Technology and the internet play a significant role in our daily lives, and protecting personal information has become a growing concern. In the social sector, the collection and handling of sensitive information from hundreds and thousands of beneficiaries and stakeholders must be done with the utmost care. As a tech company that creates technology for the social sector, we strive to protect the personal information of individuals and communities we work with every day. One of our priorities during the process of developing systems for different organizations is to ensure that those systems are secure. Let’s dig deep into what data privacy actually means and how we can protect the personal information (PII) of our subjects
Data Privacy revolves around how we collect, store and share our data and being in the social sector, the data of hundreds and thousands of beneficiaries and stakeholders is collected hence it is important to keep in mind data privacy at all times.
Being mindful of what data is being collected? And why?
The moment we decide to collect information on our beneficiaries, stakeholders, volunteers, etc. we have to be vigilant about what kind of data is being collected.
Organizations should always clearly communicate to individuals and communities how their personal information is being collected, used, and shared. Provide them with the opportunity to opt out or provide consent for the collection and use of their personal information. You can look at the following list of questions to keep a check that you are making sure the subject is informed and given consent to data collection:
- Have you informed the data subjects about the specific purposes for which their personal data will be used?
- Does your organization have a privacy policy in place for its staff (e.g. employees, contractors and volunteers)?
- Are there visible signs or notices informing data subjects that their data will be collected?
- Is consent the basis for processing personal data? If so, is the consent process compliant with the relevant requirements?
- If you rely on consent, are data subjects told that they can withdraw their consent at any time and do you have a process for dealing with withdrawals of consent?
Limit data collection to what is necessary. Only collect the personal information that is necessary for the specific purpose for which it is intended. Avoid collecting unnecessary information, which increases the risk of a data breach. In general please try & stay away from KYC data, GPS location, and mobile numbers unless it is required for a specific purpose.
Instead of focusing on data collection formats, start from what you want to analyse for decision-making and then only collect data points which are absolutely important.
Technical and Organizational measures to protect the data being collected!
Organizations that work with vulnerable communities must ensure the security of their beneficiaries’ personal information. Here are some measures that could be taken to ensure the secure storage of data:
- Encryption: Encrypting personal data is an effective way to protect it from unauthorized access. This can be done by using industry-standard encryption algorithms such as AES or RSA.
- Secure Storage: Personal data should be stored in a secure location, such as a secure server or a cloud-based storage solution with proper access controls. This will ensure that only authorized personnel can access the data.
- Access Controls: Implementing strict access controls is crucial for secure data storage. This includes setting up user accounts and permissions, as well as regularly reviewing and revoking access as needed. Organizations can implement role-based access control- a security technique that allows access to resources and data based on the role or job function of the user, rather than their individual identity.
- Data Backup: Regularly backing up personal data is important in case of any data loss or breaches. The backup should be stored in a secure location and protected with encryption.
- You may also need to check any specific state-specific data privacy or storage guidelines. For eg: In India, data collected from Indian citizens should reside in Indian territory (Data centres should be based out of India)
- Regular monitoring and auditing: Regularly monitoring and auditing data storage systems for any security breaches or vulnerabilities can help identify and address any potential issues.
- Adherence to OWASP guidelines & general VAPT assessment always helps.
It’s important to note that these are just a few examples of measures that can be taken to ensure the secure storage of personal data. Organizations should work with legal and privacy experts to ensure that they are compliant with all applicable laws and regulations related to data protection.
