New e-transfer principles a good step towards better privacy practices
Through the Aiding Privacy project, Privacy International is promoting the development of international standards around data protection in the humanitarian and development fields and working with relevant organisations to make this happen.
A new contribution towards this goal, Protecting Beneficiary Privacy: Principles and operational standards for the secure use of personal data in cash and e-transfer programmes, was released last week by the Cash Learning Partnership (CaLP) and represents a welcome to addition to the sparse landscape of standards and guidelines to protect privacy and ensure data protection in humanitarian and development initiatives.
The CaLP has led a consortium of non-governmental organisations to produce new principles and operational standards around protecting beneficiary privacy in cash and “e-transfers” – electronic transfers of money, often via mobile phone banking systems, vouchers that are authenticated through mobile phones, or ATM cards.
What are e-transfers?
The CaLP is an initiative of several large NGOs, including Oxfam, Save the Children and Action Against Hunger, established in 2011. It reflects “a growing recognition in the humanitarian sector that in an emergency, cash transfers and vouchers can be appropriate and effective tools to support people affected by disasters.” Increasingly, these cash transfers are taking place through electronic means. To give an example, in 2009 Concern Worldwide and Oxfam began a programme to improve access to food in Nairobi’s slums. The programme involved making cash transfers to beneficiaries through mobile banking:
The cash transfer was paid monthly through M-Pesa, a mobile phone system for transferring money operated by the phone company, Safaricom. Oxfam and Concern staff provided monthly lists with phone numbers to Safaricom, who would then send an SMS to the recipients. The beneficiaries would then go to a Safaricom kiosk, show the text message, and collect their money.
Some of the risks to privacy that such initiatives entail are obvious – bad storage practices that lead to beneficiaries’ personal data falling into the wrong hands, lists of beneficiaries being used for discriminatory purposes. Others are more insidious – generating data that can be used by third parties for surveillance, requiring beneficiaries to subscribe to services that may have poor data protection practices, information collected from beneficiaries being used for purposes for which it was not originally intended, such as commercial exploitation.
The Principles and Operational Standards
The Principles and Operational Standards therefore mark an important step in raising awareness about the importance of privacy and data protection in humanitarian settings. The principles elucidated are significant: that organisations should “protect by design” the personal data (that is, any data that directly or indirectly identifies or can be used to identify a living individual) they obtain from beneficiaries and “understand data flows and risks”, as well as ensuring “appropriate technical and operational security standards” and “quality and accuracy”. They should also obtain consent from beneficiaries around the use of their personal data and only hold data for as long as is necessary.
Significantly, the principles start with a recognition of the centrality of respecting the privacy of beneficiaries: “[o]rganisations should respect the privacy of beneficiaries and recognise that obtaining and processing their personal data represents a potential threat to that privacy". They end with the need to establish redress mechanisms for privacy violations.
The authors of the Principles and Operational Standards describe them as “an attempt to establish good practice within the sector for the collection and processing of beneficiary data”. Protecting Beneficiary Privacy is a good step in this direction, containing some useful guidance for humanitarian organisations around the collection, management and storage of beneficiaries’ personal data. It is accompanied by another publication, E-Transfers in Emergencies: Implementation Support Guidelines, which also reiterates the Principles.
Projects like the Principles and Operational Standards help build towards the goal of international standards around data protection in the development and humanitarian fields. They also illustrate the growing willingness of humanitarian and development organisations to engage with privacy and data protection issues. Even the recognition that there is a problem that requires addressing is a great step towards better practice. There is much more good work in this area to look forward to.