ICTworks

Informed consent is recognized as an integral part of responsible data practices by international development and humanitarian organizations.

Much debate, however, surrounds the nature of “consent” obtained, practical aspects of obtaining informed consent in different development and humanitarian contexts, and whether digital technologies increasingly used to collect, and share data allow meaningful “consent”.

Some even argue that “informed consent” is realistically impossible in humanitarian contexts like disaster relief, and with the pervasive sharing of digital data makes “informed” consent simply an illusion.

Informed consent: Why should we get it?

Notwithstanding the debate about improving and simplifying both consent forms and the consent process in general, informed consent is increasingly a legal requirement (for example Article 6(1) of the GDPR) and recognized as the right of data contributors under the data protection laws in many jurisdictions globally.

More importantly, informed consent is rooted in ethical standards, particularly the principle of respect for persons, which means recognizing individuals as “autonomous agents” who have the ability to make informed or considered choices and to determine if those choices are consistent with their interests.

This principle also sets the moral requirement to protect those with diminished autonomy, including those who are especially vulnerable to harm and whose ability to make free choices are restricted.

In the context of international development and humanitarian assistance, informed consent for data collection both reaffirms the commitment to upholding the dignity of individuals who are served and to “doing no harm” especially to the vulnerable, marginalized, and disenfranchised.

What should the informed consent process look like?

While no one approach is likely to fit all contexts, best practices and ethical principles support that the consent process should include (but not be limited to) these key elements, at a minimum:

• A statement that the individual is providing data voluntarily and that they can withdraw consent at anytime;
• A statement that declining to provide data now (or in the future) will not impact their ability to receive the services or humanitarian assistance delivered;
• A description of the purpose of data collection in language that is understandable to a lay person;
• Information on why and what types of data (for example, personal identifiers, financial details, photos, health status etc.) are being collected, described in simple understandable language, and whether they will be contacted again for collecting additional data; and
• Information on who data will be shared with (for example, when required contractually by the donor or legally by the host government), what types of data, and whether personal identifying information will be shared;
• Information on how long data will be stored, and whether/how data will be archived;
• A reasonable description of foreseeable benefits to the individual and/or their community;
• A reasonable description of potential harm to individuals/groups from loss of privacy and confidentiality and what steps are being taken to mitigate those risks.

Additional key considerations include providing information about rights to remove or correct data, the “right to be forgotten” and rights to redress, particularly in jurisdictions where individuals legally control access to their data such as the EU and others.

Getting consent: all about the context

As much of the experience collecting data in international development and humanitarian programs indicates, there are many challenges to obtaining informed consent, like language, low literacy levels, and resource constraints.  Practitioners will, however, need to pay explicit attention to specific socio-cultural and religious contexts that can impact how consent is sought including who gives consent, who obtains consents, and how consent is obtained.

Culturally appropriate consent processes must actively engage community members and be cognizant of power asymmetries, between different participants (such as by gender, age, social group affiliation (e.g. indigenous groups, LGBTQ community), and especially between those providing consent and those obtaining it. Without recognizing and addressing these differentials actively, there is increased risk that consent may neither be voluntary or informed.

Practitioners also need to be sensitive to groups/communities or individuals who are at risk for increased harm due to demographic (e.g. member of a religious group, tribe etc.) or other sensitive information about their behaviors (for example, MSM), profession (such as sex workers) or health status (HIV+).

Harms may be physical, reputational, economic or other and may occur unintentionally, sometimes due to how participants are contacted, selected, how the data is collected (e.g. if geographical data is automatically linked when data are collected digitally) and for several other reasons. The potential for harm must be weighed carefully  against the benefits of collecting data from such individuals and groups and must be transparently communicated during the consent process.

It is especially important to consider alternative and multiple approaches to obtaining consent and for collecting data from individuals/groups that may be subject to stigmatization, criminal prosecution, and/or persecution.

For example, when simply having a written record of consent provided may identify such individuals, and put them in harm’s way, oral consent may be ethically recommended.  When contacting the person/persons in their residence/work place somehow “outs” them and increases risk of harm, interacting individually or with groups in “safe spaces” may be the best approach for seeking consent.

In some cases, getting group consent may be recommended to avoid identifying individuals inadvertently later down the road.  In these situations, active efforts must be taken to assure that all individuals are able to make free and that individuals are not feeling pressure to conform with the group in making choices about providing data.

These are but a few, but in no way exhaustive, considerations on the for what and how to of obtaining informed consent.  The process of obtaining informed consent is deeply contextual, depending on socio-cultural, geographic, political, legal, and other variables and the type and sector of development/humanitarian context (for e.g. health vs financial, routine health vs pandemic or disaster relief).

The growing number of tools, templates, policies and guidelines from development and humanitarian organizations/actors is much needed not only to represent the diversity of development /humanitarian programs but also the “real world” experience of practitioners.

The healthy debate over the need for, and the challenges in informed consent process have furthered innovation and commitment of practitioners trying to get it right, for example by allowing participants to define what informed consent looks like, developing multimedia resources, alternative forms of engagement (e.g. traditional storytelling) to convey key concepts about data collected and their uses , and to improve participant understanding.

Much more needs to be done and a bigger box of resources can only help in getting right- sized and right -styled informed consent.

Going Digital: What it means for informed consent?

It comes as no surprise to most development practitioners that much of the ongoing debate and argument on the why, what, and how of getting consent, is related to the increasing use of digital technologies (phones, sensors, social media platforms etc.), the digitization of data, ever expanding digital data sources (big data, open data sets) and analytical tools (machine learning, artificial intelligence).

Much has been written about how “going digital” complicates the nature of consent itself and the processes for obtaining it.   Some common considerations emerging from these deliberations include:

1. Digital technologies present both new challenges and opportunities for getting informed consent.
2. Digital data present new risks (from possibility of re-identification, breaches in data security, etc.) that one must consider actively in responsible data practices, especially how transparently these risks are communicated during the consent process.
3. User agreements and “terms and conditions” associated with platforms, apps and other digital technologies cannot be considered equivalent to informed consent.
4. Digital approaches may not always be suitable for providing informed consent, depending on, for example, the digital literacy of the participants, connectivity and other variables, but especially the profile of risk due to digital “footprints”, including loss of privacy and confidentiality, that could pose serious risks of harm to vulnerable individuals and groups.
5. Digital approaches provide new opportunities for improving the consent process, including reducing risks of “outing” people, improving understanding of key components to make more “informed” decisions (for example presenting key information in accessible, digestible ways such as videos, animations, checking understanding through quick tests or games, modularizing key information), and for longer and dynamic engagement to obtain consent for additional/new uses of data, to collect participant preferences.
6. Communicating concepts of data privacy, security and associated risks transparently during consent process, although challenging, is necessary to inform contributors of their choices.

What is responsible practice when informed consent is not possible?

In certain contexts, predominantly in humanitarian response programming, the power imbalance between the program participant and Humanitarian Organization is so great as to render any attempt at informed, freely given consent void under governing law and commonly held ethical standards.

Using the EU GDPR as a high watermark, Recital 43 states that “in order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”

In humanitarian response programming, humanitarian organizations stand-in as a public authority at the request of the host government to provide basic services to affected program participants. It can be rightly assumed that any request from the humanitarian organization for personally identifiable information, likely for the purposes of registration and the provisioning of services, will be considered as a requirement to obtain services by the program participant.

Due to the imbalance of power, any consent obtained will be coerced and would not be legally admissible.

In these contexts, the duty of care is significantly heightened. We are charged with both providing emergency services to our program participants and ensuring that any personal data processing conducted is truly in the best interest of the participant.

In place of freely given consent, we must make appropriate, risk-based decisions that both accomplish our mission and protect our program participants. From an ethical perspective this is where the principle of beneficence would apply. This principal is in essence captured by two complementary actions: (i) do not harm and (ii) maximize possible benefits and minimize possible harms.

This is a difficult tightrope to walk, but it is not impossible. Here are some suggestions:

1. Data Minimization – The first, and easiest, mitigation strategy for eliminating privacy risk is to collect only the data that is necessary to execute the program. Ask yourself…am I able to accurately, effectively execute my mission without this data? If the answer is yes, consider not collecting it.
2. Consider an Alternate Legal Basis for Processing – Per the EU GDPR, there are six lawful bases for processing personal data. We’ve already discussed consent. Contractual and legal obligation are not applicable in the humanitarian response context. However, there are three that should be considered:
   1. Vital Interest – The lawful basis of vital interest may be used when the processing of personal data is necessary to protect a program participants life. In their Handbook on Data Protection in Humanitarian Action, ICRC states that vital interest can be used in the following situations:
      • Humanitarian organizations are dealing with cases of Sought Persons;
      • Humanitarian organizations are assisting authorities with the identification of human remains and/or tracing the family of the deceased. In this case the Personal Data would be processed in the vital interest of the family members;
      • Humanitarian organizations are assisting an individual who is unconscious or otherwise at risk, but unable to communicate consent;
      • The processing, including disclosure, of information is the most appropriate response to an imminent threat against the physical and mental integrity of the Data Subjects or other persons; or
      • The processing is necessary to provide for the essential needs of an individual or a community during, or in the aftermath of, a humanitarian emergency.
   2. Public Task – The lawful basis of public task is applicable when a humanitarian organization is processing personal data in exercise of official authority. This would only apply if performing a public function at the request of a host government when the government has bestowed official authority to do so.
   3. Legitimate Interest – The lawful basis of legitimate interest functions as a catch all when the above preferred legal bases are not applicable. It is the most flexible but hardest to defend. Determining applicability can be broken down into a three-part test:
      • Purpose Test: are you pursuing a legitimate interest? The GDPR specifically mentions fraud prevention and IT security as legitimate interest but does not provide an exhaustive list.
      • Necessity test: is the processing necessary for that purpose? Necessary means the processing is a targeted and proportionate way of achieving the purpose.
      • Balancing test: do the individual’s interests override the legitimate interest? The processing must be reasonably expected by the individual. If it is not, or may cause unjustified harm, the individual’s interests override the legitimate interest of the humanitarian organization.
3. Document Your Decision – Once you’ve come to a decision on what you will collect and why you believe you have the lawful basis to do so, document it. The most appropriate mechanism to do so is a Privacy Impact Assessment (PIA), or Data Protection Impact Assessment (DPIA) if you are required to comply with the EU GDPR.
4. Don’t Eliminate Informed Consent– Even though the consent is not legally admissible, that does not eliminate the need for humanitarian organizations to inform their program participants of the data that is being collected, why it is necessary and lawful to collect, how it will be used, and who it will be shared with. Continue to follow the previously mentioned best practice even when consent is not pursued.

Getting informed consent in the widely varying contexts of international development and humanitarian assistance is by no means straight forward. Indeed, the details of getting and tracking informed consent need to be fully aligned with the overall plan for collecting, sharing, using, disposing and/or archiving data.

Planning with, and training data collectors in best practices for obtaining consent, as well as including them in consultations with community representatives or participant groups will help them better understand risks to individuals/groups and communities and culturally appropriate ways to obtain consent.

And, perhaps most importantly, development and humanitarian practitioners/organizations must continue to freely share their “real-world” experiences, best practices, and new solutions, as the entire development community embraces data driven approaches for effective and efficient programs.

Subhashini Chandrasekharan is currently the Ethical Legal Social Issues research lead in the All of Us Research Program at  the National Institutes of Health (NIH).  As a AAAS STPF fellow (2015-2017) in the USAID Global Development, she led and contributed to research underlying the recently released Considerations for Using Data Responsibly at USAID.  The views presented here are her own and do not represent those of the All of Us Research Program or the NIH.

Joel Urbanowicz is Director of Digital Workplace Services at Catholic Relief Services. He has acted as co-chair of the NetHope Data Protection and Information Security working group for the past three years. He served as a member of the advisory committee for the recently released Considerations for Using Data Responsibly at USAID and contributed to its content and recommendations.

Join #5DaysofData Twitter Chat on May 16

Join @USAID_Digital, @mSTAR_Project, @DIAL_community, @GlobalDevLab, @ICT_Works and the responsible data community for a #5DaysofData Twitter Chat to learn how you can use data responsibly and ensure that data risk is regularly considered and addressed.

#5DaysofData Twitter Chat
May 16, 2019 – 12pm EST – 16:00GMT – Your Timezone

We’ll spend a hectic hour tweeting questions, answers, ideas, and concerns. Join us or just follow along using the #5DaysofData hashtag on twitter.