There are no universally recognised data protection standards, but regional and international bodies have created internationally-agreed-upon codes, practices, decisions, recommendations, and policy instruments. The most significant instruments are:
- The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (No. 108), 1981 as amended in 2018;
- The Organization for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data (1980) as amended in 2013;
- The Guidelines for the regulation of computerized personal data files (General Assembly resolution 45/95 and E/CN.4/1990/72).
Other regional frameworks also exist, including the APEC Privacy Framework – Asia-Pacific Economic Cooperation. And some data protection laws have extra-territorial reach, for example the European Union General Data Protection Regulation (GDPR) applies to controllers and processors who aren’t based in the EU, as long as they are processing the data of people who are in the EU, and that processing relates to the offering of goods or services in the EU, or amounts to monitoring their behaviour.
Where a comprehensive data protection law exists, organisations (public or private) that collect and use personal data have the obligation to handle this data according to this law. Please therefore refer to your own jurisdiction’s laws, but this section provides an overview of the various things to look out for. However this is not an exhaustive list of all potential data protection concerns – for fuller guidance on data protection, please refer to our full guide.
i. Data sources
The very first step in assessing data processing by a technology is to understand where the data is collected, i.e. where it comes from. You may have identified this at the stage of assessing the technology’s data collection/capture system (see tech investigation above), but can supplement this analysis with any documentation about the technology or partnership (e.g. contracts, MoUs, Data Protection Impact Assessments, Data Processing Agreements…), and consider any:
- Datasets/databases that will feed into the technology
- Lists of data subjects or categories of data subjects whose data will be processed (e.g. general members of the public, suspects, victims or witnesses of crime, individuals who live in X area…)
- Sources of data (e.g. will data come from any existing databases, or from particular government departments, authorities?)
Once you understand where the data comes from, you should assess whether the data collection or sharing is lawful (i.e. is it authorised by a lawful basis such as consent of the data subject, or a legal obligation to share this data), and whether this lawful basis is explicitly stated in the documentation. Lawfulness of data collection will depend on the jurisdiction to which the partnership or technology is subject to.
ii. Lawfulness and fairness
Personal data must be processed in a lawful, fair, and transparent manner. This principle is key to addressing practices such as the selling and/or transfer of personal data that is negligently or fraudulently obtained.
Lawfulness means that data must be processed in a way that meets a legal ground for processing. You should assess the lawfulness of processing for each type or category of data that will be processed by the technology, and for each purpose of processing. For example, if data from a database of faces of general members of the public will be processed to cross-check against a mugshot database, you should assess (1) whether each database was compiled with a lawful ground for processing (note that this requires not only ensuring that the public authority has a lawful ground for collecting the faces in the first place (as addressed by the previous section) and building the database, but also ensuring that if the databases were compiled by a private company, it also had a lawful ground for collecting the data in the first place), and (2) whether the process of cross-checking relies on a lawful ground for processing.
The grounds for processing most commonly found in data protection laws are:
- Consent of the data subject
- Necessity of the processing for the performance of a contract with the data subject or to take steps to enter into a contract
- Necessity of the processing for compliance with a legal obligation
- Necessity of the processing to protect the vital interests of a data subject or another person
- Necessity of the processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessity of the processing for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
This is a broad principle that should govern all aspects of the processing – the collection of data, the purpose of processing, and the consequences of processing. To assess fairness, you should assess whether the authority controlling the processing has considered the reasonable expectations of data subjects in light of the context and purpose of processing, the risks to their fundamental rights and freedoms, and the general relationship between the controller and the data subjects (e.g. is there some link or relationships between the two that would make data subjects expect such processing to take place).
iii. Transparency and the right to be informed
Whether processing is fair will also depend in great part on whether sufficient transparency about the processing is provided to data subjects. Individuals should be informed when their personal data is being collected, and they must be able to obtain information about its processing. When assessing the deployment of a technology, you should identify whether and through what mechanisms data subjects are informed about the processing of their data.
At the point of data collection, and every time data will be processed for a purpose not envisaged at the time of collection, data subjects should be provided with at least the following information (both when they have provided the data directly to the controller, and when the controller has obtained it from another source):
- information as to the identity of the controller (and contact details)
- the purposes of the processing
- the lawful ground(s) for processing
- the categories of personal data that will be processed
- the recipients of the personal data
- whether the controller intends to transfer personal data to a third country and what safeguards are provided for the transfer
- the period for which the personal data will be stored
- the rights of the data subject (such as right of access, right to object, rights to rectify, block and erasure, rights related to profiling and automated decision making, right to data portability)
- the right to lodge a complaint with the supervisory authority
- the existence of profiling, including the legal basis, the significance and the envisaged consequence of such processing for the data subject
- the existence of automated decision-making and at the very least meaningful information about the logic involved, the significance and the envisaged consequence of such processing for the data subject
- the source of the personal data (if not obtained from the data subject)
- whether providing the data is obligatory or voluntary
- the consequences of failing to provide the data
- If individuals are not informed, you should assess whether an exemption to the right to be informed applies. This could be, for example, if denying the right to be informed is necessary and proportionate to prevent or detect crime, for safeguarding national security, or for health, social work, or education purposes. However, any exemption from this right should be provided for in law, and should be justified and supported by a necessity and proportionality assessment. For more details on exemptions please refer to this section of our Data Protection Guide on General Provisions, Definitions and Scope
iv. Data storage and access controls
Once you are satisfied (or not!) that the data will be processed lawfully, fairly, and transparently, you should consider where and for how long the data will be stored. The first question to ask is whether the data will be stored on servers held by the public authority, or by the company, or some other third party (e.g. a processor). You might have identified this at the stage of assessing the technology’s data storage system (see tech investigation section above). This will affect the distribution of responsibilities for ensuring security of the data and managing access controls.
Personal data, at rest and in transit, as well as the infrastructure relied upon for processing, should be protected by security safeguards against risks such as unlawful or unauthorised access, use and disclosure, as well as loss, destruction, or damage. Please refer to the tech section of this handbook for further details on what to look out for. Security safeguards should be detailed in the documentation surrounding the partnership, with clear assignment of responsibilities between the public authority, the company, and any third party.
To assess the suitability of access controls, you should consider what kind of access will the company have to data. In particular, if the data is stored on the company’s servers, you should check whether the company will have full access to the data, or whether its access will be restricted so that only the public authority has access to it. Although even if the data will be stored on the government’s or authority’s servers, the company may be granted access, so do check the fine print. Rules about access controls should be provided for in the partnership documentation, with clear and strict exceptions for e.g. emergency access, maintenance access and other.
Contracts sometimes grant companies access to data for things like “improving their services”, “performing analytics on their product’s performance”, etc. You should be wary of these and question exactly what form the company’s access will take, and whether it will effectively be benefiting from access to a public authority’s database in order to develop its own services, and thereby profit from the partnership beyond the monetary value of the contract.
v. International data transfers
You should assess whether the data storage, access or other transfer arrangements will involve data being transferred to another country (e.g. if the contracting company is located in the US). The basic principle is that any transfer of personal data to a third country should not lower the level of protection of individuals’ privacy rights. Different jurisdictions have different laws governing how a transfer to a third country can be guaranteed to be “adequate” in terms of rights protections, but you should usually check:
- Has your country/jurisdiction found that the territory where data will be transferred provides “adequate” protection for individuals’ rights (i.e. is there what is often called an “adequacy decision” in place)?
- Has the specific transfer been reviewed and authorised by a supervisory authority?
- Is there an agreement in place with standard data protection clauses approved by a supervisory authority?
Exceptions to restrictions on international data transfers may apply. If an exception is purported to apply, it should be provided for in law, and carefully reviewed so that it is not too broadly interpreted or open to abuse, and the transfer remains compliant with human rights standards.
You may consider other issues in relation to international data transfers. For example, if the data that will be transferred is highly sensitive or relating to highly vulnerable populations, even if an adequacy decision or other safeguards are in place, you may want to consider whether the receiving country has laws or practices that allows it to request the data – and therefore whether there is potential harm to individuals if this data ends up in the hands of the receiving country’s government.