Data protection is the systematic application of a set of institutional, technical and physical safeguards that preserve the right to privacy with respect to the collection, storage, use, disclosure and disposal of personal data. Personal data includes all information that can be used to identify data subjects, which in the case of a humanitarian cash-based intervention means our programme beneficiaries.
Humanitarian agencies collect a wealth of personal data from individuals in all areas of programming, as well as in other areas such as fundraising and advocacy. Cash transfer programming is no exception. However actions to protect beneficiary data have lagged behind. Research in 2011 by the Cash Learning Partnership into new technologies being used on cash transfer programming found that humanitarian agencies lacked systems and processes for beneficiary data protection and data management. As we enter a digital age of programming the importance of protecting beneficiary data is being recognised.
Leaks of personal data have potential to result in individuals being targeted for violence or harassment, due to ethnicity, religion, medical history, or just because they have received aid or worked with international organisations. This is a major concern for aid agencies, whose mandate is to uphold the humanitarian principle of ‘do no harm’. Risks to the protection of beneficiary data are faced at every stage.
Where feasible and appropriate to the context, e-transfer technology is increasingly being adopted by aid agencies, which can allow programmes to reach affected populations at a large scale and in hard-to-reach environments. It is the adoption of e-transfer technology, and digital technology more generally on programmes, that is driving an increasing realisation within the humanitarian sector of the privacy risks associated with the collection, use, storage, sharing and disposal of beneficary data. A failure to understand or mitigate these new threats throughout the programme cycle can put people at risk and undermine the trust that humanitarian organisations require in order to do their work.
E-transfer programmes begin with the collection of personal data from beneficiaries. This personal data is often more extensive than that gathered in conventional aid distributions – for example, on some e-transfer systems, client ID is verified using biometric data and this requires the collection of highly personal data from beneficiaries such as photos, finger prints and retina scans.
Once collected this information is stored by the agency and will be used by the agency to prepare beneficiary lists. The data may be shared with partner agencies and wider stakeholders including for example, national governments administering social protection programmes , or potentially with donors who are funding the intervention. This raises a number of risk factors to be considered, for example:
There are several good practice approaches agencies can put in place to overcome some of the challenges associated with protecting beneficiary data on e-transfer programmes.
Challenges can be identified from an individual programme level, up to an organisational, sector and global level.
Analysis of existing humanitarian practices demonstrate that organisations are applying a number of solutions to these challenges. Some solutions originate from legislative guidance; others are developed in situ, in response to a programmatic challenge.
Many organisations are taking the following approach, that can be seen as emerging good practice in finding solutions pertinent to specific programme locations: