Yesterday I participated in a side event on data protection in humanitarian action at the 2018 International Conference of Data Protection and Privacy Commissioners in Brussels. The context of the meeting is a planned update to the Handbook on Data Protection in Humanitarian Action, first published in 2017 by the International Committee of the Red Cross (ICRC) and Brussels Privacy Hub.

The Handbook aims to equip staff of humanitarian organizations with data protection guidance for processing personal data as part of their operations. New crises and emerging technologies introduce new data protection challenges. A working group has been established to identify and respond to these challenges, as well as to address other gaps in the handbook a year into its use.

It was a lively panel discussion with contributions from:

  • Yves Dricot, Deputy Director-General of the Directorate General Development Cooperation and Humanitarian Aid, Belgian Ministry of Foreign Affairs  
  • Massimo Marelli, Head of Data Protection Office, ICRC
  • Christopher Kuner, Co-Director, Brussels Privacy Hub
  • Stuart Campo, Researcher, Signal Program on Human Security and Technology, Harvard Humanitarian Initiative
  • Alexandrine Pirlot de Corbion, Global South Programme Lead, Privacy International
  • Christina Vasala Kokkinaki, Legal Officer, International Organisation for Migration
  • Wojciech Wiewiórowski, Assistant European Data Protection Supervisor, EDPS

Several themes emerged during the event, which I summarize below:

Don’t Overstate Technology: Panelists warned against fixating too strongly on technology during discussions on data protection in humanitarian settings. While changes in technology are important, they can sometimes distract us from focusing on the people at the core of humanitarian intervention.

Making the Handbook More Actionable: Several commented on how the Handbook could become more practical with stronger examples. It was noted that humanitarians in the field are thirsty for actionable (and concise) guidance to help them make better decisions in protecting personal data.

Centrality of Identity: “Aid distribution is all about identity management,” it was remarked. Registration and identification practices are core to the humanitarian enterprise and technologies such as smart cards and biometrics are becoming more and more central to operations. These developments have significant data protection implications.

Private Sector Involvement: A number of participants noted the importance of engaging the private sector in updating the Handbook. Technology providers, mobile network operators, and financial institutions like banks and payment processors, among others, play an increasingly central role in humanitarian intervention. Any tailored guidance for data protection in humanitarian operations must account for these private sector systems and data practices. This is a difficult problem.

Group Privacy Concerns: It was encouraging to hear an acknowledgment that the risks extend beyond individual-level concerns with ‘personal data’. Can updated guidance address community-level risks (e.g. demographic information which can be used to afflict harm on certain groups)?

We look forward to engaging the ICRC and Brussels Privacy Hub as they work on updates to the Handbook through 2019.