(2/3) Deep dive into beneficiary de-duplication in the Nigerian context: Compliance with data protection laws

This article is the third in a series of articles I’m writing about our findings and learnings in the context of the piloting of a blockchain-based technology to address the beneficiary deduplication problem in Nigeria.

The purpose of the pilot is to test whether a blockchain-based technology can be used to detect duplicate beneficiaries in Nigeria. The technology was previously piloted and proven effective and efficient in detecting duplicate beneficiaries in Syria; so, the aim is to build on the success of Syrian pilot and deploy the same technology in Nigeria, while taking into consideration the differences between the Syrian and Nigerian contexts. The first sprint of the pilot was all about raising awareness of the problem, announcing the pilot, gathering momentum, and encouraging humanitarian actors to participate in the pilot.

In this sprint, we wanted to engage with humanitarian agencies and experiment with some of the most important assumptions that would encourage and motivate them to participate in the pilot, namely: their data collection and management workflows, the use of biometrics, as well as compliance with data protection laws and regulations. In this article, we’ll cover the results of the data protection laws compliance experiment.

The de-duplication platform involves some beneficiary data processing to function. Although, no data is stored or shared by the platform, this processing may be a cause of concern for humanitarian agencies because compliance with data privacy and protection laws is a huge obligation and a sensitive matter for most agencies in the humanitarian space. Therefore, in this experiment, we wanted to test whether the proposed technology complies with the Nigerian laws and regulations in that regard.

Key takeaways

• Data protection laws impose certain restrictions on data collection, gives rights to data owners, and require certain measures to be in practice by agencies collecting and storing personal data.
• GeniusChain requires minimal processing of personal data that is performed on the devices of agencies using the system.
• Agencies can maintain their compliance with data protection laws by expanding the consent obtained from beneficiaries for the collection and processing of their data to cover the minimal uses of GeniusChain.

Data protection laws compliance experiment

One of the most important concerns that organizations have is the protection of the beneficiary data that they collect and process on a regular basis. The issue of data privacy and protection is so important that governments all around the world have regulations in place to ensure that organizations and individuals are collecting, storing and processing data in way that guarantees the safety and security of data, and that people have the right to access their data and information and control what can be done with it. Humanitarian data is especially sensitive because of the vulnerabilities and risks faced by recipients of humanitarian aid and the difficulties obtaining free and informed consent from crisis-affected populations.

The purpose of this experiment was to learn about the data privacy and protection regulations and their requirements in Nigeria, and test whether the proposed technology complies with those requirements. Further, the experiment intended to provide some insights to agencies on what needs to be done to ensure they maintain their compliance status while using the system.

To test our assumption of the system’s compliance with data regulations, we carried out desk research of the compliance requirements and examined what organizations should do to maintain their compliance with each one while using the system. In collaboration with the FTH team, we gathered several resources about local regulations and desk research was conducted on them.

Below is a brief overview of the compliance requirements, how the system handles and processes data, as well as some insights on how to remain compliant with regulations while using the system.

Brief overview of compliance requirements

The main purpose of data protection regulations is to ensure that personal data is being collected, processed and stored in a manner that guarantees that: (I) the data is being secured and protected against breaches and unlawful access, (ii) data is being collected responsibly and that unneeded data is not being collected, and (iii) owners of the data, about whom data is being collected and processed, know what data is being collected and why, and that they have the right to control what can be done with their data, and also the right to delete it any time they want. Data regulations usually define certain terms and conditions that apply to data processing, as well as actions that the parties collecting and processing data need to take, in order to accomplish these three objectives.

The relevant law that organizations operating in Nigeria are required to comply with is the Nigeria Data Protection Regulation (NDPR), which was published in 2019. Another important relevant law is the General Data Protection Regulation (GDPR), which is the European version of the law on data protection. Both laws are essentially the same, in terms of the requirements for compliance, with minor differences in some terms and conditions, as well as the language. For humanitarians, in addition to NDPR and GDPR, they’re required to comply with international humanitarian law (IHL) and humanitarian principles which add another layer of protection and restriction on the processing, handling and sharing of humanitarian data. We’re concentrating on NDPR for this article.

Before briefly going over the law’s requirements, it is important to understand some terms and their definitions, namely: personal data, data subject, data controller, and data processing. Personal data is intended to mean every piece of information that can be used to identify (or is relevant to) an individual, such as their name/surname, date of birth, address, national identity number, picture, IMEI number, or any other information that can be used to directly or indirectly identify a Nigerian citizen locally and abroad. Sensitive personal data is the same as personal data, but requires additional care and protection, such as religious beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records. Data subject is an identifiable natural person, who can be identified directly or indirectly with personal data. Data controller is an individual or an entity that is responsible for processing or handling personal data of data subjects. Data processing refers to operations performed on personal data, either manually or automatically, such as collection, structuring, storage, adaptation, alternation, retrieval, consultation, use disclosure by transmission, dissemination or otherwise making available.

There are many terms, conditions, and requirements that the NDPR lays out to accomplish the three objectives mentioned above; listing all of them is beyond the scope of this blog article, but just to give an example on the nature of those requirements, below are some of the most notable and key ones:

• The data controller is required to obtain a consent from the data subject that specifies the data that will be collected, the purpose of collecting the data, where it will be stored, and how/why it will be processed, and for what purposes, and whether it will be transferred and to whom.
• Data collection and processing should be performed for lawful and legal purposes. Further, data collection can be performed without consent if the data is being collected as a part of a contract between the data controller and data subject, and the data collection is necessary for the data controller to deliver work required as per the contract.
• The data controller should provide the data subject with information on how to request access to their personal data, as well as on how to request the deletion of that data. The data controller should make their contact details available and be responsive to such requests.
• The data controller should recruit a data protection officer who oversees the enforcement of data protection laws and ensures compliance with its requirements.
• The data controller must install equipment, tools, controls and procedures to ensure the security and safety of personal data stored in their possession and must prevent data breaches and unauthorized access to personal data. The data controller should report data breaches to data subjects in a timely manner to prevent/mitigate damages of such breaches.

Data processing needs of GeniusChain

GeniusChain does not store or process any personal data on GeniusTags servers. There is only very limited processing of beneficiary data, but that is performed on the organization’s devices. Therefore, many of the compliance requirements of relevant laws and regulations do not apply to GeniusChain; which makes it much easier to maintain compliance status for organizations that use the platform. In the Syria pilot, beneficiary UIDs were generated right on the smartphones used for data collection by field officers; the agencies there needed no changes to their existing compliance measures because the data never left their devices.

The only processing performed on beneficiary data by GeniusChain is when specific beneficiary data end points are used to generate a UUID of the beneficiary on the organization’s data collection smartphone device. Once a UUID is generated, GeniusChain discards the beneficiary data that was used and then only shares the UUID with the backend server and the blockchain for duplication detections. Other information is shared with backend server such as the project name, and the field officer’s account that collected the data.

All information shared with the backend server can never be used for re-generating the beneficiary personal data. The UUID is generated by applying a hash function on the beneficiary data to generate a hash code, and that hash code is then used as the beneficiary’s UUID. There are two properties of hash functions that make them the perfect fit for generating beneficiary UUIDs; the first property is that hash codes can never be reverse engineered to generate the beneficiary data, and the second property is that the slightest change in beneficiary data changes the hash code completely (e.g., if a beneficiary’s first name was changed from “John” to “Jon”, then a hash code that is completely different than the previous one is generated). This means that two agencies can capture the same data and, using GeniusChain, produce the same UUID and flag a duplicate, without having to share any personalized data with each other.

Maintaining compliance while using GeniusChain

As per our research and knowing the data processing needs of GeniusChain mentioned above, the organization can maintain its compliance status with data protection regulations by obtaining a consent from beneficiaries that their data will be processed in the manner explained above, and that a UUID will be generated for them and used for duplication detection purposes. Organizations may also want to explain to beneficiaries that UUIDs cannot be decoded to generate their personal information, and that only organizations that already have their information would be able to associate their UUID with them. In humanitarian contexts, it may be difficult to obtain informed consent from crisis-affected people freely and fairly like in other non-crisis contexts. Therefore, organizations need to maintain compliance with the principles and guidelines provided by IASC (Inter-Agency Standing Committee) on data protection, which are consistent with the NPDR and GDPR laws.

So, based on our research, we believe that organizations can update their existing data processing consent forms with the above information for all future data collection efforts. I should mention that these are merely findings of our research; but organizations need to consult with a data protection specialist that can provide more detailed advice on how an organization can maintain compliance on a case-by-case basis.