Data Protection Policy
Preamble – Aim of the Data Protection Policy
IDPoor (“Identification of Poor Households”, IDPoor) is a mechanism developed by the IDPoor department of the Cambodian Ministry of Planning to identify poor and vulnerable households so that they can access benefits such as social transfers, healthcare, and other targeted social services. The MOP-IDPoor department believes that promoting human dignity is at the core of all aspects of social protection, whether digital or otherwise. IDPoor collects, stores and disseminates a great amount of personal data of its beneficiaries. This data requires adequate protection to avoid any harm caused to individuals.
This Data Protection Policy is based on globally accepted, fundamental principles of data protection. With this policy, the MOP-IDPoor department aims to ensure that it collects, stores and handles data fairly, transparently and with respect towards human rights. It is a framework document which should provide orientation to the MOP-IDPoor department as well as its partners.
Article 1 – Scope of the Data Protection Policy
This Data Protection Policy applies to all activities in the scope of the IDPoor process, and to all personal data that IDPoor holds on identified or identifiable individuals.
Article 2 – Definitions
Any person whose personal data is being processed is a data subject. Data subjects are all individuals whose data is processed in the scope of the IDPoor process (hereinafter called “beneficiaries”), as well as individuals or organisations who register as data users in the websystem or public IDPoor app (hereinafter called “data user”).
The data controller is the individual or the ministry/organisation that, alone or together with others, decides why and how personal data is processed. The Ministry of Planning has been mandated by the Royal Government of Cambodia to implement the IDPoor procedures and is the data controller.
The data processor is the individual or organisation that processes data on behalf of a data controller. In IDPoor, sub-national implementers such as Provincial Departments of Planning (PDOPs), Commune/Sangkats and volunteers qualify as data processors.
Processing of personal data means any operation performed on such data, for example data collection, recording, organization, use, transmission to partner organizations, deletion or destruction. Whenever personal data is processed, it needs to be protected to prevent exposing individuals to harm.
Article 3 – Categories of data processed by IDPoor
MOP-IDPoor’s Data Protection Policy applies to all sets of personal data, currently stored, maintained and handled by MOP-IDPoor, and more specifically data on IDPoor’s beneficiaries.
The categories of data sets collected and stored by MOP-IDPoor are described below.
3.1 Beneficiary data
Personal data means any information on a person that allows them to be identified either directly or indirectly by reference to a specific characteristic. Characteristics may include a name, an identification number, physical, mental, cultural or social characteristics.
When such data is unprotected, individuals may be exposed to harm, stigmatization or discrimination because they are identified as beneficiaries of the IDPoor programme. This runs contrary to the objectives of IDPoor of helping vulnerable people.
Personal and contact data collected are in particular:
- Names of individuals
- Postal or living addresses
- Email addresses
- Telephone numbers
- Identity card and passport
- Date of birth
- Identification of relatives
- Housing situation (of household)
- Assets (of household)
Sensitive personal data is a particular sub-category of personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms. It typically includes information revealing personal characteristics (including physical appearance), as well as information such as:
- Health status (HIV) / Disability
- Indigenous group
- IDPoor classification (of household)
- Data relating to children (including age, photos)
- Photos of household members
3.2 Data users
- First name and last name
- Email address and/or Telephone number
- Organisation details (Name, address, telephone number and email address)
- Personal details of the responsible person (Title, Position in the organisation, telephone number)
Article 4 – Application of National Laws and sources of authority
The Cambodian Ministry of Planning and the department of IDPoor are subject to Cambodian laws. To date, Cambodia has not yet enacted any comprehensive data protection legislation.
Cambodian law has several provisions on the right to privacy, which is protected in broad terms under Article 40 of the Constitution of the Kingdom of Cambodia 2010 (“the Constitution”). Furthermore, under Article 31 of the Constitution, rights described in the Charter of the United Nations and the Universal Declaration of Human Rights (“UDHR”) have been recognised and ratified, and thereby carry legal force in Cambodia. Further legislation related to the right of privacy includes Articles 10 (personal rights), 11 (right to an injunction in case of risk of infringement of personal rights), 12 (elimination of the effects of an infringement of a personal right), 13 (compensation for any damage suffered from an infringement of their personal rights) and Article 336 (requirement of consent for an agreement to be valid) of the Civil Code of the Kingdom of Cambodia 2007, and Articles 301 and 302 of the Criminal Code of the Kingdom of Cambodia 2009.
In the absence of comprehensive data protection legislation in Cambodia, and, consequently, of an independent Data Protection Authority, MOP-IDPoor’s data protection focal person will handle data subject requests such as objections and suggestions until comprehensive data protection legislation has been established.
Article 5 – Principles for Processing Personal Data
5.1 Purpose specification
The moment their personal data is being collected, IDPoor explains to the data subject why the data is being collected, and how it is going to be used (processed) and kept. This principle recognizes that personal data belongs to the individual’s private sphere.
Personal data is only to be used for the legitimate purpose of providing social services to poor and vulnerable persons. It shall not later be used in a way that is incompatible with those stated purposes. Subsequent changes to the purpose are only possible to a limited extent and require justification. A purpose change is considered incompatible if data subjects might consider the further processing unexpected, inappropriate, or otherwise objectionable.
Further data processing for statistical, scientific and historical purposes shall be considered compatible with the initial purposes of the data collection, if it is not used to take decisions with respect to the data subjects.
5.2 Fairness, Lawfulness and Transparency
Personal data is collected and processed in a legal and fair manner, and the individual rights of data subjects need to be protected. This means that nobody is coerced into giving personal information and no unfair practices shall be used by tricking data subjects into giving information. Individual data can be processed when the data subject agrees to it (voluntary consent). If the data subject does not give consent to the data processing, registration in and use of the database is not possible.
IDPoor ensures that data collection and processing is transparent, meaning that personal data is not used in ways that data subjects would not expect, were not informed of and are not otherwise aware of. When the data is collected, the data subject is informed of:
- The purpose of data processing
- The legal basis on which their data is being processed
- Third parties to whom the data might be transmitted
5.3 Data minimization
Collected data shall be adequate, relevant and limited (i.e., minimal) in relation to the purposes for which they are collected and their further processing. This means IDPoor only collects, processes and shares the data that is needed to identify poor or vulnerable persons, and not for future, unspecified purposes.
5.4 Confidentiality and Data Security
Personal data is to be kept secret. IDPoor and its staff treat it as confidential and secure it with suitable physical, organisational and technical measures to prevent unauthorized access, unauthorized or unlawful processing or distribution, as well as accidental or deliberate loss, destruction, modification or disclosure. Data users have to agree in writing to a confidentiality clause included in the IDPoor data sharing agreement.
Certain categories of personal data are considered sensitive and additional protection measures apply.
5.5 Retention limitation
Personal data shall be kept, in a form which permits identification of data subjects, solely for the period of time that is necessary for the purposes for which it was processed.
Personal data in the IDPoor database may be stored for longer periods for archiving, statistical, scientific or historical research purposes. In these cases, appropriate safeguards should be put in place to protect the rights and freedoms of the data subjects, such as protection against unauthorised access, abuse or disclosure.
5.6 Accuracy and Up-to-datedness of Data
Personal data on file must be correct, complete, and – where necessary – kept up to date. Personal data is used to identify the vulnerability and poverty status of households. If the data is not accurate, households may not be able to access social services despite their eligibility. IDPoor is conceived in such a way that households have the possibility to apply for registration in the database, or rectification of their data stored therein, at any time. Households are also re-assessed periodically to update their data and verify their vulnerability and poverty status.
Article 6 – Rights of the Data Subject
All individuals who are the subject of personal data held by IDPoor are entitled:
- To inquire which personal data relating to him/her has been stored, how the data was collected, and for what intended purpose. Individuals are informed of the possibility that personal data is transmitted to third parties. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- To request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis does not apply anymore, for example if the IDPoor mechanism ceased to exist.
Article 7 – Transmission of Personal Data to Third Parties
Transmission of personal data to third parties requires consent of data subjects. Users of IDPoor data are required to use the data only for the defined purposes such as providing social services to the poor, or research purposes. Whenever data is transmitted to a data user outside IDPoor, this recipient must agree to the terms of the IDPoor data sharing agreement.
Article 8 – Possibility to request the update of data and to provide feedback and complaints
All IDPoor beneficiaries can contact the MOP-IDPoor department and sub-national implementers via the Public IDPoor App to exercise the rights listed in Article 6 – Rights of the Data Subject. The MOP-IDPoor department has set up a Complaint Response Mechanism via its Public IDPoor App to ensure that any data subject can contact IDPoor to verify the data IDPoor holds about them. Any request by individuals should be followed up and corrections will be made wherever appropriate.
Beneficiaries can also file a request to update their data stored in the IDPoor database. If third parties file a request to update data on behalf of a beneficiary, they need to provide evidence that they have been authorized by the beneficiary to do so. This is to ensure that personal information is only shared with the person it relates to or authorized third parties.
Article 9 – Confidentiality of Processing
Any unauthorized collection, processing, or use of such data by MOP-IDPoor staff and implementers is prohibited. Any data processing undertaken by an MOP-IDPoor staff member or implementer that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. Members of staff and implementers shall only have access to the data necessary to accomplish a task. Duly authorized members of staff may only have access to personal information necessary for the type and scope of the task in question (“need to know” principle). This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
MOP-IDPoor staff and implementers are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform staff members about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
IDPoor encourages its staff and stakeholders to report suspected cases through the following means:
- Staff can report malpractices using standard lines of hierarchy
- Beneficiaries and their representatives can report using the Complaints and Response Mechanism (CRM) in the Public IDPoor App.
IDPoor will not tolerate false accusations which are designed to damage a member of staff’s reputation. Anyone found making false accusations will be subject to investigation and disciplinary action.
Article 10 – Accountability
IDPoor is responsible for ensuring that the legal requirements for data protection, and those contained in this Data Protection Policy, are met.
As part of its organisational measures to keep data safe, IDPoor has appointed a data protection focal person. Supervisors must ensure that members of staff and implementers are sufficiently trained in data protection. Compliance with these requirements is the responsibility of the relevant members of staff.
Article 11 – Implementation of the policy
This policy has been approved by IDPoor on 12th October 2022 and comes into effect immediately.
It is shared with all MOP-IDPoor department staff, IDPoor implementers at provincial and Commune/Sangkat level, and data users, and is available on request to other parties.