“First, Do No Harm” — Privacy, Data Security, and the POPI Act

Civic Tech Innovation Network Workshop: Tshimologong Precinct, 19 July 2017

What privacy policies do you have in place to protect your users’ personal information? Picture: Maxpixel.freegreatpicture.com

Doctors have to follow a rule that before they help others, they must first make sure that they do not harm them. We believe people working in civic tech should adopt a similar approach concerning personal data. Many civic tech projects gather personal data from people. In South Africa, crowdsourcing initiatives like Yowzit, and community monitoring projects like the one run by Black Sash, collect personal information. Other platforms like Amandla.mobi and Grassroot help people organise campaigns and communicate with each other. In these cases and many others, we need to ask important questions about privacy and data security: What information do we collect from our users and partners? What do we use it for? How do we secure it? What is our data retention policy? And finally, how well do we inform the people whose data we have about our answers to these questions?

[Update: Book tickets here: https://www.eventbrite.com/e/first-do-no-harm-privacy-data-security-and-the-popi-act-tickets-35976323151]

In a recent study, “Shifting the spotlight: understanding crowdsourcing intermediaries in transparency and accountability initiatives” (PDF, 992KB), Evangelia Berdou and Cathy Shutt found that only half of a sample of 20 African and Asian civic tech projects acting as “crowdsourcing intermediaries” had a published privacy policy. Six of them failed to explain the sequence of actions that submitted information would trigger (such as whether it would be shared with governmental departments and in what format), and only two made their collected information available in a suitable format for further analysis.

For a community so intrinsically concerned with transparency and accountability, this gap indicates a worrying lack of self-awareness and policy maturity, and potentially puts people at risk. As Berdou and Shutt write in their report:

“[I]n the age of big data, where information about citizens can be collected and combined from many different sources — including website cookies and social media accounts — careless data handling can render citizens vulnerable to data profiling and targeting (Solove 2004; Gangadharan 2012).”

Beyond the ethical implications, there is also a legislative requirement. The Protection of Personal Information (PoPI) Act compels all South African institutions to behave in a responsible manner when collecting, processing, storing or sharing people’s personal information. Institutions will be held accountable — in the form of fines and legal censures — for any abuse or compromise of their customers’, users’ or clients’ personal information. Ignorance is not a mitigating factor.

Does your organisation have an internal or published privacy policy, and how far along are you in thinking about your privacy and data security? The Civic Tech Innovation Network will be hosting a morning event at Tshimologong in Johannesburg on 19 July 2017. Join us for expert advice and insightful case studies from your civic tech peers, to guide you in getting to grips with these privacy and data security issues, as well as treating citizen data with the respect it deserves.

We will share more information about the event in our next newsletter and via our Facebook page soon.

[Update: See the confirmed speakers, and book tickets here: https://www.eventbrite.com/e/first-do-no-harm-privacy-data-security-and-the-popi-act-tickets-35976323151]