show menu
Thank you for visiting. Please not that the content population on this website is still in progress.

Data protection impact assessment
Last updated:

As outlined in the Policy on the Protection of Personal Data of Persons of Concern to UNHCR, operations are required to design digital communication tools with privacy and confidentiality in mind and undertake a Data Protection Impact Assessment (DPIA) for any systems or projects where personal data is processed (such as social media monitoring and analysis). 

When elaborating new systems, projects or policies or before entering into data transfer arrangements with Implementing Partners or third parties which may negatively impact on the protection of personal data of persons of concern, UNHCR needs to carry out a Data Protection Impact Assessment (DPIA). A DPIA is required where the collection and processing or transfer of personal data is likely to be large, repeated or structural (i.e. where data is shared with an Implementing Partner or third party over a certain period of time).

By identifying, assessing, mitigating, and communicating data protection risks and their impact to refugees, forcibly displaced and stateless people, organisations can fulfil their responsibility to be more accountable towards them and safeguard their rights.

Additionally, a DPIA provides guidance and recommendations on how to best facilitate alignment with the Principles on the Use of Artificial Intelligence in the UN System (2022), the UN Secretary-General’s Guidance on Human Rights Due Diligence for Digital Technology Use and the IASC Operational Guidance on Data Responsibility in Humanitarian Action.

The guidance for the DPIA process consists of several steps:

  1. Threshold analysis (e.g. whether a DPIA is necessary);
  2. Preparation of the DPIA, including setting up a team, plan, allocate resources, identify and consult stakeholders;
  3. Performing the DPIA, including identification of personal data flows, determination of data protection safeguard requirements, risk identification, analysis and evaluation and setting out options or alternatives;
  4. Follow up, including preparation of the report and a public summary, implement risk treatment plans and review or update the DPIA. 

RESOURCE

Policy on the Protection of Personal Data of Persons of Concern to UNHCR

UNHCR’s 2015 Policy on the Protection of Personal Data of Persons of Concern to UNHCR, commonly referred to as the ‘Data Protection Policy’ (DPP), sets out UNHCR’s general human-rights based approach to personal data processing including data of forcibly displaced and stateless people as well as data of people not of concern to UNHCR. The DPP is complemented by Guidance on the Protection of Personal Data of Persons of Concern to UNHCR, or ‘Data Protection Guidance’ (DPG), which provides further details on the DPP’s implementation, supervision, and accountability provisions.

Sorry… This form is closed to new submissions.