When partnering, what considerations do I need to think about regarding sharing beneficiary data?
Generally, sharing beneficiary data is a very large red flag. Beneficiary data is considered sensitive data, so you need to be wise when dealing with it. And in reality, data sharing is about data governance.
Therefore, it is good to consider four elements – purpose, legality, consent, and mechanics.
1. Purpose – why are you sharing beneficiary data? What are you trying to achieve by sharing the data? When the data was originally collected, what was the original purpose, and is sharing the data in line with that purpose? What are the potential harms (short term and long term) that could come from sharing the data? What is your ‘partner’ going to do with the data? How long will they have access to it? Keep it? When will it be deleted?
2. Legality – are you legally allowed to share the data you are being asked to? It is good practice to involve your legal team in this. However, in general, different countries and organisations have laws and policies around sharing sensitive data. It is good practice to follow them. Understand where the data will travel. For example, if it will leave the country in which the beneficiary resides, ensure your legal team knows this. In short, don’t assume the legality has been checked.
3. Consent – Assuming you have already collected the data, double check what consent was collected from the beneficiary. At minimum, check to see you have their consent to share their data with a partner. If this is not explicit, then you need to go back to the beneficiaries to request it. And always be aware of the ‘power’ you have as an organisation, so don’t just ‘ask’ for their consent, go out of your way to ensure they understand what they are consenting to. Check and double check their understanding before you consider you have their consent.
4. Mechanics – This is all about how you actually share the data. Critically, your how must be linked to your why. And ideally, you are not sharing any sensitive data, or at least only the bare minimum. A good practice is to hold the shared data ‘in place’ in a ‘common place’, so that it is not in the ‘control’ of one organisation but rather of the collective. (If it’s deduplication you are trying to achieve, see the series of posts I wrote earlier).
Also with Mechanics, you need to consider Direction, Frequency, and Method. So is the data flowing one way, two way, or multidirectional? Is the sharing a one off, every Friday at 3pm, or in real time? And then the method. Never send the sensitive data over email. Are you going to use USB sticks? Secure and encrypted cloud folders? Zero Knowledge Proofs? And critically, whatever method you use, when and how will the data be deleted from the sharing method (i.e. USB stick) and who will have access to the data ‘in transit’ and when it is at its destination?
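To make the "share only the bare minimum" point concrete, here is an added illustration (not code from the post, and not the deduplication method from the author's earlier series) of what a deduplication exchange can look like when each organisation strips its records down to a purpose-bound subset before anything leaves. The identifier is replaced with a keyed hash (HMAC-SHA256) under a secret the partners agree out of band, so matching still works but neither side hands over names, phone numbers or case notes. The field names, the key and the beneficiaries are all constructed for the example.

```python
"""Added example: minimise beneficiary records to what a deduplication
exchange needs, and pseudonymise the identifier with a keyed hash.

Not the post's own code. Field names, key and records are constructed.
"""
import hashlib
import hmac

# Constructed sample data for two partner organisations; not real people.
ORG_A_RECORDS = [
    {"national_id": "ID-1001", "name": "Beneficiary One", "phone": "+000 111",
     "health_notes": "sensitive", "assistance": "cash"},
    {"national_id": "ID-1002", "name": "Beneficiary Two", "phone": "+000 222",
     "health_notes": "sensitive", "assistance": "food"},
]
ORG_B_RECORDS = [
    {"national_id": "ID-1002", "name": "Beneficiary Two", "phone": "+000 222",
     "health_notes": "sensitive", "assistance": "shelter"},
    {"national_id": "ID-1003", "name": "Beneficiary Three", "phone": "+000 333",
     "health_notes": "sensitive", "assistance": "food"},
]

# The 'why' (deduplication) fixes the 'what': only these fields may leave.
ALLOWED_FIELDS = {"pseudonym", "assistance"}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of the identifier.

    Partners holding the same key derive the same value for the same person,
    so records can be matched. Without the key, the value cannot be reversed
    or rebuilt by hashing guessed identifiers, unlike a plain unsalted hash.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Reduce a full record to the shareable subset and refuse anything extra."""
    shared = {
        "pseudonym": pseudonymise(record["national_id"], key),
        "assistance": record["assistance"],
    }
    extra = set(shared) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"fields not cleared for sharing: {sorted(extra)}")
    return shared


def prepare_batch(records: list[dict], key: bytes) -> list[dict]:
    """Minimised batch that an organisation could place in the common store."""
    return [minimise(r, key) for r in records]


def find_overlap(batch_a: list[dict], batch_b: list[dict]) -> list[str]:
    """Pseudonyms present in both minimised batches, i.e. the duplicates."""
    seen = {r["pseudonym"] for r in batch_a}
    return sorted(r["pseudonym"] for r in batch_b if r["pseudonym"] in seen)


if __name__ == "__main__":
    # Constructed shared secret; in practice agreed and rotated out of band.
    key = b"constructed-shared-secret-agreed-out-of-band"
    a = prepare_batch(ORG_A_RECORDS, key)
    b = prepare_batch(ORG_B_RECORDS, key)
    print("shared record example:", a[0])
    print("duplicates found:", len(find_overlap(a, b)))
```

Two caveats a practitioner would add. A keyed hash is pseudonymisation, not anonymisation: whoever holds the key can link the value back to a person, so the legality and consent checks above still apply to the minimised batch, and the key needs the same handling as the data it protects. And minimisation only answers the "what" of Mechanics; direction, frequency, the transport method and deletion of the shared copies still have to be decided for the common place where these batches land.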
It is not an exhaustive list, but it should get you thinking and discussing. And it assumes that normal privacy impact assessments and data protection impact assessments have been conducted. Additionally, it assumes security assessments of the partner(s)’ IT systems have also been done.
And lastly, I hope it goes without saying, decisions like this should never be made by one person. Always involve a diverse group of people with diverse backgrounds. Ideally, involve beneficiaries as well.