Ukrainian refugees receive cash assistance from UNHCR at Wroclaw centre in Poland. © UNHCR/Rafal Kostrzynski
By Dogu Han Buyukyagcioglu and Etienne Maury
In late 2022, UNHCR adopted the General Policy on Personal Data and Privacy (GDPP) issued by the High Commissioner Filippo Grandi. The new policy establishes an updated and unified data protection and privacy framework applicable to the collection, use and sharing of personal data of all individuals by UNHCR, fostering trust among people we serve, staff, partners, and donors.
Protecting people forced to flee and those without a nationality also means protecting their personal data
In 2015, UNHCR introduced its data protection principles with the adoption of its Policy on the Protection of Personal Data of Persons of Concern to UNHCR. The new Policy builds on the existing data protection framework and introduces an updated set of data protection principles, data subject rights and operational standards related to the handling of personal data. This update reconfirms UNHCR’s longstanding human rights-based approach to data protection and privacy within the spirit of UN efforts and the UN Secretary-General’s Data Strategy 2020-2022.
Data protection enables UNHCR’s mandate and the delivery of effective responses to current challenges
UNHCR works with a range of partners to deliver protection and assistance as well as facilitate solutions for the people we serve. Use of personal data is crucial for such collaboration which may include delivery of life-saving assistance and other services while avoiding gaps or duplication. Processing of such personal data is also very sensitive in the contexts in which UNHCR and its partners operate. The new Policy sets the foundation for clear, predictable and principled data flows between UNHCR and entities it works with in compliance with key data protection and humanitarian principles. Examples of this include global level data sharing arrangements such as the Global Data Sharing Addendum to the Memorandum of Understanding with World Food Programme.
Keeping up with technological progress – in a principled way
Delivery of UNHCR’s mandate requires continued innovation to address the unique and everchanging challenges faced by people we serve. This may include, for instance, tailored digital tools to distribute assistance globally. In an ideal world, these are interoperable with available systems on the ground or digital channels of communication to allow engagement with and accountability to people we serve. Updated standards introduced by the GDPP support the development of such responsible and sustainable digital solutions. By doing so, UNHCR aims to stay abreast of the normative developments in data protection which respond to technological advancements and their impact on individuals.
Ensuring transparency, legitimacy and accountability in UNHCR’s data protection
Giving individuals transparency and more agency over the processing of their personal data is important in our times. GDPP put emphasis on the need for transparent, fair and legitimate use of personal data, as it requires informing individuals in a clear and understandable way about what is happening with their personal data and what they can do about it. To ensure and safeguard the implementation of this, the new Policy will introduce UNHCR’s Personal Data and Privacy Review Committee which will make recommendations for the High Commissioner and act as a mechanism to review redress requests by individuals whose personal data is processed by UNHCR.
It also establishes the function of Chief Data Protection Officer, supported as needed by a dedicated office, who will provide independent and impartial expert support, advice and oversight on the implementation of UNHCR’s data protection standards.
The Policy foresees a three-year transition period and progressive implementation.