Transparency

All PPP documentation should be made publicly available – and where legitimate concerns around disclosure of sensitive information arise (such as state secrets or national security information), it should be made available on a confidential basis to relevant independent oversight bodies (with appropriate clearance/access rights) who can evaluate their adequacy and require changes if necessary (see for example in Argentina how the right of access to public information interacts with exceptions for reasons of national security - in Spanish only). Any redactions from these documents when made publicly available must be strictly justifiable, and reviewable by an independent oversight body if necessary or challenged. Public procurement contracts should be made public (this is already a requirement in many jurisdictions). Wider PPP documentation must provide meaningful information as to the substance of the partnership, to enable understanding of the impact on the public and citizens’ fundamental rights.

PPP documentation should typically include the following (depending on the nature of the technology and services provided, some assessments may or may not be required):

• Contracts, procurement information, Memorandums of Understanding (MoUs), and any other documents providing details of the partnership
• Data Sharing Agreements (‘DSA’) or Data Processing Agreements (‘DPA’)
• Human Rights Impact Assessments (‘HRIA’)
• Data Protection Impact Assessments (‘DPIA’) or Privacy Impact Assessments (‘PIA’)
• Algorithmic Impact Assessments (‘AIA’)
• Records of data processing

Authorities should keep an updated public record of surveillance technologies used or deployed within their jurisdiction. The record should contain details and purpose of the technologies, their coverage (geography, time), and identified risks to individuals’ rights and measures taken to mitigate those.

Issue addressed

Very limited information publicly accessible – painstaking efforts from CSOs are required to obtain limited and restricted responses to requests for information

Example(s) of abuse

Palantir and the UK government: information about Palantir’s collaboration with UK government departments has been very limited. PI and other CSOs have repeatedly attempted to obtain further information but were given little additional and sometimes contradictory information.

Companies involved in PPPs should waive commercial confidentiality and make their technologies fully auditable by any third party, to enable understanding of (1) what data the company and its technology have access to, (2) how the technology analyses the data and draws conclusions (including disclosure of algorithm parameters), and (3) what role the technology performs in the public authority’s decision-making process. Such information should be available for public scrutiny prior to contracting. If details of the workings of a particular technology cannot be disclosed for specified and valid grounds of serious commercial harm to the company, an independent oversight body bound by duties of confidentiality should be granted full access to all details of the technology required to establish those details.

Issue addressed

Commercial interests or intellectual property rights prevent disclosure of details of a technology or system

Example(s) of abuse

Amazon and the UK NHS: the contract obtained was largely redacted for reasons of Amazon’s commercial interest. After PI’s challenge, the UK’s data protection authority ordered partial disclosure.

Electronic voting in Paraguay: machines were made available for auditing, but neither the source code nor the hardware were open for auditing.

When personal data is envisaged to be processed as part of a PPP, any provisional or final documentation should include details of prospective and actual data processing activities, including at a minimum:

• Categories of data subjects (note the use of wide terms such as “members of the public” tends to demonstrate that authorities have not properly reflected on the impact of the processing)
• Types of personal data, with purposes of processing for each
• Sources of personal data (where the data will be obtained) and legal basis for obtaining from each of those sources

This information should be published in policies directed at populations whose data will be processed.

Issue addressed

Lack of clarity about whether and what type of personal data is or will be processed

Example(s) of abuse

Palantir and the Cabinet Office for the Border Flow Tool: it took PI months and multiple Freedom of Information (‘FOI’) requests to understand what kind of personal data Palantir would be processing – the public contract only mentioned processing of data on “members of the public”.

PPP contracts should give explicit details of the company’s access to data (whether for software maintenance, customer support, audit logs or emergency purposes), and provide for corresponding safeguards to ensure security and proper handling of the data. DPIAs should assess the risks of citizens’ data (especially if highly sensitive data) transferring to private hands and consider the suitability of associated access rights, security, retention and deletion measures.

Issue addressed

Lack of clarity as to the type and level of access to data granted to the company

Example(s) of abuse

Palantir and the NHS: the contract contradicted the DPIA conducted with regards to Palantir’s access to data.

Legislation guaranteeing suitable access to public interest information must exist or be passed. PPP documentation ought to be available for public consultation under such legislation. When a PPP is set up, a person or entity within the relevant public authority should be designated responsible for providing access to information about the deployment of a technology and related services, and their contact details should be available on any publicly accessible website notifying the deployment of the technology or within the public PPP documentation.

Issue addressed

Public access to information about PPPs is often hindered by the lack of, or unsuitability of, a legal or procedural framework for access to information (e.g. FOIA legislation)

Example(s) of abuse

Huawei surveillance cameras in Valenciennes: PI’s numerous requests to the city of Valenciennes bounced around for months because no defined entity was designated as responsible to respond to our requests.