As digital technology is increasingly integrated into development, privacy protection will become more critical (and more complex), especially for individuals with greater vulnerability to harm. USAID is working to better understand these challenges and develop effective approaches for putting privacy protection into practice. These insights will inform USAID’s efforts in the coming year to develop guidelines for responsible collection, use and management of data (including its storage, sharing, reuse, release, and disposal) using digital technologies in our programs.
We had a conversation with over 20 development professionals from a number of organizations including NGOs, companies and foundations on Principle 8: Address Privacy and Security at a lunch session organized as part of the Principles of Digital Development launch event on February 29th in Washington, D.C.
Many participants at the session noted that privacy protection, especially when it comes to actual practice in field-based digital programs, is very challenging, and identified the dearth of practice-oriented guidance as a critical gap. Some also believed there was tension between the need to operate in an open fashion in accordance with Principle 6: Use Open Standards, Open Data, Open Source, and Open Innovation and the need for privacy protection (Principle 8).
The group identified four main themes of challenges for practical application of privacy protection principles and policies.
1. Institutional Ownership Is Needed
Participants agreed that it was unclear where responsible data and privacy policies would sit within their organizations. They recognized the challenge that although privacy policies may “sit” with one team or with one person, it should be an organizational/institutional effort; a shared policy with shared responsibility. Indeed, like technology itself, responsible data use should be treated as a horizontal, not a vertical.
For example, some noted that the EU data protection policy makes privacy protection a compliance requirement, which may lead to these policies residing in the general counsel's office. Other participants noted that these policies currently live in the Monitoring and Evaluation (M&E) departments of their organizations. However, they also said that data is not collected for M&E purposes alone and that these teams do not have the resources to take on the job of ensuring responsible practices for the whole organization.
While some organizations do have Institutional Review Boards (IRBs), participants said there is a lack of clarity on the fuzzy boundaries between research and other types of data collection like monitoring and evaluation. Others noted that IRBs might not have the necessary skills and technical expertise to understand the risks of data collection and use through digital platforms (e.g. mobile phones, social media platforms etc.) compared to other methods (surveys, interviews etc.).
Lastly, participants said that while a corporate IT team is essential if programs want to do privacy and data protection well, it wasn’t the IT department’s responsibility alone. They emphasized the need for stronger partnership between Program and IT staff on these issues. This further highlights the need for institutional ownership of privacy policies so incentives and processes can be aligned across different teams (IT, M&E and Program staff) for adoption of responsible data approaches.
2. Engagement with Local Partners to Implement Privacy Policies is Key
Participants emphasized the need for educating and engaging local partners about data and privacy protection principles/policies to get true adoption of responsible data practices. Some in the group described experiences of getting pushback from in-country government ministries and partners, due to perceptions that organizations were being overly cautious about these issues or that “Western” values of privacy and security were being pushed onto local partners.
Moreover, there is a perception that threat models, a technique used to help identify privacy risks, vulnerabilities, and countermeasures, may be more aligned with concerns about “big brother watching” in the Western context, while developing countries have different concerns. Some also described resistance to data protection because of perceptions that it would hold up service delivery. Many agreed that it is critical to educate and engage local field staff and partners about digital security. The issue raised is one for both donors and implementing partners: to move beyond just policy at headquarters and take the necessary time and resources to engage and educate local partners.
3. There Are Costs to Putting Privacy Policies into Practice
Many in the group acknowledged that there is a need for a deeper understanding of the financial resources needed for effective implementation, both in terms of hiring more technical staff and acquiring higher quality information security technology tools.
Participants described risks due to the tendency of some organizations to simply throw a digital intervention together that is easy to do and low cost, such as a network or a social media page. Additionally, risks arise from the misconception among some development organizations or NGOs that because they are nonprofit organizations or working in emergency response situations, their networks will not be the targets of cyber attacks.
Some participants added that because most development organizations are not working with unrestricted funds, it is hard to make the case for funding information security as its own requirement both with donors and within their own organizations. Participants described alternative approaches to building information security, such as tapping into private sector corporate social responsibility for expertise and training on data security and privacy.
Some suggested public-private partnerships to acquire these resources while others cautioned about the due diligence needed to manage those partnerships, including being careful in negotiating data sharing agreements so they are responsible.
4. Understand the Legal Landscape
There was much discussion on challenges with understanding the legal landscape of privacy protection in different jurisdictions and countries. Participants discussed the differing positions between the EU and the US and noted the need for more information on data sovereignty, privacy and other relevant laws in each country.
The group identified some freely available resources like the data protection policies visual map from DLA Piper and Capture the Ocean. Participants also noted the need for greater understanding of local enforcement of these laws in different countries.
These conversations highlight a clear need for practical guidance on a myriad of issues surrounding collection, storage, sharing, and release of data in development. More open conversations between development sector actors, donors, local partners, and beneficiaries that get into the weeds can help us move towards practical solutions grounded in the realities of international development.
USAID is listening to and learning from the development community and encourages you to share your experiences, ideas and lessons learned. Tell us in the comments.
By Subhashini Chandrasekharan, AAAS S&T Policy Fellow, and Mark Cardwell, from USAID’s Global Development Lab.