In late 2019 and early 2020, DAI and our partner, Caribou Digital, worked closely with the U.K. Foreign, Commonwealth & Development Office to analyse identification and registration systems in protracted and recurrent crises. For those interested in reading more about the research, the report can be found here.
In this post—the first of a two-part series—we dig into some of the issues around consent and other legal bases for data processing in humanitarian and development contexts identified in our research. For other blogs about our research, see our comments on interoperability and the risks and benefits of management information systems at the humanitarian-social protection nexus.
Consent and Why it Matters in Humanitarian Settings
In the face of strong power imbalances between humanitarian and development agencies and beneficiaries, corresponding obligations are needed to ensure the protection of the fundamental rights of the poorest and most marginalised people. The need to obtain consent can be seen as an essential corresponding obligation of the right to privacy. This right is enshrined in key international legal instruments such as the Universal Declaration of Human Rights (Art. 12) and the International Covenant on Civil and Political Rights (Art. 17), and has been interpreted by the United Nations (UN) Human Rights Committee to extend to data protection.
Kenya HSNP payment staff assisting elderly beneficiaries as they fill in their bank account opening forms at Qilta, Marsabit.
As humanitarian and development agencies move toward digital tools for data collection and analysis, informed consent helps ensure that beneficiaries have control of their digital identities and that the right to privacy is implemented in the digital space. In December 2016, the UN General Assembly adopted a resolution affirming the right to privacy in the digital age that specifically references consent: expressing concern that “individuals often do not provide their free, explicit, and informed consent,” and calling upon all States to “develop or maintain legislation, preventive measures, and remedies addressing harm from the sale or multiple resale or other corporate sharing of personal data without the individual’s free, explicit, and informed consent.”
The General Assembly’s own Guidelines for the Regulation of Computerized Personal Data Files require obtaining consent before using data other than for the purpose for which it was collected. However, these guidelines include a “humanitarian clause,” which provides for derogation “when the purpose of the file is the protection of human rights and fundamental freedoms of the individual concerned or humanitarian assistance.” Such exceptions, particularly in emergency or humanitarian contexts, along with other legal avenues for data processing, are common features of many policies and guidelines. These exceptions will be discussed further in the next post of this series.
The consent requirement (with exceptions) also features strongly in key regional/transnational legal frameworks (for example, the African Union, Asia-Pacific Economic Cooperation, Organisation for Economic Co-operation and Development, Commonwealth, and the European Union’s General Data Protection Regulation (GDPR)). Nongovernmental organisation, civil society organisation, and UN agency guidelines (including International Committee of the Red Cross, World Food Programme, Open Society, and International Organization for Migration) also note the importance of consent and either require it or include it as one of a small number of lawful bases for data processing.
Key Requirements for True Consent
In addition to this general convergence regarding the importance of consent, there is also convergence on the definition and interpretation of consent. As in the UN General Assembly’s definition above, many data protection laws require consent that is informed, explicit, and freely given. For example, the GDPR requires consent given to be a “freely given, specific, informed and unambiguous indication”. Similarly, the African Union’s Malabo Convention states that: “Consent of data subject means any manifestation of express, unequivocal, free, specific and informed will by which the data subject or his/her legal, judicial or treaty representative accepts that his/her personal data be subjected to manual or electronic processing.”
The Office of the Privacy Commissioner of Canada notes that for consent to truly be informed, data subjects must understand any meaningful residual risks (i.e. risk remaining after mitigation measures are implemented) involved, which it defines as “a risk that falls below the balance of probabilities but is more than a minimal or mere possibility.” If there is a likely or probable risk of harm (i.e. above the balance of probabilities), the guidelines unsurprisingly consider data collection inappropriate. The definition includes both direct and “foreseeable” risks, such as the risk, after transfer to a third party, of unauthorised use by an employee of that third party, or a breach of the third party’s systems. Defining and assessing the level of these risks in a fragile, conflict-affected context is likely to be difficult. During a data collection exercise—particularly when providing urgent, life-saving support—how can the data collector articulate risks of future processing by an unknown third party (for example, the government established after a protracted conflict and conciliation process) in a manner that can be fully understood and consented to by a person in extreme, immediate need?
The U.K. Information Commissioner’s Office (ICO) interprets the need for freely given consent to require “giving people genuine choice and control over how you use their data” and the ability to “refuse consent without detriment”; it also advises that relying on consent is inappropriate where there is a significant power difference between the parties, or where the consent will act as a “precondition” for accessing services. Putting this into action, the ICO recently concluded that a website that offered free access to news stories if the user accepted cookies, but required the user to pay for a subscription if they rejected cookies, was not obtaining “freely given” consent as there was no free option that did not include data collection and storage that was not necessary for the core purpose of the site (publishing news stories).
Toward a Global Definition
All of these examples demonstrate the increasing convergence globally on a definition of consent that recognises the need for both clear information on the implications of the consent, and that true consent relies on a freely given choice, which requires alternatives. “Digitalisation-related risks are heightened when the system is not understood by users, when it is not voluntary (or if there is no other option for obtaining assistance).” The UN Special Rapporteur on Extreme Poverty and Human Rights raised concerns that policies around “digital by choice” are usually “digital only” in practice, and advocated for a genuine non-digital option. Providing an alternative that allows for user choice, and considers socio-economic (e.g. an alternative to fingerprinting when fingerprints may be worn by labour) and cultural factors (such as providing an alternative to facial recognition for women who wear head coverings) is not only good human-centred design practice, but also allows for genuine informed consent. By providing an alternative, users are not forced to provide data they are not comfortable with—or not aware of the consequences of—to obtain the goods or services they need. This is particularly acute in humanitarian scenarios where the services can be life-saving or life-changing.
While it may be challenging to develop and offer alternatives in early and/or acute phases of a humanitarian crisis, options can be explored through research outside of such crises, to ensure these options are available when a crisis strikes. In addition, during protracted crises, there may be more time and opportunities to develop these alternatives, even where the aid remains essential and life-saving, providing greater opportunities to seek valid (i.e. not forced), informed consent. Moreover, data protection standards more broadly should continue to improve as a crisis response stabilises. Not only should data use be explained, but beneficiaries should be able to confirm the data held on them and their families, to correct any inaccuracies, and exercise a right to delete or limit access to this data. When considering the transition to building government systems, this would seem by definition to no longer be a humanitarian situation and separate consent would need to be sought for such a change of use (discussed further in our next blog in this series).
Data Controllers Bear Responsibility
In short, beneficiaries should not have to forego rights to privacy and data protection to realise other rights, such as the rights to social protection and an adequate standard of living enshrined in the International Covenant on Economic, Social, and Cultural Rights.
Consent is no substitute for protecting beneficiary rights by ensuring adherence to other core data protection principles such as data minimisation, minimum data retention, and data protection and security—under a rights-based approach, consent should not be used as an “excuse” to provide lower levels of protection than is feasible, merely because beneficiaries “consented” to this approach. “Individuals forfeit a good deal of control over their personal data once it has been disclosed. Data controllers, therefore, bear the bulk of responsibility for ensuring good practice and privacy-preserving outcomes.”
Of course, during a humanitarian response, it may not be possible to provide the level of information and the alternatives needed to ensure consent is informed and freely given. In these situations, it will be necessary to rely on an alternative legal basis, such as vital interest or important grounds of public interest. We discuss this further in our next post in this series.
Note: Though this research was funded through the U.K. Government’s Better Assistance in Crises programme, the views expressed in this blog are entirely those of the authors and do not necessarily represent the government’s views or policies.