Assessing data management activities in the humanitarian sector: a guidance note

PI collaborated with the Centre for Humanitarian Data, the International Committee of the Red Cross, and UN Global Pulse to develop a guidance notes on risk assessments for humanitarian practitioners.

Key points

- New technologies continue to present great risks and opportunities for humanitarian organisations and the people they serve.

- Protecting humanitarians organisations as well as the affected populations they serve requires a comprehensive approach to tackle the threats and risks.

- Data impact assessments should be conducted before and during data management activities in order to inform project planning and design.

News & Analysis

New technologies continue to present great risks and opportunities for any users but for some communities the implications and harms can have severe consequences and one of the sectors facing increasing challenges to keep innovating whilst protecting themselves and the people they serve is the humanitarian sector.

Over the course of engagement with the humanitarian sector, one of our key observations has been how risk assessments undertaken in the sector omitted to integrate a hollistic approach to identifying the risks associated with the use of new technologies in their operations and programmes to assess how the “do no harm” principle applies in a digital environment.

This is partly due to the novelty of this field as well as to constant changes in the legal, regulatory, and technological landscapes surrounding technologies but there are also various other reasons we’ve identified for these shortcomings in this field.

One of these reasons is that humanitarian practitioners are not systematically recording the risks associated with the use of new technologies and therefore they fail to undertake appropriate measures to mitigate them, and in some cases to even drop their plans.

This is why PI collaborated with the Centre for Humanitarian Data, the International Committee of the Red Cross, and UN Global Pulse to develop a guidance notes on risk assessments. Undertaking risk assessments is not only crucial to consider the impact on privacy, and assessing compliance with data protection but they provide a process by which to determine the broader implications for the enjoyment of fundamental rights and freedoms of affected populations who humanitarian organisations aim to assist.

The aim of the guidance note is to support humanitarians in conducting assessments for their data management activities. The note provides guidance on how to decide whether to do an assessment, what to take into account when undertaking such an assessment as well presents three areas that the humanitarian practioners should focus on including:

  • Designing standard tools to facililate data impact assessments;
  • Developing the capacity to conduct such assessments within their own organisations and as a result, across the sector; and
  • Sharing data impact assessment outcomes to improve learning and continuous improvement of practices and policies

Whilst we believe the availability of such guidance can assist the humanitarian sector to improve protocols, procedures and strategies to identify and manage risks more is required if humanitarian organisations and the affected populations they serve are to be effectively protected.

Protecting people requires addressing the threats emerging in the humanitarian ecosystem as a whole including data exploitation and surveillance by governments and companies alike. This is at the core of PI’s mission as we continue to advocate for legal and technological solutions to protect people and their data from exploitation.

The humanitarian sector relies on an variety of third parties, primarily the private sector, to design, deploy and maintain the use of technology in their programmes, be it telecommunications or other digital service providers, and yet they have little leverage to influence how these third parties operate.

Many of these actors operate in the shadows with very little transparency and accountability which is putting users at risk. This is why at PI we are continuously exposing and challenging the failure of companies to understand and acknowledge the responsibilities they have when their business models, either intentionally or not, are exposing people who are already in the most vulnerable positions to even greater risk such as humanitarian workers and those affected populations which the humanitarian sector exists to assist.

And let’s forget the ever increasing unprecedented surveillance capabilities of governments. These powers can be used to protect our security, but without proper safeguards these capabilities can also be abused and undermine the very values they seek to protect including providing humanitarian assistance safely and securely.

Protecting humanitarians organisations as well as the affected populations they serve, requires a comprehensive approach to tackle the threats and risks. We hope this guidance note will provide humanitarian practitioners with a structured way to think about the importance of risk assessments beyond just seeing them as an internal and/or legal compliance tools and that it will highlight the need for them not only to develop their understanding of technology but also the need for them to put pressure on state and non-state actors within the humanitarian ecoystem to prevent data exploitation and surveillance.

Find out more about Privacy International’s work on data exploitation and surveillance in the development and humanitarian sector, and sign up to keep up-to-date with our news.