This blog is part of a series on the use of management information systems (MIS) in humanitarian crises. In our last piece, we talked about how informed consent can be difficult in humanitarian settings, but that is not an excuse for failing to protect the privacy of beneficiaries. In this blog, we focus on what to do where consent is not possible.
Data Processing Beyond Consent
Conversations around data responsibility in the humanitarian sector often centre around the idea of digital agency and the sense of ownership of one’s data, along with an increasing focus on obtaining consent for data collection and processing. As discussed in our previous blog, during a humanitarian response, it may not be possible to provide the level of information and the alternatives needed to ensure consent is informed and freely given. Most importantly, a person who has no other option but to “consent” to receive life-saving services cannot provide valid consent due to a lack of free choice. Nonetheless, the inability to provide consent does not mean that services cannot be provided. This is common in humanitarian settings, and requires relying on another lawful basis for data processing. All major data protection standards and laws (International Committee of the Red Cross (ICRC), General Data Protection Regulation, Organisation for Economic Co-operation and Development, African Union, etc.) recognise other lawful bases for data processing beyond consent. The ICRC Handbook on Data Protection summarises these as:
1. Vital interest: Where data processing is necessary to protect an interest that is essential for the data subject’s life, integrity, health, dignity, or security or that of another person.
2. Important grounds of public interest: When the activity in question is part of a humanitarian mandate established under national or international law.
3. Legitimate interest: When a specific humanitarian activity is listed in a humanitarian organisation’s mission and provided that this interest is not overridden by the fundamental rights and freedoms of the data subject. In all of these situations, the term “necessary” is to be strictly construed (i.e. the data processing should be truly necessary, rather than just convenient, to fulfil the relevant purpose).
4. Performance of a contract: Where it is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract. Once again, the term “necessary” is to be strictly construed.
5. Compliance with a legal obligation: Where it is necessary to comply with a legal obligation to which humanitarian organisations are subject. For example, in the area of employment law, if this is necessary to comply with an enforceable legal obligation like the obligation to pay tax on wages.
Where one of these alternative legal standards is met, it can be relied upon in place of the otherwise impossible to achieve informed and freely given consent. However, while this may apply for an initial data processing exercise, it may not necessarily apply to future uses and sharing of that data, as discussed below.
Onward Data Sharing and Legal Bases for Data Processing
There is increasing pressure to share information with other humanitarian and development actors and governments, with the goal of achieving greater impact and/or value for money. However, if consent is not an appropriate basis for the initial data collection, it is similarly unlikely to be sufficient to form the basis for data transfer to a third party. This is particularly problematic in fragile and conflict-affected states, where:
1. It is unclear who will form the future government, and therefore to whom beneficiaries are providing their consent.
2. Government systems are not yet established, limiting the data collector’s ability to explain, and the beneficiary’s ability to understand and make a decision regarding the risks involved in the data transfer.
3. Timeframes for establishing government systems are unknown, risking reliance on out of date, and therefore inaccurate, data when these systems are developed, violating principles of accuracy and minimum retention periods for data collection.
4. Potential bias in data collection where the government is a party to combat, as those who are not aligned with the government may be less likely to provide consent, and may therefore be under-represented in the data collected, impacting data accuracy and impartial future service delivery.
5. The uncertainties around the data that may be needed for unknown future government systems (or use by any other party interested in providing services to beneficiaries) may encourage data over-collection, in violation of data minimisation principles.
To address this uncertainty, there may be a temptation to take advantage of “click-wrap contracts” through which a data subject is encouraged to “consent” to extensive terms and conditions around onward data sharing and to agree that the data collector and/or processor can unilaterally amend the agreement to other use of the data subject’s personal data at any time. While the advent of digital contracts that can be so easily amended (as compared to paper documents which are generally seen as fixed documents requiring fresh signatures, and an opportunity to review terms, to authorise amendments), this can hardly be seen as informed and freely given consent. Ultimately, we need to consider: Are we sharing data without consent to save lives in a context where consent is impossible? Or are we doing so for other reasons?
As with the initial data collection, the transfer of data can be based on another legal basis. However, absent exigent circumstances that require transfer without consent, it may be difficult to justify a transfer on this basis. It also runs the risk of breaching trust between beneficiaries and nascent government systems, or the entities that conducted the initial data collection, if beneficiaries feel that they do not have control over their own data.
Even where consent can be relied upon for the initial data collection, and in a more stable context where government systems are well-established (for example, during disaster response where agencies provide support to an established government that is not embroiled in conflict), concerns about over-collection of data remain. This will be particularly problematic where those collecting data have not first coordinated with the government, to understand what information is needed to effectively support government systems.
Strong coordination with government is necessary both to ensure the data collected is useful, while still meeting data minimisation principles, and to fully understand the government’s intended use of the data, to adequately inform and gain freely given consent from beneficiaries. This may need to include explaining likely onward sharing by government—for example, to third-party service providers contracted by the government, or even with other governments as part of cross-border information sharing agreements.
Where We Go From Here
There remain significant challenges for goals to increase efficiency and effectiveness in the transition to greater government control over social assistance. However, there are other ways to support governments toward this goal, including in ways that encourage greater accountability to beneficiaries, such as technical assistance on data collection and privacy, the development of ethics and privacy impact assessments for data collection, and training for beneficiaries on data protection and privacy rights, to support efforts to involve beneficiaries in the co-design of systems that respond better to their needs, data protection or otherwise. Such an approach aligns with movements toward a rights-based approach to data protection, rather than a narrow focus on technical compliance, and the “interest of the international community in embedding data protection more strongly in international human rights law.”
If this topic interests you, the full report from the “Review and Analysis of Identification and Registration Systems in Protracted and Recurrent Crises” work can be found here.
Note: Though this research was funded through the U.K. Government’s Better Assistance in Crises programme, the views expressed in this blog are entirely those of the authors and do not necessarily represent the government’s views or policies.