D. Checklist – Governance

Data protection and privacy

• Once you’ve assessed where the data comes from, have you assessed whether the data collection or sharing is lawful?
  • Is this lawful basis explicitly stated in the documentation of the partnership?
• Is the data being collected in ways that people could reasonably expect?
• Have the data controllers considered the risks to the fundamental rights and freedoms of the people whose data will be collected?
• What will the consequences be of people’s data being processed in this way?
• Will individuals be informed when their personal data is being collected?
  • through what mechanisms?
  • does an exemption exist in this case? is it justified? is it supported by a necessity and proportionality assessment?
• Are individuals able to obtain information about the data processing?
  • through what mechanisms?
• How long will the data be stored?
• Who will host the data?
• Are there appropriate safeguards protecting data at rest and in transit?
  • Are these detailed in the documentation surrounding the partnership?
  • Is there a clear assignment of responsibilities between the contracting parties?
• What kind of access will the company(ies) involved have to data?
• Will data be transferred across borders?
  • If Yes: does the country it is being transferred to have a lower, higher, or same level of protection of individual’s rights?
  • Has your country/jurisdiction found that the territory where data will be transferred provides “adequate” protection for individuals’ rights (i.e. is there what is often called an “adequacy decision” in place)?
  • Has the specific transfer been reviewed and authorised by a supervisory authority?
  • Is there an agreement in place with standard data protection clauses approved by a supervisory authority?
  • If No: is the contract relying on an exemption? Is that exemption provided for in law? Is that transfer compliant with human rights standards?

Accountability and oversight

• Has the procurement process for this contract followed an appropriate procurement framework?
• Is the contract with the company in accordance with national and international standards?
• Is the technology solution necessary and a proportionate response to the issue it’s intended to solve?
• Have the company(ies) involved in the contract adopted an explicit and public policy commitment to meet their responsibility to respect human rights?
• Have the parties conducted risk assessments examining the actual and potential human rights impacts of the proposed tools and services offered (human rights due diligence and impact assessments) prior to the award of the contract, and kept these updated during the deployment?
• Does the partnership documentation provide for any independent oversight?
  • Where and how is this defined?
  • Does the oversight body have the appropriate resources to perform its role?
• Are there standards or legal requirements around transparency?
  • Are these standards/requirements adequate?
  • Are these standards/requirements being met?
• Are there any accountability mechanisms for the public body involved in this contract?
• Are there any accountability mechanisms for the private body involved in this contract?
  • Has the private body set up internal accountability mechanisms for the implementation of human rights policies?
  • Does it have processes in place to provide redress?
• Can third parties scrutinise and challenge these accountability mechanisms or their consequences?
• What, if any, are the policies that govern and document any of these requirements?
• Do they include rules regarding the public authority’s use of the technology, with clear boundaries for the purpose and use of the technology?
• Are there any redress mechanisms outlined in the contract for violations of these policies? Do they include adequate sanctions and enforcement of those sanctions?