Lesson 2.4 Personal Data Protection
At the end of this lesson, learners will (be able to):
Understand the way personal data protection regulations impact the collection, management and storage of farmers’ personal data
Identify the rights and duties of organizations collecting personal data
Identify the actions needed to protect personal data
Profiling farmers and capturing farm-level data is an essential step towards building services that are critical for smallholder farmers to increase their production and their income. As presented in Unit 1, this profiling activity can be conducted by different types of actors such as agribusinesses, farmers’ groups, cooperatives or ICT service providers. This activity is about collecting and storing data about farmers and farms that are, by their nature, classified as personal data. In many countries, the collection, storage and management of personal data is regulated by specific legislation at the national, regional and/or continental level. Even in countries where there is no regulation on this matter, the international trend shows that more and more countries are moving towards adopting such legislation, particularly with regard to electronic communications. Finally, some examples have demonstrated that the implementation of personal data protection (PDP) measures, beside its ethical dimension, is also a powerful way to develop trust between farmers and organizations collecting and managing farm-level data. It is therefore strongly recommended for anyone implementing a farmer profiling platform or farmers’ registry to implement best practices and common approaches to personal data protection, even when the country-specific law does not make those approaches mandatory.
This section will present the core principles of personal data protection legislation, the obligations that organizations collecting personal data have to follow, and the best practices that should be implemented.
A common description of personal data is all information that can be attributed to a living individual person. Data is also considered personal if it can be combined with other data to make attribution to living individuals possible. This information can take various formats, such as an identification number (e.g. social security number) or one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity (e.g. surname and first name, date of birth, biometric data, fingerprints, DNA…). Based on this definition, the process of collecting farmers’ data, as soon as it includes elements such as a name, phone number, address or GPS coordinates, falls into the category of processing of personal data. Figure 1 below shows the types of data classified as personal.
Personal data protection is commonly defined as laws designed to protect citizens’ personal information. As of 2018, 120 countries around the world have data protection/privacy laws and 40 other countries have pending bills or initiatives (source). The map below (Figure 2) gives an overview.
Two further points are important to note:
Even in countries without a specific national regulation, some regional, continental or international treaties ratified by the country may provide a legal framework for personal data protection. Some of the most well-known treaties include:
(a) Convention 108 “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” from the Council of Europe, ratified by 55 countries;
(b) African Union “Convention on Cybersecurity and Personal Data Protection”, ratified by 14 countries;
(c) CEDEAO additional act A/SA.1/01/10 on Personal Data protection within CEDEAO (Economic Community of West African States).
Most regulations apply to both electronic and paper-based collection and management of personal information. For example, a farmers’ organization may have kept track of its members’ details on paper for decades and may not have realized that such a repository falls under PDP legislation that was enacted in the meantime; the farmers’ organization is now infringing the law and risks the penalties provided for in that law.
Each country that has adopted a form of personal data protection legislation has used its own template and wording. However, there are numerous commonalities that appear in all laws, and some elements that appear in several laws when the legislation is more protective. The paragraphs below summarize these commonalities and additional elements.
It is important to note that the personal data protection landscape is currently evolving very rapidly all over the world. This evolution is triggered by two main factors:
The EU General Data Protection Regulation: the European Union enacted a new regulation, the EU General Data Protection Regulation, that came into force on 25 May 2018. As the EU states, “The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation fundamentally reshapes the way in which data is handled across every sector, from healthcare to banking and beyond.” This new regulation is now serving as a reference for many countries and they are updating their older legislation to meet this new standard now perceived as the most protective regulation for citizens.
The numerous cases of illegal exploitation of personal data collected by major companies (Facebook, Google, etc.) and used by international firms and governments for unethical activities. The most well-known recent case is the Cambridge Analytica story, where the personal data of millions of Facebook users was used for political advertising purposes. Similar, but more farmer-related, examples include the use of farm-level data (e.g. availability of specific commodities) by intermediaries that are able to maximize their profit in business matching thanks to information on the location and availability of goods.
These factors are now creating a momentum for all countries to adopt or update their personal data protection regulations.
The following elements are the core of any personal data protection legislation.
Scope of the law: PDP legislation always covers data collection and exploitation. The term ‘processing personal data’ usually used in legislation covers any activity related to the collection, storage and use of personal data. For example, if a farmers’ organization collects and stores farmer profiles and shares this information with an ICT service provider, it must obviously comply with PDP legislation. But an ICT provider that has access to and uses personal data, even if it does not directly collect it, must also comply with the PDP legislation and, for example, must obtain the individual’s consent for any further sharing or use not covered by the consent originally given.
The need to make explicit the data to be collected: an organization collecting personal data must inform the person involved of the list of information that has been collected, explicitly or not, and stored. Some information may indeed be explicitly requested during an interview (e.g. name, commodity grown, etc.), but some information is not explicitly captured (e.g. address or GPS coordinates that could be filled in automatically or by the collector without asking the person directly). The person must therefore be informed of all the information collected[1].
The need to make explicit the purpose of the collection: the person must be informed about the purpose of the collection and the use that the organization collecting the information will make of it. From country to country there are differences in the level of detail required for usage. Some legislation requires a detailed description of usage, which does not allow any other application without a renewed consent. Under other legislation the description of use can be a wide-open statement (e.g. the information will be used to design and build services for the surveyed farmers). It is obvious that the latter does not bring much confidence to the person; the current trend (e.g. with GDPR) and the recommended best practices favour the former.
The need to make explicit the data sharing policy: the organization collecting the data must make explicit its sharing policy. From country to country there are differences in the level of detail for the sharing policy. Sometimes legislation requires a detailed description of the list of third parties that will have access to the data, the part of the data they will have access to and their usage of the data. A change of usage, of data access level or of the list of third parties will require a renewed consent. Under other legislation the description of the sharing policy can be a wide-open statement (e.g. the information may be shared with any third party that has the objective of designing and building services for the surveyed farmers). It is again obvious that the latter policy does not bring much confidence to the person. There is a trade-off to ensure that individuals can provide their informed consent, to ensure the maximum impact of the data collection, and to support the emergence of new innovative services without requiring massive investment in renewing consent. As a best practice, it is recommended that different categories of actors are identified (public agencies, ICT service providers, financial institutions, …) and a specific sharing policy with a rationale is explained to the person. The GDPR is aligned with this approach and requires that each data use-case is individually presented and agreed by the person.
The need to collect explicit informed consent: people providing their personal data must explicitly give their consent for usage and sharing. Some legislation, like GDPR, forbids a global consent and requires individual validation in each case. Most legislation requires that the presentation of the data usage and sharing is done in understandable and intelligible terms. The organization doing the collection must ensure that the person gives an informed consent.
The need to protect collected data: all legislation requires that an organization collecting and storing personal data put in place all measures to protect the personal data along the whole chain from the data collection point to the central repository and on to the third-parties where the data is accessed.
The need to offer a means of verification and update: all legislation requires that an organization collecting and storing personal data put in place a means for people whose details are collected to query the organization to know about all the data the organization stores about themselves. Anyone whose details are stored has the right to know what those details are and has the right to update them.
Apart from the provisions listed in the previous section, which appear in most PDP legislation, there are other elements that appear in a significant amount of legislation. In particular, it is worth mentioning the following:
Official declaration: much legislation establishes an independent authority to control data processing by public and non-public organizations and to impose fines. When such an authority is established by law, that law also usually makes the declaration of any personal data collection or processing mandatory. The authority provides official forms and processes to be followed for this declaration.
Opt-out mechanism: much legislation requires an entity collecting data to offer a mechanism for people who were recorded to opt out of the repository after the data collection. The person has the right to request to be deleted from the entity’s storage.
Security breach report: when legislation establishes an independent authority, it is usually mandatory to report to this authority any security breach that may have led to unauthorized access to personal data. Some legislation even requires that the entity informs individuals whose details have been accessed.
PDP legislation creates obligations and duties for organizations collecting and managing farmers’ data. In countries where such legislation applies, it always includes penalties and sanctions for entities infringing the law. Those penalties provide a strong incentive for organizations to comply with the law. In countries where there is no legislation, organizations profiling farmers are strongly encouraged to implement the measures presented below for two main reasons:
The quick evolution of the PDP landscape across the world is likely to lead to all countries adopting such legislation in the next decade. While the implementation of PDP measures in the design of a farmer data collection project does not bring extra costs, the implementation of such measures at a later stage is far more costly. Indeed, not only does it require all the platform components (data collection forms, central repository, etc.) to be updated, but also means that a new complete data collection for all members in the repository is required.
The implementation of PDP measures has significant benefits for the data collection task. Indeed, farmers are nowadays reluctant to provide accurate farm data without understanding why these data are collected and with whom they will be shared (e.g. for tax risks, etc.). The trust relationship induced by the implementation of PDP measures is a critical success factor for such tasks. The following video, https://vimeo.com/262555014, about a farmer profiling project in a tea factory in Uganda illustrates this point.
The measures to comply with PDP regulations (or to implement best practice) spread over the different stages of the creation of any data collection & exploitation project:
Stage 1: design of the data collection process
Stage 2: data collection
Stage 3: exploitation of data collected.
They also apply to the different actors that a data collection and exploitation project usually involves:
the organization responsible for the repository of information (e.g. a farmers’ organization or a cooperative)
the technical partner in charge of implementing the ICT elements[2] (mobile data collection tools, central repository application, …)
the data collectors who are in direct contact with people from whom the personal data are collected
third parties accessing the repository of information for reuse.
Sometimes one actor has two roles, e.g. the organization in charge of data collection has ICT capacities and doesn’t need a technical partner. However, this set of actors is the most common in real-life projects.
The preparation stage is usually the most important phase and also the heaviest in terms of measures to implement. After the list of data to be collected is finalized, the following steps have to be implemented:
Official Declaration: If the law requires it, the first action is to fill in the official declaration and submit it to the authority appointed by the law.
Memorandum of Understanding (MoU) with Technical partner(s): Before any activities are started, there is usually an MoU signed between the organization in charge of the data collection process and the technical partner. This MoU must have a few specific sections:
A section on data ownership: the MoU should explicitly give full ownership of the data to the organization in charge of the process. The technical partner should explicitly agree not to use the data it will have access to in its own commercial interest or to share it with third parties without the consent of the organization. Data reuse by the technical partner(s) should follow the same rules and processes as all other data sharing agreement between the organization in charge of the farmers’ data and third parties interested in accessing and using the data.
The technical partner should explicitly commit to raise awareness and train those of its staff assigned to the project on the sensitivity of personal information, and the need for complete confidentiality.
Sometimes the technical partner is aware of the administrative procedures that are required in the country. The MoU may therefore assign the execution of the official declaration to the technical partner, on behalf of the organization in charge of the data.
Data collection and sharing agreement: One of the key steps in PDP is to inform individuals about the rationale for the data collection, the information to be collected, and the data sharing agreements with third parties. In order to address these three points, the most efficient approach is to design a data collection and sharing agreement that integrates these elements and is then presented to each person whose personal data are collected. The agreement must be written in simple and clear terms (and not in legal jargon) so that it is easily understandable for the person involved. For data sharing aspects, there is a trade-off to make. It is neither practical nor efficient to list all organizations that will have access to the information, because any new third-party agreement would require an update of the agreement and a new capture of consent on the new version. However, to develop trust it is critical to explicitly identify the different categories of actors that are considered, such as public agencies, extension service providers, financial institutions, etc., and the authorized uses of information for each of these actors.
Data access and verification: The organization in charge has to implement a process for anyone to be able to access and update all the data about him/herself and his/her business. The process should be clearly stated in the data collection and sharing agreement and should be easily accessible to people. One easy way to implement this process is the provision of a phone number to call to access data and provide updates.
Opt-out procedure: As a best practice (or required by the law), the organization in charge should implement a process for anyone to opt out from the repository. The process should be clearly stated in the data collection and sharing agreement and should be easily accessible to people. An easy way to implement this process is the provision of a phone number to call to opt out.
Data collection form: The data collection form (paper or digital) should include specific questions:
an explicit capture of the fact that the person was given a detailed presentation of the data collecting and sharing agreement and understood it;
an explicit capture of the consent of the person to participate in the data collection;
it is also recommended to add a question capturing the fact that the person understood how to opt out from the process.
Training of organization staff: to ensure that they understand the importance of protecting people’s privacy the staff of the organization in charge of the repository should be trained about the sensitivity of personal data and the need for confidentiality. If the local PDP regulation defines penalties and sanctions, they should be included in the training.
Training of data collectors:
Data collectors should also be trained on the sensitivity of the personal data and the need for confidentiality, similarly to organization staff. In the case of paper-based collection, specific paper protection measures should be included. In the case of ICT-based collection, the training should include measures to protect the equipment, the need to notify the organization as soon as a breach is detected, and the importance of not sharing access logins.
Data collectors should also be specifically trained on the presentation of the data collection and sharing agreement, which is the cornerstone of the PDP.
Protection of mobile equipment: for ICT-based data collection, the software and the mobile equipment used must implement basic protection features. This includes:
The use of a login/password to access data on the equipment. Many data collection tools do not require the authentication of the data collector; the central repository authenticates only the mobile equipment. Such an approach should be banned. In such situations, if a data collector loses their mobile equipment, anyone finding it can access the personal data already collected and available on the tablet and could even pollute the central repository by sending bogus data. Even if the login process is cumbersome, it is an essential security element. The login should also include an automatic logout after a period of inactivity.
The ability to remotely erase the equipment: all modern equipment nowadays offers a mechanism for remotely erasing all the data it holds after the equipment is lost or stolen. Operating systems like Android or iOS offer users an option to declare their equipment lost, and at the next online connection the equipment can be erased and blocked. However, such functionality has to be installed and activated before it becomes available. The equipment therefore has to be prepared accordingly before being provided to data collectors.
Central repository requirements: The central repository where all data is stored should also implement a series of specific measures (these measures are only related to PDP; there are obviously other requirements, such as those described in lesson 1.2). These requirements include:
The implementation of different access levels: it is critical to ensure that specific people access only the information they are supposed to. For example, a data collector should be able to access only the data about the people they survey. The central repository should therefore implement a multi-dimensional access mechanism to ensure that various categories of people can use the repository of information but access only the information they are authorized to access (and described as such in the data collection and sharing agreement). The access level should at least integrate the following dimensions:
Per category of information: the repository should allow access to only a subset of an individual record. For example, access may be granted to production details but not to individual details (name, phone, gender, etc.).
Per criteria on the individual record: the repository should grant access to a subset of all records based on specific criteria (geography, gender, commodity, etc.).
The monitoring of access and detection of security breaches: The central repository should put in place monitoring processes to detect unusual activities and detect proactively any security breach.
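As an added illustration (not code from the lesson or from any project it describes) of the two access dimensions just listed, together with a simple access monitor, the Python sketch below applies a per-role policy to a farmer registry. The role names, field categories and sample records are constructed assumptions; a real repository would enforce the same two dimensions in its database or API layer.

```python
from dataclasses import dataclass
from typing import Callable

# Field categories of a farmer record (constructed for this example).
CATEGORIES = {
    "identity": {"name", "phone", "gender"},
    "location": {"district", "gps"},
    "production": {"commodity", "hectares", "yield_kg"},
}
ALWAYS_VISIBLE = {"id"}  # record key; the collector assignment stays hidden

# Constructed sample registry: two data collectors, three farmers.
REGISTRY = [
    {"id": 1, "collector": "C1", "name": "A. Farmer", "phone": "+000 111", "gender": "F",
     "district": "North", "gps": "0.0,0.0", "commodity": "tea", "hectares": 1.5, "yield_kg": 900},
    {"id": 2, "collector": "C1", "name": "B. Farmer", "phone": "+000 222", "gender": "M",
     "district": "North", "gps": "0.1,0.1", "commodity": "maize", "hectares": 2.0, "yield_kg": 3000},
    {"id": 3, "collector": "C2", "name": "C. Farmer", "phone": "+000 333", "gender": "F",
     "district": "South", "gps": "0.2,0.2", "commodity": "tea", "hectares": 0.8, "yield_kg": 500},
]

@dataclass(frozen=True)
class Policy:
    """One access level: the role, the field categories it may read (first
    dimension) and the criteria a record must meet to be visible (second)."""
    role: str
    categories: frozenset
    record_filter: Callable[[dict], bool]

def allowed_fields(policy):
    """Union of the fields in every category the policy grants."""
    return ALWAYS_VISIBLE.union(*(CATEGORIES[c] for c in policy.categories))

def query(policy, audit_log, registry=REGISTRY):
    """Apply both dimensions: keep only matching records, then project each
    one to the permitted fields. Every call is appended to the audit log."""
    fields = allowed_fields(policy)
    visible = [{k: v for k, v in rec.items() if k in fields}
               for rec in registry if policy.record_filter(rec)]
    audit_log.append({"role": policy.role,
                      "ids": [rec["id"] for rec in visible],
                      "fields": sorted(fields - ALWAYS_VISIBLE)})
    return visible

def unusual_access(audit_log, max_records_per_role):
    """Flag audit entries where a role read more records than it normally
    should: a simple threshold check standing in for the repository monitor."""
    return [entry for entry in audit_log
            if len(entry["ids"]) > max_records_per_role.get(entry["role"], 0)]

# Assumed roles mirroring the lesson's examples: a collector sees every field,
# but only for the farmers they surveyed; a tea buyer (third party) sees
# production and location, never identity details.
COLLECTOR_C1 = Policy("collector", frozenset({"identity", "location", "production"}),
                      lambda r: r["collector"] == "C1")
TEA_BUYER = Policy("buyer", frozenset({"location", "production"}),
                   lambda r: r["commodity"] == "tea")

if __name__ == "__main__":
    log = []
    for rec in query(COLLECTOR_C1, log):
        print("collector sees:", rec)
    for rec in query(TEA_BUYER, log):
        print("buyer sees:", rec)
    # A misconfigured collector policy with no record filter reads every record.
    query(Policy("collector", COLLECTOR_C1.categories, lambda r: True), log)
    print("flagged:", unusual_access(log, {"collector": 2, "buyer": 100}))
```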
At the data collection time, when all elements are in place, the most important tasks to conduct before starting the data collection are:
the presentation of the data collection and sharing agreement
the capture of explicit consent during the data collection process.
The data collection should then start only after those steps are completed.
Finally, when the repository of information is populated, the organization in charge of the repository may grant access to third parties for them to exploit and reuse the data. At that stage, the most important element is the MoU with each third party that must include some specific paragraphs:
The MoU should include the authorized usage of the information (the piece of information that will be used, the rationale and objectives). These elements have also to appear in the data collection and sharing agreement.
The MoU should explicitly forbid the third party to share with any other parties the information, or to publish the personal information.
The MoU should explicitly require the third party to raise awareness and train its staff accessing the information on the sensitivity of personal information, the need for complete confidentiality and the associated legal risks and penalties.
The MoU should explicitly require the third party to report any security breach.
The aim of this section was to raise awareness of personal data protection legislation, which impacts any actor collecting, accessing and processing identifiable farmers’ data. Entities such as farmers’ organizations, cooperatives or ICT service providers may inadvertently infringe such legislation through lack of awareness of its existence, of the duties it imposes on them, and of the risks (penalties) they face. At the same time, personal data protection legislation also offers opportunities to develop a trust relationship between entities and farmers that then leads to greater engagement and greater impact. Given the rapid change in the personal data protection landscape, and given these opportunities, it is recommended that organizations, even in countries without legislation, implement the personal data protection best practices that span from MoUs between partners to data collection operational processes. These measures are particularly relevant to farmer profiling platforms as presented in Lesson 1.2.
African Union, Convention on Cybersecurity and Personal Data Protection, https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf
Banisar, D. 2019. National Comprehensive Data Protection/Privacy Laws and Bills 2019, (Article 19), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416
CEDEAO, additional act A/SA.1/01/10 on Personal Data protection, https://www.afapdp.org/wp-content/uploads/2018/06/CEDEAO-Acte-2010-01-protection-des-donnees.pdf
Council of Europe, Convention 108 and Protocols, https://www.coe.int/en/web/data-protection/convention108-and-protocol
Owoyesiga, H. 2018. Video: Value of Data Sharing Agreement in farmer profiling at Igara Growers Tea Factory Ltd., Uganda, CTA, Wageningen, Netherlands. https://vimeo.com/262555014
[1] It is important to note that the level of detail depends on each legislation. In some legislation, information is defined in broad terms such as household information, or production information. In some others, each piece of information must be explained.
[2] Note that most of the recommended measures in the sub-sections below are related to the case of a digital ICT-based repository where all information is centralized in a software platform. Some specific measures apply to specific cases when the data is collected using a mobile application or when the central repository is online.