C. Accountability and Oversight
Another important aspect of assessing the governance of a public-private partnership requires analysing any accountability and oversight mechanisms in place, including any mechanisms through which the partnership was first established (e.g. public procurement processes).
You should check that certain documents and processes are in place so that the contracting state and company are accountable, that there is proper oversight, and adequate redress mechanisms. Note that you should consider the entire life cycle of the partnership. First at the procurement stage, has the procurement process for this contract followed local or international procurement rules? And are those procurement rules adequate? Has there been adequate transparency throughout the procurement process?
Human rights risk and impact assessments and/or data protection/privacy impact assessments should normally be performed prior to the award of any contract. They must be performed diligently, following proper templates approved in your jurisdiction or otherwise recognised by global civil society. An example would be The Danish Institute for Human Rights’ Human rights impact assessment guidance and toolbox. A proper impact assessment must (in particular, but amongst others) perform a necessity and proportionality assessment that properly considers risks to individuals’ rights.
You should then consider whether there is there any independent oversight, which would ensure the partnership remains circumscribed to its stated purpose, to detect abuses or resulting harm, and to require redress. Where and how is this defined and established?
When a public-private partnership is deployed, an independent oversight body (e.g. a data protection supervisory authority, an investigatory powers oversight body…) should be designated, to be responsible for (1) reviewing, approving or rejecting new proposals for use of the technology or system deployed as part of the partnership, (2) undertaking regular audits of the technology deployment including public consultations on the impact of a technology on the rights of civilians and the achievement of its intended objective(s), and (3) receiving grievances and mediating those between the public and the entities using the technology. This independent oversight body should be given appropriate resources (human and financial) to be able to perform its duties.
If these documents and processes have been put in place, they will help you see if the technology deployment is legal, necessary, and whether it’s a proportionate response to the issue it’s intended to solve. If they haven’t, it’s important that you try to determine whether the solution is appropriate or if it’s overpowered or overreaching – you can, amongst others, write to the relevant public authority to ask that they put these documents or processes in place.
Next you should consider whether the partnership is governed by certain transparency standards or legal requirements. If so, are these adequate?
You can then consider how the partners involved will be held accountable with regards to the consequences of the technology deployment. Accountability requires that the duties, responsibilities, and standards be defined, appropriate, and assigned amongst parties involved. Are there appropriate mechanisms that enable third parties to scrutinise and challenge the consequences?
Any public-private partnership should be governed by appropriate policies governing and documenting the various requirements mentioned above, such as what data will be processed, who has access to data under what conditions, what safeguards must be in place to mitigate risk to individuals, which independent body will be responsible for overseeing the deployment, etc. Such policies should also govern the public authority’s use of the technology and define clear boundaries for the purpose and use of the technology, with an exhaustive list of authorised uses and a non-exhaustive list of prohibited uses. They should also provide redress mechanisms, by outlining processes for complaints handling and enforcement of sanctions for violations of the policies, and assigning responsibilities and redress obligations to both the state and the company.
The safeguards we have outlined above are, we believe, a reasonable framework of protections to enforce the responsibilities outlined in the United Nations Guiding Principles on Business and Human Rights, and ensure that public-private surveillance partnerships do not result in human rights abuses.
For further guidance on the various safeguards that should govern public-private surveillance partnerships, please refer to PI’s PPP safeguards.