The right to privacy forms the basis for exercising the freedom of opinion, freedom of assembly and freedom of association. Data privacy is an expression of the right to privacy and encompasses the protection of personal data and the right to informational self-determination. Data privacy concerns an individual’s right to decide about the use of their data and, therefore, needs to be actively considered as part of the DC’s work. You can find information about data privacy and digital security at the German DC under “Digital Privacy”.
Data privacy becomes relevant as soon as personal data, which is to say, data on a person’s age and sex, as well as their usage of applications, for example, is collected and stored. In Germany and the European Union, the General Data Protection Regulation (GDPR) is superordinate to national legislation and governs this protection of personal data. Among other things, the GDPR applies to all organisations and institutions domiciled in the EU, regardless of where the data is collected or processed. Other data privacy legislation must be observed outside of the European Union.
The Responsible Data Guidelines
Especially in developing countries, there is often a lack of local legal framework conditions guaranteeing sufficient protection of personal data in digital spaces. Local legislation on the protection of personal data has either not been developed sufficiently, or it is lacking entirely.
For this purpose, the GIZ has developed the Responsible Data Guidelines (RDG). The purpose of the RDG is to assist with orientation in development cooperation in order to guarantee sufficient data privacy in digital projects, even where there is a lack of local legal framework conditions, and to ask the right questions in these situations. The RDG are relevant especially if partner institutions that are not bound to the GDPR control personal data (which is to say, decide whether and how data is processed). For these cases, we recommend observing the RDG in addition to applying the valid local legislation. They are based on internationally recognised, general principles of data protection.
Guidelines for responsibly handling personal data
Planning: Responsible data practice should play a fundamental role during project conception and planning. On the one hand, this means considering national legal foundations and your organisation’s guidelines. On the other, it means planning processes for the project so that data is handled carefully and time and resources are given consideration – for example, for security audits or additional feedback loops.
Data collection: Inform the people concerned about the data collection and ask for their consent. This is key! Also develop clear processes for using and storing data. You need to take the following questions, among others, into consideration: Where is the data exclusively stored? And for which clearly defined period of time?
Data storage and information security: Who at your organisation is responsible if data is lost or if there are security gaps? Discuss your project with this person. Not least, the technical capacities of your partners are also essential: Do they have sufficient technical equipment and expertise? If not, you need to plan additional funds for capacity-building measures in your budget. Make sure you know what to do in the event of a serious loss of data. Develop guidelines for action before that happens.
Data usage: Anonymise data to the greatest extent possible. Only selected persons should have access to the data.
Data publication: You should plan different levels of data processing. For instance, you should share only raw data with project partners. Make written agreements with the parties that will use the data further. The risks that you perceive concerning data handling do not necessarily dovetail with other people’s perceptions. Obtain different opinions about risks before you publish data.
Data archiving: Ask about data archiving right at the beginning of the project. Otherwise, people usually forget about it. However, responsible data archiving also means only very specific data is stored for further usage. All other data needs to be deleted.
Where do we go from here? Responsible handling of data is an ongoing process, not a one-time matter of duty. Stay on the ball. Use additional resources, create structures, and establish contact people within your organisation.
The Responsible Data Guidelines guide you through the planning and implementation processes of projects and are supplemented by a toolbox with step-by-step instructions. The toolbox also contains a conversation guide that helps address personal data handling with partners. It is important to note that data privacy is context-dependent and needs to be re-evaluated in every project scenario. Responsibly handling data means respecting the rights of the people to whom the data relates and, in the process, also considering legal, ethical and security-related aspects across the entire “lifecycle” of the data in addition to privacy.
- The Responsible Data Guidelines of the GIZ
- A poster of the Responsible Data Principles
- A summary of the Responsible Data Guidelines
- A Toolbox for the Responsible Data Guidelines
- Responsible Data Handbook by The Engine Room
- Digital Security at Mediadev of Deutsche Welle
- ICT Regulatory Tracker of the ITU
- Overview of national data privacy laws worldwide
- ITU Global Cyber Security Index