This data may, for example, include the nationality and international protection needs of people forced to flee, names of individual donors or contact information of procured vendors.
UNHCR’s General Policy on Personal Data Protection and Privacy (GDPP) brings the Agency’s longstanding human rights-based approach to data protection and privacy in line with modern and global standards in this area.
This policy introduces a data protection framework for the collection, use and sharing of personal data of all individuals (‘data subjects’). This includes the people we serve as well as UNHCR donors, partners and personnel. The policy thereby builds upon UNHCR’s existing Policy on Protection of Personal Data of Persons of Concern to UNHCR from 2015, which will continue to be in effect as a part of UNHCR’s data protection framework.
Under the GDPP, UNHCR establishes the function of the Chief Data Protection Officer. This dedicated colleague provides independent and impartial expert support. They advise, monitor, and provide oversight in order to ensure UNHCR’s compliance with its data protection framework when processing personal data.
Furthermore, the policy introduces a review mechanism through which individuals will be able to seek a formal review of complaints and cases. Once established, the Personal Data Protection Review Committee will independently and impartially review requests by all data subjects.
Data protection standards are constantly evolving and improving across the world. It is crucial for UNHCR policies to be in line with the best international standards, such as the UN Personal Data Protection and Privacy Principles, adopted by the UN High-Level Committee on Management (HLCM). This effort supports the alignment of approaches with UNHCR’s partners and sister agencies and aims to make collaborations clear, transparent and predictable when the processing of personal data is required. Together, we can positively affect standards and approaches to data protection globally.
Currently, UNHCR is updating its data protection policy specifically for the people we serve to align it with the GDPP and to factor in the most recent developments in data protection.