Protecting people’s personal data is an essential part of protecting their life, integrity, and dignity. This makes data protection a crucial part of humanitarian work.
People in need of humanitarian action often belong to vulnerable groups — individuals who are already experiencing some form of suffering or hardship. It behooves those charged with handling their personal data not to add to those woes.
Humanitarian action refers to activities that aim to support people affected by conflict, natural disasters, and other crises — including a pandemic. This past year, we’ve seen countless examples being carried out by different organizations.
Among them, the Philippine government’s Social Amelioration Program (SAP) has caught people’s attention given the very public way it manages personal data. The SAP is the distribution system for the government’s emergency subsidy for low-income households most affected by the unending community lockdown.
The Department of Social Welfare and Development (DSWD), which is the primary agency in charge of the distribution, hosts on its website a public database of all qualified beneficiaries. It has a search function that allows anyone to identify the beneficiaries in specific local government units (LGUs). The LGUs themselves post their beneficiary lists on their own websites or social media pages. Also, during distribution operations, they usually take photos that end up on their social media accounts or those of specific government officials.
Many have asked rather publicly whether these practices are allowed or at the very least appropriate, given our existing laws and regulations. Are they really necessary?
A brief statement released last April 8 by the National Privacy Commission (NPC) suggests that, from a data protection perspective at least, this is an issue worth looking into. The Commission urged LGUs to “practice transparency with responsibility” when they post on social media the names of SAP beneficiaries. It recommended strict adherence to the principle of proportionality, and noted that, while LGUs are not prohibited from disclosing essential information to the public, they should be “mindful” of their “concomitant responsibilities as personal information controllers”.
The problem with the statement was that it was too broad to be of real use. It did not evaluate the current practices of the DSWD and LGUs and simply offered general recommendations susceptible to many different interpretations. For example, how exactly does one “practice transparency with responsibility” in this scenario? What are these “concomitant responsibilities” that LGUs, as PICs, should be mindful of? Ask ten LGUs and one is likely to get ten different responses.
To get some actual answers, one has to understand that SAP is essentially a cash transfer program (CTP), a common survival and recovery tool during humanitarian emergencies. While it has many proven benefits, its effectiveness and appropriateness for a particular situation are usually determined by prevailing circumstances.
What is clear, though, is that CTPs need to process personal data in order to work. Personal data are collected, stored, and cross-matched in order to determine eligibility and to avoid common issues like duplicate claims or fraud. Through it all, compliance with data protection laws and regulations is paramount.
These are some key data protection concepts that should inform SAP and other CTP operations:
- Legal Bases for Processing. Government CTPs almost always have the backing of laws and a bunch of implementing rules. Implementing agencies should keep their actions within the boundaries set by those policies. They should avoid unsanctioned use of CTP datasets for unrelated purposes. If those other purposes are necessary, or if the CTP is a private one, other legal bases like consent must be availed of.
- Data Protection Principles. The NPC mentioned one principle integral to CTP operations: proportionality (i.e., a CTP shall collect and disclose only those personal data it needs to work). But there are still others just as important. Purpose limitation is one. It should be clear to would-be recipients what their data will be used for. Once obtained, those data must only be processed for the declared purpose of their collection and other compatible uses. Retention limitation is another relevant principle. It demands that the collected data be disposed of once the purpose for their collection has been met, unless there are lawful grounds for a longer retention period (e.g., for audit purposes).
- Data Subject Rights. The menu of rights granted by the Data Privacy Act of 2012 (DPA) to all individuals relative to their personal data must be upheld. Among them, the “Right to Rectification” is often useful. There are many stories of qualified recipients who are denied financial assistance because of some errors in the CTP database. There should be a quick and easy process through which they can request the correction of their data so that they are not deprived of the benefit due them.
- Outsourcing. Implementing CTPs is a complex operation and requires a lot of moving parts. Government agencies or LGUs usually secure the services of third parties to augment their work force. Whenever third parties are involved, the organizers must make sure engagements are covered by appropriate contracts that feature the provisions required by the DPA’s implementing rules.
- Data Sharing. Sharing CTP datasets with third parties who may have their own reasons for wanting access to such a trove of information is discouraged or should at least be kept to a minimum. This is an area where personal data are most prone to abuse or misuse. It goes without saying, of course, that the CTP organizer should make sure its legal bases cover all its data sharing activities.
- Privacy Impact Assessments. Some may consider PIAs an unnecessary burden given the kind of environments (i.e., emergencies) CTPs are usually needed in. That point is well taken. However, no one is saying a PIA should be done during an actual emergency. It may be performed during the design phase of a CTP or after one has already been completed, as some form of post-activity audit. At the very least, the PIA will help plug the gaps and make the next CTP operation more secure.
The DSWD and its fellow line agencies, together with their LGU partners, should take these things to heart. Judging from the practices we are all witness to right now, these were never considered in the design and implementation of the SAP. And that’s not good.
The pandemic is more than a year old. That nobody could have foreseen it and its implications is no longer a valid excuse. Just last month, the NPC lauded the LGUs, alongside the Department of the Interior and Local Government, for the latter’s policy requiring LGUs to appoint Data Protection Officers (DPOs) by February 26 this year. Where are those DPOs now? What roles are they playing in all these humanitarian initiatives?
It bears repeating here: humanitarian work entails data protection work. Let’s make sure that is always the case.
The author is a lawyer, artist, photographer, and privacy advocate. Additional information and queries may be sent to [email protected]