Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Why we work on refugee privacy

Few understand why we focus on refugee privacy.  Funders don’t understand it so don’t fund it; the public see the plight of refugees as seen on TV, not as a privacy issue; and often times the international community does everything it can to increase scrutiny of refugees. In this blog, I highlight the privacy issues facing refugees and how these issues can jeopardize refugees’ safety as much as any of the environmental, social, or political risks refugees encounter.

Refugees are amongst the world's most vulnerable people. They are vulnerable to the people they are fleeing, and the countries from which they are fleeing. They are vulnerable in the countries within which they are hosted as they seek refugee status. They are vulnerable as refugees. Their families and loved ones remain vulnerable in their country of origin. As refugees seek resettlement in a safer country, they are also vulnerable, this time to the whims and demands of that country’s government.

Information about these refugees is also vulnerable. Loss, theft, abuse, misuse, and unintended actions threaten the lives of these individuals. Putting it bluntly, getting privacy wrong will get people arrested, imprisoned, tortured, and may sometimes lead to death.

For four years we have been working with the UN refugee agency, UNHCR, to help improve this situation. Unfortunately for UNHCR, it too is vulnerable in this environment. Last week we delivered a training session to UNHCR staff and we were heartened how far the organisation has come in realising how difficult this challenge has become. It certainly wasn't a universal sentiment when we first began engaging with UNHCR. 

We have signed a non-disclosure agreement with UNHCR so we are unable to openly discuss some of the cases of which we are aware, but we are able to speak in abstract about some of the risks refugees face.  We felt it was essential that the public becomes aware of yet another case where we must protect privacy in order to protect lives.

Setting the scene

In simplified terms, refugees are protected by States.  States are the only actors that can grant asylum. The vast majority of States do so on the basis of the 1951 Refugee Convention that defines who is a refugee and what rights and obligations s/he has. One of UNHCR’s roles is to supervise the Refugee Convention but depending on the circumstances in each country where it operates, the agency takes on quasi-state roles in order to protect and assist refugees.

UNHCR operates in more than hundred countries around the world. This is its great operational advantage – to be close to its “beneficiaries” – but also an important challenge. It needs to operate in many different jurisdictions, with many different authorities, host societies, local communities, widely differing and often difficult environments.

Many refugee hosting countries have neither privacy or data protection laws nor authorities that would enforce them. And while UNHCR can determine in Guidelines how it deals with personal data and benefits from privileges and immunities as any other UN institutions, refugees have the duty to conform to the laws and regulations of their host country.

Importantly, many of these host countries are developing their own surveillance systems.  Often funded by western governments and development foundations, governments across Asia, Africa, and Latin America are developing population registers, biometric registers, electronic medical registries, amongst others, and they are becoming keen to bring UNHCR data into their own systems.

The irony of protection

Millions of individuals around the world seek refuge UNHCR's banner. They seek protection under the international refugee protection scheme through recognition as a refugee. Normally, it is up to States to determine who is a refugee before granting asylum. However, a large amount of countries simply don’t carry out refugee status determination (RSD). In this case, UNHCR conducts the asylum procedure (or RSD) with its own staff in order to know to whom it needs to offer its protection and assistance services ranging from interventions with the host Government to assistance in food and non food items and sometimes organisation of resettlement to a third country. For this reason, high hopes and expectations are coupled with approaching a UNHCR office in the field. 

Sometimes the process is simple: tell the UNHCR staff at the point of registration that you are a specific ethnicity, faith, tribe, or citizen at risk (and internationally recognised as at risk), then you have a prima facie case of protection. So if you are Somali in Kenya, or Burmese in Thailand, you immediately qualify, in theory, for protection under the refugee conventions.

In this scenario, UNHCR must register your basic 'biodata': your name, your ethnicity, your tribal, religion. Health status and other categories are always helpful as supporting evidence. Some UNHCR operations have decided to collect biometrics in order to identify refugees and to reduce fraud, amongst a myriad of other rationalisations. (Note:  PI staff were external members of an evaluation team reviewing the deployment of biometrics in refugee operations; but until the evaluation is published we are unable to comment on this form of data collection openly.)

Then once registered by UNHCR, you are 'protected'.

In other cases where there is no prima facie case for a refugee, you have to make the case through your story as to why you are seeking refuge. The RSD process here is more challenging: what was the nature of persecution in your country of origin? why did you flee? Upon adequately, and often thoroughly explaining your reasons and the methods of seeking refuge (to assure UNHCR that you are not fabricating your status), you wait until UNHCR can complete the determination process and classify you as a refugee.

Protection, therefore, hinges on collecting sensitive information. The very same information that governments and companies around the world are often restricted from collecting, UNHCR must collect as part of its mandate. Refugees rarely object. They know the deal: give us your personal information and we will give you shelter. It is the offer that no man or woman or child would ever refuse.

This information is then assessed in the ultimate stage of resettlement. Once a foreign government agrees to accept refugees (often of a certain type), that government may seek additional information from UNHCR and the refugee prior to agreeing to admit that refugee. Otherwise, the refugee remains in the camps or in the host country as a refugee, often vulnerable to the conditions, environment, and possibly other more ominous dangers await. Some governments are considering in limited cases genetic information to confirm family relations; the UK Government at one point floated the idea of using genetic information to verify nationality, though fortunately it recently dropped the idea. Again, refugees would be theoretically foolish to resist the disclosure and sharing of information at this final stage. Submit information and be given a new life; refuse and continue to live at risk.

As you can now see, consent is hardly a safeguard against abusive processing of information.  Would you refuse to hand over personal information in exchange for shelter, safety, and a new life?  This is why in the privacy world, consent is merely one basic safeguard.  Much more is needed.

Who is at risk?

Refugees believe that they are giving the information to UNHCR, even though it may not be UNHCR actually managing the information. In our meetings with some community leaders (a very small subset of the large populations in the camps, of the small number of operations we visited), we found that they were concerned about their privacy and simultaneously were given little information about how their information is processed. They worried about how information could end up in their countries of origin, or could be used to their disadvantage.  They felt like the information belonged to them, and in some scenarios they took great care in protecting information about themselves and others.  Yet they knew they must submit this information to UNHCR in exchange for protection.

UNCHR does not have complete jurisdiction over the information they collect. They may collect vast amounts of information, but this information must often be shared with host governments and sent to resettlement countries. Information may be shared with 'Implementing Partners' including providers of food and health services. Information may be shared with non-governmental organisations seeking to assist refugees.

As we visited country after country (we spent time in Malaysia, Djibouti, Ethiopia and Kenya), camp after camp, and spoke with UNHCR staff members from other operations, we became downright terrified about how this information could be abused.  There are good reasons why it is often illegal to collect this type of information, and there are great reasons for keeping this information secure and not sharing it unless it is absolutely necessary and legally regulated.  These choices are conveniences that UNHCR cannot afford.

Here are some nightmare scenarios:

  • Data is stolen from a laptop or other device, which is then sold to bounty hunters, fraudsters, profiteers or human traffickers.
  • UNHCR releases an index of names of refugees in a given country of asylum.  This information finds itself in the hands of the country of origin.  A few days later, family members and associates of all the refugees are arrested.

While cases have emerged in the situations outlined above, let’s add some nuance to the scenarios to understand the ticking time bomb of unsecured and unregulated refugee information systems while we see the complexity of UNHCR’s challenges.

  • UNHCR shares an individual case file with the national immigration and border control authority of the country of asylum that in turn approaches the Embassy of the country of origin for confirmation of certain elements of the asylum application. A few days later, the family members who are in the country of origin are arrested.
  • A young refugee is been forced into a sexual relation and subsequently contracts HIV. This information risks being transferred to the local government authorities because of health data-sharing requirements. In turn, it could lead to forced return to her home country, and likely to her death by the hands of her own tribe.
  • Fellow UN agencies and other implementing partners are seeking access to the list of all individuals in a camp and their geographic locations (i.e. names and addresses), in order to distribute aid more efficiently.  Soon, the data can no longer be traced back to the point of origin, and errors that are discovered go uncorrected in the shared datasets.  Eventually, it becomes impossible to identify all the places where the data eventually reside as each organization continues to share this information with others.  A laptop is then stolen from one of these organisations and it is impossible to identify the nature of the risk.

In summary:  information that is sensitive and should not be collected is necessarily collected in this environment and may be shared; while information that is often considered innocuous such as name, family composition, address can in fact lead to disastrous consequences.

We can't also forget that UNHCR staff may be at risk as malicious third parties are keen to get access to IT resources in the field and more worryingly, to the data.

Who is at fault?

In any story of surveillance we are often quick to identify good and bad people. Who is to blame? Who can we appeal to, and who will remedy the situation? The complexity of the situation for UNHCR and the refugees makes this impossible to easily diagnose and rectify.

UNHCR cannot tell a host government that it will not share information on individuals who are under the jurisdiction of the host government. The agency normally operates on the basis of a host country agreement, thus always with the consent of the host country. If a refugee (determined by UNHCR or the Government) seeks protection from being detained or even sent back to his country of origin or a third country (of transit), at least some of his personal data needs to be shared with the authorities of the country of asylum that has a legitimate interest to know who should be considered to be legally on its territory.

But where there is State authority there is power and where is power there is potentially abuse. A government may determine for itself to create an HIV register, something that we find to be inimical to fundamental human rights. Should UNHCR help the government to populate that register? Similarly, a government may determine it wants to verify that there are no terrorists in its country -- how should UNHCR conduct the vetting of each individual, even in the case of prima facie refugees? 

In a final example, the immigration department of a country of resettlement can request the same, and additional information from UNHCR. Why would UNHCR reject such a request when the government could either refuse resettlement, or simply demand that the individual refugee submit the information directly to the government?

It is therefore of utmost importance that UNHCR is clear about what to share in terms of personal data with whom. While the agency is not entirely subject to national laws due to the United Nations’ privileges and immunities, it has to cooperate with national authorities in order to implement its mandate of refugee protection. Indeed, data sharing is just as much a condition to protect as it may be a danger for a refugee’s protection. In this situation, the agency is not only subject to its mandate but also to general standards of human rights as elaborated by the UN. Therefore, when collecting, processing, storing and most critically sharing personal data of refugees, UNHCR needs to bear in mind the privacy rights as well as overall refugee protection considerations in mind. Normally, that would go hand in hand. 

Despite this, UNHCR does not have a privacy policy that governs is collection and use of personal information.  In fact, though similar procedures and technologies are used in various operations, the practices may vary.  For example, in some camps they fingerprint babies, while in another operation they collect iris scans, and in other environments they collect significantly less information.

Finally, what about the refugee's rights? As mentioned above, refugee rights – whether those stipulated in the 1951 Convention or general Human Rights applicable to all – need to be respected first and foremost by the host country. Thus, while refugee law has no provision on privacy, the International Covenant on Civil and Political Rights does (Article 17). Depending on whether and how this provision is transposed in national law, a recognised refugee can also challenge any violations before the national courts to which s/he has access under Article 16 of the Refugee Convention. But this all too often remains nothing but a theory.

So what is needed?  At the very least:

  1. UNHCR has to start taking information security and privacy seriously and develop strong data privacy policies practices and embed these within their technologies. 
  2. Western governments and aid donors have to stop funding developing countries' national registration schemes and biometrics unless they are willing to promote privacy laws as well. 
  3. Most importantly, refugees have to be told about how their information is being used, why it is being collected, and how it will be protected.  They should be granted the same rights and everyone else, and not subjected to unnecessary pricking and prodding as the UK Government tried to do based on ridiculous ideas about genetics.

The respect of privacy is this area remains an ongoing challenge, and this is why we continue to volunteer our time (this entire area of activities for PI is unfunded – with alarming frequency funders have stated 'why should we fund this?' -- the vast majority of costs are unfunded and often at personal expense to PI staffers). We have to believe that this situation will get better, though we fear it will continue to deteriorate until there is a large scale disaster based on information leakage.  This is one of the modern world’s most interesting intellectual challenges and human rights challenges: how do you protect the world’s vulnerable people, being processed by a vulnerable organisation, collecting vulnerable information with vulnerable practices?

Add new comment