Data protection and privacy are essential elements of the governance framework.
The framework elements under this heading relate to the components of the system that ensure sensitive personal data is protected and that individual privacy is maintained. This is particularly important given the sensitive information that digital identity systems collect and manage, the potential for harm through its misuse, and the risk of data breaches. These elements should be read in conjunction with the others in the framework: laws are only as effective as their application and implementation. The data protection and privacy element includes the following sub-elements: Data protection and privacy laws, Data handling by public and private actors, Data exchange practices and Cybersecurity.
Data protection and privacy laws
Sub-element: Existence of data protection law
Anchor question: Does the country have a data protection and privacy law?
Rights implications: With a legal and governance framework for data protection in place, the risk of unauthorised and unsafe use of people's data by various actors for their own benefit is significantly lower.
Example scenario: A data protection and privacy law is in place.
International standards:
- UNDP 'Compendium of Data Protection and Privacy Policies and other Related Guidance within the United Nations Organisation and other Selected Bodies of the International Community' (2021): https://unstats.un.org/legal-identity-agenda/documents/Paper/data_protecton_%20and_privacy.pdf
- Council of Europe Guidance on National Digital Identity: https://rm.coe.int/prems-010823-gbr-2051-national-digital-identity-final-web-2762-4423-83/1680aa6b24
- UNDP 'Drafting Data Protection Legislation: A Study of Regional Frameworks' (2023): https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- The Asia-Pacific Economic Cooperation (APEC) 'Privacy Framework' (2005): https://www.apec.org/docs/default-source/Publications/2005/12/APEC-Privacy-Framework/05_ecsg_privacyframewk.pdf
- The Association of Southeast Asian Nations (ASEAN) 'Framework on Digital Data Governance' (2018): https://asean.org/wp-content/uploads/2012/05/6B-ASEAN-Framework-on-Digital-Data-Governance_Endorsedv1.pdf
- ASEAN 'Framework on Personal Data Protection' (2016): https://asean.org/wp-content/uploads/2012/05/10-ASEAN-Framework-on-PDP.pdf
- The African Union Convention on Cyber Security and Personal Data Protection: https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection
- The Commonwealth Office of Civil and Criminal Justice Reform 'Model Bill on the Protection of Personal Information' (2017): https://www.asianlaws.org/gcld/cyberlawdb/COM/P15370_6_ROL_Model_Bill_Protection_Personal_Information_2.pdf
- The Commonwealth Office of Civil and Criminal Justice Reform 'Model Privacy Bill' (2017): https://www.asianlaws.org/gcld/cyberlawdb/COM/P15370_9_ROL_Model_Privacy_Bill_0.pdf
- The Council of Europe Convention 108+: Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data: https://www.coe.int/en/web/data-protection/convention108-and-protocol
- The European Union's General Data Protection Regulation (GDPR): https://gdpr.eu/tag/gdpr/
- The Caribbean Community's Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) 'Privacy and Data Protection Model Policy Guidelines and Legislative Text' (2012): https://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPCAR/Documents/FINAL%20DOCUMENTS/ENGLISH%20DOCS/privacy_and_data_protection_model%20policy%20guidelines.pdf
- The Organization of American States' 'Updated Principles on Privacy and Personal Data' (2021): https://www.oas.org/en/sla/iajc/docs/Publication_Updated_Principles_on_Privacy_and_Protection_of_Personal_Data_2021.pdf
- The Organisation for Economic Co-operation and Development (OECD) 'Privacy Framework' (2013): https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf

Sub-element: Structure of data protection authority
Anchor questions:
- Does the country have an independent data protection authority?
- Is the law operational and enforced?
Rights implications: With the law operational and enforced, the risk of misuse and/or breach of personal information is significantly lower.
Example scenarios:
- There is an independent data protection authority with the legal mandate, financial resources and political independence to carry out its obligations and responsibilities.
- The law mandating the data protection authority is operational and enforced. Extenuating circumstances (such as delays between enactment and implementation) are covered by agreed procedures that ensure continuity of legal protection and mandate. If a data protection law has been passed but is not yet enforced (for example because of a transitional period for data custodians), the government may opt not to apply that period to the operations of the identity authority.

Sub-element: Privacy and user ownership of data
Anchor question: Does any law or regulation specify consent of the individual as one basis for the collection and/or use of personal data?
Rights implications: With a legal requirement for consent to data processing, trust and accountability for the protection of rights are strengthened.
Example scenario: There is a law that mandates consent from the individual as the basis for the collection, processing and use of personal data.
Data handling by public and private actors
Sub-element: Data management practices grounded in research and global best practices
Anchor questions:
- What is the best practice for data storage and handling (e.g. centralised, decentralised or federated)? How well protected is citizens' data? What are the risks if there is a breach?
- Who owns, manages and stores ID? (If the security sector is the main agency that owns, manages and stores ID, is there a comprehensive mechanism that limits the use of the data to specific purposes only?)
Rights implications: With appropriate data protection and data management practices based on international best practice and research, the risk of unauthorised and unsafe use of people's data by various actors for their own benefit is significantly lower.
Example scenario: Data management policies and guidelines reflect international best practice, including practices and recommendations for data ownership and oversight. Appropriate access controls and an oversight mechanism are in place to ensure that access to such data by legitimate actors is limited to specific purposes only.
International standards:
- The Council of Europe Convention 108+: Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data: https://www.coe.int/en/web/data-protection/convention108-and-protocol
- African Union Convention on Cyber Security and Personal Data Protection: https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection
- UNDP 'Drafting Data Protection Legislation: A Study of Regional Frameworks' (2023): https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 7.2: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks

Sub-element: Data processing practices
Anchor questions:
- Are there any policies that require the collection and handling of data to be based on the principles of data minimisation, proportionality and a specific purpose?
- How long will data be stored, and what are the procedures for deleting data?
- What is the role of the individual's rights and consent in any form of data processing?
- Are the purposes of data processing, along with its parameters and the needs it serves, available in the public domain? Have there been public consultations on data processing?
Rights implications: Data processing forms the core of data handling and protection. Consent should be central to all data processing activities, and the principles of data minimisation and proportionality ensure that the minimum of personal data is collected about an individual.
Example scenario: Data processing policies and guidelines reflect international best practice, including recommendations for data processing and oversight. Consent from the data subject is obtained throughout data processing activities, and the principles of data minimisation and proportionality apply.
International standards:
- European Commission Guidelines on Data Protection Impact Assessment (DPIA) (2017): https://ec.europa.eu/newsroom/article29/items/611236
- UNDP 'Drafting Data Protection Legislation', Chapter 7.2: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks

Sub-element: Rules on surveillance by public/private actors
Anchor questions:
- Is there an administrative authority legally responsible for the protection of personal data?
- Are there any exemptions for the government from data protection obligations? Are they accessible to the public?
Rights implications: With a dispute resolution mechanism in place and well communicated, people are able to access justice in case of mismanagement or abuse of personal data.
Example scenario: Any exemptions for the government need to be routed through the legal channels defined by the country's data privacy law.
International standards:
- UNDP 'Compendium of Data Protection and Privacy Policies and other Related Guidance within the United Nations Organisation and other Selected Bodies of the International Community' (2021): https://unstats.un.org/legal-identity-agenda/documents/Paper/data_protecton_%20and_privacy.pdf
- Council of Europe Principles on National Digital Identity: https://rm.coe.int/prems-010823-gbr-2051-national-digital-identity-final-web-2762-4423-83/1680aa6b24
- UNDP 'Drafting Data Protection Legislation: A Study of Regional Frameworks' (2023): https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 7.3: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 8: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 8.3: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
Data exchange practices
Sub-element: Rules on data sharing and information exchange
Anchor questions:
- Are there any laws governing cross-border data exchanges?
- What service agreements are in place for exchanging data with other public or private institutions?
- Is the country part of a regional data privacy framework that ensures adequacy standards for personal data transfers outside the region?
- Is there a mechanism for periodic oversight of adequacy measures in all participating countries?
Rights implications: With a dispute resolution mechanism in place and well communicated, people are able to access justice in case of mismanagement or abuse of personal data, especially when international data transactions are involved.
Example scenario: The country can be part of a regional data privacy framework as long as the technical standards defined by its nodal institution are met and its legal principles are aligned. Otherwise, the data privacy law and technical standards should cover the processes and liabilities of international data exchanges.
International standards:
- UNDP 'Compendium of Data Protection and Privacy Policies and other Related Guidance within the United Nations Organisation and other Selected Bodies of the International Community' (2021): https://unstats.un.org/legal-identity-agenda/documents/Paper/data_protecton_%20and_privacy.pdf
- Council of Europe Principles on National Digital Identity: https://rm.coe.int/prems-010823-gbr-2051-national-digital-identity-final-web-2762-4423-83/1680aa6b24
- UNDP 'Drafting Data Protection Legislation: A Study of Regional Frameworks' (2023): https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 7.3: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 8: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 8.3: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
Cybersecurity
Sub-element: Cybersecurity policy and legislation define how public and private stakeholders design and deliver services/products in the country's digital ID ecosystem
Anchor questions:
- Is there cybersecurity legislation or regulation?
- Has the country signed up to the Budapest Convention on Cybercrime?
Rights implications: There is an imminent risk of cyber threats from malicious actors. Sensitive personal data being breached or leaked can lead to adverse outcomes, especially when access to public services depends on digital IDs.
Example scenario: Periodic cyber threat analysis is conducted by a panel of experts and the results are published publicly. There are also model response scenarios ready in the case of a data breach. The Identity Authority has a transparent process by which enrolled individuals and the general public are notified when security events lead to the disclosure of their personal data.
International standards:
- Council of Europe Budapest Convention on Cybercrime: https://www.coe.int/en/web/cybercrime/the-budapest-convention
- Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data: https://www.coe.int/en/web/data-protection/convention108-and-protocol
- African Union Convention on Cyber Security and Personal Data Protection: https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection
- UNDP 'Drafting Data Protection Legislation: A Study of Regional Frameworks' (2023): https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- UNDP 'Drafting Data Protection Legislation', Chapter 7.2: https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
- Organization of American States 'Declaration on Strengthening Cyber Security in the Americas' (2012): https://ccdcoe.org/uploads/2018/11/OAS-120307-DeclarationCSAmericas.pdf
- ISO/IEC 27001 'Information security management systems': https://www.iso.org/standard/27001
- UK National Cyber Security Centre 'Cyber Assessment Framework (CAF)': https://www.ncsc.gov.uk/collection/caf