DPGA Launches Strengthened Privacy and Data Security Framework for Digital Public Goods Standard

Author: Amreen Taneja, DPG Standard Lead
In an increasingly digital world where data has become a critical asset, privacy and data security have emerged as fundamental rights and essential safeguards for individuals and communities. From healthcare systems and financial services to educational platforms and humanitarian aid delivery, digital solutions handle vast amounts of sensitive personal information that require appropriate protection and responsible handling. For users of digital solutions around the world, robust privacy measures are not just important but an essential part of preventing exploitation and mitigating harm.
The Digital Public Goods Standard is a set of specifications and guidelines designed to maximise consensus about whether a digital solution conforms to the definition of a digital public good (DPG) as defined in the UN Secretary General’s Roadmap for Digital Cooperation. As part of this, in order to be considered a digital public good, solutions must be designed and developed to comply with privacy and other applicable laws (Indicator 7 of the DPG Standard) as well as to anticipate, prevent, and do no harm by design (Indicator 9).
Recognising the importance of privacy and data security to achieve these aims, the Digital Public Goods Alliance is pleased to announce these updates to the DPG Standard. The updates introduce six new requirements as well as an annexure of privacy and data security best practices, which serve as a practical guide for applicants seeking to improve their digital solutions. These changes are the result of a consultative process and will strengthen the design and development of open solutions seeking DPG recognition. The criteria will apply to all new solutions seeking certification in the DPG Registry and will be collected from existing DPGs during their annual review.
Formation of Privacy Expert Group for driving DPG Standard Enhancement
In April 2024, the DPGA Secretariat, in collaboration with the Open Knowledge Foundation, assembled a distinguished Privacy Expert Group comprising neutral privacy professionals from legal, technical and multilateral sectors. This expert group was specifically tasked with addressing critical gaps in privacy compliance within the existing DPG Standard and aligning DPGs with global best privacy practices.
The expert group, co-led by DPGA Secretariat’s Standards Lead, Amreen Taneja, and Open Knowledge Foundation representatives, Renata Avila (CEO) and Patricio Del Boca (Technical Lead), worked alongside Thomas Shone from the Netherlands, Godfrey Kutumela from South Africa, Clarissa Luz from Brazil, Marie C. Bonnet from France, Puneet Bhasin from India, Emma Day from the United Kingdom and Aparna Bhushan from the United States. This geographic diversity ensured that the updated requirements could accommodate local legislation and regional privacy ecosystems while maintaining global applicability.
The expert group focused on three objectives:
1. Conducting a gap analysis and risk assessment to identify shortcomings in privacy compliance within the DPG Standard;
2. Defining clear parameters for privacy compliance under Indicator 7 to be embedded in the assessment process, with the aim of ensuring fair criteria for both small-scale and larger DPGs; and
3. Proposing an annex to Indicators 7 and 9(a) that sets out recommended best practices for privacy and data security, strongly encouraged for applicants to adopt.
Privacy Requirements for the DPG Standard
The Privacy Expert Group's recommendations were submitted to the DPG Standard Council as part of the Standard's governance process. The Standard Council reviewed and adapted these recommendations, ensuring they could be effectively incorporated into the DPG review process while maintaining accessibility for applicants.
The updated requirements, now mandatory for all DPG applicants, are structured around six fundamental privacy concepts that are addressed through specific questions in the application process. These questions are designed to extract critical information traditionally found in extensive documentation, such as Privacy Impact Assessments (PIAs), Data Protection Impact Assessments (DPIAs), and Data Retention Policies, that the DPG Review team would require to assess the design and development aspects of the product, while ensuring the process remains accessible to applicants ranging from large organisations to small-scale innovators.
Six New Privacy Considerations for DPG Applicants
1. Data Minimisation: Applicants must now answer: ‘Is this the minimum amount of PII data required for your solution to function properly?’ This question ensures alignment with global privacy regulations like GDPR (General Data Protection Regulation), by demonstrating that DPGs collect only the minimum amount of Personally Identifiable Information (PII) necessary for functionality, particularly important when serving vulnerable populations.
2. User Consent Mechanisms: The application process now requires responses to: ‘How does your solution communicate to the user that you are collecting their PII data?’ This addresses the critical need for transparency in obtaining and managing user consent, ensuring compliance with frameworks such as GDPR and the California Consumer Privacy Act (CCPA) while empowering users to make informed choices about their data.
3. Data Usage Transparency: Two key questions in the application process address this aspect: ‘Please provide your privacy policy or any relevant documentation that outlines consent management procedures, the reasons for collecting and processing PII data, and any processes in place for handling subject requests.’ and ‘Where in the solution is PII data being processed or used? And which components of the solution allow access to this data?’. These questions ensure that applicants clearly articulate their data practices, demonstrating compliance with the principle of purpose limitation and operational transparency.
4. Adherence to Privacy-By-Design Principles: Applicants must answer the question: ‘Which mechanisms does your solution provide to delete PII data?’ This question evaluates applicants’ readiness to handle data retention and deletion responsibly, highlighting mechanisms for addressing user requests and preventing indefinite data storage. Solutions with strong privacy-by-design features reflect a commitment to ethical data practices and regulatory compliance.
5. Transparency Around Data Retention: Using the same question as privacy-by-design, this requirement ensures that solutions have clear data retention and deletion procedures, demonstrating compliance with regulations that mandate minimising risks associated with prolonged data storage while fostering trust among users, particularly in solutions serving marginalised communities.
6. Data Governance and Access Controls: The question ‘Where in the solution is PII data being processed or used? And which components of the solution allow access to this data?’ also addresses the need for secure data management, ensuring that PII is protected against breaches and misuse through robust governance mechanisms that align with principles of data isolation and segregation.
Best Practices Annexure Launched
Alongside the mandatory requirements, we have released a comprehensive annexure of privacy and data security best practices that, while not mandatory, are highly encouraged for all DPGs. This detailed guidance document provides a practical roadmap for both small and large-scale open solutions seeking to align with industry standards.
This annexure encompasses four critical areas of privacy and data security practices.
1. Privacy Governance and Accountability establishes policy-level best practices, including comprehensive privacy policies that align with international standards, consideration of non-PII and group data risks, and governance accountability measures such as designating Data Protection Officers and establishing independent ethics review processes.
2. Compliance Documentation and Proofs provides guidance on essential documentation, including Data Protection Impact Assessments, data flow mapping, retention and disposal policies, security issue communication protocols, training records, and third-party vendor management. These documentation requirements ensure that DPGs maintain comprehensive records of their privacy practices and can demonstrate compliance when required.
3. Technical and Organisational Safeguards outlines best-practice implementation requirements for minimum data protection controls, including robust authentication and access controls with role-based access and multi-factor authentication, comprehensive logging and auditing systems, state-of-the-art encryption for data in transit and at rest, systematic vulnerability management, data isolation and localisation measures, and privacy-enhancing technologies such as differential privacy and federated learning.
4. Lifecycle Management and Oversight ensures that privacy considerations are embedded throughout the entire data lifecycle, including ongoing risk monitoring, audit readiness, and change management processes that assess privacy and security implications during product updates.
How Privacy Enhancements Strengthen the Digital Public Goods Ecosystem
These enhanced privacy requirements represent a significant advancement in ensuring that DPGs anticipate, prevent, and do no harm in the design and development of their solutions. By embedding effective privacy safeguards into the design and development stages of DPGs, these updates enable DPGs to better serve users and communities while upholding critical privacy rights. The privacy-focused approach is particularly crucial for DPGs serving vulnerable populations, who face heightened risks from data misuse or unethical practices.
Aligned with global privacy standards, these updates aim to strengthen the credibility and long-term sustainability of digital public goods, making them more trustworthy to partners, funders, and international initiatives. They also establish privacy compliance as an integral part of DPG evaluation, reinforcing both operational efficiency and ethical practice across the ecosystem.
As DPGs play an increasingly vital role in advancing the UN Sustainable Development Goals, these enhanced privacy protections ensure they can fulfill their mission while maintaining the trust and confidence of the communities they serve. Through these comprehensive updates to the DPG Standard, we aim to lead the way in establishing ethical frameworks for digital development, ensuring that DPGs create maximum positive impact while upholding fundamental principles of privacy and security essential for sustainable global progress.