“First, Do No Harm” — Privacy, Data Security, and the POPI Act
Civic Tech Innovation Network Workshop: Tshimologong Precinct, 19 July 2017
Doctors have to follow a rule that before they help others, they must first make sure that they do not harm them. We believe people working in civic tech should adopt a similar approach concerning personal data. Many civic tech projects gather personal data from people. In South Africa, crowdsourcing initiatives like Yowzit, or community monitoring projects like the one run by Black Sash, collect personal information. Other platforms like Amandla.mobi and Grassroot help people organise campaigns and communicate with each other. In these cases and many others, we need to ask important questions about privacy and data security: What information do we collect from our users and partners? What do we use it for? How do we secure it? What is our data retention policy? And finally, how well do we inform the people whose data we hold about our answers to these questions?
[Update: Book tickets here: https://www.eventbrite.com/e/first-do-no-harm-privacy-data-security-and-the-popi-act-tickets-35976323151]
For a community so intrinsically concerned with transparency and accountability, this gap indicates a worrying lack of self-awareness and policy maturity, and potentially puts people at risk. As Berdou and Shutt write in their report:
“[I]n the age of big data, where information about citizens can be collected and combined from many different sources — including website cookies and social media accounts — careless data handling can render citizens vulnerable to data profiling and targeting (Solove 2004; Gandadharan 2012).”
Beyond the ethical implications, there is also a legislative requirement. The Protection of Personal Information (PoPI) Act compels all South African institutions to behave in a responsible manner when collecting, processing, storing or sharing people’s personal information. Institutions will be held accountable — in the form of fines and legal censures — for any abuse or compromise of their customers’, users’ or clients’ personal information. Ignorance is not a mitigating factor.
We will share more information about the event in our next newsletter and via our Facebook page soon.
[Update: See the confirmed speakers, and book tickets here: https://www.eventbrite.com/e/first-do-no-harm-privacy-data-security-and-the-popi-act-tickets-35976323151]