Earlier this year, CaLP, the ICT4D Conference, and the Grand Bargain Cash and Risk sub-workstream brought together humanitarian practitioners for a lively discussion on data protection challenges in the cash and voucher assistance (CVA) space. The main objectives of the webinar were to introduce and get acquainted with CaLP’s newly minted “Data Responsibility Toolkit: A Guide for CVA Practitioners” and the IFRC’s “Practical Guidance for Data Protection in Cash and Voucher Assistance”. Also, the webinar aimed to dispel myths around data responsibility and to discuss concrete approaches to responsible data management. This reflection is inspired by the excellent conversations that took place during the webinar when looked at through a partnership lens.
This event fell on the one-year anniversary of the declaration of the COVID-19 pandemic, which wasn’t intended; however, it is somewhat appropriate given the scale-up of CVA and the accelerated use of digital platforms over the last year. We’re seeing humanitarian needs rising in a way that was really hard to imagine just a year ago. CVA has become an increasingly important tool in the humanitarian toolbox and alongside this growth during COVID times, we’ve also seen an increased emphasis placed on social protection. According to Ugo Gentilini, global lead for social assistance at the World Bank, “this growth amounts to more than 1,400 social protection measures, of which about one-third took the form of cash transfers reaching over 1.1 billion people, or 14% of the world’s population. Relative to pre-COVID levels, cash transfer benefits nearly doubled, and coverage grew by 240%, on average” (World Bank).
Needless to say, it’s massive. So, within these trends it becomes absolutely critical to talk about data protection. While this topic is cross-cutting and not unique to cash transfers, when cash is digitized or we move to digital payments, it contains so many of the data protection components that we are most concerned about. As humanitarians, it is our core accountability to do no harm, and simply put, data protection IS protection from harm. Data responsibility is top of mind for humanitarians around the world and the cash community has continued to be a leader in this space like it has in so many others. At the outset of this webinar, many people may have been thinking “more guidance on data responsibility? The cash community already has quite a lot of this!” but with this increase growth comes increased complexity. In order to be able to navigate the emerging challenges, as well as the better understood ones, guidance must be updated and expanded upon when necessary.
Introducing the Guidance
The new IFRC guidance that was released in January of this year is specific to data protection in CVA and is meant to be practical guidance on data protection for cash practitioners. The IFRC guidance is seen as a complement to the CaLP Data Responsibility Toolkit, as the CaLP guidance covers a much broader range of topics while the IFRC guidance focusses on data protection more specifically. There is a level of trust in humanitarian organizations that can at times be quite fragile. This is why awareness and education are so immensely important – so that staff, volunteers, and other cash stakeholders are able to ensure their responsibilities in safeguarding beneficiary data. At the end of the day, both sets of guidance are not meant to scare or intimidate, but rather raise awareness to the potential risks that exist so that informed decisions and proper action can be taken.
While the need for more guidance on a growing topic makes sense, the case studies presented after the guidance discussion proved to be quite enlightening as far as the power partnerships can have in shaping the data responsibility conversation. For instance, one of the big questions that came up in the drafting of CaLP’s data responsibility guidance was around data sharing and how there are lots of power dynamics happening across agencies. Based on the case studies presented, it seems best practice to put data specific agreements in place with all organizations involved during the program design phase. For example, data processor agreements between partners and counterparts.
Partnership in Data Responsibility
From the financial service provider (FSP) / data processor perspective, one must ensure there is clarity on what the responsibilities are for both internal and external counterparts. This is true of most partnerships as far as clarifying roles and responsibilities but is much more important when it deals with beneficiary data. When dealing with individual versus multi-actor engagements, it is best to have a lot of up-front discussion on project structure, procedure, duties, etc. to help structure responsible data flows. Essentially, you want to design for data responsibility. This is exemplified by the case study from GiveDirectly.
In their example, GiveDirectly used a non-traditional approach to assess and target vulnerable people for cash transfers in Togo using machine learning. The work was carried out in partnership with GiveDirectly, the Government of Togo, UC Berkeley, and the telecoms companies in Togo. Essentially, GiveDirectly used data on user behavior from telecoms companies to target and pay more than 30,000 people living on less than $1.25 a day. The goal of this activity was to benefit a large number of people without needlessly compromising their personally identifiable information. The key to their success was having strong agreements in place before the outset of the program, however sometimes the particular context or atmosphere of the country where you hope to work may prevent this from happening – as can be seen in the case from the Cash Consortium Yemen (CCY).
In Yemen, there are multiple authorities and governments operating simultaneously which makes it near impossible to have everyone at the table during the program design phase. What data protection means in Yemen could be quite different to what it means in a place like Togo for instance. Another leading takeaway can be seen here in that context is king. What works in one country may not be the best solution for another. There is no one-size-fits-all solution! Sometimes other organizations or local authorities/governments dictate what can be and is collected, and in these cases constant negotiation is a must.
More importantly, the example in Yemen highlights several important issues to consider with partnerships in data protection. In Yemen they might not be allowed to operate if the CCY does not share certain datasets with the government, and as humanitarians they must decide what their red lines are as far as what they are willing and not willing to share. In situations like these, cash practitioners must walk a fine line over what is your limit of information sharing versus the delivery of assistance as fast as possible. On the whole, one must weigh the risks of data sharing against the potential impact that could be made.
This becomes particularly relevant in a country like Yemen where there are 22 million people in need with a context that keeps evolving. In Yemen, CCY wrestled with the tough question on how best to protect the data being gathered by themselves and their partners so that it does not fall into the wrong hands and cause problems. They looked at targeting, how they store beneficiary data, and how referrals work between each organization in order to determine the best way forward to protect that circle of information to ensure the delivery of assistance the safest way context allows. When considering all of this, there eventually comes a time when, as an organization, consortium, etc., a go- or no-go decision must be made. In Yemen, all humanitarian actors had to come together and discuss these issues as it cannot be dealt with at an organizational level or even a consortium level. While having all actors at the table to discuss data protection may be a bit of a pie in the sky dream, a consortium or partnering organizations will have much more negotiating power with authorities than would individual organizations.
Catholic Relief Service’s Position on Data Protection in CVA
CRS uses a beneficiary data and financial management tool called the Cash and Asset Transfer (CAT) Platform for providing CVA. The CAT Platform is built on the RedRose ONEPlatform operating system and customized for CRS (RedRose is the software developer, CAT is CRS’ software). The CAT platform handles a lot of sensitive information that, if accessed by the wrong people, could put CRS beneficiaries, partners, and programming at risk. CAT is designed to reduce risks and protect sensitive data. CAT uses a 3-tiered method to reduce risks and protect sensitive data. First, through “security by default,” CAT includes many back-end security features built into the system by RedRose, the software developers, including data protection customizations built for CRS. Second, CRS established a set of policies, procedures, and best practices for programming that hold us accountable to data protection and beneficiary privacy. Finally, each program using CAT is encouraged to self-assess threats to data in their context and establish an action plan to mitigate risks.
In sum, the discussions that took place during this webinar highlighted several aspects of partnership and collaboration as it relates to data responsibility in the CVA space and beyond. Trust between agencies is a challenge, particularly when policies differ on what data is shared and with whom. As an organization, you can follow all of the best practices in the world but when sharing data with partners there is no guarantee that it will be kept confidential or used inappropriately – often data is highly abused. Keeping in mind that context is king, with so many stakeholders involved in CVA the best advice is to be upfront and communicate constantly throughout the entire lifecycle of one’s data. This serves to highlight the importance of strong partnerships in the CVA space and beyond, and why partnerships have been the key theme to CRS’ ICT4D Partnerships Conference.
It is the responsibility of us all as humanitarians to start, continue, and expand these conversations within our own respective organizations!
The above is based on the CaLP webinar titled “Data simplified. Protection amplified. An essential conversation for CVA practitioners” that took place March 11, 2021. I certainly didn’t come close to covering everything, so don’t miss out on the whole conversation! You can find the recordings in English and Spanish here!
Paul S. Wiedmaier
ICT4D Knowledge Management & Communications Specialist
Catholic Relief Services (CRS)