Legal and regulatory frameworks
Protecting individual privacy rights
Legislation should provide for the protection of personal information and privacy, including data security. Measures to ensure confidentiality and protect against misuse are critical for, among other reasons, promoting trust and confidence in the system, thereby maximising the likelihood that the will support and comply with obligations to provide complete and accurate information in a timely manner. The law should contain privacy protections that reflect the following basic principles:
- Collect only what is necessary for the purpose – an effective way of promoting good privacy practice is to collect the minimum amount of personal information that is necessary to meet a clearly defined and articulated purpose.
- Data should be anonymised – for use outside of official civil registry business, data should be anonymised in such a way that individuals cannot be identified based on the characteristics of their record.
- Use or disclosure for purpose – the registry should minimise the risk of individuals being surprised as to how their personal information is managed, including by ensuring personal information is generally only used or disclosed for the purpose for which it was collected.
- Ensure transparency – a high degree of transparency should accompany the implementation and operation of the registry, including openness on how the system handles personal information and permitting individuals access to their personal information and, where necessary, the ability to challenge and correct mistakes.
- Secure handling of personal information – an element of enhancing privacy will be measures that improve how securely personal information can be handled, whether while in storage, during transmission or during use.
Legislation should also state that information on individual event records is not to be disclosed except to specifically authorised persons, such as the registrants themselves, their legal representatives, a close relative (such as a spouse, parent or child), or other person having a direct right to the record. Procedures for sharing files with other authorised agencies should be documented in advance.
The investment plan, written by the World Bank and WHO, provides an overview of the common issues and challenges with CRVS systems and opportunities for improvement. Section 2 contains information on privacy and personal information: World Bank (2014). Global civil registration and vital statistics scaling up investment plan 2015–2024. World Bank, Washington DC.
United Nations Department of Economic and Social Affairs Statistics Division (1998). Handbook on civil registration and vital statistics systems: Preparation of a legal framework. United Nations, New York.