.
For more information, see the monitoring carried out by Privacy International, here.
It is essential that, despite the urgency, NGOs keep in mind, in reorganizing their activities, the basic “Do no harm”principle.
The alternatives outlined above, compared to other digital equivalents probably already in place, entail more limited problems. The main elements to be taken into account:
- Most of the solutions mentioned require resorting to private third party actors (both solution providers but also in some cases telephone network operators or even aggregators). The choice of the latter (who will be your subcontractors) will therefore have to be made by integrating their capacity to meet their legal obligations in terms of data protection (sufficient security of the system, sufficiently fine granularity of rights, location of stored data in accordance with the different national legislations to which you are subject etc.) but also by scrupulously checking their general conditions (no possible re-use of collected data for other purposes). Do not hesitate also to inquire about the reputation of subcontractors (e.g. dubious practices known in the past, etc.). Contracts will need to be carefully considered and validated if necessary by the legal services of your NGO.
See also OCHA’s note on private partnerships.
- Sharing sensitive information (such as data on domestic violence, reproductive health, location of vulnerable people, etc.) by phone or SMS is generally strongly discouraged. In the current context, you may not have any other options than those mentioned above. Before choosing a type of solution, it is imperative to carry out a contextual impact analysis (DPIA)1 (even if it is very brief) based on the sensitivity of the messages that are to be exchanged, before making sure that the risk/benefit trade-off is acceptable. In many situations, it may be considered that the risk generated by the data collection itself is higher (for example, that the SMS is read by a third party with access to the phone or that the conversation is overheard) than the need for tracking data. In other contexts, it may be considered that SMSs, although unsecure and easily intercepted, may be an appropriate means of communication because it is easily accessible and more discreet for collecting data from vulnerable women (rather than using encrypted messaging applications for example). In this case, remember to provide appropriate advice to the people contacting you (delete the SMS if the information shared is sensitive) and above all to choose rigorously the time and day on which you send SMS messages to vulnerable people. Also make sure that telephones are not shared between members of the same household (especially with regard to sensitive data such as domestic violence).
- Possible coordination with other actors will probably require, even more than usual, the need to exchange data: remember to check that you have the consent of the data subjects and to assess the added value of the transfers before carrying out the transfer (DPIA cf. above). Anticipate also the issue of “data exchange agreements” between organizations. If you need to share data, anonymize them as much as possible. Under no circumstances share personal or sensitive data as open data.
See for example the procedure on HDX: Three ways to share data on HDX.
- The solutions you will use will automatically generate quantities of metadata (data related to the call or SMS sending: location of the person, time of the call, etc.). You must be aware of this aspect and include it in your risk analysis (risk of re-use of this metadata by private or governmental third parties).
- As with any data collection, you will need to adapt your data protection protocols. Use calls only if beneficiaries have given their prior consent (and understand the risks of using this type of means) and make sure you include the possibility of not being contacted again, regardless of the means used (“opt out”). In particular, consider adapting your consent messages to your new means of communication (clearly explain who is calling, what will or will not be done with the data, ensure that the person is in a suitable/secure place to have the conversation) and strictly apply the data minimization principles. For example, it is very unlikely that recording conversations during telephone interviews/surveys is relevant. Also consider systematically de-identifying and aggregating shared data as much as possible, including internally within your organization (if you cannot completely anonymize it). Implementing remote data collection will probably mean reviewing [the rights management and user accounts of your systems] (more people than usual will probably need to access them), so that only those who need to access the data can do so.
To go further on this topic, see :
- section 4.1.2 Tool focus - KoBoToolbox - Thinking through your account set-up of the Mobile data collection toolbox,
- section 6.5 Keep, classify, access of the Responsible data management toolbox.
- You will probably find yourself very quickly with a large amount of information (phone list, SMS, etc.) for which you will need to apply minimum retention times (SMS conversations for a few weeks or months maximum, for example) and apply maximum security precautions (limiting access, encryption, etc.).
- Explain, sensitize, train, explain, sensitize, train, explain, sensitize, train (ad vitam æternam) your teams to the risks posed by this type of mechanism, the reason for the measures implemented as well as the reason for the confidentiality clauses in their contracts. When it comes to data protection, the human factor (and the risk of unintentional error) is generally neglected in favor of system security, even though it is often the primary cause of data breaches (unintentional leakage, etc.).
Some additional resources:
- WFP - Carry out mobile phone surveys responsibly (including IVR, SMS etc. in the margin).
- Frontline SMS - data integrity guides and lessons learned on sensitive data collection
- GSMA - guidelines on the protection of privacy in the use of mobile phone data for responding to the Ebola outbreak
- CICR - Humanitarian Futures for Messaging Apps (Opportunities and Risks of Messaging Applications in Humanitarian Settings)
- ICRC - Data protection handbook (Chapter 11 on mobile messaging app)
- ICRC - The Humanitarian Metadata Problem - Doing No Harm in the Digital Era
By way of conclusion
Finally, as soon as the situation allows it again, consider returning to more traditional modes of data collection and communication, as over-use of remote communication tools can easily generate a feeling of “comfort” and acceptance of reduced proximity (erroneous feeling of “control of the situation”…).
Furthermore, before continuing - possibly - the new methods of remote data collection and exchange set up during the crisis, remember to carry out a thorough evaluation (even a quick one) of these methods and to give feedback to the teams to see how they can be improved.