Page 17 - ITU-T Focus Group Digital Financial Services – Consumer Experience and Protection
P. 17
ITU-T Focus Group Digital Financial Services
Consumer Experience and Protection
3.4 Data Protection and Privacy
Data protection and privacy measures are concerned with the way that data is collected, stored, shared and
exploited. This is important for consumers because the misuse of data may result in identity theft, damage to
a user’s credit profile, unsolicited offers, nuisance calls and the influx of fraudulent or unsolicited messages
among other risks and harms. This area of consumer protection in DFS is in very early stages, with little law
and regulation in existence.
Many new users of DFS are creating a ‘digital footprint’ for the first time. This refers to the accumulation of
data which takes places when a consumer uses their digital device (McKee, Kaffenberger, & Zimmerman, 2015).
In recent study carried out by Makulilo (2015) on data privacy for DFS in Africa, it was noted that there are
many opportunities for data abuse and leakage due to extended value chains and many players involved
in a transaction. In addition, there may be incentives for data commoditization for things such as targeted
advertising. Makuilio claims that in Uganda the government has misused data on claims of national security
and then passed it on to business entities to promote their services through unsolicited messages.
Early considerations in data privacy include:
Table 4: Data protection and privacy
Key issues Examples
1. ENCRYPTION OF DATA Where feasible, data related to DFS is encrypted both when in transportation and
when stored. The systems in place which encrypt data are regularly tested and
problems addressed.
2. ACCESS RESTRICTION TO As a measure to prevent the misuse of data, providers implement levels of
CONSUMER DATA authorization and/or separation of roles to ensure that employees, agents, or
business partners are not able to access the entirety of a consumer’s data without
justification.
3. INFORMED CONSENT Customers are clearly and effectively informed of what data will be collected and
how it will be used, prior to its collection and use, and are given the option to con-
sent or not.
4. MINIMISATION OF DATA Providers limit the amount of personal data they collect from consumers to only
COLLECTION AND LIMITATION what is necessary for the purpose. Providers limit the retention of data and destroy
OF RETENTION data after it is used for its intended purpose.
5. PROTECTION OF PERSONAL Providers ensure that personal data is maintained securely, and there are authen-
DATA tication systems in place. There are repercussions in place when personal data is
misused.
6. CLEAR POLICY ON DATA Providers should have a data collection and handling policy which states what types
COLLECTION AND SHARING of data will be collected and under which circumstances it may be shared.
9
