A paucity of privacy: Humanitarian, development organisations need beneficiary data protection policies

The drive for accountability in aid spending has put humanitarian and development agencies under pressure to collect an ever-growing amount of data about those who receive their assistance. Donors also increasingly demand that new technologies are deployed to ensure aid reaches those it is targeted at; preventing people from fraudulently using refugees’ identities, for example, was a key motivation behind UNHCR’s recent introduction of biometric technology to register Syrian refugees in Jordan.

Despite collecting a vast amount of personal information on a growing array of subjects, few major organisations distributing development and humanitarian aid have explicit policies around protecting beneficiary data. Organisations that are not known to have beneficiary data protection policies include some of the largest players in the field: Oxfam, Save the Children, CARE, and Action Against Hunger. In addition to failing to respect beneficiaries’ right to privacy and protection of personal data, the lack of explicit policies in this area can have significant adverse – albeit unintentional – consequences.

Humanitarian and development organisations collect a range of data, from name and location to detailed medical information. Some of this data is collected without an assessment of whether it is really required to achieve the programme’s objectives or whether its collection might put beneficiaries at risk, now or in the future. In some situations, even collecting the most basic information is risky. For instance, the use of mobile phone networks to transmit information is a practice that is particularly problematic, as networks may be subject vulnerable to interference or state surveillance.

In addition, some humanitarian and development organisations may willingly pass beneficiary information on to donors or other third parties, such as commercial partners, without a clear knowledge of what that information may be used for. A family receiving food aid might consent to giving information about their circumstances to an aid organisation, but not know that the data is later going to be used for commercial exploitation or other purposes. In passing on information to state actors, meanwhile, humanitarian and development organisations may unwittingly facilitate state surveillance, adding pieces to the jigsaw of information that allows a state to track and monitor an individual’s life.

Existing efforts to protect beneficiary information

There are increasing efforts in the humanitarian and development communities to improve practices regarding beneficiary data protection. The sudden rush to develop guidelines and standards reflects a growing recognition that existing frameworks are inadequate.

• The most developed standards come from the International Committee of the Red Cross whose Professional standards for Protection Work carried out by humanitarian and human rights actors in armed conflict and other situations of violence contain statements such as, “[p]rotection actors seeking information bear the responsibility to assess threats to the persons providing information, and to take necessary measures to avoid negative consequences for those from whom they are seeking information.”
• A recent report by the New America Foundation, Dialing Down Risks: Mobile Privacy and Information Security in Global Development Projects proposes principles for promoting privacy in the context of the use of mobile phones.
• A consortium of non-governmental organisations, led by the Cash Learning Partnership, is working to develop guidelines around protecting beneficiary data in e-transfer programmes.
• The UN Refugee Agency, UNHRC, and the World Food Programme are known to be developing internal guidance around beneficiary data protection.
• There have also been industry-driven initiatives, such as the Guidelines for the Use of SMS in Natural Disasters, produced by the GSMA, an influential association of mobile operators. These guidelines recognise the importance of keeping text messages confidential and hosted on a secure platform, as well as the need to obtain consent before transferring personal data to third parties.

Going forward

The momentum is building for better data protection standards in the humanitarian and development field. The 2013 World Disasters Report states bluntly that “[h]umanitarian organizations need clear guidelines and standards for how and by whom the information that they collect will be processed, used and stored.” This echoes the call in a recent major UN report, Humanitarianism in a Networked Age, for humanitarian organisations to develop “‘Do No Harm’ standards for the ethical use of new forms of data, including protocols for protecting privacy and guaranteeing informants’ safety”. These calls must be heeded if humanitarian and development organisations are to retain the confidence and trust of the communities they serve.

“Transformation through Innovation” is a key theme of the first-ever World Humanitarian Summit to be convened by the UN Secretary-General in 2016. Technology and its promises are at the forefront of development thinking; the challenge now is to use new technology to advance, rather than stymie, progress in promoting human rights, particularly the right to privacy and protection of personal data. Humanitarian and development organisations need to step up to the task and take a hard look at their practices to ensure they are upholding human rights and the rule of law wherever they are working.