The collection and processing of personally-identifiable data is central to the work of both international organisations working in the humanitarian sector (IHOs) and non-governmental organisations (NGOs) in protecting and delivering essential aid to hundreds of millions of vulnerable individuals. With the increased adoption of new technologies in recent years, and the increased complexity of data flows and the growth in the number of stakeholders involved in the processing, there has been an increasing need for data protection guidelines that IHOs and NGOs can apply in their work. This was highlighted first in the 2013 report by Privacy International entitled: “Aiding Surveillance”, and was also recognised by the International Conference of Privacy and Data Protection Commissioners in its Resolution on Privacy and International Humanitarian Action adopted in Amsterdam in 2015 (Amsterdam Resolution).
This need has led to publication of the new Handbook on Data Protection in Humanitarian Action prepared jointly by the Data Protection Office of the International Committee of the Red Cross (ICRC) and the Brussels Privacy Hub, a research institute of the Vrije Universiteit Brussel (VUB) in Brussels. It has been drafted in consultation with stakeholders from the global data protection and international humanitarian communities, including IHOs and humanitarian practitioners, data protection authorities, academics, NGOs, and experts on relevant topics. The drafting committee for the Handbook also included the Swiss Data Protection Authority; the Office of the European Data Protection Supervisor (EDPS); the French-speaking Association of Data Protection Authorities (AFAPDP); the UN High Commissioner for Refugees (UNHCR); the International Organisation for Migration (IOM); and the International Federation of Red Cross and Red Crescent Societies (IFRC).
Content of the Handbook
The Handbook addresses questions of common concern in the application of data protection in international humanitarian action, and is addressed to staff of IHOs and NGOs who are involved in the processing of personal data, particularly those in charge of advising on and applying data protection standards. It is hoped that it may also prove useful to other parties, such as data protection authorities, private companies, and others involved in international humanitarian action.
Compliance with personal data protection standards requires consideration of the specific scope and purpose of humanitarian activities to provide for the urgent and basic needs of vulnerable individuals. Both data protection and humanitarian action have the dignity of the individual at their core. The Handbook thus regards data protection and international humanitarian action as compatible, complementary to, and supporting each other.
The Handbook recognizes that the right to the protection of personal data is not an absolute right, and should be considered in relation to the overall objective of protecting human life and dignity, and be balanced with other fundamental rights and freedoms, in accordance with the principle of proportionality. For example, it may be necessary to balance, on the one hand, data protection rights with, on the other hand, the objective of ensuring access to and security of victims of armed conflict and other situations of violence. This requires high levels of confidentiality and in certain circumstances limitations on data access rights, as well as historical and humanitarian accountability of stakeholders in humanitarian emergencies, which implies in some cases long-term retention of data. It also recognises, however, that due to the extreme and volatile environment in which humanitarian action often takes place, diligent application of data protection principles is key, and that non-compliance with data protection can have more severe consequences than in non-emergency settings.
The first part of the Handbook deals with basic principles of data protection and their application in the context of humanitarian action. This includes issues such as vulnerability of data subjects and implications for the identification of suitable legal bases for data processing, as well as the difficulties involved identifying clear-cut categories of sensitive data; emergencies and implications on the data protection rights of individuals; data controllers’ responsibilities such as data security, impact assessments, and accountability; and international data sharing.
The second part deals with the use of specific new technologies in the context of international humanitarian action. This includes data analytics and ‘Big Data’; drones and remote sensing; biometrics; cash transfer programming; cloud services; and mobile messaging apps. The Handbook also addresses the use of data protection impact assessments. Specific examples are included to assist readers in applying protection for data processing.
Creating international frameworks for data protection
Data protection is an area of human rights law which is of great and growing concern at an international level, but which lacks a firm, clear-cut legal basis in international law, beyond some important instruments such as the Council of Europe Convention 108.
As the UN General Assembly re-affirmed in its latest resolution on the right to privacy in the digital age issued on 19 December 2016, the right to privacy is protected in international human rights instruments such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. However, as has been discussed previously in EJIL: Talk!, the current legal situation fails to present a clear international framework for data protection, which is closely related to privacy but not synonymous with it, as a separate right.
Just as was the case with the Data Protection Policy of the UN High Commissioner for Refugees (UNHCR) and the ICRC Rules on Personal Data Protection, both published in 2015, the Handbook was inspired by a wide variety of data protection instruments, without being based solely on any single one. These instruments include the 1990 United Nations General Assembly Guidelines for the Regulation of Computerized Personal Data Files adopted by GA Resolution 45/95;the OECD Guidelines (in their 2013 version); the 1981 Council of Europe Convention (Convention 108); and the 2009 Madrid Resolution. Other important instruments have also been taken into account, such as the 1995 EU Directive 95/46; the EU General Data Protection Regulation 2016/679 (GDPR); and the Amsterdam Resolution.
The Handbook’s starting point is the need recognised in the Amsterdam Resolution to provide data protection guidance in the humanitarian sector. It seeks to further the objective of the Amsterdam Resolution to meet the demand for co-operation in the development of guidance expressed by international humanitarian actors, taking into consideration the specificities of their actions and the need for these to be facilitated.
Privileges and immunities of International Organisations
As highlighted in the Amsterdam Resolution, the international community has entrusted specific tasks of a humanitarian nature to certain international organisations. The privileges and immunities they generally enjoy, notably immunity from jurisdiction in countries where they work, ensure they can perform their mandate in full independence. Accordingly, they are responsible for the processing of data according to their own rules, in line with international standards, and subject to the control of and enforcement by their own compliance systems across their work. This is in line with General Assembly Guidelines 1990 referred to above, which apply also to international organisations and require them to designate the authority statutorily competent to supervise the observance of the guidelines.
This consideration is key, since in humanitarian emergencies, the privileges and immunities of an IHO may be the first line of protection for the personal data of vulnerable individuals, particularly in the context of armed conflicts and other situations of violence. This was highlighted also in the Amsterdam Resolution, which states at page 3 that “Humanitarian organizations not benefiting from Privileges and Immunities may come under pressure to provide data collected for humanitarian purposes to authorities wishing to use such data for other purposes (for example control of migration flows and the fight against terrorism). The risk of misuse of data may have a serious impact on data protection rights of displaced persons and can be a detriment to their safety, as well as to humanitarian action more generally”. The Handbook also considers the important implications for the analysis of flows of personal data within, from, and to international organisations.
The Handbook is a response to the growing calls for increased guidance in the application of data protection principles in the area of humanitarian action. Data protection is particularly important in ensuring the application of the humanitarian principle of “do no harm” to new technologies adopted in a humanitarian context. Drafted with input from both communities and taking into account legal frameworks from around the world, the Handbook represents an important step in demonstrating how data protection and humanitarian action can complement each other and mutually strengthen their objective to further the dignity of vulnerable individuals.