Data processing for resettlement
Resettlement relies on the processing of personal data of refugees. This personal data is collected and processed for the purposes of assessing an individual’s eligibility and suitability for resettlement, and to facilitate departure to and reception in the resettlement country. Personal data processing in the resettlement process includes:
- The processing of data already (i) collected directly by UNHCR (e.g. at registration), (ii) received from partners (e.g. protection information) or (iii) generated by UNHCR (e.g. RSD assessments).
- The collection and verifying of data through a resettlement interview.
- The sharing of data with third parties involved in the resettlement process (e.g. sharing a resettlement submission with a resettlement State).
- Case collaboration and follow-up among UNHCR colleagues or partners, or with a resettlement country.
Personal data is any information relating to an identified or identifiable individual. It includes for example biographical and relationship data, photos, biometric data, contact details, findings of fact regarding refugee claims, political affiliations, military service, as well as personal documents and expressions of opinion (such as in medical assessments, needs assessments and other notes for the file).
A data subject is an individual whose personal data is subject to processing.
Data protection as accountability to refugees
Refugees, like all of us, live in an increasingly data-driven and interconnected world in which personal data is constantly being collected, stored and shared, notably every time we use a digital device or access a digital service. Yet, data protection principles and terminology can seem complex and difficult to comprehend and people often don’t understand their own rights as data subjects or know how to exercise them.
The resettlement interview is a key opportunity for UNHCR to inform refugees in an accessible way about the processing of their data, their right to protection in that regard, and how they may exercise their data subject rights to have agency over the processing. Providing such information is part of UNHCR’s commitment to ensuring accountability to affected people and is a requirement under UNHCR’s personal data protection and privacy framework. Offices should therefore ensure that caseworkers are capacitated to explain to refugees how their data will be used and shared throughout the resettlement process in line with UNHCR’s personal data protection and privacy framework.
UNHCR’s personal data protection and privacy framework sets out the rules for the processing of personal data to protect the dignity and fundamental rights of data subjects, in particular their right to privacy. To this end, the General Policy on Data Protection and Privacy (GDPP):
(i) restricts UNHCR’s collection, storage, further use and sharing of personal data in accordance with nine principles, and
(ii) seeks to ensure individuals are in a position to know about, understand and have agency over the processing of their personal data.
Key data protection and privacy principles in resettlement
The GDPP lays down nine data protection and privacy principles to which UNHCR is bound when processing personal data: fair and legitimate processing, purpose specification, proportionality and necessity, retention limitation, accuracy, confidentiality, security, transparency and accountability. The following section focuses on seven of those. Specific guidance on the remaining principles (accountability and retention limitation) in the resettlement context is forthcoming.
The principle of fair and legitimate processing
This principle requires UNHCR to process personal data in a fair manner and only based on one or more of the legitimate bases set out in para 18 of the GDPP.
In the resettlement context
Along with providing international protection, the function of facilitating durable solutions for refugees lies at the heart of UNHCR’s mandate. As such, provided that the processing of personal data is justified for resettlement purposes, UNHCR can always rely on the legitimate basis in para 18 GDPP that “the processing is necessary for, or otherwise enables, the performance of UNHCR’s mandate …”. When counselling refugees, it may be of limited utility to provide a detailed explanation of the concept of ‘legitimate basis’ (unless requested or otherwise appropriate), and more instructive to rather demonstrate (i) that the collection and processing of personal data – including identity data and information on refugee claim and resettlement need – is necessary for the resettlement process under UNHCR’s mandate, and (ii) that UNHCR is required to process this personal data for resettlement in a fair manner. The requirement for fairness means that personal data may be obtained and used only in ways that the data subject would reasonably expect, and that the data should not be used in ways that could have an unjustifiably adverse or discriminatory impact.
A word on consent
Resettlement is voluntary and not all refugees wish to be resettled. However, those refugees who are identified for resettlement on account of their protection needs often have few other options available and may suffer significant detriment without resettlement. The imbalance of power between refugees in need of resettlement and UNHCR is extreme. At the same time, the processing of personal data is indispensable for resettlement consideration; it is impossible for an individual to benefit from resettlement without their personal data being processed. As a result, a refugee does not have a genuine choice to refuse the processing of their personal data as part of their processing for resettlement. In this way, the basic condition for valid consent – that it is freely given – cannot be satisfied to the standard established by the UNHCR data protection framework and in personal data protection and privacy law more generally. Therefore, UNHCR does not rely on consent as a legitimate basis for processing personal data for resettlement.
The principle of purpose specification
Purpose specification is the principle whereby personal data shall only be processed for specified purposes consistent with UNHCR’s mandate and functions. This also means that further processing needs to be compatible with the initial purpose(s) for which the data was originally collected. Para 20 of the GDPP includes a list of purposes of further processing which are always considered compatible with UNHCR’s mandate, one of which is “when [the processing] is necessary for long-term provision of protection and assistance and seeking of solutions…”.
In the resettlement context
When processing cases for resettlement, UNHCR often needs to use personal data which has been collected prior to resettlement consideration, for example during registration activities or at refugee status determination, or in the course of provision of protection and assistance by UNHCR partners. Even if it was not already specified at the time of collection that resettlement may be one of the purposes for which an individual’s personal data may be further processed, it follows from para 20 GDPP that processing cases for resettlement is a ‘compatible purpose’. That said, refugees undergoing consideration for resettlement should always be informed of that purpose for using their data so they can exercise their data subject ‘right to object’ if they so wish.
The principle of proportionality and necessity (data minimization)
This principle is linked to the principle of purpose specification and means that the amount of personal data collected and shared should be adequate, relevant and limited to what is necessary in relation to the identified purpose, and not exceed that purpose.
In the resettlement context
The RRF must contain sufficient information to enable States to assess the eligibility and admissibility of each case member for resettlement. It should not contain data that is unnecessary or disproportionate to the type or amount of information required by the receiving State authorities for this purpose. For example, detailed personal data of other individuals not included in the Resettlement Case would normally be unnecessary and disproportionate, such as including in the Relatives section the telephone number and exact address of relatives residing in a resettlement country.
In general, it should also be recalled under this principle that personal data which is considered necessary and proportionate for submission by UNHCR to State authorities might not be necessary and proportionate for onward sharing for the purposes of travel and settlement services. Given that the RRF is mainly designed for the purpose of documenting resettlement needs and eligibility for international protection, and to enable the State’s adjudication of the case, UNHCR discourages resettlement countries from sharing the RRF document with IOM, settlement service providers and municipal council authorities, without appropriate redaction by the relevant State authority. UNHCR encourages States instead to use the Pre-Departure Orientation and Reception Information Form which is designed to limit onward sharing of personal data, while providing adequate information to third parties for purposes specific to their respective roles and responsibilities. Note also that a data sharing agreement with the resettlement country should establish the conditions for disclosure of personal data to third parties and to the data subject (see Data sharing agreements for the purpose of resettlement below).
The accuracy principle
The accuracy principle requires UNHCR to take all reasonable steps to ensure that personal data is accurate and kept up to date so that it fulfils the purposes for which it is being processed. To this end, caseworkers should review, verify and update personal data during all case processing.
This principle is not to be confused with the general duty of persons of concern to cooperate with UNHCR by providing truthful and complete information when seeking to avail themselves of protection, assistance or durable solutions interventions. However, the accuracy principle and the duty to cooperate with UNHCR work in tandem. During counselling, UNHCR should inform individuals of their duty to help UNHCR to record their personal data accurately and fully, to the best of their knowledge, and to help UNHCR correct and/or update data later on, over time.
In the resettlement context
The caseworker works with individuals during their resettlement interview to identify and resolve any inconsistencies and errors in their personal data in proGres, and duly record corrections and the circumstances in which they were made. Caseworkers also draft the summary of the refugee claim in Section 4 of the RRF in a way that accurately reflects the established facts of the claim. To help ensure accuracy of data collection during the resettlement interview, it is strongly advised that caseworkers read back to the data subject the key information recorded during the interview. The Applicant is then required to sign a declaration (RRF Section 8) to affirm that the information they have provided is correct, complete and truthful to the best of their knowledge.
The principle of confidentiality
The principle of confidentiality requires UNHCR to process personal data “with due regard to confidentiality, in accordance with relevant regulations, rules, policies, administrative instructions and other instruments established or adopted by UNHCR or the United Nations” (para 25 GDPP). Note in particular Regulation 1.2(i) of the UN Staff Regulations, which stipulates that staff members “shall not communicate to any Government, entity, person or any other source any information known to them by reason of their official position that they know or ought to have known has not been made public, except as appropriate in the normal course of their duties or by authorization of the Secretary-General”. Further, under Principle 6 of UNHCR’s Code of Conduct, it is explained that “disclosure of sensitive or confidential information without authorization may seriously jeopardize the efficiency and credibility of UNHCR and its staff and endanger beneficiaries”.
Any sharing of personal data outside UNHCR with third parties must be in accordance not only with the principle of confidentiality but also with all the other data protection and privacy principles in the GDPP as well. The third party must afford an adequate level of protection for the shared personal data, in line with the data protection and privacy principles.
In the resettlement context
Respecting the confidentiality of the personal data processed for resettlement is essential for creating an environment of security and trust for refugees, and for maintaining the integrity of resettlement procedures. The duty of confidentiality for all colleagues who have access to personal data, including caseworkers and interpreters, should be clearly understood and reinforced through training, Code of Conduct refreshers and SOPs. UNHCR colleagues should take care not to discuss individual cases between them in a way that may identify the concerned individuals, unless necessary. Personal data must be stored in a way that it is accessible only to authorized personnel on a need-to-know basis and transferred only through protected communication channels (see The principle of security below and 2.5 File Management and Recordkeeping). UNHCR shares RRFs with resettlement countries on the understanding that they afford an adequate level of protection for the personal data therein, including by respecting the confidentiality of the data.
The principle of confidentiality also generally precludes resettlement caseworkers from sharing sensitive information relating specifically to one member of a Resettlement Case with any other member of the Case, let alone with another family member or with a member of the wider community. Information included within a Resettlement Case may be particularly sensitive (e.g. information related to gender based violence), which if disclosed by a resettlement caseworker in breach of their duty of confidentiality might result in serious repercussions for the data subject or another person.
Any authorized disclosure of personal data requires a legitimate basis and must be for a specified purpose consistent with UNHCR’s mandate and functions. Authorized disclosures must also respect all the other data protection and privacy principles as well.
The principle of security
This principle requires UNHCR to apply adequate organizational, administrative, physical and technical safeguards and procedures to protect the security of personal data, including against unauthorized access and processing and against accidental loss, alteration, damage or destruction. Respect for this principle is a precondition for ensuring the confidentiality of personal data.
In the resettlement context
SOPs must ensure safe and responsible physical and electronic file management, email and internet use as well as implementation of secure file transfer methods and controlled user management for PRIMES tools, including proGres, and any other systems used in the resettlement process. See 2.5 File Management and Recordkeeping.
File sharing or transfer of RRFs, supporting documents, assessments and other documents containing personal data, must be conducted in a way that ensures privacy and protection of personal data. It is best practice to only use corporate encrypted data transfer tools supported by UNHCR, such as PRIMES, Microsoft SharePoint and Secure File Sharing (SFS) in line with UNHCR information security policies. SFS offers additional security by providing scheduled deletion of the files and restricting the access to files only to the owner/creator and specific recipients, by default.
If communicating by Outlook email on individual cases, data minimization and privacy enhancing methods should be considered at all times, for example, using the proGres individual/ case number instead of individual names. Where possible, internal email communication on cases should use links to entities in proGres such as Individuals, Registration Groups, Referrals, RSD Cases and Resettlement Cases where recipients have appropriate proGres user profiles. Names and other personal data must never appear in the subject line of any email. Colleagues should also ensure that emails containing personal data of refugees are only forwarded to other recipients on a strict need to know basis.
Personal data should not be shared through unsupported or unendorsed communication channels, such as private email, commercial messaging apps (Whatsapp etc) or file sharing platforms (Dropbox, etc).
For further information and guidance, see the Cybersecurity tools, solutions & services, page on the intranet, as well as UNHCR’s Guidance on Electronic Storage and Transfer of POC data outside PRIMES and Policy on Information Security.
The principle of transparency
This principle requires UNHCR to process personal data with transparency to the data subject. In other words, it should be transparent to individuals how UNHCR will collect, use, share and otherwise process their personal data. The principle of transparency empowers data subjects to hold UNHCR accountable and exercise agency over their personal data. Ensuring the greatest possible transparency in data processing is part of UNHCR’s accountability to affected people and should be seen as part of a whole-of-protection approach beginning at initial registration and reinforced over time during different interactions with displaced and stateless persons.
In the resettlement context
During introductory counselling, that is, before personal data is collected in a resettlement interview, UNHCR must inform refugees about which types of personal data need to be processed, with whom their data will be shared during resettlement processing and why; and explain to refugees what their rights are as data subjects and how they can exercise them. To comply with the transparency principle, such information should be delivered in a way that is clear, concise and easy to understand. Therefore, caseworkers need to adapt data protection counselling according to the capacity of the data subject to comprehend. This means, for example, adopting a child-friendly approach, when appropriate, and finding accessible ways to inform people from diverse backgrounds about the processing of their personal data for resettlement. Whether data processing is sufficiently transparent should be determined from the perspective of the data subject. See ‘The right to information’ in the section below.
Rights of the data subject
The data protection and privacy standards in Part 2 of the GDPP include the following set of rights of data subjects with respect to the processing of their personal data:
- the right to information;
- the right to access;
- the right to rectification;
- the right to deletion; and
- the right to object.
Before complying with a request to exercise a data subject right, UNHCR should verify the identity of the individual concerned.
Data subject rights are not absolute, and UNHCR may, in the circumstances of an individual case, deny the exercise of a data subject right, in whole or in part, for reasons set out in Para 49 of the GDPP.
In addition, UNHCR may establish limitations to the exercise of a data subject right that are ‘generally applicable’, i.e. applying to all data subjects, if necessary for reasons set out in para 62 of the GDPP, and subject to the conditions set out in para 63 of the GDPP. It is strongly recommended to consult the Chief DPO when considering the establishment of a ‘generally applicable limitation’ to a data subject right. Furthermore, RCPS should be consulted and agree to any ‘generally applicable’ limitation on a data subject right in the resettlement context that may be under consideration in a country office or regional bureau. Such a limitation must be documented and the Chief DPO formally notified.
Any refusal of an individual request to exercise a data subject right must be recorded and communicated in writing to the individual concerned.
If an individual considers that the exercise of their data subject rights has not been respected, they may submit a complaint to the Personal Data Controller (under paras 51-53 of the GDPP). If they are dissatisfied with the response to their complaint, a redress request may be submitted (see paras 54-60 as well as 75(d)). Resettlement SOPS should include or refer to processes in the office to receive, record and respond to requests and complaints relating to the exercise of data subject rights.
The right to information
Data subjects have the right to information about the processing of their personal data, including, for example, whether their data will be shared with any third parties and how to exercise their rights as data subjects. The right to be informed in this way is at the heart of data protection; clear and transparent information helps data subjects know about and understand, and therefore exercise agency over the processing of their personal data by UNHCR.
In the resettlement context
Resettlement Applicants need to be informed during introductory counselling about, in particular:
- What categories of personal data will be collected, stored and shared with third parties and for which purposes (e.g. identity data to verify identity, refugee claim and resettlement needs data to assess eligibility and relevant specific needs and other data for transportation and reception support).
- The fact that only data that is necessary and proportionate to meet these purposes will be processed.
- How to exercise their data subject rights.
See 4.4 The Resettlement Interview for guidance on introductory counselling.
The right to access
Data subjects have a right to access their own personal data and UNHCR should strive for transparency in this regard. In particular, personal data that has been collected from the data subject themself should, in general, be unrestricted.
It is for UNHCR to decide the format in which the copy of the personal data requested should be provided to the data subject. However, where the personal data is contained in a copy of a document that was provided by the data subject (e.g. a passport or a certificate), an identical copy of that document should in principle be provided (note that UNHCR should not keep the originals of such documents).
The GDPP contains provisions in paras 49 and 61-62 that allow UNHCR to legitimately deny, in whole or in part, the exercise of the right to access.
In the Resettlement Context
A resettlement submission contains personal data not only of the resettlement Applicant but also of other individuals – notably, family members within a Resettlement Case, relatives listed in RRF section 3, and UNHCR personnel. It may also contain UNHCR assessments (e.g. the RRF itself, a BID, other reports) and analysis (e.g. about the refugee claim and the need for resettlement, and relating to the protection situation in the country of asylum).
When considering a request to access the RRF or other documents in the resettlement submission, the Personal Data Controller needs to consider to what extent the Applicant is entitled to access that data, taking into account (i) whether, based on the circumstances of the individual case, there is a need to make any restrictions permitted under para 49 of the GDPP, and (ii) whether the request for access engages any generally applicable limitation to the right to access made under paras 62-63 of the GDPP.
Where it is determined that the Applicant is not entitled to access all the personal data concerned, they should be provided with redacted extracts. Access to this information should be documented in the file.
The right to rectification
The right to rectification is the right to obtain correction or completion of inaccurate or incomplete personal data. This right may be exercised by data subjects at any time, for example, on the spot during the collection of their personal data, or at a later stage.
In the resettlement context
During resettlement interviews, caseworkers should read back the key information recorded to ensure that Applicants have the opportunity to correct and complete their personal data, as necessary. Caseworkers should bear in mind that rectification of personal data may, depending on the case, need to be treated as an inconsistency or fraud allegation under UNHCR’s Policy Addressing Fraud Committed by Persons of Concern.
The right to deletion
A data subject has the right to request deletion of personal data for which there is no legitimate basis for the processing or when the information is no longer necessary for the specified (or compatible) purposes for which it was collected. That is unless there are grounds for retaining the data for one of the purposes listed in para 23 of the GDPP, including ‘archiving’ and ‘accountability of UNHCR’s actions’.
In the resettlement context
Much of the personal data processed for resettlement purposes also needs to be processed for other operational purposes as well, in particular protection and assistance interventions. Unless the personal data is needed solely for purposes of resettlement processing, deleting it could therefore be to the serious detriment of the refugee concerned. Usually, the more appropriate course of action would be to remind the refugee of their right to object to the processing of their personal data for the specific purposes of resettlement (see below). Moreover, all individual case files of persons of concern – whether open or closed – are considered permanent records under UNHCR’s Policy on the Management of UNHCR Records and Archives, and as such, the personal data contained in a resettlement case file is not deleted unless it does not have sufficient long-term value to merit archiving.
The right to object
A data subject has the right to object to the processing of their personal data, at any time, on legitimate grounds relating to their particular situation. If the objection is accepted, no further processing of the personal data should take place for the purposes in respect of which the objection was made; and, if there is no legitimate basis for processing the data for any other purpose, in principle it should be deleted.
In the resettlement context
There will usually be no legitimate grounds for objection to the processing of personal data for resettlement purposes when that processing is necessary and proportionate for determining eligibility and suitability for resettlement (e.g. identity data, refugee claim, exclusion triggers, admissibility). That is unless the refugee concerned wishes to withdraw from the resettlement process, in which case, given that resettlement is voluntary, the objection would always be legitimate. While in principle a Resettlement Applicant may also object to the sharing of their RRF with a specific resettlement country, the objection is likely to be unsuccessful unless the Applicant can demonstrate legitimate grounds relating to their particular situation, since UNHCR is not necessarily able to submit the case to another country where the Applicant would prefer to be resettled.
Resettlement caseworkers must carefully counsel refugees who express an objection to the processing of certain personal data during the resettlement process, in particular where the consequence of accepting an objection may be that their case can no longer be considered for resettlement. That said, resettlement caseworkers should be mindful of the dignity and privacy of data subjects and consider again whether the personal data they object to sharing is indeed necessary and material to the resettlement submission. For example, it may be that a specific need, past experience or particular hardship may not be required personal data for resettlement consideration, depending on the context and the reasonable expectations of the resettlement country to be alerted about specific information. Objections of this nature should be discussed with a resettlement supervisor and the Applicant, and an agreement reached together about the extent to which particularly sensitive personal data needs to be processed and as to whether any organizational, contractual or technical adjustments could be made to the processing to further protect the dignity, security and right to privacy of the Applicant. For example, underlining to a resettlement country that a specific piece of information is highly confidential and sensitive and/or extremely difficult for the data subject to discuss, may be possible solutions.
Data sharing agreements for the purpose of resettlement
UNHCR is often required to share personal data with third parties, including, among others, governments, UN agencies or non-governmental organizations. Sharing of personal data in resettlement takes place through, for example, Resettlement Case submissions to resettlement States and follow ups to these submissions, including updates to the personal data shared.
Part 6 of the DPP (which is more detailed than the GDPP on conditions for sharing personal data with third parties) states that, where sharing of personal data is likely to be large, repeated or structural, UNHCR should seek to sign a data sharing agreement, prior to the sharing, unless there are satisfactory reasons not to do so. As such, UNHCR has engaged in bilateral discussions with multiple governments of resettlement States and other entities in order to conclude data sharing agreements (DSAs), given that the resettlement process requires regular sharing of personal data.
In the resettlement context
When the scope of a DSA in the resettlement context covers resettlement submissions from more than one country of asylum, it is considered to be a global DSA and therefore comes under the purview of UNHCR’s Resettlement and Complementary Pathways Service (RCPS) and is signed by the Personal Data Controller for resettlement in DIP. In line with the DPP, the Chief Data Protection and Privacy Officer (Chief DPO) and Legal Affairs Service must be consulted in the drafting process and are required to review and clear the agreements prior to finalization. RCPS maintains a record of global DSAs concluded in the resettlement context which is available to concerned Personal Data Controllers upon request.
If a DSA is required, it is advised that the relevant Personal Data Controller in a country office consults the Data Protection Focal Point at the relevant regional bureau and clearance from the Chief DPO and Legal Affairs Service, who will also consult RCPS in order to ensure global consistency.
Recognizing that the preparation and conclusion of DSAs is a continuous process while resettlement activities are ongoing, UNHCR must continuously consider the level of data protection afforded by third parties with whom personal data is shared, which should be adequate in line with the data protection and privacy principles of UNHCR’s GDPP (para 44). Furthermore, irrespective of the existence of a DSA, UNHCR is required to consistently apply the above-mentioned data protection and privacy principles when sharing data for the purpose of resettlement.
Some key points on the application of UNHCR’s data protection and privacy standards in resettlement
- Personal data can only be processed for specified purposes consistent with UNHCR’s mandate and functions.
- UNHCR must inform refugees about which types of personal data need to be processed during the resettlement process, with whom their data will be shared and why, and explain the rights of the data subject are and how they can be exercised.
- An RRF should not contain data that is unnecessary or disproportionate to the amount of information required by the receiving State authorities.
- Resettlement SOPs should set out processes that ensure respect for the rights of the data subject, including for the reception and response of data subject complaints.
- SOPs should take into account the fact that requests to correct personal data may lead to inconsistencies or fraud allegations that will need to be addressed in line with UNHCR’s Policy on addressing fraud committed by persons of concern and the related Operational Guidelines.
- When communicating on individual cases, SharePoint Team sites or Secure File Sharing is recommended. Email communications containing personal data should contain proGres numbers and not names. Personal data should never appear in the subject line of any email.
- To ensure confidentiality, personal data must be stored in a way that it is accessible only to authorized personnel on a need-to-know basis and transferred only through protected communication channels.