
Part I - Data Protection Principles in Humanitarian Action

Published online by Cambridge University Press:  24 October 2024

Massimo Marelli, International Committee of the Red Cross (ICRC) and Universiteit Maastricht, Netherlands

Type: Chapter
Publisher: Cambridge University Press
Print publication year: 2024
Creative Commons licence: This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

Chapter 2 Basic principles of data protection

2.1 Introduction

Humanitarian Organizations collect and process the Personal Data of individuals affected by Humanitarian Emergencies in order to perform humanitarian activities. Working primarily in Humanitarian Emergencies, they operate in situations where the rule of law may not be fully in force. In such situations, there may be limited, if any, access to justice and respect of the international human rights framework. In addition, Personal Data protection legislation may be embryonic or non-existent, or not entirely enforceable.

An individual’s right to Personal Data protection is not an absolute right. It should be considered in relation to the overall objective of protecting human dignity, and be balanced with other fundamental rights and freedoms, in accordance with the principle of proportionality.[1]

As the activities of Humanitarian Organizations are carried out primarily in Humanitarian Emergencies, they operate in situations where the protection of the Personal Data of affected populations and staff is often necessary to safeguard their security, lives and work. Accordingly, Personal Data protection and Humanitarian Action are complementary and reinforce each other. However, there may also be instances of friction where a balance between different rights and freedoms needs to be struck (e.g. between the freedom of expression and information and the right to data protection, or between the right to liberty and security of a person and the right to data protection). The human rights framework aims to ensure respect for all human rights and fundamental freedoms by balancing different rights and freedoms on a case-by-case basis. This approach often requires a teleological interpretation of rights,[2] i.e. one that prioritizes the purposes the rights serve.

Example:

Data protection law requires that individuals be given basic information about the Processing of their Personal Data. However, in a Humanitarian Emergency it is necessary to balance this right against other rights, and in particular the rights of all affected individuals. It would therefore not be necessary to inform all individuals of the conditions of data collection prior to receiving aid, if this would seriously hamper, delay or prevent the distribution of aid. Rather, the Humanitarian Organizations involved could provide such information in a less targeted and individualized way with public notices, or individually at a later stage.

Some Humanitarian Organizations with a mandate under international law need to rely on specific working procedures, in order to be in a position to fulfil their mandate. Under international law these mandates can justify derogations from the principles and rights recognized in Personal Data Processing.

For example, it may be necessary to balance data protection rights against the objective of ensuring the historical and humanitarian accountability of stakeholders in Humanitarian Emergencies. Indeed, in Humanitarian Emergencies, Humanitarian Organizations may be the only external entities present, and may be the only possibility for future generations to have an external account of history as well as to provide a voice to victims.[3] Furthermore, data from Humanitarian Organizations may also be needed to support the victims of armed conflicts and other situations of violence, or their descendants, for example in documenting their identity and legal status, submitting claims for reparations, etc. Data retention by Humanitarian Organizations may be of fundamental importance, particularly considering that in Humanitarian Emergencies few or no other records may be available.

Confidentiality may also be of fundamental importance for some Humanitarian Organizations, as it may be an essential precondition for the ongoing viability of Humanitarian Action in volatile environments, to ensure acceptance by parties to a conflict and people involved in other situations of violence, proximity to people in need and the safety of their staff. This may have an impact, for example, on the extent to which Data Subject access rights may be exercised.[4]

The following checklist sets out the main points explained in detail in this Handbook, which should be considered when dealing with data protection, in relation to the purpose or purposes for which data are processed.

  • Is there Processing of Personal Data?

  • Are individuals likely to be identified by the data processed?

  • Does the information require protection even if it is not considered to be Personal Data?

  • Have (if applicable) local data protection and privacy laws been complied with?

  • For what purpose are the data being collected and processed? Is the Processing strictly limited to this purpose? Does this purpose justify the interference with the privacy of the Data Subject?

  • What is the legal basis for Processing? How will it be ensured that the data are processed fairly and lawfully?

  • Is the Processing of Personal Data proportionate? Could the same purpose be achieved in a less intrusive way?

  • Which parties are Data Controllers and Data Processors? What is the relationship between them?

  • Are the data accurate and up to date?

  • Will the smallest amount of data possible be collected and processed?

  • How long will Personal Data be retained? How will it be ensured that data are only retained as long as necessary to achieve the purpose of the Processing?

  • Have adequate security measures been implemented to protect the data?

  • Has it been made clear to individuals who is accountable and responsible for the Processing of Personal Data?

  • Has information been provided to individuals about how their Personal Data are processed and with whom they will be shared?

  • Are procedures in place to ensure that Data Subjects can assert their rights with regard to the Processing of Personal Data?

  • Will it be necessary to share data with Third Parties? Under what circumstances will Personal Data be shared with or made accessible to Third Parties? How will individuals be informed of this?

  • Will Personal Data be made accessible outside the country where they were originally collected or processed? What is the legal basis for doing so?

  • Have Data Protection Impact Assessments been prepared to identify, evaluate, and address the risks to Personal Data arising from a project, policy, programme, or other initiative?

2.2 Basic data protection concepts[5]

Data protection law and practice limit the Processing of Personal Data of Data Subjects, in order to protect individuals’ rights.

Processing means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination or erasure.

Personal Data means any information relating to an identified or identifiable natural person.

A Data Subject is a natural person (i.e. an individual) who can be identified, directly or indirectly, in particular by reference to Personal Data.

Some data protection laws include the additional category of Sensitive Data in the concept of Personal Data. For the purposes of the present Handbook, Sensitive Data means Personal Data which, if disclosed, may result in discrimination against, or repression of, an individual. Typically, data relating to health, race or ethnicity, religious/political/armed group affiliation, or genetic and biometric data are considered to be Sensitive Data. All Sensitive Data require augmented protection, even though different types of data falling under the scope of Sensitive Data (e.g. different types of biometric data) may present different levels of sensitivity. Given the specific environments in which Humanitarian Organizations work and the possibility that various data elements may give rise to discrimination, setting out a definitive list of Sensitive Data categories for Humanitarian Action is not meaningful. For example, in some situations, a simple list of names may be very sensitive, if it puts the individuals on the list and/or their families at risk of persecution. Equally, in other situations, data collected to respond to Humanitarian Emergencies may need to include data that in a regular data protection context would be considered to be Sensitive Data, and whose Processing would in principle be prohibited, but which in the local culture and the specific circumstances may be relatively harmless. Therefore, it is necessary to consider the sensitivity of data and the appropriate safeguards to protect Sensitive Data (e.g. technical and organizational security measures) on a case-by-case basis.

It is important to remember that during Humanitarian Emergencies, Processing data can cause severe harm even when the data cannot be considered Personal Data. Humanitarian Organizations should therefore be prepared to apply the protections described in this Handbook to other types of data as well, when failing to do so in a particular case would create risks to individuals.

Example:

A Humanitarian Organization inadvertently reveals the number of individuals in a stream of people who are fleeing a situation of armed violence and publishes online aerial imagery related to this. One of the armed actors involved in the violence, which is the reason people are fleeing, then uses this information to locate the displaced population and targets them with reprisals. The number of individuals in a group and the aerial imagery (subject to the resolution and other factors potentially making it possible to identify individuals) are not by themselves Personal Data, but such data can be extremely sensitive in certain circumstances. The Humanitarian Organization should have protected these data and not revealed them.

It is also important to understand the distinction between Data Controller and Data Processor. A Data Controller is the person or organization who alone or jointly with others determines the purposes and means of the Processing of Personal Data, whereas a Data Processor is the person or organization who processes Personal Data on behalf of the Data Controller. Finally, a Third Party is any natural or legal person, public authority, agency, or any entity other than the Data Subject, the Data Controller or the Data Processor.

Example:

An International Humanitarian Organization collects information about the identity of individuals in a Humanitarian Emergency in order to provide them with aid. In order to do this, it engages the services of a local non-governmental organization (NGO) to help deliver the aid, which needs to use the identification information originally collected by the Humanitarian Organization. The two organizations sign a contract governing the use of the data, under which the International Humanitarian Organization has the power to direct how the NGO uses the data and the NGO commits to respect the data protection safeguards required by the Humanitarian Organization. The NGO also engages an IT consulting company in order to perform routine maintenance on its IT system in which the data are stored.

In the above situation, the International Humanitarian Organization, the NGO and the IT consulting company are Processing the Personal Data of the individuals, who are the Data Subjects. The International Humanitarian Organization is a Data Controller, and the NGO is a Data Processor, while the IT consulting company is a Sub-Processor.

2.3 Aggregate, pseudonymized and anonymized data sets

As mentioned above, it is outside the scope of this Handbook to discuss the Processing of data that does not relate to individual persons, such as data that have been rendered anonymous in such a way that a Data Subject is no longer identifiable.

Where aggregate data are derived from Personal Data, and could in certain circumstances pose risks to persons of concern, it is important to ensure that the Processing, including sharing and/or publication, of such data cannot lead to the Reidentification of individuals.[6]

The Anonymization of Personal Data can help meet the protection and assistance needs of vulnerable individuals in a privacy-friendly way. The term Anonymization encompasses techniques that can be used to convert Personal Data into anonymized data. When aiming to anonymize data, it is essential to ensure that data sets containing Personal Data are fully and irreversibly anonymized, i.e. that Reidentification is not possible. Anonymization processes are challenging, especially where large data sets containing a wide range of Personal Data are concerned and may pose a greater risk of Reidentification.[7]

“Pseudonymization”, as distinct from Anonymization, means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person. This may involve replacing the anagraphic[8] data in a data set with a number. Sharing registration/identification numbers instead of names is good practice, but does not amount to Anonymization.

The application of Pseudonymization to personal data can reduce the risks to the Data Subjects concerned by reducing the likelihood that they will be reidentified. The term “Reidentification” describes the process of turning allegedly anonymized or pseudonymized data back into Personal Data through the use of data matching or similar techniques.[9] Pseudonymization can also help controllers and processors meet their data protection obligations. Nevertheless, not every Pseudonymization technique fulfils data protection requirements on its own, and Pseudonymization techniques that may work in one specific case may not be sufficient to protect Personal Data in other cases.[10]

Data protection principles have to be applied carefully when assessing these techniques, and risk analysis tools have to be apt to evaluate whether the mitigation techniques applied are effective. Principles such as purpose limitation and retention are of particular importance here, as they can help ensure that existing pseudonymized databases are not repurposed for new projects or combined with newer ones. Additionally, there will always be a trade-off between adding confidentiality to a data set and reducing its utility. Many privacy-preserving techniques work by perturbing (i.e. altering or obfuscating) the data to be released, resulting in data that, depending on scope, might be less useful for the purposes of the sharing or research.[11]

Prior to sharing or publicizing anonymized data, it is important to ensure that no Personal Data are included in the data set and that individuals cannot be reidentified. If the risk of Reidentification is deemed to be reasonably likely, the information should be considered to be Personal Data and subject to all the principles and guidance set out in this Handbook. It can be very difficult to assess the risk of Reidentification with absolute certainty. Generally speaking, Reidentification becomes significantly more likely where no mitigation measure is taken to protect Personal Data. Reidentification can occur, for instance, where an entity holds certain data sets concerning the affected populations which can then be combined with the Processed Data to generate new information about Data Subjects or the groups to which they belong.

For example, prior to sharing or publishing aggregate data, it is important to ensure that the data sets do not divulge the actual location of small, at-risk groups, such as by mapping data like country of origin, religion, or specific vulnerabilities to the geographical coordinates of persons of concern.
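The following Python example is added here to make the distinction drawn in this section concrete; it is not code from the Handbook or from the ICRC. It pseudonymizes a constructed registration list with a keyed hash whose key and lookup table are meant to be held separately, shows that the lookup table reverses the pseudonyms (which is why pseudonymized data remain Personal Data), and then runs a small-cell suppression check before an aggregate table is released, so that combinations of country of origin, religion and location that describe only a handful of people are withheld. The record fields, the sample people, the key and the threshold of three people per cell are assumptions chosen for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key. In practice the key is part of the "additional
# information" that must be stored separately from the pseudonymized data.
PSEUDONYM_KEY = b"constructed-demo-key-store-separately"

# Minimum number of people an aggregate cell must describe before release
# (an assumption for this example, not a figure from the Handbook).
MIN_CELL_SIZE = 3


def _make(n, origin, religion, location, start):
    """Build n constructed registration records (not real data)."""
    return [
        {"name": f"Person {start + i}", "origin": origin,
         "religion": religion, "location": location}
        for i in range(n)
    ]


# Constructed registration list: ten people across two camps.
RECORDS = (
    _make(4, "Country X", "R1", "Camp 1", 1)
    + _make(3, "Country X", "R2", "Camp 1", 5)
    + _make(1, "Country Y", "R2", "Camp 2", 8)   # a single person: a small cell
    + _make(2, "Country Y", "R1", "Camp 2", 9)
)


def pseudonymize(records, key):
    """Replace names with keyed-hash pseudonyms.

    Returns the pseudonymized records and a lookup table mapping pseudonyms
    back to names. The lookup table and the key are the additional
    information that must be kept separately and protected.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        pid = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[pid] = rec["name"]
        pseudonymized.append({"id": pid, **{k: v for k, v in rec.items() if k != "name"}})
    return pseudonymized, lookup


def reidentify(pseudonymized, lookup):
    """Restore names using the separately held lookup table.

    Anyone holding the lookup table can reverse the pseudonyms, which is
    why this is Pseudonymization and not Anonymization.
    """
    return [{"name": lookup[rec["id"]], **{k: v for k, v in rec.items() if k != "id"}}
            for rec in pseudonymized]


def aggregate(records, fields):
    """Count individuals per combination of the given fields."""
    return Counter(tuple(rec[f] for f in fields) for rec in records)


def prepare_release(records, fields, k=MIN_CELL_SIZE):
    """Aggregate and withhold every cell that describes fewer than k people.

    Returns (released, suppressed) so a reviewer can see what was withheld.
    """
    counts = aggregate(records, fields)
    released = {cell: n for cell, n in counts.items() if n >= k}
    suppressed = {cell: n for cell, n in counts.items() if n < k}
    return released, suppressed


if __name__ == "__main__":
    pseud, table = pseudonymize(RECORDS, PSEUDONYM_KEY)
    released, suppressed = prepare_release(pseud, ("origin", "religion", "location"))
    for cell, n in released.items():
        print("release ", cell, n)
    for cell, n in suppressed.items():
        print("withhold", cell, n)
```

Two points the code makes that the prose only states: the same ten records clear the threshold when aggregated by location alone but not when origin and religion are added, so the level of detail in a release decides whether small at-risk groups are exposed; and a threshold on its own is not a Reidentification guarantee, since overlapping releases (by location, then by origin and location) or data sets held by another party can be combined to recover suppressed cells, which is the case-by-case assessment the section calls for.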

2.4 Applicable law and International Organizations

Humanitarian Action involves a large number of actors, such as Humanitarian Organizations, local authorities and private entities. As far as Humanitarian Organizations are concerned, some of them are NGOs subject to the jurisdiction of the country in which they operate, while others are International Organizations with privileges and immunities allowing them to perform, in full independence, the mandate attributed to them by the community of states under international law.

As far as NGOs are concerned, the rules for determining applicable data protection law depend on a number of different factual elements. This Handbook does not deal with issues of applicable law; any questions in this regard should be directed to the NGO’s legal department or data protection office (DPO).[12]

In addition to any law that the NGO may be subject to, Personal Data Processing is controlled by its own internal data protection policy or rules, any contractual commitments and any other relevant applicable rules. The guidance contained in this Handbook should always be applied without prejudice to these rules and obligations. This guidance is based on recognized best practices and standards and it is recommended that International Organizations take this into consideration when designing or interpreting their data protection rules and policies for Humanitarian Action.

International Organizations enjoy privileges and immunities, in particular, to ensure they can perform the mandate attributed to them by the international community under international law in full independence, and are not covered by the jurisdiction of the countries in which they work. They can therefore process Personal Data according to their own rules, subject to the internal monitoring and enforcement of their own compliance systems; in this regard they constitute their own “jurisdiction”.[13] This aspect of International Organizations has specific implications, in particular for International Data Sharing, which will be discussed in detail in Chapter 4: International Data Sharing.

2.5 Data Processing principles

Personal Data Processing undertaken by Humanitarian Organizations should comply with the following principles.

2.5.1 The principle of the fairness and lawfulness of Processing

Personal Data should be processed fairly and lawfully. The lawfulness of the Processing requires a legal basis for Processing operations to take place, as detailed in Chapter 3: Legal bases for Personal Data Processing. The other crucial component of fairness of the Processing is transparency.

Any Processing of Personal Data should be transparent for the Data Subjects involved. The principle of transparency requires that at least a minimum amount of information concerning the Processing be provided to the Data Subjects at the moment of collection, albeit subject to the prevailing security and logistical conditions, as well as with regard to the possible urgent nature of the Processing. Any information and communication relating to the Processing of Personal Data should be easily accessible and easy to understand, which implies providing translations where necessary, and clear and plain language should be used. The information notices that should be provided prior to or at the time of data collection are described in greater detail in Section 2.10.2 – Information notices.

2.5.2 The purpose limitation principle

At the time of collecting data, the Humanitarian Organization should determine and set out the specific purpose(s) for which data are processed. The specific purpose(s) should be explicit and legitimate. In particular, the specific purpose(s) that may be of relevance in a humanitarian context may include, for example:

  • providing humanitarian assistance and/or services to affected populations to sustain livelihoods;

  • restoring family links between people separated due to Humanitarian Emergencies;

  • providing protection to affected people and building respect for international human rights law/international humanitarian law (IHL), including documentation of individual violations;

  • providing medical assistance;

  • ensuring inclusion in national systems (for example for refugees);

  • providing documentation or legal status/identity to, for example, displaced or stateless people;

  • protecting water and habitat.

Humanitarian Organizations should take care to consider and identify, as far as is possible in emergency circumstances and prior to the collection of the data, all purposes contemplated at that time and any that may be contemplated in Further Processing, so as to be as transparent as possible.

2.5.2.1 Further Processing

Humanitarian Organizations may process Personal Data for purposes other than those initially specified at the time of collection where the Further Processing is compatible with the initial purposes, including where the Processing is necessary for historical, statistical or scientific purposes.

In order to ascertain whether a purpose of Further Processing is compatible with the purpose for which the data were initially collected, account should be taken of:

  • the link between the initial purpose(s) and the purpose(s) of the intended Further Processing;

  • the situation in which the data were collected, including the reasonable expectations of the Data Subject as to their further use;

  • the nature of the Personal Data;

  • the consequences of the intended Further Processing for Data Subjects;

  • appropriate safeguards;

  • the extent to which such safeguards would protect the confidentiality of Personal Data and the anonymity of the Data Subject.

The situation in which the data were collected, including the reasonable expectations of the Data Subject as to its further use, is a particularly important factor, recognizing that when Data Subjects provide data for one purpose they generally understand that a range of associated humanitarian activities may also be involved and, in fact, may have an expectation that all possible humanitarian protection and assistance may be extended. This is particularly important in humanitarian situations, because an improperly narrow understanding of compatibility could prevent the delivery of humanitarian benefits to Data Subjects.

Consequently, purposes strictly linked to Humanitarian Action, and which do not incur any additional risks unforeseen in the consideration of the initial purpose, are likely to be compatible with each other. If this is confirmed, Personal Data can legitimately be processed by Humanitarian Organizations beyond the specific purposes for which the Personal Data were originally collected, as long as the Humanitarian Organization does so within the framework of Humanitarian Action. In principle, Further Processing should be permissible if this is necessary and proportionate to safeguard public security and the lives, integrity, health, dignity or security of affected individuals in Humanitarian Action. This requires a case-by-case assessment and cannot be presumed across the board.

Even where the purpose of Further Processing is exclusively related to Humanitarian Action, Processing for a new purpose may not be deemed compatible if the risks for the Data Subject outweigh the benefits of Further Processing, or if the Further Processing entails new risks. This analysis depends on the circumstances of the case. Circumstances leading to this conclusion include risks that Processing may be against the interests of the person to whom the information relates or his/her family, in particular, when there is a risk that the Processing may threaten their life, integrity, dignity, psychological or physical security, liberty or their reputation. This can include consequences such as:

  • harassment or persecution by authorities or other Third Parties;

  • judicial prosecution;

  • social problems;

  • serious psychological suffering.

Examples of circumstances in which Further Processing may be considered incompatible include cases where the Personal Data have been collected as part of the information necessary to assist in the tracing of a Sought Person. Processing this information further in order to request that the relevant authorities carry out an investigation into the possible violations of the applicable law (for example, in the context of civilian population protection activities) may not be compatible as Further Processing. This is due to the possible detrimental consequences of the intended Further Processing for Data Subjects and the likely difficulty of providing appropriate safeguards.

Should the intended purpose of Further Processing not be compatible with the purpose for which the data were initially collected, the data should not be further processed, unless it is deemed appropriate to do so under another legal basis. In this case, additional measures may be required depending on the basis that applies.[14]

Further Processing of Personal Data should also not be considered compatible if the Processing conflicts with any legal, professional or other binding obligations of secrecy and confidentiality, or with the principle of “do no harm”.

Data aggregation and Anonymization may be used as a method of decreasing the sensitivity of the data to allow data use for ancillary cases, and make the Further Processing compatible.

Example:

Data collected to provide food and shelter during a humanitarian operation may also be used to plan the provision of medical services to displaced persons. However, Processing the data collected (if not aggregated/anonymized) to help plan the Humanitarian Organization’s budgetary needs for the coming year cannot be deemed to be compatible Further Processing.

2.5.3 The principle of proportionality

The principle of proportionality is at the core of data protection law. It is applicable throughout the data Processing cycle and may be invoked at different stages of data Processing operations. It requires consideration of whether a particular action or measure related to the Processing of Personal Data is appropriate to its pursued aim (e.g. is the selected legitimate basis proportionate to the aim pursued? Are technical and organizational measures proportionate to the risks associated with the Processing?).

The data handled by Humanitarian Organizations should be adequate, relevant and not excessive for the purposes for which they are collected and processed. This requires, in particular, ensuring that only the Personal Data that are necessary to achieve the purposes (fixed in advance) are collected and further processed and that the period for which the data are stored, before being anonymized or deleted, is limited to the minimum necessary.[15]

The principle of proportionality is particularly important for cross-functional needs assessments conducted by Humanitarian Organizations either internally or between agencies. When carrying out these assessments Humanitarian Organizations are at risk of gathering amounts of data that are excessive to the purpose, for example by conducting surveys with several hundred data fields to be filled, which may or may not be used at a later stage. In these situations, it is important to be able to distinguish between what is “nice to know” and what is “necessary to know” in order to assist affected people. Humanitarian Organizations also need to weigh their need for data against the potential harm to individuals of such data being collected, as well as the risk of “assessment fatigue” and potentially raising unrealistic expectations among the people they seek to help.

Limiting the amount of data collected may not always be possible. For example, when a new Humanitarian Emergency arises, the full extent of humanitarian needs may not be known at the time of data collection. Therefore, the application of this principle may be restricted in exceptional circumstances and for a limited time if necessary for the protection of the Data Subject or of the rights and freedoms of others.

It is also possible that the purpose at the time of collection is particularly broad because of the emergency. In such cases, a large collection of data could be considered necessary. It could then be reduced later depending on circumstances. In considering whether a flexible interpretation of proportionality is acceptable when a new Humanitarian Emergency arises, the following factors should be taken into account:

  • the urgency of the action;

  • proportionality between the amount of Personal Data collected and the goals of the Humanitarian Action;

  • the likely difficulties (due to logistical or security constraints) in reverting to the Data Subject to gather additional data, should additional specified purposes become foreseeable;

  • the objectives of the particular Humanitarian Organization’s action;

  • the nature and scope of the Personal Data that may be needed to fulfil the specified purposes;

  • the expectations of Data Subjects;

  • the sensitivity of the Personal Data concerned.

Example:

A Humanitarian Organization collects Personal Data to provide humanitarian assistance to a group of vulnerable individuals in a disaster area. At the outset of the action, it is not possible to determine the specific needs of the people affected and what assistance and programmes will be required immediately or further down the line (e.g. the destruction of sanitation facilities could generate the risk of diseases spreading). Accordingly, the Humanitarian Organization in question engages in a broad data collection exercise with the purpose of fully assessing the needs of the people affected and designing response programmes. After the emergency has ended, it turns out that although Humanitarian Action was required, sanitation was restored in time to avoid the spread of diseases. As a result, the Humanitarian Organization may now need to delete the data initially acquired to address this specific concern.

In all cases, the necessity of retaining the data collected should be periodically reviewed to ensure application of the data minimization principle.

2.5.4 The principle of data minimization

The principle of data minimization closely relates to the principle of proportionality. Data minimization seeks to ensure that only the minimum amount of Personal Data is processed to achieve the objective and purposes for which the data were collected. Data minimization requires limiting Personal Data Processing to the minimum amount and extent necessary. Personal Data should be deleted when they are no longer necessary for the purposes of the initial collection or for compatible Further Processing. Data must also be deleted when Data Subjects have withdrawn their Consent for Processing or justifiably object to the Processing. However, even in the above circumstances Personal Data may be retained if they are needed for legitimate historical, statistical or scientific purposes, or if the Humanitarian Organization is under an applicable legal obligation to retain such data, taking into account the associated risks and implementing appropriate safeguards.

To determine whether the data are no longer necessary for the purposes for which they were collected, or for compatible Further Processing, Humanitarian Organizations should consider the following:

  • Has the specified purpose been achieved?

  • If not, are all data still necessary to achieve it? Is the specified purpose so unlikely to be achieved that retention no longer makes sense?

  • Have inaccuracies affected the quality of Personal Data?

  • Have any updates and significant changes rendered the original record of Personal Data unnecessary?

  • Are the data necessary for legitimate historical, statistical or scientific purposes? Is it proportionate to continue storing them, taking into account the associated risks? Are appropriate data protection safeguards applied to this further storage?

  • Have the Data Subject’s circumstances changed, and do these new factors render the original record obsolete and irrelevant?

2.5.5 The principle of data quality

Personal Data should be as accurate and up to date as possible. Every reasonable step should be taken to ensure that inaccurate Personal Data are deleted or corrected without undue delay, taking into account the purposes for which they are processed. The Humanitarian Organization should systematically review the information collected in order to confirm that it is reliable, accurate and up to date, in line with operational guidelines and procedures.

In considering the frequency of review, account should be taken of (i) logistical and security constraints, (ii) the purpose(s) of Processing, and (iii) the potential consequences of data being inaccurate. All reasonable steps should be taken to minimize the possibility of making a decision that could be detrimental to an individual, such as excluding an individual from a humanitarian programme based on potentially incorrect data.

2.6 Special data Processing situations

The following are a few common data Processing situations that require more specific explanation.

2.6.1 Health purposes

Improper handling (including disclosure) of Health Data could cause significant harm to the individuals concerned. Accordingly, Health Data should be considered as particularly sensitive and specific guarantees should be implemented when Processing such data. This also applies to other Sensitive Data. Health Data are also increasingly becoming a target for cyber attacks. Humanitarian health-care providers should process data in accordance with the World Medical Association (WMA) International Code of Medical Ethics,Footnote 16 which includes specific professional obligations of confidentiality.

Humanitarian Organizations may process Health Data for purposes such as the following:

  • preventive or occupational medicine, medical diagnosis, provision of care or treatment;

  • management of health-care services;

  • reasons of vital interest, including providing essential and life-saving medical assistance to the Data Subject;

  • public health, such as protecting against serious threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices;

  • historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, subject to conditions and safeguards.

Health Data should be kept separate from other Personal Data. They should be accessible only to health-care providers, or to personnel specifically delegated by the humanitarian health-care providers to manage Health Data, under confidentiality guarantees ensured by employment, consultant or other contracts and only for such predefined data management purposes; or to personnel carrying out research, under confidentiality and other data protection guarantees ensured by employment, consultant or other contracts and only for such predefined research purposes.

Humanitarian Organizations engaged in protection or assistance activities may also process Health Data, for example, when this is necessary to locate persons unaccounted for (where Health Data may be required to identify and trace them) or to advocate for adequate treatment of individuals deprived of their liberty, or for the establishment of livelihood programmes addressing the needs of particularly vulnerable categories of beneficiaries (such as people suffering from malnutrition or particular diseases).Footnote 17

2.6.2 Administrative activities

Humanitarian Organizations typically process Personal Data for employment purposes, career management, assessments, fundraising, marketing and other administrative requirements. In some instances, this may also include sensitive Processing activities such as, for example, GPS tracking of their vehicles for fleet and security management. In some operational circumstances, the Processing of staff Personal Data may be particularly sensitive due, for example, to the geopolitical conditions in which certain humanitarian assistance is provided. In these cases, additional safeguards will be necessary, to the extent possible, in the Processing of such data.

2.7 Data retention

Each category of data should be retained for a defined period (e.g. three months, a year, etc.). When it is not possible to determine at the time of collection how long data should be kept, an initial retention period should be set. Following the initial retention period, an assessment should be made as to whether the data should be deleted, or whether the data are still necessary to fulfil the purpose for which they were initially collected (or for a further legitimate purpose). If so, the initial retention period should be renewed for a limited period of time.

When data have been deleted, all copies of the data should also be deleted. If the data have been shared with Third Parties, the Humanitarian Organization should take reasonable steps to ensure such Third Parties also delete the data. This consideration should be taken into account in initial reflections as to whether to share data with Third Parties and should be expressed in any data sharing agreement.Footnote 18
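The retention procedure just described (a defined or initial period per category, a review when it expires, renewal only for a limited time, and deletion that must reach every copy) can be made explicit in code. The following is an added example, not code from the Handbook, the ICRC or any project it cites; the categories, periods, renewal cap and sample record are constructed for illustration.

```python
"""Retention-period review for categories of Personal Data (Section 2.7).

Added example, not from the Handbook: the retention schedule, the initial
period, the renewal cap and the sample record are all constructed values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed schedule: each data category has a defined retention period.
# None means the period could not be set at collection time, so the
# INITIAL_PERIOD applies and a review is forced when it expires.
RETENTION_SCHEDULE = {
    "distribution_list": timedelta(days=90),
    "health_record": timedelta(days=365),
    "needs_assessment": None,  # purpose not yet determinable at collection
}
INITIAL_PERIOD = timedelta(days=180)
MAX_RENEWALS = 2  # each renewal is itself for a limited time, and not indefinitely


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    shared_with: List[str] = field(default_factory=list)   # Third Parties holding copies
    renewals: List[Tuple[date, str]] = field(default_factory=list)  # (new expiry, reason)
    deleted_on: Optional[date] = None

    def expires_on(self) -> date:
        """Current expiry: the last renewal if any, else the scheduled/initial period."""
        if self.renewals:
            return self.renewals[-1][0]
        period = RETENTION_SCHEDULE.get(self.category) or INITIAL_PERIOD
        return self.collected_on + period


def evaluate(record: Record, today: date) -> str:
    """Action the Data Controller must take today:
    'retain'  - still within the (initial or renewed) retention period
    'review'  - period expired; assess whether the purpose still requires the data
    'delete'  - renewal cap reached, no further extension is permitted
    'deleted' - already deleted
    """
    if record.deleted_on is not None:
        return "deleted"
    if today < record.expires_on():
        return "retain"
    if len(record.renewals) >= MAX_RENEWALS:
        return "delete"
    return "review"


def renew(record: Record, today: date, justification: str, period: timedelta) -> date:
    """Renew for a limited period after a review concluded the data are still needed.
    Renewal is refused while the current period is still running or once the cap is hit."""
    if evaluate(record, today) != "review":
        raise ValueError("renewal only allowed after an expired period and below the cap")
    if not justification.strip():
        raise ValueError("a renewal must record why the data are still necessary")
    new_expiry = today + period
    record.renewals.append((new_expiry, justification))
    return new_expiry


def delete(record: Record, today: date, method: str) -> dict:
    """Mark the record deleted and return a disposal record (time, method, nature of
    the data) that lists every Third Party still required to confirm deletion of its copy.
    Deletion may happen before expiry when the purpose has already been achieved."""
    record.deleted_on = today
    return {
        "record_id": record.record_id,
        "category": record.category,
        "destroyed_on": today.isoformat(),
        "method": method,
        "pending_third_party_confirmations": list(record.shared_with),
    }


def demo() -> dict:
    """Walk one constructed needs-assessment record through the whole procedure."""
    rec = Record("NA-001", "needs_assessment", date(2024, 1, 1), shared_with=["partner_ngo_x"])
    out = {"day_30": evaluate(rec, date(2024, 1, 31))}             # initial 180 days running
    review_day = date(2024, 7, 1)                                  # initial period has expired
    out["review_due"] = evaluate(rec, review_day)
    out["renewed_until"] = renew(rec, review_day, "sanitation still disrupted; disease risk",
                                 timedelta(days=90)).isoformat()
    out["after_first_renewal"] = evaluate(rec, date(2024, 10, 1))
    renew(rec, date(2024, 10, 1), "second review: programme still running", timedelta(days=90))
    out["after_second_renewal_expiry"] = evaluate(rec, date(2025, 1, 1))  # cap reached
    out["disposal"] = delete(rec, date(2025, 1, 1), "database purge and backup rotation")
    out["final"] = evaluate(rec, date(2025, 1, 2))
    try:  # a renewal inside a running period is not a review and must be refused
        renew(Record("DL-001", "distribution_list", date(2024, 1, 1)),
              date(2024, 2, 1), "no review yet", timedelta(days=30))
        out["early_renewal_blocked"] = False
    except ValueError:
        out["early_renewal_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```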

2.8 Data security and Processing security

2.8.1 Introduction

Data security is a crucial component of an effective data protection system. Personal Data should be processed in a manner that ensures appropriate security of the Personal Data, such as preventing unauthorized access to or use of Personal Data and the equipment used for the Processing. This is all the more important in the volatile environments in which Humanitarian Organizations often operate.

Any person acting under the authority of the Data Controller who has access to Personal Data should not process them except in a manner compliant with any applicable policies as explained in the present Handbook.

In order to maintain security, the Data Controller should assess the specific risks inherent in the Processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security (taking into account available technology, prevailing security and logistical conditions and the costs of implementation) in relation to the nature of the Personal Data to be protected and the related risks. This includes measures involving:

  • training of staff and partners;

  • management of access rights to databases containing Personal Data;

  • physical security of databases (access regulation, water and temperature damage, etc.);

  • IT security (including password protection, safe transfer of data, encryption, regular backups, etc.);

  • discretion clauses;

  • Data Sharing Agreements with partners and Third Parties;

  • methods of destruction of Personal Data;

  • standard operating procedures for data management and retention;

  • any other appropriate measures.

These measures are intended to ensure that Personal Data are kept secure, both technically and organizationally, and are protected by reasonable and appropriate measures against misuse, unauthorized modification, copying, tampering, unlawful destruction, accidental loss, improper disclosure or undue transfer (collectively, “Data Breach”). Data security measures should vary depending, inter alia, on the:

  • type of operation;

  • level of assessed data protection risks;

  • nature and sensitivity of the Personal Data involved;

  • form or format of storage, transfer and sharing of data;

  • environment/location of the specific Personal Data;

  • prevailing security and logistical conditions.

Data security measures should be routinely reviewed and upgraded to ensure a level of data protection that is appropriate to the sensitivity of the Personal Data, and to take account of new technologies enabling enhanced security.

The Data Controller is responsible for:

  • setting up an information security management system. This includes establishing and regularly updating a data security policy based on internationally accepted standards and on a risk assessment. The policy should consist of, for example, physical security guidelines, IT security policy, email security guidelines, IT equipment usage guidelines, guidelines for information classification (i.e. classifying information as public, internal, confidential or strictly confidential), a contingency plan and document destruction guidelines.

  • developing the communication infrastructure and databases in order to preserve the confidentiality, integrity and availability of data, in compliance with the security policy.

  • taking all appropriate measures to protect the security of data processed in the Data Controller’s information system.

  • granting and administering access to databases containing Personal Data, including ensuring access is granted on a need-to-know basis.

  • the security of the facilities which enable authorized personnel to access the system.

  • ensuring that the personnel given access to data are in a position to fully respect security rules. This includes relevant training, a pledge of discretion and/or duty of confidentiality clause in the employment contract to be signed before access to databases is granted.

  • maintaining a register of personnel having access to each database, and updating it when appropriate (e.g. personnel being given different responsibilities who no longer require access).

  • if feasible, keeping a historical log and potentially running audits of personnel having had access to a database, for as long as the data processed by such personnel are present in the database.

Personnel should process data within the limits of the Processing rights granted to them. Personnel with higher access rights or responsible for administering access rights may be subject to additional contractual obligations of confidentiality and non-disclosure.

2.8.2 Physical security

Each Data Controller is responsible for:

  • laying down security rules defining procedural, technical and administrative security controls that ensure appropriate levels of confidentiality, and physical integrity and availability of databases (whether physical or IT-based), based on the prevailing risks identified;

  • ensuring that personnel are informed of such security rules and comply with them;

  • developing appropriate control mechanisms to ensure that the security of data is maintained;

  • ensuring adequate electrical and fire safety standards are applied to storage locations;

  • ensuring storage volumes are kept to a strict necessary minimum.

2.8.3 IT security

The Data Controller should:

  • lay down security rules defining procedural, technical and administrative controls that ensure appropriate levels of confidentiality, integrity and availability for the information systems used, based on risk assessment;

  • develop appropriate control mechanisms to ensure that data security is maintained;

  • introduce specific security rules for a part of the IT communication infrastructure, a database, or a specific department if necessary, for instance where particularly sensitive or critical Personal Data are being processed.

All email correspondence, internal and external, containing Personal Data should be processed on a need-to-know basis. Recipients of email correspondence should be carefully selected to avoid the unnecessary dissemination of Personal Data to individuals who do not need such Data in the context of their role. Private email accounts should not be used to transfer Personal Data.

Remote access to servers and the use of home-based computers should comply with the standards set out in the Data Controller’s IT Security Policy. Unless absolutely necessary for operational reasons, the use of Internet outlets and unsecured wireless connections to retrieve, exchange, transmit or transfer Personal Data should be avoided.

Staff members handling Personal Data should take due care when connecting remotely to the Data Controller’s servers. Passwords should always be protected, regularly changed and never entered automatically through “keychain” functions.Footnote 19 Staff should check that they have logged off properly from computer systems and that open browsers have been closed.

Special consideration must be given to securing laptops, smartphones and other portable media equipment, especially when working in a difficult environment. Portable media equipment should be stored in safe and secure locations at all times.

Portable or removable devices should not be used to store documents containing Personal Data classified as sensitive. If this is unavoidable, the Personal Data should be transferred to appropriate computer systems and database applications as soon as possible. If flash memory devices such as USB flash drives and memory cards are used to store Personal Data temporarily, they should be kept safe, and the electronic record must be encrypted. Once the information has been stored properly and is no longer needed on the portable or removable device, it should be deleted from that device.

Effective recovery mechanisms and backup procedures should cover all electronic records, and the relevant information and communications technology (ICT) officer should ensure that backup procedures are performed on a regular basis. The frequency of backup procedures should vary according to the sensitivity of the Personal Data and available technical resources. Backups of electronic records should be automated so that recovery remains possible in situations where backup procedures are difficult to carry out due to, inter alia, regular power outages, system failure or disasters.

When electronic records and database applications are no longer needed, the Data Controller should coordinate with the relevant ICT officer to ensure their permanent deletion.

2.8.4 Duty of discretion and staff conduct

The duty of discretion is a key element of Personal Data security. The duty of discretion involves:

  • all personnel and external consultants signing discretion and confidentiality agreements or clauses as part of their employment/consulting contract. This requirement goes together with the requirement that personnel should only process data in accordance with the Data Controller’s instructions.

  • any external Data Processor being contractually bound by confidentiality clauses. This requirement goes together with the requirement that the Data Processor should only process data in accordance with the Data Controller’s instructions.

  • the strict application of the guidelines for information classification based on their confidentiality status.

  • ensuring that Data Subject requests are properly addressed and accurately recorded in the Data Subject’s file in a secure and confidential manner, and that such requests are not shared with Third Parties.

  • limiting the risk of leaks by having only authorized personnel in charge of the collection and management of data from confidential sources, and ensuring these personnel access documents according to the applicable guidelines for information classification.

Personnel are responsible for attributing levels of confidentiality to the data they process based on the applicable guidelines for information classification, and for observing the confidentiality of the data they consult, transmit or use for external Processing purposes. Personnel who originally attributed the level of confidentiality may, at any time, modify the level of confidentiality that they have attributed to data, as appropriate.

2.8.5 Contingency planning

The Data Controller is responsible for devising and implementing a plan for protecting, evacuating or safely destroying records in case of emergency.

2.8.6 Destruction methods

When it is established that retention of Personal Data is no longer necessary, all records and backups should be safely destroyed or rendered anonymous. The method of destruction shall depend, inter alia, on the following factors:

  • the nature and sensitivity of the Personal Data;

  • the format and storage medium;

  • the volume of electronic and paper records.

The Controller should conduct a sensitivity assessment prior to destruction to ensure that appropriate methods of destruction are used to eliminate Personal Data. In this regard, the following three paragraphs are based on information taken from the IOM Data Protection Manual:Footnote 20

Paper records should be destroyed by using methods such as shredding or burning, in a way that does not allow for future use or reconstruction. If it is decided that paper records should be converted into digital records, following accurate conversion of paper records to electronic format, all traces of paper records should be destroyed, unless retention of paper records is required by applicable national law, or unless a paper copy should be kept for archiving purposes. The destruction of large volumes of paper records may be outsourced to specialized companies. In these circumstances the Data Controller should ensure that, throughout the chain of custody, the confidentiality of Personal Data, the submission of disposal records and the certification of destruction form part of the contractual obligations of the Data Processors, and that the Data Processors comply with these obligations.

The destruction of electronic records should be referred to the relevant ICT personnel because the erasure features on computer systems do not necessarily ensure complete elimination. Upon instruction, the relevant ICT personnel should ensure that all traces of Personal Data are completely removed from computer systems and other software. Disk drives and database applications should be purged and all rewritable media such as, inter alia, CDs, DVDs, microfiches, videotapes and audio tapes that are used to store Personal Data should be erased before reuse. Physical measures of destroying electronic records such as recycling, pulverizing or burning should be strictly monitored.

The Data Controller should ensure that all relevant contracts of service, memoranda of understanding (MOUs), agreements and written transfer or Processing contracts include a retention period for the destruction of Personal Data after the fulfilment of the specified purpose. Third Parties should return Personal Data to the Data Controller and certify that all copies of the Personal Data have been destroyed, including the Personal Data disclosed to its authorized agents and subcontractors. Disposal records indicating time and method of destruction, as well as the nature of the records destroyed, should be maintained and attached to project or evaluation reports.

2.8.7 Other measures

Data security also requires appropriate internal organizational measures, including regularly informing all employees of the data security rules and of their obligations under data protection law (or under the internal rules of organizations enjoying privileges and immunities), especially their obligations of confidentiality.

Each Data Controller should attribute the role of data security officer to one or more persons of their staff (possibly Admin/IT) to carry out security operations. The security officer should, in particular:

  • ensure compliance with the applicable security procedures and rules;

  • update these procedures, as and when required;

  • conduct further training on data security for personnel.

2.9 The principle of accountability

The principle of accountability is premised on the responsibility of Data Controllers to comply with the above principles and the requirement that they be in a position to demonstrate that adequate and proportionate measures have been undertaken within their respective organizations to ensure compliance with them.

This can include measures such as the following, which are all strongly recommended in order to allow Humanitarian Organizations to meet data protection requirements:

  • drafting Personal Data Processing policies (including Processing Security policies);

  • keeping internal records of data Processing activities;

  • creating an independent body to oversee the implementation of the applicable data protection rules, such as a Data Protection Office, and appointing a Data Protection Officer (DPO);

  • implementing data protection training programmes for all staff;

  • performing Data Protection Impact Assessments (DPIAs);Footnote 21

  • registering with the competent authorities (including data protection authorities), if legally required and not incompatible with the independence of an international organization or with the principle of “do no harm”.

2.10 Information

In line with the principle of transparency, some information regarding the Processing of Personal Data should be provided to Data Subjects. As a rule, this information should be provided before Personal Data are processed, although this principle may be limited when it is necessary to provide emergency aid to individuals.

Data Subjects should receive information orally and/or in writing. This should be done as transparently as circumstances allow and, if possible, directly to the individuals concerned. If this is not possible, the Humanitarian Organization should consider providing information by other means, for example, making it available online, or on flyers or posters displayed in a place and form that can easily be accessed (public spaces, markets, places of worship and/or the organizations’ offices), radio communication, or discussion with representatives of the community. Data Subjects should be kept informed, insofar as practicable, of the Processing of their Personal Data in relation to the action taken on their behalf, and of the ensuing results.

The information given may vary, depending on whether the data are collected directly from the Data Subject or not.

2.10.1 Data collected from the Data Subject

Personal Data may be collected directly from the Data Subject under the following legal bases:Footnote 22

  • vital interest of the Data Subject or of another person;

  • public interest;

  • individual Consent;

  • legitimate interest of the Humanitarian Organization;

  • legal or contractual obligation.

Some of the information to be provided to Data Subjects in each of the above cases will vary depending on the particular circumstances. A priority in this respect is that the information provided must be sufficient to enable them to exercise their data protection rights effectively.Footnote 23

2.10.2 Information notices

In the specific cases where Consent may be used as the legal basis,Footnote 24 the individual must be put in a position to fully appreciate the risks and benefits of data Processing, otherwise Consent may not be considered valid.

When using Consent or when the Data Subjects are exercising their rights to object to the Processing or to access, rectify and erase the data, detailed information will need to be provided. It is important to note that the Data Subject may object to the Processing or withdraw their Consent at any time. The following are the types of information to be provided when Consent is the legal basis:

  • the identity and contact details of the Data Controller;

  • the specific purpose for Processing of their Personal Data and an explanation of the potential risks and benefits;

  • the fact that the Data Controller may process their Personal Data for purposes other than those initially specified at the time of collection, if compatible with a specific purpose mentioned above and an indication of these further compatible purposes;

  • the fact that if they have given Consent, they can withdraw it at any time;

  • circumstances in which it might not be possible to treat their Personal Data confidentially;

  • the Data Subject’s rights to object to the Processing and to access, correct and delete their Personal Data; how to exercise such rights and the possible limitations on the exercise of their rights;

  • to which third countries or International Organization/s the Data Controller may need to transfer the data in order to achieve the purpose of the initial collection and Further Processing;

  • the period for which the Personal Data will be kept or at least the criteria to determine it and any steps taken to ensure that records are accurate and kept up to date;

  • with which other organizations, such as authorities in the country of data collection, the Personal Data may be shared;

  • in case decisions are taken on the basis of automated Processing, information about the logic involved;

  • an indication of the security measures implemented by the Data Controller regarding the data Processing.

Under other legal bases for Processing, the responsibility for conducting a risk analysis rests with the Data Controller, and it is sufficient to provide more basic information. The following is recommended as the minimum information that should be provided in the case of a legal basis other than Consent:

  • the identity and contact details of the Data Controller;

  • the specific purpose for Processing of their Personal Data;

  • whom to contact in case of any questions concerning the Processing of their Personal Data;

  • with whom the data will be shared, in particular if they may be shared with authorities (e.g. law enforcement authorities) or entities in another territory or jurisdiction.

Additional information must be provided where necessary to enable individuals to Consent and exercise their rights of access, objection, rectification, erasure and/or if the Data Subject requests more information.Footnote 25

In exceptional circumstances where, due to prevailing security and logistical constraints, including difficulties gaining access to the field, it is not possible to provide this information immediately or at the place where individuals are located, or where the data have not been collected directly from the Data Subject, the information should be made available as soon as possible in a way that is easy for individuals to access and understand.Footnote 26 Humanitarian Organizations should also refrain from collecting extensive data sets from affected populations until this information can be adequately provided, unless absolutely necessary for humanitarian purposes.

2.10.3 Data not collected from the Data Subject

Where the Personal Data have not been obtained from the Data Subject, the information set out under Section 2.10.2 – Information notices, above, depending on the legal basis used for the collection of data, should be provided to the Data Subject within a reasonable period after obtaining this data, having regard to the specific circumstances in which the data are processed or, if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed, subject to logistical and security constraints. This requirement will not apply where the Data Subject already has the information or where providing it is impossible or would involve a disproportionate effort, in which case the measures outlined above in Section 2.10 – Information should be considered.

Example:

Information may be provided after obtaining the data, for example, where a protection case is documented involving multiple victims and the information is collected from only one of them or from a third source, or where lists of displaced persons are collected from authorities or from other organizations for the distribution of aid.

2.11 Rights of Data Subjects

2.11.1 Introduction

The respect of Data Subjects’ rights is a key element of data protection. However, the exercise of these rights is subject to conditions and may be limited as explained below.

An individual should be able to exercise these rights using the internal procedures of the relevant Humanitarian Organization, such as by lodging an inquiry or complaint with the organization’s DPO. However, depending on the applicable law, and in cases where the Data Controller is not an International Organization with immunity from jurisdiction, the individual may also have the right to bring a claim in court or with a data protection authority. In the case of International Organizations, claims may be brought before an equivalent body responsible for independent review of cases for the organization.Footnote 27

2.11.2 Access

A Data Subject should be able to make an access request orally or in writing to the Humanitarian Organization. Data Subjects should be given an opportunity to review and verify their Personal Data. The exercise of this right may be restricted if necessary for the protection of the rights and freedoms of others, or if necessary for the documentation of alleged violations of international humanitarian law or human rights law.

With due consideration for the prevailing situation and its security constraints, Data Subjects should be given the opportunity to obtain confirmation from the Humanitarian Organization, at reasonable intervals and free of charge, whether their Personal Data are being processed or not. Where such Personal Data are being processed, Data Subjects should be able to obtain access to them, except as otherwise provided below.

The Humanitarian Organization’s staff should not reveal any information relating to Data Subjects unless they are provided with satisfactory proof of identity from the Data Subjects and/or their authorized representative.

Access to documents does not apply when overriding interests require that access not be given. Thus, compliance by Humanitarian Organizations with a Data Subject’s access request may be restricted as a result of the overriding public interests or interests of others. This is particularly the case where access cannot be provided without revealing the Personal Data of others, except where the document or information can be meaningfully redacted to blank out any reference to such other Data Subject/s without disproportionate effort, or where the Consent of such other Data Subject/s to the disclosure has been obtained, again without disproportionate effort.

Access that would jeopardize the ability of a Humanitarian Organization to pursue the objectives of its Humanitarian Action or that creates risks for the security of its staff will always constitute an overriding interest. This may also be the case for internal documents of the Humanitarian Organizations, disclosure of which may have an adverse effect on Humanitarian Action. In such cases, the Humanitarian Organization should make every effort to document the nature of the overriding interests, to the extent possible and subject to prevailing circumstances.

Communication to Data Subjects on the information set out in this section should be given in an intelligible form, which means that the Humanitarian Organization may have to explain the Processing to the Data Subjects in more detail or provide translations. For example, just quoting technical abbreviations or medical terms in response to an access request will usually not suffice, even if only such abbreviations or terms are stored.

It may be appropriate to disclose Personal Data to family members or legal guardians in the case of missing, unconscious or deceased Data Subjects or of Data Subjects’ families seeking access for humanitarian or administrative reasons or for family history research. Here too, the staff of Humanitarian Organizations should not reveal any information unless they are provided with satisfactory proof of identity of the requesting person and proof of legal guardianship/family link, as appropriate, and they have made a reasonable effort to establish the validity of the request.

2.11.3 Correction

The Data Subject should also be able to ensure that the Humanitarian Organization corrects any inaccurate Personal Data relating to them. Having regard to the purposes for which data were processed, the Data Subject should be able to correct incomplete Personal Data, for instance by providing supplementary information.

When this involves simply correcting factual data (e.g. requesting the correction of the spelling of a name, change of address or telephone number), proof of inaccuracy may not be crucial. If, however, such requests are linked to a Humanitarian Organization’s findings or records (such as the Data Subject’s legal identity, or the correct place of residence for the delivery of legal documents, or more sensitive information about the humanitarian status of, or medical information concerning, the Data Subject), the Data Controller may need to demand proof of the alleged inaccuracy and assess the credibility of the assertion. Such demands should not place an unreasonable burden of proof on the Data Subject and thereby preclude Data Subjects from having their data corrected. In addition, Humanitarian Organization staff should require satisfactory proof of identity from the Data Subjects and/or their authorized representative before carrying out any correction.

2.11.4 Right to erasure

A Data Subject should be able to have their own Personal Data erased from the Humanitarian Organization’s databases where:

  • the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and/or further processed;

  • the Data Subject has withdrawn their Consent for Processing, and there is no other basis for the Processing of the data;Footnote 28

  • the Data Subject successfully objects to the Processing of Personal Data concerning them;Footnote 29

  • the Processing does not comply with the applicable data protection and privacy laws, regulations and policies.

The exercise of this right may be restricted if necessary for the protection of the Data Subject or the rights and freedoms of others, for the documentation of alleged violations of international humanitarian law or human rights law, for reasons of public interest in the area of public health, for compliance with an applicable legal obligation, for the establishment, exercise or defence of legal claims, or for legitimate historical or research purposes, subject to appropriate safeguards and taking into account the risks for and the interests of the Data Subject. This can include the interest in maintaining archives that represent the common heritage of humanity. In addition, Humanitarian Organization staff should require proof of identity that satisfies them that the Data Subjects are who they say they are before carrying out any erasure.

Example:

A Humanitarian Organization suspects that a request for erasure is being made under pressure from a Third Party, and that erasure would prevent the protection of the Data Subject or documentation of an alleged violation of international humanitarian law or human rights law. In such a case, the Humanitarian Organization would be justified in refusing to erase the data.

2.11.5 Right to object

Data Subjects have the right to object, on compelling legitimate grounds relating to their particular situation, at any time, to the Processing of Personal Data concerning them.

The exercise of this right may be restricted where the Humanitarian Organization has compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject. Such grounds may include, for example, the protection of the Data Subject or the rights and freedoms of others, the documentation of alleged violations of international humanitarian law or human rights law, the establishment, exercise or defence of legal claims, or legitimate historical or research purposes, subject to appropriate safeguards and taking into account the risks for and the interests of the Data Subject. In these cases, the Humanitarian Organization should:

  • inform the organization’s DPO, if there is one;

  • inform, if possible, the Data Subject of the Humanitarian Organization’s intention to continue to process data on this basis;

  • inform, if possible, the Data Subject of his/her right to seek a review of the Humanitarian Organization’s decision by the DPO or the competent state authority, court or equivalent body in the case of International Organizations.

In addition, Humanitarian Organization staff should require proof of identity that satisfies them that the Data Subjects are who they say they are before accepting an objection.

2.12 Data sharing and International Data Sharing

Humanitarian Emergencies routinely require Humanitarian Organizations to share Personal Data with Data Processors and Third Parties, including those based in other countries, or with International Organizations. Data protection laws restrict International Data Sharing, which means any act of making Personal Data accessible outside the country in which they were originally collected or processed, as well as to a different entity within the same Humanitarian Organization not enjoying the status of International Organization, or to a Third Party, via electronic means, the Internet or others.Footnote 30

Data sharing requires due regard to all the various conditions set out in this Handbook. For example, since data sharing is a form of Processing, there must be a legal basis for it, and it can only take place for the specific purpose for which the data were initially collected or further processed. In addition, Data Subjects have rights in relation to data sharing and must be given information about it. The conditions governing International Data Sharing are given in Chapter 4: International Data Sharing.

Chapter 3 Legal bases for Personal Data Processing

3.1 Introduction

Under the principle of the lawfulness of data Processing outlined in Chapter 2: Basic principles of data protection, a legitimate legal basis is required in order for Personal Data Processing operations to take place.

In their humanitarian work, Humanitarian Organizations may rely on the following legal bases to process Personal Data:

  • vital interest of the Data Subject or of another person;

  • public interest;

  • Consent;

  • legitimate interest;

  • performance of a contract;

  • compliance with a legal obligation.

In the emergency situations in which Humanitarian Organizations usually operate, it can be difficult to fulfil the basic conditions of valid Consent, in particular that it is informed and freely given. For example, this can be the case where consenting to the Processing of Personal Data is a precondition to receive assistance. It could also apply to human resources, for example, if consenting to the Processing is a condition for recruitment.

Processing by Humanitarian Organizations may often be based on vital interest or on important grounds of public interest,Footnote 1 for example in the performance of a mandate established under national or international law. This would require that the following conditions be met:

  • in the case of vital interest, having sufficient elements to consider that in the absence of Processing the individual could be at risk of physical or moral harm. In the case of important grounds of public interest, being clear that the specific Processing operation is within a mandate established for the Humanitarian Organization under national, regional or international law, or that the Humanitarian Organization is otherwise performing a specific task or function that is in the public interest and is laid down by law.

  • providing clear information to the individual as to the proposed Processing operation.

  • ensuring the individual has a say and is in a position to exercise the right to object.Footnote 2 In any case, the opportunity to object to the Processing should be offered as soon and as clearly as possible, preferably at the moment of data collection. If the Data Subject provides adequate justification for their objection to the Processing, and if the Processing is not necessary for any other legal basis (e.g. Section 3.3 – Vital interest, or Section 3.4 – Important grounds of public interest), then the Processing of the Data Subject’s Personal Data should cease.

Relying on an appropriate legal basis does not discharge a Humanitarian Organization of its responsibility to assess the risk, for an individual, a given group or the Humanitarian Organization itself, of collecting, storing or using Personal Data. In cases involving particularly high risks, Humanitarian Organizations should consider whether it is not more appropriate to refrain from collecting and/or Processing the data in the first place. Such risks may be immediately evident from the Humanitarian Organization’s experience or hidden in the complexity of the data flows inherent in a new technological solution. The performance of a Data Protection Impact Assessment (DPIA) therefore remains a key tool to ensure that all relevant risks are identified and mitigated.Footnote 3

3.2 Consent

Consent is the most popular and often the preferred legal basis for Personal Data Processing. However, given the vulnerability of most people affected by Humanitarian Emergencies and the nature of Humanitarian Emergencies themselves, many Humanitarian Organizations will not be in a position to rely on Consent for most of their Personal Data Processing. In particular, the choice of another legal basis is appropriate when:

  • The Data Subject is not physically in a position to be informed and give free Consent, either because, for example, he/she is a Sought Person, or he/she is unconscious.

  • The Humanitarian Organization is not in a position to inform and obtain the Consent of the Data Subject due to the prevailing security or logistical conditions in the area of operations.

  • The Humanitarian Organization is not in a position to inform and obtain the Consent of the Data Subjects due to the scale of the operation that needs to be carried out. This can be the case, for example, (i) when preparing lists for distribution of humanitarian assistance to large numbers of displaced people, or (ii) when authorities provide Humanitarian Organizations with lists of protected persons, under a provision deriving from international humanitarian law or human rights law.

  • In the organization’s assessment, the Consent of the Data Subject cannot be valid due, for example, to the Data Subject being particularly vulnerable (e.g. children, elderly or disabled persons) at the time of giving Consent, or having no real choice to refuse Consent due to a situation of need and vulnerability, including a lack of alternative to the specific assistance being offered and the data Processing involved.

  • New technologies are involved, characterized by complex data flows and multiple stakeholders, including Data Processors and sub-Data Processors in multiple jurisdictions. This makes it difficult for an individual to fully appreciate the risks and benefits of a Processing operation and, therefore, take the responsibility for it as entailed by giving Consent. In this case, other legal bases, which require Humanitarian Organizations to take more responsibility for the assessment of risks and benefits of Processing, would be more appropriate.

It should be noted that obtaining Consent is not the same as providing information about data Processing (Section 2.10 – Information). That is, even when Consent cannot be used, informational requirements still apply, including information on the rights to objection, erasure, access and rectification.

The following requirements must be fulfilled in order for Consent to be valid.

3.2.1 Unambiguous

Consent should be fully informed and freely given by any appropriate method. This means that the Data Subject signifies their agreement to the Processing of their Personal Data. Consent may be given in writing or, where written Consent is not possible, orally or by another clearly affirmative action by the Data Subject (or by his or her guardian, as applicable).

3.2.2 Timing

Consent should be obtained at the time of collection or as soon as it is reasonably practical thereafter.

3.2.3 Validity

Consent should not be regarded as freely given if the Data Subject has no genuine and free choice, or is unable to refuse or withdraw Consent without detriment, or has not been informed sufficiently in order to understand the consequences of the Personal Data Processing.

3.2.4 Vulnerability

The Data Subject’s vulnerability should be taken into account when considering the validity of Consent. Assessing vulnerability involves understanding the social, cultural and religious norms of the group to which Data Subjects belong and ensuring that each Data Subject is treated individually as the owner of his/her Personal Data. Respect for the individual implies that each person is regarded as autonomous, independent and free to make his/her own choices.

Vulnerability varies depending on the circumstances. In this respect, the following factors should be considered:Footnote 4

  • the characteristics of the Data Subject, such as illiteracy, disability, age, health status, gender and sexual orientation;

  • the location of the Data Subject, such as a detention facility, resettlement camp, remote area;

  • environmental and other factors, such as unfamiliar surroundings, foreign language and concepts;

  • the Data Subject’s position in relation to others, such as belonging to a minority group or ethnicity;

  • social, cultural and religious norms of families, communities or other groups to which Data Subjects belong;

  • the complexity of the envisaged Processing operation, particularly if complex new technologies are employed.

Example:

A Humanitarian Organization carries out an assessment of a Humanitarian Emergency. In doing so, it collects data on possible beneficiaries, including information about household livelihood and specific vulnerabilities with a view to developing a suitable assistance programme, which may include nutrition, health and protection components. This involves collecting and Processing a great deal of Personal Data. The organization should inform the individuals it interviews about the purposes for which the data collection will be used, but it would not be meaningful to base the data collection on their Consent. Such individuals have no meaningful possibility to give Consent to data collection, because they are in an extremely vulnerable position and have no genuine choice but to accept whatever Processing operation may be involved in accepting the aid offered. Another legal basis should be identified, and the relevant information provided, including the option to object to the envisaged Processing.

3.2.5 Children

Children are a particularly vulnerable category of Data Subjects, and the best interests of the child are paramount in all decisions affecting them. While the views and opinions of children should be respected at all times, particular care should be taken to establish whether the child fully understands the risks and benefits involved in a Processing operation and to exercise his/her right to object and to provide valid Consent where applicable. Assessment of the vulnerability of children will depend on the child’s age and maturity.

The Consent of the child’s parent or legal guardian may be necessary if the child does not have the legal capacity to Consent. The following factors should be taken into account:

  • providing full information to the parent or legal guardian and obtaining the signature of the parent or guardian to indicate their Consent;

  • ensuring that the Data Subject is clearly informed and his/her views are taken into account.

3.2.6 Informed

Consent should be informed if it is to be accepted as the legal basis for Processing. This requires that the Data Subject receive explanations in simple, jargon-free language, which allows for full appreciation and understanding of the circumstances, risks and benefits of Processing.Footnote 5

3.2.7 Documented

Where Processing is based on the Data Subject’s Consent, it is important to keep a record of it in order to be able to demonstrate that the Data Subject has consented to the Processing. This may be done by requesting a signature or cross mark witnessed by a Humanitarian Organization or, in the case of oral Consent, by the Humanitarian Organization documenting that Consent has been obtained. The practice, not unknown in the humanitarian world, of asking for the impression of a fingerprint solely to confirm Consent is highly problematic, since it can amount to the collection of biometric data, and should therefore be avoided. For an analysis of the risks involved in the collection of biometric data, see Chapter 8: Biometrics.

When using Consent, it is important to record any limitations/conditions for its use, and the specific purpose for which Consent is obtained. These details should also be recorded in all databases used by Humanitarian Organizations to process the data in question and should accompany the data throughout the Processing.

Where Consent has not been recorded, or no record of Consent can be found, the data should not be processed further (including transferred to a Third Party if there is no record of Consent for the transfer) unless it is possible to do so under a legal basis other than Consent (e.g. vital interest, legitimate interest or public interest).

3.2.8 Withholding/withdrawing Consent

If Data Subjects expressly withhold Consent, they should be advised about the implications, including the effect this may have on assistance that might or might not be rendered by Humanitarian Organizations and/or Third Party organizations. If, however, assistance could not be provided in the absence of Consent, note that Consent could not be considered as a legal basis for the Processing.Footnote 6

Data Subjects have the right to object to the Processing and to withdraw any Consent previously given at any stage of data Processing. In cases in which a Humanitarian Organization suspects that Consent is being withdrawn under pressure from Third Parties, the Humanitarian Organization is likely to be in a position to continue Processing the Personal Data of the Data Subject on another basis, such as vital interests being at stake (see Section 3.3 below).
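The record-keeping practice of Sections 3.2.7 and 3.2.8, recording the specific purpose and any limitations of Consent so that they accompany the data, refusing a fingerprint taken solely to confirm Consent, and stopping further Processing (including transfers) when no usable Consent exists unless another legal basis applies, as an added Python illustration that is not code from the Handbook or the ICRC. The class names, fields, limitation label and sample records are constructed for the example; the fallback to a recorded vital-interest basis after withdrawal follows Section 3.3.

```python
"""Consent record that travels with Personal Data and gates further Processing.

Added illustration (not Handbook or ICRC code). All names and samples constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class ConsentMethod(Enum):
    WRITTEN = "written"          # signature or cross mark, witnessed by the organization
    ORAL = "oral"                # oral Consent, documented by the organization
    FINGERPRINT = "fingerprint"  # biometric: must not be used solely to confirm Consent


@dataclass
class ConsentRecord:
    purposes: frozenset            # specific purposes the Data Subject agreed to
    method: ConsentMethod
    witnessed_by: str              # staff identifier (constructed) who recorded it
    given_at: datetime
    limitations: frozenset = field(default_factory=frozenset)  # e.g. "no_third_party_transfer"
    withdrawn_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # A fingerprint impression taken only to confirm Consent amounts to collecting
        # biometric data, so such a record is refused outright (Section 3.2.7).
        if self.method is ConsentMethod.FINGERPRINT:
            raise ValueError("fingerprint must not be used solely to confirm Consent")
        if not self.purposes:
            raise ValueError("Consent must name at least one specific purpose")

    def is_valid(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class PersonalRecord:
    subject_id: str
    consent: Optional[ConsentRecord]                 # None: no record of Consent found
    other_bases: dict = field(default_factory=dict)  # purpose -> other legal basis


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: Optional[str]  # legal basis relied on, if any
    reason: str


def may_process(rec: PersonalRecord, purpose: str, third_party_transfer: bool = False) -> Decision:
    """Check order: usable Consent covering the purpose (and not excluded by a
    limitation) -> another recorded legal basis for the same purpose -> stop."""
    c = rec.consent
    if c is not None and c.is_valid() and purpose in c.purposes:
        if not (third_party_transfer and "no_third_party_transfer" in c.limitations):
            return Decision(True, "consent", "recorded Consent covers this operation")
    basis = rec.other_bases.get(purpose)
    if basis:
        return Decision(True, basis, f"no usable Consent; relying on {basis}")
    if c is not None and not c.is_valid():
        return Decision(False, None, "Consent withdrawn and no other legal basis")
    return Decision(False, None, "no record of Consent and no other legal basis")


def withdraw_consent(rec: PersonalRecord, at: datetime) -> None:
    """Record a withdrawal; later checks fall through to other bases (Section 3.2.8)."""
    if rec.consent is not None and rec.consent.withdrawn_at is None:
        rec.consent.withdrawn_at = at


def demo() -> dict:
    """Constructed sample records exercising each branch of may_process()."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    # Written Consent for two purposes, with a limitation against Third Party transfer.
    alice = PersonalRecord("S-0001", ConsentRecord(
        frozenset({"registration", "food_distribution"}), ConsentMethod.WRITTEN,
        "staff-17", t0, limitations=frozenset({"no_third_party_transfer"})))
    # No record of Consent, but registration recorded as resting on vital interest.
    bob = PersonalRecord("S-0002", None, other_bases={"registration": "vital interest"})
    # Oral Consent later withdrawn; medical care continues on vital interest.
    carol = PersonalRecord("S-0003", ConsentRecord(
        frozenset({"medical_care", "survey"}), ConsentMethod.ORAL, "staff-04", t0),
        other_bases={"medical_care": "vital interest"})
    withdraw_consent(carol, datetime(2024, 3, 1, tzinfo=timezone.utc))
    return {
        "alice_food": may_process(alice, "food_distribution"),
        "alice_transfer": may_process(alice, "food_distribution", third_party_transfer=True),
        "alice_research": may_process(alice, "research"),
        "bob_registration": may_process(bob, "registration"),
        "bob_research": may_process(bob, "research"),
        "carol_medical": may_process(carol, "medical_care"),
        "carol_survey": may_process(carol, "survey"),
    }
```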

3.3 Vital interest

When Consent cannot be validly obtained, Personal Data may still be processed if the Humanitarian Organization establishes that this is in the vital interest of the Data Subject or of another person, i.e. where data Processing is necessary in order to protect an interest which is essential for the Data Subject’s life, integrity, health, dignity or security or that of another person.

Considering the nature of Humanitarian Organizations’ work, and the emergency situations in which they operate, Processing of data by Humanitarian Organizations may be based on the vital interest of a Data Subject or another person in the following cases:

  • The Humanitarian Organization is dealing with cases of Sought Persons.

  • The Humanitarian Organization is assisting authorities with the identification of human remains and/or tracing the family of the deceased. In this case the Personal Data would be processed in the vital interest of the family members.

  • The Humanitarian Organization is assisting an individual who is unconscious or otherwise at risk, but unable to communicate Consent.

  • The Humanitarian Organization is providing medical care or assistance.

  • The Processing, including disclosure, of information is the most appropriate response to an imminent threat against the physical and mental integrity of the Data Subjects or other persons.

  • The Processing is necessary to provide for the essential needs of an individual or a community during, or in the aftermath of, a Humanitarian Emergency.

In these cases, however, the Humanitarian Organization should, if possible, ensure that the Data Subjects are aware of the Processing as soon as possible, that they have sufficient knowledge to understand and appreciate the specified purpose(s) for which Personal Data are collected and processed, and are in a position to object to the Processing if they so wish. This can be achieved preferably through direct explanations at the moment of the collection and, for example, during distributions of assistance, using posters, group explanations or by making further information available on leaflets or on websites when affected people are registered or aid is distributed.Footnote 7

Example:

A Humanitarian Organization needs to collect Personal Data from vulnerable individuals following a natural disaster in order to provide vital assistance (e.g. food, water, medical assistance, etc.). It may use the vital interests of the individuals as the legal basis for the collection of Personal Data, without the need to obtain their Consent. However, it should (1) ensure that this legal basis is used only to provide such assistance; (2) offer the individuals the right to object; and (3) process the data collected in accordance with its privacy policy, which should be available to Data Subjects upon request. It should provide all relevant information about the data Processing, for example through posters, or group explanations, or by making further information available on leaflets or websites when affected people are registered or aid is distributed.

3.4 Important grounds of public interest

Important grounds of public interest are triggered when the activity in question is part of a humanitarian mandate established under national or international law or is otherwise an activity in the public interest laid down by law. This would be the case, for example, for the International Committee of the Red Cross (ICRC), National Societies of the Red Cross/Red Crescent, the United Nations High Commissioner for Refugees (UNHCR), the United Nations Children’s Fund (UNICEF), the United Nations World Food Programme (WFP), the International Organization for Migration (IOM), and other Humanitarian Organizations performing a specific task or function in the public interest, which is laid down by law, insofar as the Processing of Personal Data is necessary to accomplish those tasks.Footnote 8 In this case, the term ‘necessary’ is to be strictly construed (i.e. the data Processing should be truly necessary, rather than just convenient,Footnote 9 to fulfil the relevant purpose).

Cases where this legal basis may be relevant include distributions of assistance, where it may not be practicable to obtain the Consent of all the possible beneficiaries, and where it may not be clear whether the life, security, dignity and integrity of the Data Subject or of other people are at stake (in which case ‘vital interest’ may be the most appropriate legal basis for Processing).

Other scenarios where this legal basis may be relevant include the Processing of Personal Data of persons in detention, where this type of activity is within the mandate of the Humanitarian Organization in question. This may happen, for example, when the Processing of Personal Data relates to persons deprived of their liberty in an armed conflict or other situation of violence, where the Humanitarian Organization has not yet been in a position to visit the Data Subject deprived of liberty and therefore to obtain his/her Consent, and, subsequently, where Consent is not considered a valid legal basis because of the vulnerability of the Data Subjects linked to their deprivation of liberty.

In these cases, too, the Humanitarian Organization should, if possible, ensure that the Data Subjects are aware of the Processing of their Personal Data as soon as possible and that they have sufficient knowledge to understand and appreciate the specified purpose(s) for which Personal Data are collected and processed, and are in a position to object to Processing at any point if they so wish.

3.5 Legitimate interest

Humanitarian Organizations may also process Personal Data where this is in their legitimate interest, in particular, where it is necessary for the purpose of carrying out a specific humanitarian activity listed in their mission, and provided that this interest is not overridden by the fundamental rights and freedoms of the Data Subject. In all of these situations, the term ‘necessary’ is to be strictly construed (i.e. the data Processing should be truly necessary, rather than just convenient,Footnote 10 to fulfil the relevant purpose).

Legitimate interest may include situations such as the following:

  • The Processing is necessary for the effective performance of the Humanitarian Organization’s mission, in cases where important grounds of public interest are not triggered.

  • The Processing is necessary for the purposes of ensuring information systems and information security,Footnote 11 and the security of the related services offered by, or accessible via, these information systems, by public authorities, Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), providers of electronic communications networks and services, and by providers of security technologies and services. This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

  • The Processing is necessary for the purposes of preventing, evidencing and stopping fraud or theft.

  • The Processing of Personal Data is necessary for the purposes of anonymizing or pseudonymizing Personal Data.Footnote 12

  • The Processing is necessary for the establishment, exercise or defence of legal claims, regardless of whether in a judicial, administrative or any out-of-court procedure.

  • The Processing is necessary to make the work of the organization more effective and efficient.

Example:

A Humanitarian Organization processes Personal Data in the course of scanning its IT systems for viruses; verifying the identity of beneficiaries for anti-fraud purposes; and defending itself in a legal proceeding brought by an ex-employee. All these Processing activities are permissible based on the legitimate interest of the organization.

3.6 Performance of a contract

Under this legal basis Humanitarian Organizations may process Personal Data where it is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract. Once again, the term ‘necessary’ is to be strictly construed (i.e. the data Processing should be truly necessary, rather than just convenient, to fulfil the relevant purpose).

This will generally be the case with regard to data Processing for the following purposes:

  • the management of human resources files, including recruitment;

  • the management of relations with suppliers of goods/services;

  • relationships with donors.

Example:

A Humanitarian Organization keeps personnel files about its staff in order to fulfil its employment obligations to them. This is permissible in order to perform its contractual employment obligations to its staff. On the other hand, if the same organization has outsourced its data Processing to a Third Party in the same country where its headquarters are located, granting access to its databases to the outsourcing firm will not be regarded as necessary for the performance of its contract with the firm, since the choice to outsource data Processing was a choice of convenience rather than a matter of necessity. In this case it should be considered whether the legitimate interest of the organization would be a suitable legal basis.

3.7 Compliance with a legal obligation

Under this legal basis, Humanitarian Organizations may process Personal Data where it is necessary to comply with a legal obligation to which Humanitarian Organizations are subject, or to which they submit. This may be the case, for example, in the area of employment law, or for organizations not benefiting from privileges and immunities, if this is necessary to comply with an enforceable legal obligation.

Example:

In the country where a Humanitarian Organization operates there is a legal obligation to provide information to the social security and tax authorities about wage payments made to staff. If the organization is subject to domestic law, this is permissible based on the legal obligation to which the organization is subject.

However, given the environment in which Humanitarian Organizations operate, the following factors should be taken into account when considering a legal obligation as a basis for the Processing. These will be relevant in particular when authorities require access to Personal Data for law enforcement, intelligence or other purposes:

  • existence of the rule of law and separation of powers in the country requiring access to the data;

  • respect for human rights, including the right to effective judicial redress;

  • existence of an armed conflict or a situation of violence, where the authority requiring access may represent a party;

  • nature of the data, and whether inferences could be made from the data leading to discrimination or persecution (for example, if names or data relating to food needs reveal religious affiliation or ethnicity, if Health Data reveal sexual orientation in a country where homosexuals are persecuted, or if the Data Subject whose data are being requested faces the death penalty);

  • whether the Humanitarian Organization enjoys privileges and immunities, and the obligation is not, therefore, enforceable.

In this respect, it is also important to stress that Humanitarian Organizations should consider whether any legal obligation to disclose data applicable to them may put their Data Subjects at risk of discrimination, persecution, marginalization or repression, in which case they should consider not engaging in data collection in the first place.

3.7.1 The disclosure of Personal Data to authorities

Issues may arise regarding the disclosure and transfer of Personal Data by Humanitarian Organizations to authorities, particularly when they represent a party to a conflict or an actor in other situations of violence. Such disclosure may be problematic for Neutral, Impartial and Independent Humanitarian Action. This is particularly true if disclosure is prejudicial to a Data Subject in view of his/her humanitarian situation, or where such transfers would jeopardize the organization’s security or its future access to persons affected by armed conflict or violence, to parties to a conflict, or to information necessary to perform its mandate.

Humanitarian Organizations enjoying privileges and immunities as International Organizations should ensure that their specific status is respected and refuse to accede to such requests unless necessary in the best interest of the Data Subjects and Humanitarian Action. When a Humanitarian Organization enjoying privileges and immunities needs to transfer data to Humanitarian Organizations that do not enjoy such privileges and immunities, the risk that the recipient may not be in a position to resist such requests should be taken into account. This risk is specifically recognized in the International Conference of Privacy and Data Protection Commissioners’ Resolution on Privacy and International Humanitarian Action of 2015:Footnote 13

Humanitarian organizations not benefiting from Privileges and Immunities may come under pressure to provide data collected for humanitarian purposes to authorities wishing to use such data for other purposes (for example control of migration flows and the fight against terrorism). The risk of misuse of data may have a serious impact on data protection rights of displaced persons and can be a detriment to their safety, as well as to Humanitarian Action more generally.

As a specific measure to address this very concern, the 33rd International Conference of the Red Cross and Red Crescent in 2019, in its Resolution on Restoring Family Links while respecting privacy, including as it relates to Personal Data protection, urged:Footnote 14

States and the Movement to cooperate to ensure that personal data is not requested or used for purposes incompatible with the humanitarian nature of the work of the Movement, […], or in a manner that would undermine the trust of the people it serves or the independence, impartiality and neutrality of RFL services.

Chapter 4 International Data Sharing

4.1 Introduction

Humanitarian Emergencies know no borders and regularly create the need for Humanitarian Organizations to share data with other entities across borders to provide the necessary humanitarian response. Accordingly, ensuring efficient cross-border flows of Personal Data between different countries is essential to the work of Humanitarian Organizations. In addition, the adoption of new technologies in humanitarian responses requires the involvement of multiple Data Processors and Sub-Processors which are, almost inevitably, established in various jurisdictions other than that where the Humanitarian Emergency takes place. This may be the case, for example, when cloud-based solutions are used by Humanitarian Organizations to process Personal Data, in which case data may be hosted in the territory where the organization is headquartered, and service providers may be acting as Data Processors and Sub-Processors in a number of jurisdictions.Footnote 1

As discussed in Section 2.4 – Applicable law and International Organizations, some Humanitarian Organizations are International Organizations which enjoy privileges and immunities to ensure they can perform the mandate attributed to them by the international community under international law in full independence. Accordingly, they process Personal Data according to their own rules, which apply across their work irrespective of the territory they operate in, and are subject to the control of and enforcement by their own compliance systems.Footnote 2 Thus, they constitute their own “jurisdiction”, and data flows within them, for example between HQ and field locations or between field locations, and between them and their subordinate bodies, do not fall within the scope of this chapter.Footnote 3

The following are just a few examples of entities with which a Humanitarian Organization may need to share data across national borders:

  • offices within the same non-governmental organization (NGO) operating in different countries;

  • other NGOs, International Organizations, and United Nations agencies;

  • government authorities;

  • Data Processors such as service providers, consultants or researchers collecting and/or Processing Personal Data on behalf of the Humanitarian Organization;

  • academic institutions and/or individual researchers;

  • private companies;

  • museums.

International Data Sharing includes any act of making Personal Data accessible outside the country or International Organization where they were originally collected or processed via electronic means, the Internet or others. Publication of Personal Data in newspapers, the Internet or via radio broadcast usually counts as data sharing if it makes it possible for data to be accessed across borders.

International Data Sharing includes any act that results in Personal Data being transferred, shared or accessed across national borders or with International Organizations. Accordingly, International Data Sharing may involve one of the following situations:

  • The Humanitarian Organization transfers data to an organization in another jurisdiction. The receiving entity is a new Data Controller, which determines the means and purposes of Processing.

  • The Humanitarian Organization transfers data to an organization in another jurisdiction, but remains the entity which decides on the means and purposes of Processing, and the receiving entity processes Personal Data exclusively according to the instructions of the sharing entity. In this case, the receiving entity is a Data Processor.

Both these scenarios involve a risk that, once Personal Data are shared, they lose some or all of the protection that they enjoyed when they were processed exclusively by the Humanitarian Organization. In both of these scenarios, therefore, it is important to ensure that all reasonable measures are put in place by the sharing organization to avoid unintentional loss of protection.

It should not be forgotten that data sharing is a Processing operation and is therefore subject to all the requirements set out in the previous chapters.Footnote 4 This chapter explains the additional precautions Humanitarian Organizations should take whenever carrying out International Data Sharing.

4.2 Basic rules for International Data Sharing

In order to provide protection for International Data Sharing, all of the following steps should be followed:

  • Any data protection rules or privacy requirements applicable to the data sharingFootnote 5 (including any data protection or privacy requirements of local law, if applicable) must have been satisfied prior to the transfer.

  • A legal basis must be provided for the transfer.

  • An assessment should be carried out to determine whether the transfer presents any unacceptable risks for the individual (e.g. discrimination or repression).

  • The organization that initiates the transfer must be able to demonstrate that adequate measures have been undertaken to ensure compliance with the data protection principles set forth in this Handbook by the recipient entity in order to maintain the level of protection of Personal Data with regard to International Data Sharing (accountability).

  • The individual should be informed about the recipient(s) of the transfer. The transfer should not be incompatible with the reasonable expectations of the individuals whose data are transferred.

4.3 Providing a legal basis for International Data Sharing

4.3.1 Introduction

As mentioned above, this Handbook is designed to assist in the application and respect of data protection principles and rights in humanitarian situations. It does not, however, replace or provide advice on domestic legislation on data protection, where such applies to a Humanitarian Organization that does not benefit from the privileges and immunities enjoyed by an International Organization. It should therefore be noted that the considerations covered in this chapter are in addition to any requirements of local law that may apply in the country from which the data are to be transferred, insofar as they apply to a particular Humanitarian Organization. Dozens of countries in all regions of the world have enacted data protection laws that regulate International Data Sharing. In order to assess such laws, the Humanitarian Organization should consult with its Data Protection Officer (DPO), legal department and/or local legal adviser.

4.3.2 Legal bases for International Data Sharing

International Data Sharing may be carried out:

  • when the transfer serves the vital interests of Data Subjects or other persons;

  • for important grounds of public interest, based on the Humanitarian Organization’s mandate;

  • for the legitimate interest of the Humanitarian Organization, based on the organization’s declared mission, in cases when this interest is not overridden by the rights and freedoms of the Data Subjects and the Humanitarian Organization has provided suitable safeguards for the Personal Data;

  • with the Consent of the Data Subject;

  • for the performance of a contract with the Data Subject.

These legal bases are used in similar ways to their application in Personal Data Processing.Footnote 6 In addition, as International Data Sharing involves additional risks, the factors listed below in Section 4.4 – Mitigating the risks to the individual should be given due consideration.

4.4 Mitigating the risks to the individual

The following factors are important when carrying out International Data Sharing:

  • Risks may be lower if the transfer is to an organization that is subject to the jurisdiction of a country or to an International Organization that has been formally assessed as adequate from a data protection point of view. In general terms, this means that the recipient of data is in a country, or is an international organization, that has been formally determined to have a regulatory regime for data protection in line with high international standards, including an independent supervisory authority, freedom from mass surveillance and access to judicial redress for individuals. However, only a small number of countries have been found to offer adequate protection in a formal sense by national or regional governmental authorities. This means that relying on an adequacy finding is unlikely to be of use to Humanitarian Organizations in most circumstances. Adequacy is not a prerequisite for International Data Sharing, but is a factor to be taken into account.

  • Appropriate safeguards should be used for International Data Sharing, when this is logistically feasible, such as contractual clauses binding the recipient to provide appropriate data protection or checking whether the recipient is committed to complying with a code of conduct on Personal Data protection.

  • The Humanitarian Organization should be accountable for the International Data Sharing it engages in.

These last two factors are considered in more detail below.

Example:

A humanitarian NGO has its headquarters in Country X and wants to transfer files containing Personal Data on vulnerable individuals to whom it provides humanitarian services to another NGO in Country Y. The files will be made available by putting them on its secure web-based platform, allowing the organization in Country Y to access them. Country Y has been formally found to provide an adequate level of data protection by the public authorities of Country X. Making the files available on the web-based platform qualifies as International Data Sharing, but the transfer may take place on the basis that there is an adequate level of protection in Country Y, subject to the further considerations set out under Section 4.4.1 – Appropriate safeguards/Contractual clauses, below.

4.4.1 Appropriate safeguards/Contractual clauses

One of the measures for a Humanitarian Organization to consider when deciding on the mitigation of the risks involved in International Data Sharing is to ensure that the recipient puts appropriate safeguards in place to protect Personal Data.

In practice, such safeguards may be provided by a legally binding contractual agreement, developed by the Humanitarian Organization itself or adapted from other internationally recognized sources, by which the organization and the party to which the data are transferred commit to protect the Personal Data in question on the basis of the data protection standards that apply to the Humanitarian Organization.

The European Commission has issued standard contractual clauses for transfers from Data Controllers to Data Controllers and to Data Processors established outside the European Union/European Economic AreaFootnote 7 for Humanitarian Organizations subject to EU data protection law or wishing to use these clauses.

Another factor to consider when deciding on risk mitigation is whether the other party involved in data sharing is committed to a code of conduct covering Personal Data ProcessingFootnote 8 and the extent to which such a code of conduct is applied in practice, whether it is binding and enforceable or not.

Even when a legal basis exists for the transfer and mitigating measures are put in place, it may not be appropriate to carry out International Data Sharing, because of factors such as the following:

  • The nature of the data could put individuals at risk.

  • There are good reasons to believe that the parties receiving the data may not be able to ensure that they receive adequate protection.

  • The conditions in the country where the data are to be sent make it unlikely that they will be protected.

  • The data are being processed on the basis that they are protected by an International Organization’s immunity from jurisdiction and the receiving organization does not enjoy such immunity.

Example:

A Humanitarian Organization that is an International Organization with offices in Country X wants to transfer files containing Personal Data on vulnerable individuals to whom it provides humanitarian services to an NGO in the same country. As a transfer from an International Organization to an organization subject to the jurisdiction of X, the sharing constitutes International Data Sharing. The Humanitarian Organization signs standard contractual clauses with the NGO. However, there is a significant danger that an armed group may attack the facilities of the NGO. The NGO also has a record of losing data that is sent to it. The Humanitarian Organization should seriously consider not transferring the data, irrespective of contractual clauses being signed.

To identify and address or mitigate such risks properly, a DPIA should be carried out.Footnote 9 In case of doubt, the Humanitarian Organization’s DPO should be consulted.

4.4.2 Accountability

It is important for the Humanitarian Organization that initiates the transfer to be able to demonstrate that adequate and proportionate measures have been undertaken to ensure compliance with basic data protection principles with regard to International Data Sharing. The Humanitarian Organization is accountable to the Data Subject whose data are being shared. This can include measures such as the following:

  • keeping internal records concerning data Processing and, in particular, a log of the transfer and a copy of the data transfer agreement made with the party to which the Personal Data are being transferred, if applicable;

  • appointing a DPO;

  • drafting Personal Data Processing policies, including a data security policy;

  • performing and keeping a record of the DPIA(s) relating to the transfer;

  • registering the transfer with the competent authorities (i.e. data protection authorities), if required by applicable law.

For any International Data Sharing, appropriate measures should be used to safeguard the transmission of Personal Data to Third Parties. The level of securityFootnote 10 adopted and the method of transmission should be proportionate to the nature and sensitivity of Personal Data and to the risks involved. It is also advisable to consider this factor as part of any DPIA to further specify the precautions to be taken.

4.5 Data Controller/Data Processor relationship

In the event that a Data Processor is employed by a Data Controller, irrespective of whether the Data Processor is located in a country other than that of the establishment of the Data Controller, their relationship should as much as possible be governed by a binding agreement to protect the Processing of the Personal Data that are shared between them.

A number of issues may have to be clarified in the relevant contractual documents, in order to ensure that Personal Data are properly protected, for example:

  • whether the retention policies of the Data Processor are acceptable (e.g. mobile phone operators/financial institutions are subject to domestic data retention requirements);

  • what additional types of data are collected by the Data Processor as part of the Processing (e.g. for mobile phone operators, geolocation and other phone metadata);

  • whether the Processing of Personal Data by the Data Processor follows the instructions provided by the Data Controller;

  • how Personal Data are disposed of by the Data Processor after the contracted Processing.

Chapter 5 Data Protection Impact Assessments (DPIAs)

5.1 IntroductionFootnote *

The Processing of Personal Data can increase risks for individuals, groups and organizations, as well as society as a whole. The purpose of a Data Protection Impact Assessment (DPIA) is to identify, evaluate and address the risks to the Data Subject arising from a project, policy, programme or other initiative. A DPIA should ultimately lead to measures that contribute to the avoidance, minimization, transfer and/or sharing of data protection risks. A DPIA should follow a project or initiative that requires Processing of individuals’ data throughout its life cycle. The project should revisit the DPIA as it undergoes changes or as new risks arise and become apparent.

Here are examples of when a DPIA is appropriate:

  • The offices of the Humanitarian Organization have been looted once too often. The Humanitarian Organization wants field offices either to dispose of their paper files or send them to headquarters and to rely instead on a cloud-based storage system. Should field offices do away with paper, CDs and flash drives?

  • A local NGO or authority approaches a Humanitarian Organization saying it wants to reunite family members separated because of violence in the country. It wants the Humanitarian Organization to supply all the information it has on missing persons in the country. Should the information be shared? If so, how much personal information should be shared in order to trace missing persons? Under what conditions should personal information be disclosed?

  • A tsunami sweeps away dozens of coastal villages. Thousands of people are reported missing. How much personal information should the Humanitarian Organization collect from the families of persons unaccounted for? Should it be as much information as is available, or should there be limits? Should it include information on health or genetic data, religious affiliation or political views, or other information which, if disclosed, could potentially give rise to significant harm to the individuals concerned?

  • Should Humanitarian Organizations publish pictures of unaccompanied children who are unaccounted for on the Internet? Should the Humanitarian Organization produce posters with these pictures? Under what circumstances?

The DPIA can play a key role in determining who might be adversely affected by privacy or data protection risks, and how they might be harmed.

This chapter is a step-by-step guide for Humanitarian Organizations on how to conduct a DPIA and what should be included in a DPIA report. Appendix 1 contains a template for a DPIA report.Footnote 1 Although a DPIA report is not the end of a DPIA process, it is crucial to its success. The report helps the Humanitarian Organization identify the privacy impacts of a proposed project and what must be done to ensure that the project protects Personal Data. It also helps the Humanitarian Organization reassure stakeholders that it takes their rights to privacy and data protection seriously and that it seeks the views of those who might be affected by or interested in the programme. Humanitarian Organizations should consider making the DPIA report or, at least, a summary of it available to stakeholders.

5.2 The DPIA process

This section provides a guide through the steps necessary to undertake a DPIA. There are different approaches to conducting DPIAs. The following guidance draws on best practices from a range of sources.Footnote 2

5.2.1 Is a DPIA necessary?

Any organization that collects, processes, stores and/or transfers Personal Data to other organizations should consider conducting a DPIA, the scale of which will depend on the severity of the risks assessed by the organization. A Humanitarian Organization may not be aware of all relevant data protection risks beforehand, and certain risks may only become apparent during the course of the DPIA. The Humanitarian Organization may view the risks as being so small that they do not justify a DPIA. Some risks may be real, but still relatively small, so the DPIA process and report may be correspondingly short. Other risks may be very serious, and the Humanitarian Organization will want to conduct a thorough DPIA. There is no one-size-fits-all solution.

5.2.2 The DPIA team

The second step involves identifying the DPIA team and setting the terms of reference. The DPIA team should include or consult the Humanitarian Organization’s DPO. Depending on the scale of the DPIA to be undertaken, the DPIA team could include experts from the Humanitarian Organization’s IT, legal, operations, protection, policy, strategic planning, archives and information management, and public relations groups. The team undertaking the DPIA should be familiar with data protection requirements as well as the Humanitarian Organization’s confidentiality rules and codes of conduct. Importantly, it should also include staff familiar with the planned project. Setting the terms of reference includes planning the time frame for the DPIA, the scope of the DPIA, the stakeholders to be consulted, the budget for the DPIA, and the steps that will be taken after the DPIA in terms of review and/or audit.

5.2.3 Describing the Processing of Personal Data

The DPIA team should prepare a description of the programme or activity to be assessed. The description should include:

  • the aims of the project;

  • the scope of the project;

  • linkages with other projects or programmes;

  • the team responsible for the programme or activity;

  • a brief description of the type of data that will be collected.

Mapping data flows is a key step of any DPIA. In mapping the information flows of a particular programme or activity, the DPIA team should consider the following questions:

  • What type of Personal Data is being collected, from whom and why?

  • How will that data be used, stored and/or transferred?

  • Who will have access to the Personal Data?

  • What security measures are in place to protect the Personal Data?

  • For how long will those data be retained or when will they be deleted? Have different layers of data retention been identified? This can include steps such as (1) storing data deemed sensitive for up to X days, (2) pseudonymizing data then storing the data for a longer time period, and finally (3) full deletion of the data.

  • Will the data undergo any aggregation, Pseudonymization, or Anonymization to protect sensitive information?

5.2.4 Consulting stakeholders

Identifying stakeholders is an important part of conducting a DPIA. Stakeholders include anyone who is interested in or affected by a data protection risk, possible processors, and Sub-Processors. Stakeholders may be internal and/or external to an organization. The need for and value of consulting external stakeholders will depend on how serious the Humanitarian Organization considers the risk to be. For a Humanitarian Organization, consulting stakeholders is a way to identify risks and/or solutions it may not have considered. It is also a way of raising awareness about data protection and privacy issues. The views of stakeholders should be taken into consideration in the DPIA report and recommendations. In order to ensure that the consultation is effective, stakeholders should be provided with sufficient information about the programme and given the opportunity to express their views. There are different ways to engage stakeholders, so the DPIA team should determine the most appropriate one depending on the programme or activity.

5.2.5 Identify risks

One way to identify risks is to create a spreadsheet listing privacy and data protection principles, threats to those principles, vulnerabilities (susceptibility to the threats), and risks arising from the threats and vulnerabilities. A threat without a vulnerability or vice versa is not a risk. A risk arises when a threat acts to exploit a vulnerability.

5.2.6 Assess the risks

A data protection risk assessment addresses the likelihood or probability of a certain event and its consequences (i.e. impact). One can assess the risks by undertaking one or more of the following steps:

  • Consult and deliberate with internal and/or external stakeholders to identify risks, threats and vulnerabilities.

  • Evaluate the risks against agreed risk criteria.Footnote 3

  • Assess the risk in terms of likelihood and severity of impact.

  • Assess against the necessity, suitability and proportionality tests.

Assessing the severity and likelihood of anticipated risks: precautionary principle

The criterion of severity of impact refers to the “magnitude of the risk or its impact if it materializes”.Footnote 4 The determination thereof involves asking various questions including but not restricted to: how many people will it put at risk? What kinds of risks may it generate (e.g. threat to the life, security, dignity and rights of individuals; discrimination; economic harm; reputational harm; risk that an individual may not be in a position to exercise a data protection right; risk that Third Parties may gain access to data, etc.)? What are the profiles of people to whom such risks might be posed (in particular, whether this would include vulnerable people, i.e. those belonging to groups that are particularly susceptible to harm)?Footnote 5

It should be noted that in certain Humanitarian Emergencies, such as situations of armed conflict or violence, there can be an assumption that risks can have particularly severe impacts if they materialize.

The likelihood of potential risks refers to the chances that the risk will materialize, and that it will materialize with the possible severity identified under the above analysis. In Humanitarian Emergencies it is often difficult to assess the likelihood of a risk materializing, particularly taking into consideration the limited availability of incident documentation. This will often mean that there will be limited or no documented evidence of a risk materializing. Lack of evidence should not be taken to mean that a risk is unlikely to materialize or to materialize with the possible level of severity identified. On the contrary, the identification of a risk with possible significant impact, combined with the inability to determine the likelihood thereof in the absence of evidence, should itself be an indicator of a high risk that deserves careful mitigation as part of the DPIA. The possible severity of the risk if it materializes, the nature, context and the purposes of the Processing activity in a humanitarian context should therefore inform the way in which the criterion of likelihood is interpreted and applied.

In this regard, it is suggested that the precautionary principle should be taken into account in the framework of a DPIA. The precautionary principle is a principle commonly used in other sectors (such as regulation of the environment, health and pharmaceuticals, etc.), informing decision-making in risk management,Footnote 6 which calls for particular caution where “a phenomenon, product or process may have a dangerous effect, identified by scientific and objective evaluation” but the available evidence “does not allow the risk to be determined with sufficient certainty”.Footnote 7 While this does not involve examining in depth every hypothetical risk, the precautionary principle requires that in the face of situations in which “there is uncertainty with regards to the existence or extent of risks … protective measures … [should be taken] … without having to wait until the reality and seriousness of those risks become fully apparent”.Footnote 8

5.2.7 Identify solutions

This step involves developing strategies to eliminate, avoid, reduce or transfer the privacy risks. These strategies could include technical solutions, operational and/or organizational controls and/or communication strategies (e.g. to raise awareness). The following example has been provided by OCHA’s Centre for Humanitarian Data, and is based on their work on this subject.Footnote 9

EXAMPLE: Statistical disclosure control in Humanitarian Data management

Data from household surveys, needs assessments and other forms of microdata are critical to determining the needs and perspectives of people affected by crises. This type of data also presents unique risks that should be identified as part of a DPIA process and mitigated before data sharing. Even after names, phone numbers and other direct identifiers are removed from microdata, it may still be possible, through the combination of key variables such as location or ethnicity, to reidentify individuals in the data set or disclose confidential information.

Statistical Disclosure Control (SDC) refers to a set of statistical methods used to assess and reduce the risk of Reidentification or the disclosure of confidential information in order to facilitate the safe sharing of microdata.

The SDC process includes three steps:

  1. Assess the risk of disclosure: Assess the probability that disclosure could occur for individual respondents within a given data set by conducting a disclosure risk assessment.

  2. Reduce the risk of disclosure: Lower the disclosure risk by applying one or more Statistical Disclosure Control techniques.

  3. Quantify information loss: Quantify the information loss and assess the utility of the treated data in line with the original purpose for which they were collected.

Assess the risk of Reidentification

The first step in the SDC process is to conduct a disclosure risk assessment. This helps determine the likelihood of a disclosure taking place and the type of mitigation measures that might be necessary before sharing the data. Conducting a disclosure risk assessment requires selecting the indirect identifiers that are most likely to lead to Reidentification or the disclosure of confidential information, and using statistical methods to calculate different measures of risk.

Common key variables found in humanitarian microdata include age, gender, ethnicity, marital status, religion, income, location and other forms of geographic information. Depending on the context, almost any variable could be considered an indirect identifier (referred to as key variables). Selecting key variables thus requires an understanding of the context and data environment in which the data were produced.

Common risk measures include k-anonymity, l-diversity and individual and global disclosure risk. The Humanitarian Organization will need to set thresholds to be reached for each of the risk measures in order to share the data.

Reduce the risk of Reidentification

The second step in the SDC process is to reduce the disclosure risk to below the agreed threshold. There are two main strategies for reducing disclosure risk. The first is through non-perturbative methods, which reduce the detail in the data through suppression or generalization of data values. For example, continuous key variables such as age or income may be recoded into age or income brackets. This process of replacing a data value with a less precise one can be an effective method for reducing disclosure risk while maintaining the analytical power of the data. The second set of methods, known as perturbative methods, aims to limit disclosure risk by altering data values in order to create uncertainty around the true value. Because these methods deliberately change data values, they should be applied with caution.

Quantifying information loss

The application of SDC will always lead to some information loss. In some cases, the information loss would be so high that the data lose their utility. Information loss must be evaluated with respect to the intended uses of the data. In the final step of the SDC process, the disclosure risk is reassessed to determine whether the application of SDC techniques has reduced the disclosure risk to an acceptable level and to evaluate the information loss. The goal of the SDC process is to find the optimal point at which the utility of the data for the intended users is maximized while the disclosure risk is reduced to an acceptable level.Footnote 10

5.2.8 Propose recommendations

The DPIA team should produce a set of recommendations based on the outcome of the previous steps. Recommendations may include a set of solutions, changes at the organizational level and potentially changes to the Humanitarian Organization’s overall data protection strategy or that of the programme. A set of recommendations should be included in the DPIA report.

5.2.9 Implement the agreed recommendations

The DPIA team should prepare a written report on the considerations and findings of the DPIA. As organizations will need to conduct DPIAs regularly, the length and level of detail of a DPIA report will vary greatly. For example, if an organization is considering publication of Personal Data for research purposes, it should produce documentation reflecting the full details of its data protection impact analysis. Conversely, an organization that is deciding whether to switch from using one brand of word-processing software to another should consider data protection issues, given that the software will be used to process personal information, but a detailed DPIA may not be necessary (unless the software involves new data flows in a cloud environment).

In addition to documenting and implementing data protection decisions, a Humanitarian Organization should consider whether it would be useful for Data Subjects or to the public to understand the considerations underlying its data protection decision-making. Accordingly, the organization might then share the report (in whole or in part) with relevant stakeholders. Sharing the DPIA report may also be a way of raising awareness and inviting further comments or suggestions from stakeholders. However, in some cases, the Humanitarian Organization may decide against sharing the DPIA report if it contains sensitive information (e.g. for reasons of physical security, continuity of operations, access, etc.). In such cases, the Humanitarian Organization could consider sharing a summary of the DPIA report or a redacted version.

5.2.10 Provide expert review and/or audit of the DPIA

Humanitarian Organizations should ensure that a data protection expert, such as the organization’s Data Protection Officer (DPO) or their staff, reviews or audits the implementation of the DPIA. In the interest of an accurate audit, the DPIA report must contain a methodology section.

5.2.11 Update the DPIA if there are changes in the project

The Humanitarian Organization should update the DPIA if the activity covered by it changes in some significant way or if new data protection risks emerge.

Footnotes

Chapter 2 Basic principles of data protection

1 The principle of proportionality in this context should not be confused with the principle of proportionality under international humanitarian law (IHL). The principle of proportionality as discussed here requires that Humanitarian Organizations take the least intrusive measures available when limiting the right of data protection and access to Personal Data in order to give effect to their mandate and to operate in emergencies.

2 In line with the humanitarian clause in the UN Guidelines for the regulation of computerized personal data files adopted by General Assembly Resolution 45/95 of 14 December 1990.

3 See ICRC, “ICRC WWI Prisoner Archives Join UNESCO Memory of the World”, 15 November 2007: www.icrc.org/en/doc/resources/documents/feature/2007/ww1-feature-151107.htm.

4 See Els Debuf, “Tools to do the job: The ICRC’s legal status, privileges and immunities”, International Review of the Red Cross, Vol. 97, No. 897–898, 2015, pp. 319–344: https://doi.org/10.1017/S181638311500051X.

5 The terms defined below are also given in the Glossary at the beginning of the Handbook.

6 See UK Statistics Authority, National Statistician’s Guidance: Confidentiality of Official Statistics – GSS, accessed 6 January 2022: https://gss.civilservice.gov.uk/policy-store/national-statisticians-guidance-confidentiality-of-official-statistics.

7 See UK Information Commissioner’s Office (ICO), Anonymisation: Managing Data Protection Risk Code of Practice, ICO, Wilmslow, Cheshire, November 2012: https://ico.org.uk/media/1061/anonymisation-code.pdf; see also EU Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.

8 “Anagraphic”, in Wiktionary, 14 November 2020: https://en.wiktionary.org/w/index.php?title=anagraphic&oldid=61117548.

9 Note, “identified” does not necessarily mean “named”; it can be enough to be able to establish a reliable connection between particular data and a known individual.

10 See: Athena Bourka and Prokopios Drogkaris, eds., Data Pseudonymisation: Advanced Techniques and Use Cases, European Union Agency for Cybersecurity (ENISA), 28 January 2021: www.enisa.europa.eu/publications/data-pseudonymisation-advanced-techniques-and-use-cases.

11 Gregory J. Matthews and Ofer Harel, “Data confidentiality: A review of methods for statistical disclosure limitation and methods for assessing privacy”, Statistics Surveys, Vol. 5, 1 January 2011, pp. 1–29: https://doi.org/10.1214/11-SS074.

12 See Section 1.2 – Objective.

13 For more on this matter, see Massimo Marelli, “The law and practice of international organizations’ interactions with personal data protection domestic regulation: At the crossroads between the international and domestic legal orders”, Computer Law and Security Review, Vol. 50, 2023, 105849: https://doi.org/10.1016/j.clsr.2023.105849.

14 See Chapter 3: Legal bases for Personal Data Processing.

15 See Section 2.7 – Data retention.

16 WMA – The World Medical Association, International Code of Medical Ethics, 9 July 2018: www.wma.net/policies-post/wma-international-code-of-medical-ethics.

17 See Subsection 2.5.2.1 – Further Processing.

18 See Section 2.12 – Data sharing and International Data Sharing, and Chapter 4: International Data Sharing.

19 A keychain or password manager is an application or hardware function that enables users to store and organize several passwords centrally under one master password.

20 International Organization for Migration (IOM), IOM Data Protection Manual, pp. 83–84.

21 See Chapter 5: Data Protection Impact Assessments (DPIAs).

22 See Chapter 3: Legal bases for Personal Data Processing.

23 See Section 2.11 – Rights of Data Subjects.

24 See Section 3.2 – Consent.

25 See Section 2.10 – Information, and Section 3.2 – Consent.

26 See Section 2.10 – Information.

27 See ICRC, “The ICRC Data Protection Commission”, 22 January 2016: www.icrc.org/en/document/icrc-data-protection-independent-control-commission; “Commission for the Control of INTERPOL’s Files (CCF)”, accessed 17 October 2021: www.interpol.int/en/Who-we-are/Commission-for-the-Control-of-INTERPOL-s-Files-CCF.

28 See Section 3.2 – Consent.

29 See Section 3.4 – Important grounds of public interest, and Section 3.5 – Legitimate interest.

30 See Chapter 4: International Data Sharing.

Chapter 3 Legal bases for Personal Data Processing

1 See Section 3.3 – Vital interest, and Section 3.4 – Important grounds of public interest.

2 See Chapter 2: Basic principles of data protection.

3 See Chapter 2: Basic principles of data protection.

4 International Organization for Migration (IOM), IOM Data Protection Manual, pp. 45–48.

5 See Section 2.10 – Information.

6 See Section 3.2 – Consent, fourth bullet point.

7 See Section 2.5.1 – The principle of the fairness and lawfulness of Processing, and Section 2.10 – Information.

8 For example, the ICRC has a mandate under the four Geneva Conventions and Additional Protocol I to act in the event of international armed conflict. The ICRC has a right of humanitarian intervention in non-international armed conflict. See: ICRC, “The ICRC’s Mandate and Mission”, Page, International Committee of the Red Cross, Geneva, 6 August 2014: www.icrc.org/en/mandate-and-mission.

9 See example at Section 3.6 – Performance of a contract.

10 See example at Section 3.6 – Performance of a contract.

11 Information security may include preservation of confidentiality, integrity and availability of information, as well as other properties such as authenticity, accountability, non-repudiation and reliability. See: International Organization for Standardization (ISO), “ISO/IEC 17799:2005 | Information Technology – Security Techniques – Code of Practice for Information Security Management”, ISO, Geneva, 2005–2006: www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/03/96/39612.html.

12 See Section 2.3 – Aggregate, Pseudonymized and Anonymized data sets. Pseudonymization means Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without additional information.

13 International Conference of Data Protection and Privacy Commissioners, Resolution on Privacy and International Humanitarian Action.

14 International Conference of the Red Cross Red Crescent Movement, Restoring Family Links While Respecting Privacy, Including as It Relates to Personal Data Protection, Resolution, International Conference of the Red Cross Red Crescent Movement, December 2019, para. 11: https://rcrcconference.org/app/uploads/2019/12/33IC-R4-RFL-_CLEAN_ADOPTED_en.pdf.

Chapter 4 International Data Sharing

1 See Chapter 10: Cloud Services.

2 Massimo Marelli, “The law and practice of international organizations’ interactions with personal data protection domestic regulation: At the crossroads between the international and domestic legal orders”, Computer Law and Security Review, Vol. 50, 2023, 105849: https://doi.org/10.1016/j.clsr.2023.105849.

3 See Section 2.4 – Applicable law and International Organizations.

4 See Chapter 2: Basic principles of data protection and Chapter 3: Legal bases for Personal Data Processing.

5 See Chapter 2: Basic principles of data protection.

6 See Chapter 3: Legal bases for Personal Data Processing.

7 See European Commission, “Standard Contractual Clauses for Data Transfers between EU and Non-EU Countries”, Text, European Commission – European Commission, 4 June 2021: commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

8 See for example: International Conference of the Red Cross Red Crescent Movement, “Restoring Family Links Code of Conduct on Data Protection”, 18 January 2016: www.icrc.org/en/document/rfl-code-conduct.

9 See Chapter 5: Data Protection Impact Assessments (DPIAs).

10 See Section 2.8 – Data security and Processing security.

Chapter 5 Data Protection Impact Assessments (DPIAs)

* The author thanks Trilateral Research for permission to use their material on Data Protection Impact Assessments, and Alessandro Mantelero and Nahide Basri for their input and feedback.

1 See Appendix 1 — Template for a DPIA report.

2 David Wright, “Making Privacy Impact Assessment more effective”, The Information Society, Vol. 29, No. 5, 2013, pp. 307–15: https://doi.org/10.1080/01972243.2013.825687; Information and Privacy Commission New South Wales, Guide to Privacy Impact Assessments in NSW, Information and Privacy Commission New South Wales, May 2020: www.ipc.nsw.gov.au/guide-privacy-impact-assessments-nsw; International Organization for Standardization (ISO), “ISO/IEC 29134:2017 | Information Technology – Security Techniques – Guidelines for Privacy Impact Assessment”, 2016–2017: www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/06/22/62289.html.

3 For definitions of risk terms, see International Organization for Standardization (ISO), ISO Guide 73:2009(En), risk management – vocabulary, 2009: www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en.

4 Centre for Information Policy Leadership, Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR: CIPL GDPR Interpretation and Implementation Project, 21 December 2016: www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_gdpr_project_risk_white_paper_21_december_2016.pdf.

5 Wright, “Making Privacy Impact Assessment more effective”.

6 European Commission, Communication from the Commission on the precautionary principle, available at: op.europa.eu/en/publication-detail/-/publication/21676661-a79f-4153-b984-aeb28f07c80a/language-en.

8 The Court of Justice of the European Union, the Judgement of the Court of 5 May 1998. United Kingdom of Great Britain and Northern Ireland v Commission of the European Communities Case C-180/96 ECLI:EU:C:1998:192.

9 See OCHA Center for Humanitarian Data, “An Introduction to Disclosure Risk Assessment”, The Centre for Humanitarian Data (blog), accessed 23 March 2022: https://centre.humdata.org/learning-path/disclosure-risk-assessment-overview.

10 For more information on SDC in the humanitarian sector, consult the following resources: OCHA Center for Humanitarian Data, “An Introduction to Disclosure Risk Assessment”; OCHA Center for Humanitarian Data, “Statistical Disclosure Control”, The Centre for Humanitarian Data (blog), accessed 23 March 2022: https://centre.humdata.org/guidance-note-statistical-disclosure-control; “Statistical Disclosure Control for Microdata: A Practice Guide for SdcMicro”, SDC Practice Guide documentation, accessed 23 March 2022: https://sdcpractice.readthedocs.io/en/latest.
