Interview: Data Protection in UNHCR
“Data protection is part and parcel of refugee protection”
Alexander Beck, Senior Data Protection Officer based in Copenhagen, on the particular role of data protection for UNHCR.
Since 2015, UNHCR has its own Data Protection Policy. This is the first data protection instrument in a UN agency. Can you tell us why UNHCR took this step?
Alexander Beck: Data protection is a longstanding priority for UNHCR. Earlier internal memoranda and guidelines dealt with the issue from a confidentiality perspective. What is new in the Data Protection Policy is the terminology and a closer alignment to principles and concepts of data protection law that we consider to be good international practice and fully compatible with UNHCR’s mandate. UNHCR took that step because we are a very data intensive organization. That means many UNHCR staff and colleagues and partner organisations need to process a lot of information on individual refugees, asylum-seekers, internally displaced persons, and other people whom we protect and assist – so-called personal data – in our daily work. In the years before the Policy was adopted, we felt the need for a more principled response to an increasing number of requests from UNHCR offices in the field including the acknowledgment of certain rights refugees have as ‘data subjects’. This is what the Data Protection Policy does.
You mention UNHCR’s mandate. Would you agree that the Data Protection Policy is derived from it?
A.B: Yes, data protection is firmly rooted in UNHCR’s mandate. In 1950, the UN General Assembly tasked the High Commissioner for Refugees to provide international protection to refugees [and seek solutions]. No one would dispute that protecting refugees includes protecting their personal data. But in order to understand how this should be done, we need to consider international human rights law. This also takes into account the growing awareness of international organizations of the need for all aspects of their work to safeguard and to respect human rights. And data protection law emerged from the fundamental right to privacy, recognized in the Universal Declaration of Human Rights, other international and regional human rights instruments and national constitutions. In the 1970s and 1980s, data protection law began to emerge in national laws and regional agreements. Today, more than 120 countries have adopted data protection or privacy laws and this process continues. The UNHCR Data Protection Policy therefore stands on two legs, the organisation’s international legal mandate, and human rights law.
How important is data protection for UNHCR in practice?
A.B: Data protection is part and parcel of refugee protection. Moreover, refugees are often in a vulnerable position and their information is highly sensitive; they face far greater risks than most of us if their data is misused or shared with those who have no right to it. Data protection is therefore particularly important to UNHCR. There are two further reasons why data protection is likely to become even more important in the future: the use of new technologies and the growing number of actors in the humanitarian field, including traditionally non-humanitarian entities. Both increase opportunities for persons of concern to UNHCR, but they also entail higher risks because of increased processing of personal data, including data sharing among such actors. UNHCR, as a main collector of personal data, therefore needs to lead efforts to ensure respect for data protection principles.
Can you give a few examples?
A.B: There are a number of examples of new technologies which create both opportunities and risks: the wider use of smart phones, in particular mobile messaging apps, social media, the collection of biometric data; cloud computing; and the use of blockchain technology. Offering greater connectivity also requires safeguards against risks of surveillance. More reliable identification of individuals due to biometrics and more efficient distribution of and access to assistance stand against risks of tracking such individuals if the data were to fall into the wrong hands. Using the cloud for personal data may save costs and increase flexibility, but could compromise confidentiality. There is a lot of talk around blockchain – a new and emerging technology. But it is too early to tell whether blockchain is appropriate or sufficiently mature for UNHCR’s purposes. Like many data protection instruments, UNHCR’s Policy is technology-neutral. But it does require us to assess risks through Data Protection Impact Assessments reflecting current practice in several countries and also in the European Union based on the General Data Protection Regulation (GDPR). UNHCR’s Data Protection Policy requires us to apply “privacy by design and by default”. This will allow us to make good use of and to invest responsibly in new technologies, as we seek to strengthen protection and improve services for the people of our concern.
Isn’t there a risk that data protection requirements slow down urgent measures for refugee protection and assistance?
A.B: Where there is a humanitarian imperative, data protection rules should not prevent action to save lives. They should be applied in a way which does no harm. In many situations where data protection rules appear to slow down processes, the reality is that they have not been considered and factored in at the beginning, for example when developing a project or starting negotiations with third parties. The problem is not the data protection principles; the problem arises if those responsible for their respect think of them too late in a process. The principles are flexible and several exception clauses in the UNHCR Policy do take account of emergency situations.
What would you qualify as the greatest challenges UNHCR may face in protecting personal data in the years to come?
A.B: We need to establish an all-encompassing culture of data protection. There is a need to withstand internal and external pressure to compromise on data protection principles. It will be crucial to maintain trust between UNHCR and the persons we are supposed to protect. Refugees should know and understand their rights and that they are the rightful owners of their data. There are many challenges ahead of us, but we are optimistic: UNHCR staff members, whether in protection functions or not, are doing their best and with the unequivocal support from senior management, we will continue adapting and improving our policies in a rapidly evolving environment, both politically and technologically.
Alexander Beck, Senior Data Protection Officer