
246 | Revisiting Targeting in Social Assistance
social programs. In the not-so-distant past, information collected by social programs was mostly in paper form and not very extensive. As such, it did not raise substantial issues of data privacy²¹ nor trigger complex responses to ensure data protection.²² With the generalization of digital information flows and increased use of digital technologies in social programs—ID systems, biometric data, interlinked data for eligibility determination, and digital payment systems—concerns about data privacy and data protection have become important (box 4.6).
Data privacy risks can arise from any activity that collects, stores, or processes personal data. Among the information collected by social programs, most concerns are related to management of personal data (any information relating to an identified or identifiable individual), other personally identifiable information (information that permits the identity of an individual to be directly or indirectly inferred, or any information that is linked or linkable, or may be attributed, to that individual, including street address, email, telephone, IP address, geolocation, biometric, or behavioral data), and sensitive data (sexual orientation, membership in an ethnic minority group, trade union, and so forth). As social programs deal with socioeconomic data as well as data sourced from multiple government systems through interoperability and data integration protocols, the social protection sector must ensure that a process for protection of personal data is in place.
BOX 4.6
Why Should Social Protection Practitioners Care about Data Protection?
Social protection systems process (collect, use, store, and disclose) the personal data of applicants and program beneficiaries. These data need protection. Why?
• If personal data are not adequately protected, the data subjects’ right to privacy may be violated and individuals may suffer material, physical, or symbolic harm.
• Data protection is essential to create trust among social protection authorities, their staff, and clients. Lack of trust may restrain the access of vulnerable populations to social protection services and benefits, as they may fear that sharing their personal information will lead to harm, discrimination, stigmatization, or surveillance, among other risks.
• For social protection practitioners, compliance with organizational or legal data protection and privacy frameworks is important to avoid penalties.
• Social protection and privacy are human rights and, therefore, interdependent. This means that one needs the other to be fulfilled. Both are equally important.
Source: SPIAC (forthcoming); Enabling Digital & GIZ (2020).
Data protection legislation and institutions should protect the use of personal information against risks such as exposure of personal data, data and identity theft, discrimination or persecution, exclusion, unjust treatment, and surveillance. Protecting personal data is a critical aspect of the design of systems enabling a relationship of trust (Alston 2019; Bashir et al. 2021; Ohlenburg 2020; Sepulveda Carmona 2018). Data protection legislation typically offers protections for applicants and beneficiaries, such as the rights to object, access, rectify incorrect records, erase, and restrict processing to what is minimally required to operate the program, as well as the right to notification in case of processing, breach, and so forth.
The United Nations Personal Data Protection and Privacy Principles²³ are important for the delivery system of social protection programs. The United Nations High-Level Committee on Management (2018) highlights the importance of having data processed in a fair and legitimate manner, with regard to the person’s consent and best interests, and processed and retained consistently with specified purposes. In addition, it highlights the importance of keeping data accurate and up to date to fulfill the specified purposes and the need to process the data with due regard to confidentiality, using appropriate safeguards (organizational, administrative, physical, and technical) to protect the security of personal data.
To realize the desired and/or legislated standards of data protection, there are several concrete design and administrative arrangements that social protection programs can implement. Box 4.7 describes two such examples. First, the case of Turkey offers an example of an established social registry with good data privacy and data protection practices. The registry was developed a decade ago, before the adoption of the General Data Protection Regulation by the European Union. It was also before the recent debate about data privacy in the digital age, including the risk associated with automatic authentication through facial recognition (without the explicit and meaningful consent of the person being identified). The second example, from Morocco, presents a recent, holistic case of development of a data privacy and data protection framework for a twin unique ID registry and social registry.