Data Responsibility in Cash and Voucher Assistance – a toolkit for 2021
Five years have passed since ELAN’s widely-used Data Starter Kit was published. The CALP Network has now updated this toolkit for 2021 to provide you with the latest information on data privacy and security in humanitarian work. Two case studies have also been published to accompany the toolkit. Here’s what’s in the toolkit, why it’s needed and how to use it.
A rapidly evolving context requires updated tools
The world of data, and organizational capacities for data responsibility are all evolving and changing very quickly. The CVA space itself has changed significantly since ELAN’s data starter kit was published five years ago.
Since 2016, the volume of CVA has grown from $2.8 billion in 2016 to $5.6 billion in 2019, and CVA now comprises around 18% of all international humanitarian assistance. Roles and partnerships in CVA are changing, with even greater coordination required across multiple partners, including government ministries, UN agencies, Red Cross Red Crescent Movement (RCRCM), national and international NGOs as well as across each of their respective data systems. CVA’s increased reliance on digital channels has led to greater involvement of banks, mobile network operators (MNOs), micro-finance institutions, and new financial-technology providers.
The amount of data being collected, stored, used and shared across CVA partners is consistently growing. For example, some implementing partners use large, established systems that incorporate digital identity (Digital ID) or biometrics for identification. At the same time, we are seeing new and updated data privacy laws such as the European Union’s General Data Protection Regulation (GDPR) being introduced around the world. These place new requirements on organizations who manage personal and other forms of sensitive data.
Somewhat surprisingly, a data paradox is at play: while awareness about data responsibility, our duty of care, and our responsibility for safeguarding programme participants’ data is at an all-time high, at precisely the same point practitioners who are faced with day to day data management situations in CVA programming report feeling paralyzed, unsure of how best to handle these (sometimes recurring, sometimes unique) situations.
Our hope for this toolkit is that it could help actors overcome, to an extent, this sense of paralysis of analysis.
What’s in the new toolkit?
The updated toolkit offers a gold standard for which to strive, whilst recognising that change is not a one step process and the gold standard may not be operationally feasible or practical for every organization. The toolkit offers guidance on what questions to ask and what to consider when making decisions about data in CVA. It also provides recommendations and underlying principles for how to successfully approach data protection. What’s more, while it focused on CVA, the toolkit has much wider application and offers a valuable guide for any humanitarian.
The toolkit delves deeper into some areas than its 2016 predecessor, and uses an adapted “data lifecycle” approach, in recognition that there are normally several cycles of data collection and processing during any CVA effort:
- Political economy of data analysis. In the first phase of the data lifecycle, the toolkit recommends assessing the context in which CVA is taking place and the capacity of the various partners or potential partners. It recommends a “political economy of data” analysis to understand power dynamics and data values in the context. This accompanies other assessments such as a review of pertinent legal frameworks and donor compliance requirements and can be integrated into the standard assessments done for CVA.
- Data Controllers and Data Processors. The toolkit lays out considerations that have emerged with new data sources and new data laws such as the GDPR, for example, the roles of data controllers and data processors and common scenarios where these roles require definition.
- Consent and Legitimate Interest. Also linked with the GDPR is the need to determine under which lawful basis data will be collected. This has been an ongoing challenge, given the difficulty of ensuring informed, active and transparent consent in many humanitarian data collection and processing contexts. The toolkit lays out some considerations for determining lawful bases for data collection.
- Emerging issues in data collection and processing. The emergence of COVID-19 has meant that much data collection is done remotely. Know your Customer and Anti Money Laundering requirements have become stricter over the past few years. Some agencies have begun linking biometric ID and Digital ID with cash. The use of automated decision-making algorithms is also on the rise. The toolkit provides orientation for these emerging data concerns.
- Data sharing. A major challenge with CVA’s increasing reliance on coordination is data sharing among multiple partners. The toolkit lays out considerations for mitigation risks that accompany data sharing and offer some resources for developing data sharing agreements.
- Critical data incidents. The potential for harm if data is breached or leaked, whether intentional or unintentionally, or through some type of forced data sharing (for example, when enumerators or other staff are threatened with violence or other retaliation if they do not give up data) is ever present. The toolkit provides guidance on how to prepare for this type of incident.
Beyond the technical – underlying principles for good data protection
This toolkit goes beyond the technical and procedural aspects of managing data responsibly, safely and efficiently. It goes further by describing the underlying approaches, principles and ways of working that support the safe, ethical and effective management of data.
Listen to Linda Raftree’s @meowtree top three tips for how your organisation can better handle its humanitarian data. For more advice and insights come to our “Data Simplified, Protection Amplified” webinar on March 11 – register here https://t.co/hmrX3RfRyK pic.twitter.com/FfdwPKUwz2
— CaLP (@calpnetwork) March 4, 2021
To source this information, we spoke with over forty CVA practitioners from different organizations and a cross-organization advisory committee. Some of the key points we heard were that:
- Data responsibility is about more than just data. Personal and sensitive data have become a commodity that is used by different actors for all kinds of purposes – those that help and those that harm. A whole ecosystem has grown up around data collected and processed through CVA. Data can confer power and economic benefit to those who handle it. It is critical for practitioners to understand the political economy of data.
- Data responsibility requires contextualization, creativity, capacity and collaboration. Different organizational mandates and motivations, power dynamics and levels of skills and knowledge are at play. Practitioners need to find agile and adaptive ways to mitigate risks and harms associated with data, especially in conflict-affected or fragile contexts. Protecting data can sometimes put humanitarian staff and frontline workers at risk.
- Data responsibility is not a solo activity – it requires well-rounded teams. Different parts of an organization and multiple types of expertise are needed to ensure data protection and to mitigate potential data-related harms in CVA. Technical skills such as information security, data systems administration, data analysis and architecture; legal and business administration, and compliance are needed, as well as an understanding of finance; gender, inclusion, protection and safeguarding. Soft skills like negotiation and consensus-building and also key.
The toolkit and accompanying case studies are now available
In summary the ‘Data Responsibility Toolkit’ offers a ‘gold standard‘ to which organizations should aspire to reach in their handling of data and identifies both legal and ethical implications of data treatment – it also provides steps that can be taken to reach that standard.
Accompanying the toolkit we have also published two case studies. One shines a spotlight on remote digital targeting approaches within a pandemic context, and the other at issues of data sharing with government authorities.
Taken as a collection, these resources provide you with the tools and information you need to significantly improve data responsibility in your CVA work.
The case studies and the toolkit are available on the CALP Network’s website now.
In the Photo: A cash recipient’s thumbprint is recorded at a WFP cash transfer point in Dagouji, Zinder, Niger. Credit: WFP/Simon Pierre Diouf. July 2019.