Policy Objective: Establishes the principles and guidelines by which personally identifying consumer data is collected, stored, used and shared by PSI and its global network members.
I. Guiding Principles
In accordance with the principles outlined in PSI’s Data Protection Policy, the PSI Consumer Data Protection Policy (CDPP) establishes the principles and guidelines by which personally identifying consumer data is collected, stored, used and shared. Personally identifying consumer data collected by PSI and its global network members must:
- Be obtained only for specific, lawful purposes
- Be processed fairly, lawfully and in accordance with the rights of data subjects
- Be adequate, relevant and not excessive
- Be as accurate as practically possible
- Be protected in appropriate, legally compliant ways
- Be retained only for as long as is lawful and necessary
- Not be transferred outside PSI to any entity unless that entity also ensures an adequate level of protection
In addition,
• PSI informs individuals, in a concise, transparent, and easily accessible manner, using clear and plain language, as to how PSI handles their personal data
• PSI honors individuals’ requests for information about PSI’s processing of personal data and for the deletion, restriction of processing or rectification of the same, where required by law or donor regulation
For the definition of personally identifying data, please see section II. Terms and Definitions. Please note that the definitions used in this policy are relevant to PSI’s context and are applicable to data that PSI collects. They may not match the definition of “personal data” that other policies or government regulations, such as the EU GDPR, may reference. If PSI is required under a donor/funder award to comply with GDPR or “GDPR-like” principles, please seek guidance from the PSI HQ legal department or write to Navendu Shekhar (nshekhar@psi.org)/ Daniel Messer (dmesser@psi.org)/ Nina Nathani (nina.nathani@psi.org).
II. Terms and Definitions
Breach
A data breach is a failure in organizational systems of data storage, access, transfer and protection that leads to the unauthorized disclosure, access, alteration or destruction of identifying data. Breaches are commonly accidental, caused by human error, carelessness or a lack of data security processes. They can also be malicious, caused by deliberate, unauthorized data transfer or by internal or external attacks on an organization’s data systems.
Coded data
Identifying data that has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens.
Consumer
For the purposes of the CDPP, consumer is defined as any individual (beneficiary or provider) who receives products, services or outreach, or who interacts with PSI for program design, implementation or research. This includes users of PSI products, clients or patients of PSI, network member or franchise services, recipients or beneficiaries of PSI behavior change communication activities, or subjects, co‐creators or participants of PSI research, marketing or design activities.
Indirectly identifying data
Information that can reasonably be expected to identify an individual through a combination of indirect identifiers. Data sets should not contain more than 2 pieces of indirectly identifying information; it is believed that 2 or more pieces of indirectly identifying information could be used to successfully identify a respondent.
Personally identifying data
Information that identifies a specific individual through direct identifiers (e.g. name, personal/national identification number, personal health number, GPS coordinates to household or workplace, home addresses, work addresses and phone numbers).
Protected data
Diagnosis, treatment, medical conditions, information about previous access to medical services, experience or perpetration of violence, membership of key populations, and biometric data. These data could be captured or created in the course of conducting research, program activities or providing health care services.
III. Scope of the Policy
PSI and its network members collect, store, and use personally identifying data to design, implement, and evaluate programs, to conduct research, to provide medical interventions, to provide care and to report disease occurrence as a partner in surveillance activities. Mobile and digital technologies, including electronic health records and e‐referral systems, are used by PSI to uniquely identify consumers and to improve coverage, follow‐up, productivity, and efficiency in health service provision.
PSI makes a commitment to our consumers, and to our donors and partners, that personally identifying data will be stored securely, managed responsibly and used legitimately. To aid the organization in fulfilling that commitment, PSI has promulgated this organization‐wide consumer data protection policy.
The CDPP sets forth PSI’s standards for data collection, storage, use and sharing, which represent the minimum requirements that must be adopted by network members who collect personally identifying information in order to be compliant with the CDPP. Guidelines for implementation and enforcement of this policy are detailed in an accompanying document.
The CDPP is intended to strike the balance between protecting consumers’ personal data and ensuring that PSI can use such data for the legitimate purpose of providing quality public health programming and healthcare. Compliance with the policy also mitigates risk for the organization and its network members.
IV. About This Document
This CDPP applies to all personally identifying consumer information collected, stored or used by or on behalf of any PSI program, marketing, or research activity. Personal information or data collected, stored, or used only by or on behalf of procurement, finance or personnel/human resources is excluded from the scope of this policy.
The requirements of the CDPP apply to:
• Any and all software and hardware where identifying consumer‐level data is collected and/or stored; and
• All personally identifying consumer data collected and/or stored as part of a PSI program, intervention or partnership, regardless of whether it is electronic or paper based.
For the purposes of the CDPP, consumer is defined as any individual (beneficiary or provider) who receives products, services or outreach, or who interacts with PSI for program design, implementation or research.
V. Standards for Consent and for Data Collection, Storage, Use, and Sharing
A. Standards for Consent
PSI seeks active consent from consumers for the collection and use of their personally identifying data prior to any data collection. Where there are opportunities for further engagement, PSI obtains active consent for these purposes and for every new purpose of engagement thereafter. Active, informed consent uses clear and succinct language to provide consumers with information detailing the personally identifying data that PSI will collect, how it will be used, who will have access to the data and how long the data will be stored.
B. Standards for Data Collection
PSI collects the minimum amount of personally identifying information necessary to conduct program, marketing, service or research activities. PSI assesses the need for collecting personally identifying information against the risk that collecting such data could present to consumers. This policy applies to personally identifying consumer data collected by any available means, whether electronic or paper based.
C. Standards for Data Storage
PSI adheres to operating procedures outlined in the Monitoring and Evaluation Standard Operating Procedures for Keeping Client Data Secure & Confidential and PSI’s IT Policies (global and local) for the secure storage and handling of personally identifying data. This includes password protection, encryption, locked storage units, and physically secure areas, as appropriate. Adherence to these standards is extended to vendors who collect and store personal data on behalf of PSI.
D. Standards for Data Use
PSI minimizes the number of persons or entities that may access personally identifying data held by PSI and its network members. Personnel are granted access to personally identifying data based on the PSI Consumer Data Classification Table included within the CDPP’s implementation guidance. Access to personal data is approved by the system administrator or project manager and reviewed monthly, or as indicated in a research protocol.
E. Standards for Data Sharing
Consumer identifying data may only be shared internally and externally in accordance with the PSI Consumer Data Classification Table included within the CDPP’s implementation guidance. Unless specific exclusions apply (e.g., legitimate public health purposes), external sharing of data is limited to de‐identified data.
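The following is an added worked example, not part of the PSI policy or its implementation guidance. It shows the two mechanisms the policy relies on: producing "coded data" as defined in section II (direct identifiers replaced by a code, with the key held separately) and checking a data set against the external sharing rule in section V.E (no direct identifiers, no more than the stated number of indirectly identifying fields). The column names, the record set and the list of which fields count as direct or indirect identifiers are constructed assumptions for illustration; a real register would use the PSI Consumer Data Classification Table.

```python
# Added example (not PSI's code): coding direct identifiers with a keyed hash,
# keeping the key table separate, and checking a data set before external sharing.
# Field names, classifications and sample records are constructed assumptions.
import hashlib
import hmac
import secrets

# Assumed classification of columns in a constructed client register.
DIRECT_IDENTIFIERS = {"name", "national_id", "phone", "home_gps"}
INDIRECT_IDENTIFIERS = {"age", "sex", "district", "occupation"}
MAX_INDIRECT = 2  # the policy's limit on indirectly identifying fields per data set


def make_code(identifier: str, key: bytes) -> str:
    """Derive a stable code from a direct identifier with a keyed hash.

    HMAC rather than a plain hash: without the key nobody can recompute the code
    from a guessed national ID, so the key table is the only route back.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def code_records(records, key_field, key):
    """Split records into a coded data set and a separately stored key table.

    Returns (coded, key_table): coded rows carry the code plus every non-direct
    field; key_table maps code -> the direct identifiers that were removed.
    """
    coded, key_table = [], {}
    for rec in records:
        code = make_code(str(rec[key_field]), key)
        key_table[code] = {f: v for f, v in rec.items() if f in DIRECT_IDENTIFIERS}
        coded.append({"code": code, **{f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}})
    return coded, key_table


def relink(coded_row, key_table):
    """Re-identify one coded row; only possible for whoever holds the key table."""
    return {**key_table[coded_row["code"]], **{f: v for f, v in coded_row.items() if f != "code"}}


def sharing_violations(records):
    """Return reasons a data set must not be shared externally (empty list = OK).

    Checks the two conditions stated in the policy: no direct identifiers, and no
    more than MAX_INDIRECT indirectly identifying fields across the data set.
    """
    fields = set().union(*(r.keys() for r in records)) if records else set()
    problems = []
    direct = sorted(fields & DIRECT_IDENTIFIERS)
    if direct:
        problems.append(f"direct identifiers present: {direct}")
    indirect = sorted(fields & INDIRECT_IDENTIFIERS)
    if len(indirect) > MAX_INDIRECT:
        problems.append(f"{len(indirect)} indirect identifiers present (limit {MAX_INDIRECT}): {indirect}")
    return problems


# Constructed sample register: fictional people and values.
SAMPLE_RECORDS = [
    {"name": "A. Example", "national_id": "ID-0001", "phone": "+000111", "home_gps": "0.0,0.0",
     "age": 34, "sex": "F", "district": "North", "occupation": "teacher", "diagnosis": "malaria"},
    {"name": "B. Example", "national_id": "ID-0002", "phone": "+000222", "home_gps": "0.1,0.1",
     "age": 41, "sex": "M", "district": "South", "occupation": "farmer", "diagnosis": "none"},
]


def prepare_for_sharing(records, key, keep_indirect=("age", "sex")):
    """Code the records, drop indirect identifiers not listed in keep_indirect,
    and return (shareable_rows, key_table, violations)."""
    coded, key_table = code_records(records, "national_id", key)
    drop = INDIRECT_IDENTIFIERS - set(keep_indirect)
    shareable = [{f: v for f, v in row.items() if f not in drop} for row in coded]
    return shareable, key_table, sharing_violations(shareable)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the data owner, never shipped with the data set
    rows, key_table, problems = prepare_for_sharing(SAMPLE_RECORDS, key)
    print("raw set violations:", sharing_violations(SAMPLE_RECORDS))
    print("shareable rows:", rows)
    print("shareable set violations:", problems)
    print("relinked by key holder:", relink(rows[0], key_table)["name"])
```

Running the block with the constructed records, the raw register fails both checks, the coded set with all four indirect fields still fails the indirect-identifier limit, and only the trimmed set produced by prepare_for_sharing passes. The key table and the HMAC key stay with the team that collected the data; the shared file carries only the code.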
F. Standards for Biometric Data
The collection of biometric data presents both an opportunity for innovation and increased risk to PSI consumers. Any new initiative that intends to collect biometric data from consumers must be submitted for review by the TI Governance Council. Approval for biometric data collection will take into consideration local laws, local context, foreseeable risks to the consumer, benefits, vendor capabilities, and data protection measures. The risks to consumers must not outweigh the benefits to consumers and PSI.
VI. Roles and Responsibilities
Everyone who works for or with PSI has some responsibility for ensuring that personally identifying consumer data is collected, stored and handled appropriately and lawfully. Any questions regarding this policy and PSI’s data protection practices should be sent by email to nshekhar@psi.org or by writing to: Evidence Department at PSI, 1120 19th Street, NW, Suite 600 Washington, DC 20036. Alternatively, you can telephone 202.785.0072.
A country office typically has a local system administrator (usually on the M&E team), who has access rights and the ability to control users and data in the system.