Data Protection by Design or by Default
With the Covid-19 pandemic, there is a greater focus on the development and deployment of technological innovations that could be key in addressing the social, financial and public health impacts of the crisis. These innovations include contact tracing mobile applications and Artificial Intelligence used to predict infection patterns, assist in developing a Covid-19 vaccine and identify persons at greater risk. While there are mixed reactions to the deployment of these technologies, the focus of this article is on the privacy and data protection strategies that data controllers and data processors should adopt.
In a previous article, I argued that data controllers who wish to process data during the Covid-19 pandemic must undertake data protection impact assessments. Before carrying out those assessments, data controllers and data processors should ensure that their innovations protect personal data by design or by default. The strategies discussed here would also minimise the legal exposure of data controllers and data processors: a data subject may file a petition arguing that a data controller or data processor is processing, or has processed, personal data in violation of the Data Protection Act, and in effect infringing the data subject's constitutional right to privacy.
Section 41 of the Data Protection Act, 2019 provides for data protection by design or by default. A key principle of the Act is that data controllers and data processors engage in self-regulation, adopting strategies that ensure compliance with the Act. Section 41(1) provides that every data controller or data processor should implement appropriate technical and organisational measures designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards for that purpose into the processing.
Section 41(3) further states that a data controller or data processor should implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose is processed, taking into consideration the amount of personal data collected, the extent of its processing, the period of its storage, its accessibility, the cost of processing the data and the technologies and tools used. Section 41(4) sets out measures that a data controller or data processor shall consider. These include:
identifying reasonably foreseeable internal and external risks to personal data in the person's possession or under the person's control, and establishing and maintaining appropriate safeguards against the identified risks; ensuring pseudonymisation and encryption of personal data; providing for access to personal data in a timely manner in the event of a physical or technical incident; and verifying that the safeguards are effectively implemented and ensuring that they are continually updated in response to new risks or deficiencies.
How then would data controllers and data processors developing and deploying technological innovations practically ensure compliance with the Data Protection Act?
One, the initial design of the innovation must be formulated in a manner that guarantees the protection of the rights of data subjects. Data subjects should be able to give prior and informed consent to the use of the innovation and to the processing of their personal data, and they should be informed of the purpose of the processing beforehand. It is instructive to note that the mere ticking of a consent box does not constitute prior and informed consent.
Data controllers and data processors should develop and make public user policies that clearly set out the above in language that the majority of data subjects understand. Long, convoluted policies shrouded in legalese and technical terms will not cut it. The policies ought to be in plain language, and data controllers should avoid boilerplate policies that are not tailored to the context of the processing.
Two, the innovation should only process data proportionate to the purpose of processing. The design ought to avoid collecting and storing data that is not necessary, which means the design should, from the outset, specify the data designated for processing. For example, it would not be proportionate for a contact tracing application to collect fingerprints and DNA data from data subjects.
Three, security of data is key. This applies both to the personal data made available for processing and to other data within the control of the data controllers and data processors. Where a data controller or data processor is not keen on the security of personal data received from data subjects, it is probable that its own data, which may include trade secrets, is not secure either. This calls for a corporate data protection culture within data controllers and data processors: management, employees and agents ought to be well versed in the provisions of the Constitution and the Data Protection Act. One way I address this is by working with data controllers and data processors to formulate and adopt institutional data protection policies.
Four, data controllers and data processors should appoint data protection officers in line with Section 24 of the Act. The role of the data protection officer is to advise the data controller or data processor and their employees on data processing requirements provided under the Act, ensure on behalf of the data controller or data processor that the Act is complied with, facilitate capacity building of staff involved in data processing operations, provide advice on data protection impact assessments and co-operate with the Data Commissioner and any other authority on matters relating to data protection.
Lastly, data protection impact assessments ought to be carried out before deployment of the innovation. I have discussed this in a previous article available here – Data Protection Impact Assessments https://www.laibuta.com/data-protection/data-protection-impact-assessments/.
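The data minimisation point (Two) and the pseudonymisation and encryption measure listed under Section 41(4) can be made concrete at the design stage. The following is an added example, not code from the original article or from any contact tracing application, and it makes several assumptions: a hypothetical app submits a record containing a phone number, a name, a national ID number and a GPS track; the only fields necessary for the tracing purpose are the day of contact and the exposure duration; and the retention period is 21 days. Everything not on the allow-list is dropped before storage, the phone number is replaced by a keyed hash (HMAC-SHA256) whose key is kept separately from the data store, and each record carries a deletion date. Encryption of the stored record at rest is not shown, only because the example is restricted to the Python standard library.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Assumed field set a contact tracing app actually needs for its purpose
# (an assumption for this example, not a reading of the Act). Everything
# else submitted by the app is dropped before storage.
NECESSARY_FIELDS = {"contact_day", "exposure_minutes"}
RETENTION_DAYS = 21  # assumed retention period for this example

# Constructed pseudonymisation key. In a real deployment it lives in a key
# vault or HSM, separate from the record store, so that the records alone
# cannot be re-linked to a person.
PSEUDONYM_KEY = b"example-key-kept-separately"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier such as a phone number.

    An unkeyed hash of a phone number can be reversed by brute force over the
    number space; with a secret key, re-identification depends on key access.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(raw: dict, collected_on: date) -> dict:
    """Keep only the fields necessary for the stated purpose, pseudonymise the
    identifier, and attach a deletion date (storage limitation)."""
    if "phone_number" not in raw:
        raise ValueError("record has no identifier to pseudonymise")
    record = {k: raw[k] for k in NECESSARY_FIELDS if k in raw}
    record["subject_ref"] = pseudonymise(raw["phone_number"])
    record["delete_after"] = (collected_on + timedelta(days=RETENTION_DAYS)).isoformat()
    return record


def dropped_fields(raw: dict) -> set:
    """Fields that were collected but are not proportionate to the purpose."""
    return set(raw) - NECESSARY_FIELDS - {"phone_number"}


# Constructed sample submission from the hypothetical app, deliberately
# including fields that are not proportionate to contact tracing.
SAMPLE_RAW = {
    "phone_number": "+254700000000",
    "full_name": "Jane Doe",
    "national_id": "12345678",
    "gps_track": [[-1.2921, 36.8219]],
    "contact_day": "2020-05-04",
    "exposure_minutes": 17,
}


def process_sample() -> dict:
    """Run the constructed sample through minimisation (fixed collection date)."""
    return minimise(SAMPLE_RAW, date(2020, 5, 4))


if __name__ == "__main__":
    print(json.dumps(process_sample(), indent=2))
    print("dropped:", sorted(dropped_fields(SAMPLE_RAW)))
```

The stored record contains only the two necessary fields, a 64-character pseudonym and a deletion date; the name, national ID number and GPS track never reach storage. Because the pseudonym depends on the key, the same phone number produces a different reference under a different key, which is what keeps re-identification tied to key custody rather than to the records themselves.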