Big Data Also Means Big Privacy and Security Challenges

The age of big data brings with it new privacy and security concerns. Today, more than ever, international non-governmental organizations (INGOs) use data to design and deliver their projects worldwide. While this flow of data has greatly improved our understanding of various issues and allowed us to better address challenges, it has also created new dilemmas. How do organizations deal with privacy issues and ensure compliance with many different data privacy laws in the various countries where they work? What measures are they taking to ensure that data security and privacy is well understood within their organizations and that the collected data is used responsibly?

This was one of the key topics explored at the ICT4D conference held recently in Hyderbad, India, where the Microfinance Gateway was a media partner. The event coincided with the recent global cyberattack, which affected over 200,000 people in more than 100 countries, exposing the vulnerability of organizations to data security breaches.

In one of the most engaging ICT4D plenary sessions – “Data Security and Privacy” – representatives of four international organizations shared their thoughts about a common challenge of using data effectively to design and implement programs while ensuring people’s rights of consent, privacy, security, and ownership of the data that they collect. The members of the plenary included Karl Lowe from Catholic Relief Services, Derek Ho from Mastercard, Neal McCarthy from Oxfam, and Al Lutz from World Vision International.

The following are the three main Gateway takeaways from the discussion.

Over 100 data privacy laws, but no coherent definition of privacy

It is estimated that there are over 100 data privacy laws adopted by countries worldwide. Such laws were designed to protect personal data, which is regularly collected, stored, and analyzed by a wide range of actors including local and international NGOs, businesses, and governments. The issue is that most of these laws do not define privacy, leaving it up to a wide range of interpretations. This lack of a clear definition presents a great challenge for international NGOs who need to comply with privacy laws in different countries where they implement projects from financial inclusion to agriculture, health, and education. Often, in order to avoid issues of non-compliance, organizations apply the most stringent definitions so that they can protect the privacy and rights of those whom they serve. This, in turn, affects their ability to use data effectively for program design and delivery.

Promoting open data and safeguarding data privacy are two important goals that are often in conflict

Data collection and analytics allow organizations to design better targeted programs, allocate resources more efficiently, and measure the impact of their work. That’s why promoting open data, which is freely used, re-used, and shared, is an important goal of the international development sector.  There is no question, however, that whether data is used to design programs for expanding financial inclusion or address the needs of people living in fragile conditions, protecting the privacy of beneficiaries is critical. To this end, it is becoming increasingly important for organizations to nurture a data protection culture among their staff to ensure responsible use of data.

Organizations need to start developing standards and tools to deal with data privacy and security including anonymization, a technique used in data privacy protection that involves masking or deleting personally identifiable data. Oxfam is the first international NGO to adopt a responsible data policy emphasizing key individual rights: the right to be counted and heard; the right to dignity and respect; the right to make an informed decision; the right to privacy; and the right to not be put at risk – not just physical risk, but political and psychological risk as well.

As data rapidly moves to the cloud, it will be more difficult to safeguard privacy

We are aggressively moving to the cloud, which will lead to easier data transportability but new challenges for safeguarding privacy. The advantage is that cloud service providers will be able to address the security issues as they develop data security expertise and capacity that NGOs don’t have. However, international organizations and other actors in the business of collecting, storing, and using data are ultimately the ones who must be responsible for their data’s security. Based on the collection limitation principle, organizations should reconsider how much data they need and limit the amount of personal information they collect.

Recently, several international organizations and members of the tech industry called on donor agencies to help establish industry-wide standards for data privacy in order to protect the most vulnerable people.