3.2. The Fair and Lawful Processing Principle

The primary principle of information protection laws is that personal information must

be processed fairly and lawfully. 41 Thus, the personal data a social protection programme collects must be obtained and processed fairly (reasonably) and lawfully. Unless specifically permitted by law, there should be no secret or covert information processing.

It means social protection programme applicants and beneficiaries must give their free, informed and specific consent for their information to be processed. Consent may be given explicitly or implicitly (i.e. by acting in ways that leave no doubt the data subject agrees to his/her data being processed). However, sensitive-data processing requires explicit consent

and must be unambiguous. 42 Generally, sensitive-data processing should be authorized by law. 43

To determine data processing is fair, attention should also be paid to the method by which the information was obtained. Fairness implies a person is not unduly pressured into supplying information about him/herself to social protection authorities.

Informed consent is particularly important when collecting biometric data from beneficiaries. Informed consent means data subjects must understand all implications related to the information they provide: why the biometric information is being collected; who will have access to it; how it will be protected, stored, transmitted, and accessed; what the time limit for its use and storage is; when it will be deleted. Considering the vulnerability of data subjects in non-contributory social protection programmes, the information should be provided in an accessible (easy to understand) manner, including when data subjects may be illiterate.

Due to the sensibility of biometric information, social protection programmes should ensure no persons will be denied service or access to benefits because of their inability or unwillingness to provide biometric data or use a biometric system. An alternative should be offered where possible, and system design should include alternative processes for those unable to access the system.

The Fair and Lawful Processing Principle should be respected in all programme- implementation phases. For example, registration processes should be properly and carefully undertaken in order to not unreasonably intrude on individuals ’ privacy. Guarantees should

be more stringent when the collected data is likely to give rise to discrimination, such as information on racial/ethnic origin or health status. This would be the case, for example, for programmes aimed at particularly vulnerable groups such as refugees or people with a specific health conditions (e.g. persons with disabilities or HIV and AIDS).

41 See Art. 5 of CoE Convention No. 108. 42 See CoE Convention No. 108; Explanatory Report to the Convention for the Protection of

Individuals with regard to Automatic Processing of Personal Data, Art. 6; and EU Data Protection Directive, Art. 8(2).

43 See Art. 7 of the EU Data Protection Directive. For exceptions, see Art. 8(2).

24 Is biometric technology in social protection programmes illegal or arbitrary? An analysis of privacy and data protection

Fair and lawful information processing also means that information should be kept for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. 44 This means social protection programmes should establish a retention policy that clearly indicates time-limits for using and storing information as well as how it will be subsequently removed or deleted from databases. If data is no longer needed, social protection authorities should delete it or store it only in a form that does not permit data-subject identification (i.e. it should be made anonymous). This is particularly relevant for biometric information such as fingerprint data. The European Court of Human Rights has ruled a lack of safeguards to preserve and delete biometric data is a privacy rights

violation. 45

Box 7. Lack of privacy in registration offices

If registration office designs neglect privacy and confidentiality issues, applicants may be deterred from providing all necessary information – or even from registering for a programme. An evaluation of the South African Child Grant found that processing applications occurred in the presence of other applicants in severely overcrowded, shared offices or in open spaces where strangers looked on. Interviewees reported this affected

people’s freedom to speak openly. Source: Goldblatt, Rosa and Hall, 2006.

 Do beneficiaries receive information on why information is being collected and how data will be used?

 How do beneficiaries express consent to share their personal information?  Have beneficiaries given free, informed and specific consent to data processing? If not,

is such processing necessary to carry out social protection authorities ’ obligations and exercise its specific rights? Is it authorized by national law and does that provide adequate safeguards?

 Are beneficiaries informed about who else will have access to the information? And how it will be protected, stored, transmitted and accessed?

 Has the personal information been collected in proper and careful ways in order to not unreasonably intrude on beneficiaries ’ privacy?

 Is a retention policy in place? Are beneficiaries informed about time limits on the use of stored information?

 Is personal information deleted as soon as data are no longer needed for programme objectives? If not, is the information retained in a non-identifiable form?

44 See Art. 6(1)(e) of the EU Data Protection Directive and Art. 5(e) of CoE Convention No. 108. 45 See ECHR case M.K. v. France, Application No. 19522/09, 18 April 2013.

Is biometric technology in social protection programmes illegal or arbitrary? An analysis of privacy and data protection 25