Data Protection in International Organizations and the New UNHCR Data Protection Policy: Light at the End of the Tunnel?

In May 2015 the United Nations High Commissioner for Refugees (UNHCR) published its Policy on the Protection of Personal Data of Persons of Concern to UNHCR (Data Protection Policy). The Policy may seem to be merely an internal guidance document addressed to the staff members of an international organization. However, as a subsidiary organ of the United Nations, established by the General Assembly pursuant to Article 22 of the UN Charter, working for millions of refugees and with thousands of other organizations active in the field of protection and assistance, UNHCR bears a certain responsibility when it sets internal standards which inevitably also have an external impact. Moreover, the Policy highlights the growing importance of data protection in international law, particularly for the work of international organizations.

Against this background, our blog addresses some interesting underlying legal issues of public international law raised by the Policy. In particular, it discusses the relevance of data protection to the work of international organizations, including UN agencies, and what level of data protection is appropriate and required for international organizations in general and UNHCR in particular, taking into account the humanitarian context in which the organization often operates.

Origins of the Policy

The processing of information of individuals falling within the mandate of UNHCR, i.e. refugees, asylum-seekers, returnees, stateless persons as well as internally displaced people (also referred to as persons of concern to UNHCR) has always been part of the organization’s daily work. This includes activities such as protection monitoring, assistance, registration, status determination, voluntary repatriation, and resettlement. As a result, UNHCR holds the records of millions of persons of concern. And these records routinely contain highly sensitive personal data. However, increased inter-agency cooperation, more sophisticated forms of assistance (e.g. cash assistance by mobile devices) requiring cooperation with the private sector as well as the general development of technology (e.g., the increased use of biometrics) caused the organization to replace its earlier internal “Confidentiality Guidelines” with a new High Commissioner’s Policy based on high standards of data protection.

An initial question was what to choose as the basis for such standards. As a UN agency, UNHCR naturally had to look at UN or other universal instruments, particularly those dealing with human rights. In fact, the roots of data protection can be found in international human rights law, in particular the right not to be subject to arbitrary interference with one’s privacy (Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights).  However, the protection of personal information is only one aspect of the right to privacy; the UN Human Rights Committee never had the chance to develop relevant “jurisprudence”, and its General Comment No. 16 of 1988 only dedicated one paragraph to the protection of personal information. Instead, data protection and privacy law was essentially developed at the national level, starting in the 1970s and 1980s. Today, over 100 countries around the world have adopted comprehensive data protection legislation. But the lack of international legal consensus on the detailed meaning of terms such as “data protection” or “data privacy” remains, reflecting the fact that conceptions of privacy differ among legal systems.

Emanating from the UN Human Rights Commission, there is however one guidance document at the UN level that is highly relevant for the work of international organizations, namely the 1990 United Nations General Assembly Guidelines for the Regulation of Computerized Personal Data Files.

The interesting aspect of these Guidelines is that the General Assembly requested not only governments to take them into account in their legislation and administrative regulations, but also asked “governmental, intergovernmental and non-governmental organizations to respect those guidelines in carrying out the activities within their field of competence.” Part A of the 1990 UN Guidelines lists several principles which are explicitly referred to as “minimum guarantees”: (1) lawfulness and fairness, (2) accuracy, (3) purpose-specification, (4) interested-person access, (5) non-discrimination, (6) power to make exceptions, (7) security, (8) supervision and sanctions, and (9) transborder data flows. Part B, which is specifically addressed to international organizations, states that “each organization should designate the authority statutorily competent to supervise the observance of these guidelines”, and that “a derogation from these principles may be specifically provided for when the purpose of the file is the protection of human rights and fundamental freedoms of the individual concerned or humanitarian assistance.”

However, bearing in mind that the UN Guidelines are referred to as “minimum guarantees”, the UNHCR Policy also considered other international instruments concerning the protection of personal data and individuals’ privacy. These included, for example, the 1980 OECD Guidelines, the 1981 Council of Europe Convention (Convention 108), the 1995 EU Directive 95/46, the 2005 APEC Privacy Framework, the 2010 Supplementary Act on Personal Data Protection of ECOWAS, and the 2012 Draft for an EU General Data Protection Regulation. The 2009 Madrid Resolution was particularly useful from UNHCR’s perspective, because it was drafted by experts from independent national data protection and privacy authorities, with the aim of constituting the basis for a future universally binding agreement, integrating multiple approaches and legislation from around the world.

Content of the Policy

The influence of the UN Guidelines and the Madrid Resolution is manifest in the concise and abstract style as well as the content of the UNHCR Policy, i.e. the terminology, definitions, principles and concepts it uses. This is true for the notions of personal data, processing of personal data, data subject, consent, data controller and data processor, all of which follow well-established definitions. The basic principles of the Policy are: (1) legitimate and fair processing, (2) purpose specification, (3) necessity and proportionality, (4) accuracy, (5) respect for individual rights, (6) confidentiality, (7) security, and (8) accountability and supervision. In addition, it introduces the concepts of breach notification and data protection impact assessments. With regard to data processing by implementing partners and the transfer of personal data to third parties, it requires respect for the same or comparable standards and basic principles as contained in the Policy. Three of the eight principles mentioned above deserve closer attention, namely legitimate processing, individual rights, and accountability and supervision.

Considering the privileges and immunities of the UN under the 1946 Convention on the Privileges and Immunities of the United Nations, the UNHCR Policy opted for the term “legitimate” instead of “lawful” processing. The Policy contains four possible grounds for data processing: the consent of the data subject, the vital or best interest of the data subject, the fulfillment of UNHCR’s mandate, and ensuring the safety and security of any individuals. There is a clear influence here of established data protection instruments, such as Convention 108 or Directive 95/46. Bearing in mind that meaningful informed consent may at times not be obtainable in the humanitarian context of UNHCR’s activities, the other legitimate bases, notably the fulfillment of UNHCR’s mandate (which is firmly rooted in public international law) and the vital or best interests of the data subject (which is influenced by concepts in the UN Convention on the Rights of the Child), are of particular significance.

The Policy breaks new ground for international organizations particularly in setting out the rights of data subjects (i.e. the rights to information, access, correction, deletion and objection). While the Policy does allow for restrictions on these rights when this is necessary to safeguard or ensure the overriding operational needs and priorities of UNHCR in pursuing its mandate, this clearly appears compatible with the humanitarian clause of the 1990 UN Guidelines. In its broad affirmation of data protection rights, the Policy provides an important contribution to make international organizations more accountable to respect individual human rights.

As to the accountability and supervision structure, the Policy allocates responsibility to existing functions in UNHCR, namely country Representatives as “data controllers”, assisted by the most senior protection staff as “data protection focal points” and “data processors”. An innovation is the introduction of a Data Protection Officer (DPO) at UNHCR Headquarters with the responsibility to monitor compliance with the Policy, providing advice and annually reporting to the Assistant High Commissioner for Protection. A DPO in a UN agency is a convincing response to the requirement under the 1990 UN Guidelines that organizations provide for an “authority competent to supervise” them.

Conclusions

While a lot will depend on actual implementation of the UNHCR Policy, it represents the first attempt by a UN agency to adopt a comprehensive, principled and universal approach to data protection. It is drafted to respond to the growing amount of challenges that not only UNHCR but all humanitarian organizations face. While there may often be tensions between the need to protect personal data and the fulfillment of humanitarian mandates, the UNHCR Policy shows that they should go hand in hand.

The growing adoption of data protection policies and procedures by international organizations, and the practice that results from their implementation, can be significant for the further gradual development of data protection in international law. The UNHCR Policy, which provides a useful paradigm for dealing with data protection issues in an international humanitarian context, may play an important role in this regard.