Sweeping European privacy regulations are forcing the humanitarian sector to radically rethink how it handles data on tens of millions of people, interviews with experts and aid industry insiders reveal.
Aid agencies in Europe will have to change the way they fundraise at home and gather data abroad to comply with strict new EU data protection regulations that come into force in May.
Under the new law, the General Data Protection Regulation, individuals in the EU can demand to know what data an organisation holds on them and why, and insist on removal or changes. It also puts particular limits on the use of biometric data, like fingerprints or eye scans. The legislation sets up stringent standards and imposes severe fines.
But it’s not just European aid agencies that will need to get up to speed quickly on data protection. A wide range of interviews conducted by IRIN confirms that, as it lays down standards for transferring personal information into and out of Europe, the GDPR will push most international aid organisations and non-profits to change as well.
“From what I've seen, prioritising the rights of 'data subjects', as the GDPR calls them, has not been top of the agenda for humanitarian organisations,” Zara Rahman of The Engine Room, an advisory group working on data and technology issues, told IRIN.
Rahman argued in October, for example, that the digital registration of the Rohingya refugees has not had proper safeguards. And IRIN reports exclusively today on a tough internal audit revealing widespread failings in WFP’s data protection practice.
Aid agencies handle sensitive personal information about refugees, survivors of natural disasters, hospital patients, and many others. The UN’s estimate of the humanitarian caseload for 2018 is some 90 million people.
Overwhelmingly, that data is now held in digital form and may include biometrics, photographs, geographic coordinates, and family details, as well as records of entitlements and services received. Poorly managed personal data in situations of conflict or persecution can mean life or death.
Christine Knudsen, director of the standard-setting Sphere project for humanitarian NGOs, told IRIN there has been “a big jump in interest” about data protection and technology in the sector. She said Sphere subscribers have come to recognise that “poor data protection and management can put real people at real risk”.
The humanitarian sector runs on lists: of the needy, of the missing, even of the dead. In the Red Cross museum in Geneva, one exhibit is of giant cabinets stuffed with yellowed hand-written records of prisoners of war, some from 80 years ago.
Lists have names, and now people with names (at least in Europe) have new rights.
The GDPR is a “very, very important piece of legislation”, according to Massimo Marelli, head of the data protection office of the International Committee of the Red Cross. It should allow data subjects to exercise control over their data on a rolling basis instead of, for example, just clicking on “150 pages of information notices”.
The ICRC and the UN are beyond the reach of EU law; and there are provisions (“recitals”, in the legal parlance) for humanitarian circumstances and international organisations. However, they will be treated like third countries and are therefore not untouched by the legal framework.
A senior manager at an international NGO who requested anonymity told IRIN that providing a lifeline to vulnerable people who have little to fall back on means the obligations on aid providers are heavier than for a normal business relationship. “We constantly have to get better at it,” the manager said, adding: “it’s a huge responsibility that we have... the power differential is much greater”.
But compliance will come at a cost, and will involve more than just IT departments. Fortune 500 companies are spending a combined $7.8 billion to get in line with the GDPR over 2018, according to one study.
Shabby Amini, director of fundraising, partnerships, and communications at CARE International UK told IRIN it was a significant task to understand the regulations “and what they mean for all our employees, volunteers, managers, board members, and the organisation as a whole.” One major change is that data containing beneficiary names will not be transmitted back to the UK from field operations, Amini said, by email.
Médecins Sans Frontières, which treats nine million patients a year, told IRIN that GDPR could "reinforce the application and coherence" of its ethical principles. But the allocation of resources for data protection and compliance raised difficult decisions. "For many humanitarian NGOs, resources are a significant challenge," MSF said.
The new rules also have major implications for fundraising activities as aid agencies in Europe run sophisticated operations that rely heavily on databases of individual donors.
Major organisations like MSF spend millions on direct mail and other approaches to prospective donors. They will now be required to be able to show how and why they collected every individual in a supporter database or mailing list. MSF told IRIN it has records of six miliion donors and it would "be reviewing all of our donor databases and our processes for treating donor data to ensure that they are compliant." A "gap analysis" was underway in all its units, the medical group said by email.
Kathryn Corrick is a partner in a new UK firm that specialises in advising clients, including charities, on implementing GDPR. Corrick prefers to describe the process as getting “GDPR-ready” rather than “GDPR-compliant”, as GDPR will be an ongoing obligation, not a one-off act.
UK charity fundraisers have faced criticism for sharing lists of individual donors who then received multiple appeals for donations, Corrick said. For charities looking to overcome reputational damage, she argued that GDPR provides an opportunity to rebuild trust, even while it demands a change in culture and rethinking how to do marketing.
When CARE International ran a small test on opt-in mailing list settings, Amini said it showed “a chance that this will affect income… if fewer people are receiving funding requests.” She told IRIN the agency is modelling the possible drop in income. It has the contacts of about 250,000 past and present donors. Approaching people to donate who have not opted into those type of mails could breach the GDPR.
For Corrick, agencies and companies will have to adapt. "This isn't about saying 'no' to activity... it's about educating people," she said, adding that the key will be to change the attitude away from, "let's do something [just] because we've got the data”.
[A public service announcemement video from the European Commission]
WFP’s auditors gave a blunt assessment of a litany of failings in its data protection in a report made public in December. It failed to gain consent properly; it didn’t assess privacy risk; data was exchanged insecurely and shared with other organisations without any legal agreements.
Several officials with the UN and other aid agencies, however, told IRIN that most humanitarian agencies would fare little better and gave WFP some credit for the transparency shown.
In November, Red Rose, a package used by humanitarian NGOs and ICRC for biometric registration and record-keeping, was also shown to have serious flaws.
Data security analysts were quick to say the humanitarian sector is not managing technology risk effectively and a breach affecting vulnerable people’s safety was not only entirely possible, but likely: repressive regimes or extremist groups could exploit collected data to spy on – or abuse – the very clients the aid agencies claim to protect.
These experts argue that the humanitarian community often relies on a range of bespoke software, flimsy cyber-security, no external oversight, insufficient technical capacity, and over-confidence about risk.
A well-placed UN official told IRIN that UN systems couldn’t withstand “industrial” hacking, and that “when a member state throws military resources at cyber, honestly it’s not safe.” He added that recruiting for information security wasn’t working out due to stiff competition from the private sector.
Meanwhile, the senior international NGO manager said the digital revolution in humanitarian action has a tendency towards a "shiny new toy syndrome", which values novelty and, apparently, sophistication. For example, the senior manager said, this has led agencies into an excessive habit of "just collecting the biometric data of poor people" and a "massive pushing" for its collection, fuelled by donors.
Misplaced enthusiasm for biometrics and overlapping roles in the aid response mean that, according to IRIN’s enquiries, some Rohingya refugee families (for whom verified identity is critical) may be registered three times, with data handled by three different agencies, each with unknown data-sharing agreements.
The connection of registration data to banks and mobile money providers adds another layer of risk. “There are so many possibilities to actually lose control over the data,” Marelli said. He pointed out that banks and mobile companies may be obliged to share data with national authorities, and the location-based data of mobile money could be a further concern.
While the focus is often on hacks, leaks and breaches, the NGO manager often worries more about someone tricking a staff member into handing over login details. (Reports say in return for bribes, officials are selling personal data from India’s record billion-strong national ID system, Aadhaar.)
“There are areas in which, of course, humanitarians have a long way to go,” admitted Marelli, who also highlighted today’s complex networks, saying: ”When we’re talking about cloud-based solutions, and data flows across jurisdictions… it may not be very clear who exactly is going to access information and what that information might be used for.”
A data subject in the EU may enter their email address via a “cloud” server physically in Ireland, but the organisation holding the data may be in Switzerland and the mailing list company the Swiss entity uses is actually a US firm (Disclosure: this example is similar to IRIN’s setup – we too are reviewing our practice).
Policy and practice
Aid organisations, Marelli said, have been improving data protection for some years as an extension of their core ethos – to protect civilians responsibly. “Data protection can be a very useful tool to translate the principle of ‘do no harm’ in a digital environment,” he added.
A range of policies and handbooks have been set up by the major UN bodies, NGOs, and the Red Cross that cover similar ground as the GDPR. Some aid groups explicitly commit to a “responsible data” approach, limiting risks but making the most of new technology.
Implementation, as the WFP audit (and others, including one of UNHCR in 2016) confirm, however, is mixed.
In the end, the GDPR will spur better practice, said Marelli. Gathering personal data must be justified and “proportional”, he added.
He likened biometrics to “a very powerful medicine with very dangerous side-effects” and, giving the example of fingerprints asked: why take 10, when a single thumbprint will suffice?
(TOP PHOTO: WW II prisoner of war mail sorting, Switzerland, ICRC archives)
We uncovered the sex abuse scandal that rocked the WHO, but there’s more to do
We just covered a report that says the World Health Organization failed to prevent and tackle widespread sexual abuse during the Ebola response in Congo.
Our investigation with the Thomson Reuters Foundation triggered this probe, demonstrating the impact our journalism can have.
But this won’t be the last case of aid worker sex abuse. This also won’t be the last time the aid sector has to ask itself difficult questions about why justice for victims of sexual abuse and exploitation has been sorely lacking.
We’re already working on our next investigation, but reporting like this takes months, sometimes years, and can’t be done alone.
The support of our readers and donors helps keep our journalism free and accessible for all. Donations mean we can keep holding power in the aid sector accountable, and do more of this.