Personal data is everywhere. It’s there when we’re on social media, it’s there when we use our search engine, when we email, go grocery shopping, transfer money, and it’s there in our Netflix queue waiting to be binge-watched.
Like a valuable commodity, it’s sold at a large scale and used to tailor ads and services to our individual needs, catch criminals, and, unfortunately, it is also used for unedifying activities like identity theft, fraud, and extortion.
While few people might associate public procurement with personal data, there can be personal data in contracting documents that, if made public, could be used in spear phishing campaigns, cyber attacks, identity theft, and other forms of fraud. Think, for example, of names linked to dates of birth, signatures, residential addresses, and nationalities that may be included in contracts, proposals, or invoices, especially when services are procured from small companies or individual consultants. Depending on the context, even the knowledge that a person works on controversial issues could be problematic, as could salary or day rate information.
No wonder people are increasingly nervous about sharing their personal data, and concerned that businesses and the government might misuse it.
In a world where government contracts are becoming ever more open, there is a natural tension with the protection of personal privacy of individuals.
On the one hand, citizens are entitled to know how their tax money is spent. Governments need to be accountable to their citizens and demonstrate that the procurement process was fair, that the contract was awarded to the right bidder, and that the contract was implemented correctly.
On the other hand, the privacy of individuals working on these contracts should not be endangered.
From research and interviews conducted for our Confidentiality Project, it turns out that this time around, we can have our cake and eat it, too: procurement entities can take certain steps to be accountable to their citizens and safeguard the privacy of the individuals involved.
Personal data can only be disclosed if the law permits (or requires) it.
Privacy laws (or Data Protection Acts or Personal Data Protection Acts, as they are sometimes called) legislate and regulate the use of personal data, the way personal data should be handled, and give legal rights to people who have information stored about them.
Privacy laws differ from country to country, and there are large differences in terms of requirements for handling personal data across countries.
For example, under the European Union Directive on Data Protection, personal data can be collected only under strict conditions and for a legitimate purpose. The Directive also mandates that each EU nation pass a national privacy law and create a Data Protection Authority to protect the privacy of its citizens and investigate incidents. Those national laws, in turn, come in several flavors, and emanate from various traditions and cultures. But the common European history resulted in the backbone of a basic European principle: privacy is a human right, and non-disclosure, as opposed to openness, of personal data is the default position.
When collecting personal data for law enforcement purposes, for example, in the EU there are restrictions on the further use and dissemination of data collected, as well as limits related to the purpose of data collection. In the United States, as a comparison, such limitations and restrictions hardly exist.
To make things a tad more complicated, in most countries, there are exemptions to privacy laws, which typically consist of other laws that allow for the disclosure of certain personal data. As you might have guessed, these also differ by country.
For example, in the UK, alongside a stringent Data Protection Act, the Companies Act (2006) requires disclosure of certain information about all companies registered in the UK, including each company director’s full name, nationality, country of residence, date of birth, and correspondence address, all of which is available online. In Norway, in an aim to combat tax evasion, the government makes personal data about taxpayers available online, which includes names, ID number, and information about wealth, income, and taxes paid.
Procurement legislation may also touch upon disclosure of certain personal data. In Chile, for example, the Procurement Act establishes the public nature of certain procurement documents containing personal data.
Where the law permits (but doesn’t require) disclosure of personal data, the risks of disclosure on affected individuals should be assessed.
Where the law permits disclosure of personal data in contracting documents, the government authority responsible for disclosing such documents should assess what the potential impacts of disclosure on the affected individual could be. Even if the law permits disclosure, in practice such disclosure can still harm the affected individual.
If disclosure of certain personal data in contracting documents is required by law, it is not necessary to assess potential harm.
Assessing potential harm can be done by conducting a so-called privacy impact assessment (PIA). A PIA is a tool for identifying and assessing privacy risks of a project, or, in this case, disclosing contracting documents throughout the procurement cycle. PIAs have been used by the government in New Zealand, Canada, the UK, and Hong Kong, and are now required under the EU Data Protection Regulation (article 33), which requires that an assessment be performed before personal data of citizens is processed.
Rather than conducting a privacy impact assessment for every procurement, procurement agencies should conduct a strategic privacy impact assessment to cover all their public procurements at a national level, unless there is a specific reason for conducting sector- or region-specific PIAs.
The potential harm of disclosing personal data is context dependent and can differ significantly per country and per sector. In some countries, disclosure of certain personal data is commonplace and without repercussion.
While we said it was possible to have our cake and eat it, too, it requires the recipe to be carefully assembled and ingredients to be carefully mixed: for example, the public interest also needs to be stirred in. Ukraine, Georgia, and Colombia deliberately made the policy decision to disclose personal data in public contracting documents in an effort to combat deeply rooted corruption and re-establish trust in society.
Besides assessing potential risks and impacts of disclosing personal data, conducting a PIA can help the procurement authority to:
- Identify what personal data is collected, and explain how it will be maintained, protected, shared, and disclosed;
- Ensure conformance with applicable legal, regulatory, and policy requirements for dealing with personal data; and
- Evaluate alternatives to disclosure of personal data in order to minimize privacy risks, while still allowing the government to be accountable to its citizens.
In order to minimize harm as a result of disclosure of personal data OR where the disclosure of personal data is not permitted by law, anonymising or aggregating certain personal data so that it becomes non-identifiable might be possible.
The PIA should assess alternatives to disclosure of personal data that can be used in order to minimize privacy risks, while still allowing the government to be accountable to its citizens. Equally, in case the law doesn’t permit disclosure of certain personal data in contracting documents, alternatives should be assessed.
Such alternatives could include anonymizing or aggregating certain personal data so that it becomes non-identifiable to the individual. Once non-identifiable, it can no longer be considered personal data (and therefore Data Protection Acts do not apply).
The PIA would then determine the privacy risks associated with disclosing non-identifiable personal information, such as re-identification.
To be accountable to citizens, it may not be strictly necessary to disclose personal contact information, passport/ID information, personal bank details, and full dates of birth of people involved in government contracts. What is relevant information, for example, is company and organisational contact information and the job title of the signatories to the contract so that these can be held accountable. Other personal data could be redacted, with a justification for redaction provided.
For example, Companies House in the UK decided not to disclose the full date of birth of the directors of companies registered in the UK, because it was believed to negatively impact the privacy and safety of those individuals. As a mitigation measure, it was decided to disclose only the month and year of birth.
Instead of disclosing detailed individual invoices (which may include detailed information about day rates linked directly to the names of persons working on the project, for example), contracting authorities may opt to aggregate the amounts spent on the implementation of a contract and disclose a separate list of people working on the project.
Anonymizing personal data may be another option. For example, for positions up to Director level, the UK government discloses the number of Full Time Equivalents (FTE) it employs against a certain pay scale and generic job titles. Only at the director level is the person’s full name and salary information disclosed.
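The redaction and aggregation steps described above (keep organisational contacts and signatory job titles, generalise a date of birth to month and year as Companies House does, replace per-person day rates with totals and headcounts per grade, and name rates only at director level) can be applied mechanically to a contract record before publication. The following Python is an added example, not code from the Open Contracting Partnership; the record, field names, grades and the `MIN_GROUP` threshold are all constructed assumptions, and it also adds a small-group check so that a pay band with a single person cannot be reversed into that person’s pay.

```python
from collections import defaultdict

# Constructed sample contract record; no real people, companies or contracts.
CONTRACT = {
    "supplier": {"name": "Example Consulting Ltd", "email": "tenders@example.test"},
    "signatories": [{"name": "A. Example", "title": "Managing Director",
                     "date_of_birth": "1975-06-14", "personal_email": "a@example.test",
                     "home_address": "1 Sample Street", "passport_no": "X0000000"}],
    "invoice_lines": [
        {"person": "B. Example", "grade": "Analyst", "day_rate": 400, "days": 10},
        {"person": "C. Example", "grade": "Analyst", "day_rate": 420, "days": 5},
        {"person": "D. Example", "grade": "Designer", "day_rate": 500, "days": 4},
        {"person": "E. Example", "grade": "Tester", "day_rate": 450, "days": 2},
        {"person": "F. Example", "grade": "Director", "day_rate": 900, "days": 2},
    ],
}
NEVER_DISCLOSE = ("personal_email", "home_address", "passport_no")
DIRECTOR_GRADES = ("Director",)
MIN_GROUP = 2  # assumed threshold: a band with fewer people would reveal one person's pay

def redact_signatory(s):
    """Keep what accountability needs (name, job title), generalise the date of
    birth to year and month, and drop the rest with a stated justification."""
    out = {"name": s["name"], "title": s["title"], "born": s["date_of_birth"][:7]}
    out["redactions"] = {k: "not required for accountability" for k in NEVER_DISCLOSE if k in s}
    return out

def aggregate_spend(lines):
    """Disclose total spend and who worked on the project, but replace per-person
    day rates with spend and headcount per grade. Director-level rates stay named;
    grades with fewer than MIN_GROUP people are merged into 'other'."""
    by_grade = defaultdict(lambda: {"people": 0, "spend": 0})
    directors = []
    for l in lines:
        if l["grade"] in DIRECTOR_GRADES:
            directors.append({"name": l["person"], "day_rate": l["day_rate"]})
            continue
        by_grade[l["grade"]]["people"] += 1
        by_grade[l["grade"]]["spend"] += l["day_rate"] * l["days"]
    bands = {}
    for grade, v in by_grade.items():
        key = grade if v["people"] >= MIN_GROUP else "other"
        bands.setdefault(key, {"people": 0, "spend": 0})
        bands[key]["people"] += v["people"]
        bands[key]["spend"] += v["spend"]
    return {"total_spend": sum(l["day_rate"] * l["days"] for l in lines),
            "people": sorted(l["person"] for l in lines),
            "spend_by_grade": bands, "directors": directors}

def disclosure_view(contract):
    """The version of the record that can be published."""
    return {"supplier": contract["supplier"],
            "signatories": [redact_signatory(s) for s in contract["signatories"]],
            "spend": aggregate_spend(contract["invoice_lines"])}
```

If the merged "other" band is itself still below `MIN_GROUP`, the PIA should drop the per-grade breakdown altogether; the example leaves that decision to the assessor.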
The principle that privacy operates in an inverse relationship to power should be applied.
The latter UK example reflects the notion that government employees with a high level of seniority and responsibility, such as those employees that are responsible for major decisions and expenditures, are regarded as carrying a greater level of accountability, which should go hand-in-hand with higher levels of transparency and disclosure of personal data and information. Asset and income declaration of politicians is an example of where a position of power in the public sector means a high level of disclosure of certain personal data in order to improve accountability and show how public money is spent.
The same is true for the private sector, which is why persons authorized to represent and sign contracts on behalf of a company should expect a higher level of disclosure of their personal data. In another example, in order to improve corporate trust and deter money laundering, the United Kingdom requires public disclosure of the name, date of birth, nationality, country of residence, address, and level of shares and voting rights of ‘People with Significant Control’ over UK-registered companies. This disclosure makes it clear who ultimately owns and controls UK companies.
Of course, depending on the context, there can be valid exemptions here too.
It is good practice to be open about what personal data is collected, how it is used, shared, and secured.
Organisations handling personal data should follow the Openness Principles, which require organisations to be open about what personal data they collect, and how it is used, shared, and secured.
This applies to companies bidding for public contracts, who use personal data of their employees. Language about the collection, use, sharing, and securing of personal data could be incorporated in employment contracts or policies, for example.
It also applies to government procurement entities, who should explicitly state in the tender documents which personal data will be disclosed, and how other personal data will be stored and used in the various procurement phases.
What is your experience with personal data disclosure? Your feedback is welcome!
The arguments presented above are based on desktop research, and interviews with public, private, and civil society representatives working in public procurement. We’d be curious to hear your feedback and experience and we will update and refine our understanding on how to balance privacy and openness as part of our Confidentiality Project.
Here at the OCP, we are also carefully considering privacy issues in our own Open Contracting Policy – learning from this research and our own implementation.
Do you disclose personal data in contracting documents? Have you experienced any negative impacts as a result of disclosing such data? Do you use anonymization or aggregation, and, if so, in what way?