Data privacy laws in Monitoring and Evaluation
Host: Alexander Bertram
About the webinar
This webinar is a comprehensive session tailored for Monitoring and Evaluation professionals seeking to navigate the complex landscape of privacy regulations.
The session provides participants with an in-depth understanding of key privacy laws, such as GDPR, CCPA, and others, and their impact on data collection, storage, and analysis within M&E practices. Participants also learn about best practices for compliance and strategies for adapting to evolving privacy standards.
We explore the critical aspects of privacy laws that directly affect M&E practices, focusing on both the theoretical and practical applications.
We provide guidance on handling personal and sensitive data under various regulations and discuss the implications these laws have on data collection and analysis. Additionally, we cover ethical responsibilities and data security measures that M&E specialists must consider to safeguard participant information.
In summary, we cover:
Key concepts:
- Personal data
- Processing
- Controllers
- Processors
- Lawfulness of processing
Key topics:
- Key privacy regulations and their relevance to M&E practices: Global perspectives on privacy legislation (EU, US, Nigeria, and Brazil)
- Implications of privacy legislation on data collection and analysis
- Overview of joint controllership and data processing agreements and their implications for M&E activities.
- Checklist on drafting and managing data processing agreements to define roles and responsibilities.
Data security and ethical considerations in M&E:
- Best practices for data privacy compliance in M&E
- Adapting M&E practices to evolving privacy standards (a checklist)
View the presentation slides of the Webinar.
Is this Webinar for me?
- Do you wish to learn more about data privacy laws and ethical considerations?
- Are you wondering how to protect data integrity and confidentiality?
- Do you need guidance on how to adapt your M&E practices to comply with privacy laws and protect data integrity?
Then, watch our Webinar!
About the Presenter
Alexander Bertram, Executive Director of BeDataDriven and founder of ActivityInfo, is a graduate of the American University's School of International Service and started his career in international assistance fifteen years ago working with IOM in Kunduz, Afghanistan and later worked as an Information Management officer with UNICEF in DR Congo. With UNICEF, frustrated with the time required to build data collection systems for each new programme, he worked on the team that developed ActivityInfo, a simplified platform for M&E data collection. In 2010, he left UNICEF to start BeDataDriven and develop ActivityInfo full time. Since then, he has worked with organizations in more than 70 countries to deploy ActivityInfo for monitoring & evaluation.
Victoria Manya has a diverse background and extensive expertise in data-driven impact, project evaluation, and organizational learning. She holds a Master's degree in local development strategies from Erasmus University in the Netherlands and is currently pursuing a Ph.D. at the African Studies Center at Leiden University. With over ten years of experience, Victoria has collaborated with NGOs, law firms, SaaS companies, tech-enabled startups, higher institutions, and governments across three continents, specializing in research, policy, strategy, knowledge valorization, evaluation, customer education, and learning for development. Her previous roles as a knowledge valorization manager at the INCLUDE platform and as an Organizational Learning Advisor at Sthrive B.V. involved delivering high-quality M&E reports, trainings, ensuring practical knowledge management, and moderating learning platforms, respectively. Today, as a Customer Education Specialist at ActivityInfo, Victoria leverages her experience and understanding of data leverage to assist customers in successfully deploying ActivityInfo.
Transcript
00:00:00
Introduction
Before we get started, I just wanted to take a couple of minutes and tell you about ActivityInfo. BeDataDriven was founded with the mission to help social impact organizations do their work more effectively using data. We do this by both developing and helping organizations implement ActivityInfo. ActivityInfo is an end-to-end solution for M&E data management that is built on a relational data model. It has all the tools you need to manage data across the entire data life cycle in a single system.
It provides web and mobile applications for data collection in the field or in the office, either connected or disconnected. It features intuitive built-in tools and an expression language that help validate data at the point of entry and clean data sets inputted from other systems. There is a robust cloud-based system architecture that ensures that data stored in the system is always available without any need to manage hardware or cloud environments. There are also data management capabilities to help organize data and provide access to those that are permitted. Lastly, there are powerful analytic and data visualization tools that help you extract value out of your M&E data for better decision-making.
00:02:06
Data protection legislation
There are two parts to this webinar. The first part is looking at the key concepts, which is where we will spend most of the time trying to understand the building blocks of data privacy, data protection legislation, and how those relate to monitoring and evaluation. Then we will wrap up by looking at roles and responsibilities followed by some Q&A.
Let's start with data protection legislation. These are a set of laws that are intended to protect how information about natural persons is processed, used, and shared. The one that really came first and heralded this change is the GDPR, the European Union General Data Protection Regulation. However, in parallel to this, many countries from South Africa to the Philippines, the United States, and Colombia have adopted their own data protection legislation. Those of us working internationally now have a whole web of these laws.
What makes this web of new legislation somewhat manageable is that they take inspiration from the EU GDPR and use many of the same ideas, concepts, and frameworks. That is what we are going to focus on today. If you can master these concepts, they should help you in understanding the legislation that applies in your country or region, though you will have to look at the specifics.
00:06:00
What is personal data?
The GDPR defines personal data to mean any information relating to an identified or an identifiable natural person. This is key language. Obviously, if you say a specific person is 42 years old, that is personal data because that is information relating to someone you can identify. However, if you refer to a job title at a specific company, that is also identifiable because you can figure out who that person is. It is not enough just to have somebody's name there; anything that can be used to identify what this data refers to can be considered personal data.
Let's look at some examples. If you are collecting data on schools, such as the number of classrooms or drinking water sources, this is not personal data because it does not relate to a natural person. A school is not a person.
Consider a dataset with gender, age, and the results of an HIV test. While this is data about people, at this level of detail, there is no way to identify who we are talking about. We just know it is a male; we don't know the country or city. Therefore, this is not personal data in the sense of the legislation because the person cannot be identified. However, if you have a dataset with names and test results, that is clearly personal data because the people are identified.
What about a dataset with email addresses, education, and language? An email address can be used to identify who we are talking about, similar to an IP address. Even if we don't have their name, we can distinguish who this person is.
Now consider a dataset with just a participant number. This can be a trick question. If somewhere else in your organization you have a way of linking that participant number to a name and email address, then this is still personal data. We will look at pseudo-anonymization later, which is a great technique, but as long as there is a way to find this number somewhere else, this person could be identified, and this data is personal data under the legislation.
Finally, consider data about a person's role, gender, and the specific school they work in. If you cross-check information about job title, gender, company name, and city, you can easily identify the person. For example, there may be only one 35-year-old primary school teacher at a specific school. This is enough information to identify the person. When you have this much detail, you have to be very careful because this is still identifiable information.
00:16:40
Processing personal data
Processing is the next concept, and it is a very broad term. It means any operation which is performed on personal data, whether that is automated, reading focus group transcripts, sending emails, collection, recording, storage, or dissemination. Anytime you are using the data, it falls under the definition of processing. Whenever you are doing any of this with personal data, it is going to be falling under these laws.
00:17:50
Data controllers and processors
The data controller is the entity that determines the purposes and the means of processing personal data. We contrast that to the processor, which is the entity that processes personal data on behalf of the controller.
To make this concrete, if you are an NGO providing health or education services, and your organization decides what personal data is needed to provide those services, you are the controller. You are determining the purposes of this data and the means of processing it.
The other half of this is when you use software from another company, hire a consultant, or contract another company to do data analysis. That other entity is a processor. The big difference is about decision-making power. A software provider does not decide what data to collect or what you do with it. Their only job as a processor is to make sure they follow your instructions.
00:20:50
Lawful basis for processing
If you are processing personal data as the controller, it is your responsibility to have a lawful basis for doing so. By default, you do not process personal data unless you have a reason. There are six bases listed in the legislation, but for monitoring and evaluation NGOs, three are most relevant: consent, legal obligation, and legitimate interest. We will focus on consent and legitimate interest.
Consent must be freely given, specific, informed, and unambiguous. It is not enough to just say "I consent to processing." It has to be specific about what data you are storing and what you are going to do with it. For consent to be a lawful basis, there has to be a real choice. If you ask someone fleeing conflict for consent to process their data to receive aid, is that a real choice? If you are not prepared for people to say no and still provide services, consent might not be the most appropriate lawful basis.
Legitimate interest is another basis. The law understands that an organization needs to process personal data to function. For example, providing cash vouchers to flood victims requires collecting names. In that case, legitimate interest is likely more appropriate than consent. However, legitimate interest requires you to apply a three-part test: purpose, necessity, and balance.
00:30:50
Data subject rights
When you collect information about people, those people are called data subjects, and they have certain rights.
It is a balancing act between the rights of the data subject and the needs of the controller.
00:35:00
Anonymization and pseudo-anonymization
Anonymization results in anonymous data, which is the opposite of personal data. It is not identifiable and can never be related to an individual. For example, a report stating that 75% of those surveyed used a family planning method is anonymous.
Pseudo-anonymization is the processing of data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. For example, using case numbers instead of names. It is still personal data covered by the law because if you have the key to link the number to a name, the person is identifiable. It is a great technique to reduce risk, but it remains personal information.
00:36:40
Cross-border data transfers
If you collect data in one country, can you send it to a consultant or company in another country? The principle is that the protections of the GDPR (or relevant law) should stay with the data. Regulators do not want a situation where data is moved to a country with weaker laws to avoid responsibilities.
Generally speaking, you have to ensure that the rights of the data subjects are protected. One way to do this is through "adequacy." This is when the EU recognizes that a country's data protection laws afford the same level of protection as the GDPR. Countries like Uruguay, and recently the USA (under specific frameworks), have adequacy decisions.
Another basis is binding corporate rules. If an NGO transfers data to a country office within the same organization, and that organization has binding rules on data protection, that is considered a lawful transfer. If you do not have adequacy or binding corporate rules, you may need to consult an expert or the data protection authority.
00:43:50
Roles and responsibilities
As an NGO, you are usually the data controller. You decide what data to collect and how to process it. You have obligations to your data subjects and the Data Protection Authority. In some countries, like Kenya or the Philippines, you may be required to register with the authority.
When you use software or hire a consultant, they are the data processor. A Data Processing Agreement (DPA) is what activates this relationship. It ensures the processor acknowledges their obligations to process data only according to your instructions and to report breaches.
The controller is responsible for choosing an appropriate processor. If you use software that breaches confidentiality, that is partly your responsibility for not vetting them. The DPA should list roles, sub-processors (like cloud providers), penalties, the specific data being processed, and the technical and organizational measures taken to secure the data.
00:52:20
Questions and answers
Is it possible for a respondent to withdraw consent during data interpretation or visualization?
Yes, absolutely. If you collected data on the basis of consent, they have the right to withdraw it, and you would need to remove their data from the dataset. If you used legitimate interest, they cannot withdraw consent (since that wasn't the basis), but they can object to the processing. You then have to discuss whether to accept or refuse that objection based on your legitimate grounds.
What precautions should be taken when there is no data authority in your country?
Even if there is no active data protection authority, the principles these laws lay out are useful good practices. You can look at resources like DLA Piper's "Data Protection Laws of the World" to see the status of laws in your country. For example, the DRC has a digital code law. Regardless of enforcement, applying these principles is generally for the best.
For evaluations commissioned to service firms, who signs as controller and processor?
In this case, the service firm doing the evaluation is the data processor because you are giving them instructions and providing the data. You are the controller responsible for the lawful basis. You should sign a Data Processing Agreement with them. This applies even if the data is pseudo-anonymized, as it is still identifiable. It is always a good idea to sign a DPA to make roles and responsibilities clear.
Does data privacy cover hard copy data?
Yes. It does not matter if it is on a computer or printed on paper. If you are processing personal data, whether with pen and paper or digitally, it is covered by the law.