UNICEF POLICY ON PERSONAL DATA PROTECTION
Effective Date: 15 July 2020
RATIONALE
- UNICEF uses personal data in a range of activities, whether it is to carry out beneficiaries’ needs assessments, to implement child protection programmes, to tailor supporters’ engagement or to manage human and supply resources. Examples of personal data include data that directly identify an individual (e.g. a name, a date of birth) or combinations of data (e.g. demographic data, location data) that make the individual identifiable. What constitutes personal data is dynamic and contextual. A single data source may not make an individual identifiable. However, in combination, and with the application of new technologies, data sources may make the individual identifiable. Therefore each data source should be assessed for actual or potential personal data content.
- UNICEF must consider opportunities and risks in the use of personal data, including in combination with evolving technologies (e.g. biometrics, artificial intelligence). The protection of this data is essential to upholding fundamental rights to privacy[1] and the UN-system wide personal data protection and privacy principles. This Policy implements these UN principles and governs the processing of personal data by UNICEF. The Policy stipulates a compliance framework for appropriate personal data protection throughout the data life cycle (e.g. collection, storage, analysis, transfer, deletion, or collectively, ‘processing’). Under the Policy UNICEF commits to process personal data in ways that are appropriately: i) justified; ii) for defined purposes; iii) limited in scope to that necessary for defined purposes; iv) performed for accuracy and currency; v) secure and confidential; vi) limited in time; vii) transparent to the persons the data is about, and allows requests for access, change, deletion, or limits on processing (including automated decision-making); and viii) protected upon transfer to others. Related implementation measures are provided.
- This Policy is without prejudice to the 1946 Convention on the Privileges and Immunities of the United Nations.
SCOPE OF APPLICATION
- This Policy uses terms, such as “personal data”, “data subjects”, “processing”, “data controller” and “data processor” and other terms as defined in Annex 1.
- This Policy applies solely to the processing of the personal data of living individuals.
- This Policy applies only to personal data collected and/or further processed by UNICEF filing systems, and provides protection that is appropriate to the risks and sensitivity regarding the personal data processed by particular filing systems.
- All UNICEF personnel are required to process personal data in accordance with this Policy.
- The following topics are outside the scope of this Policy: (a) anonymous or anonymized information processed for statistical and research purposes; (b) data that can identify a group, demographic or community, but not an individual; (c) personal data of deceased data subjects; and (d) confidential information that does not include personal data.[2] These matters may be subject to possible regulation under other Policies, or warrant application of principles from this Policy, mutatis mutandis.
- This Policy complements other UNICEF regulations relating data or information, such as the Information Disclosure Policy and the Procedure on Information Management. This Policy shall be implemented subject to: i) overriding legal obligations, such as relevant resolutions, regulations, rules or decisions of the General Assembly, Secretary General or Executive Board; ii) the Office of Internal Audit and Investigation Charter and iii) fundamental rights and freedoms of the data subjects or other persons.
POLICY STATEMENTS
- In its interpretation and application to the personal data of a child, the best interest of the child shall be a primary consideration, and an interpretation and application that does no harm shall be sought.
- UNICEF personnel shall take particular care in processing the personal data of children and vulnerable categories of data subjects.
- The processing of particularly sensitive personal data is allowed only where necessary to carry out UNICEF’s mandate. Where such processing occurs, appropriate organizational and technical safeguards shall be used to protect the data subjects against identified risks associated with the processing, including the risk of discrimination.
- The respective roles and responsibilities (as a controller or a processor) of UNICEF and UNICEF associates must be defined prior to the collection and further processing of personal data to ensure accountability under this Policy.
- As a controller, UNICEF may only engage with processors, including UNICEF associates, that provide appropriate commitment and assurance of meeting the requirements of this Policy or equivalent personal data protection standards, with the exception of paragraphs 43 to 49. As a joint controller, UNICEF shall agree in writing with other controllers the responsibilities of each and shall disclose the arrangement to the data subject where appropriate.
- As a processor, UNICEF will notify data controllers of its data protection requirements and will not knowingly process personal data received that were not collected in compliance with this Policy. UNICEF may only process data on documented instructions from the controller, subject to any pre-existing obligations UNICEF has to process that were disclosed to the controller. UNICEF may only engage with (sub-)processors, including UNICEF associates, upon consent of the controller, and where the (sub-)processor agrees to assume the same data protection obligations as UNICEF made to the controller.
- Risks associated with the processing of personal data shall be managed in accordance with UNICEF’s Enterprise Risk Management Policy, including by taking into account the confidentiality and level of sensitivity of the personal data that are processed.
Policy Elements
Personal data protection principles
Legitimate and fair processing
- One or more legitimate bases is required for the processing of personal data. The legitimate bases are: (i) the consent of the data subject, or the child’s representative where appropriate (“consent”); (ii) to prepare for or perform a contract with the data subject, including a contract of employment (“contract”); (iii ) to protect the life, physical or mental integrity of the data subject or another person (“vital interests”); (iv) to protect or advance the interests of people UNICEF serves, and particularly those interests UNICEF is mandated to protect or advance (this legitimate basis would constitute “UNICEF’s legitimate interest” as well as the “beneficiary interest”); (v) compliance with a public legal obligation to which UNICEF is subject (“legal obligation”); (vi) other legitimate interests of UNICEF consistent with its mandate, including the establishment, exercise or defense of legal claims or for UNICEF accountability(“other legitimate interests”).
- Consent, often supported by other legitimate bases, is the preferred basis for processing. In some cases, obtaining consent may be impractical, including because: the data subject is an under-13 child or a child whose age cannot be determined, and consent cannot be sought from a child’s representative; the capacity of the data subject to consent cannot be reasonably assessed, and substitute alternative consent is unavailable; or there is urgency and the timely grant of consent by the data subject is not expected.
- Personal data shall be processed in a manner that is transparent to the data subject, in conformity with paragraphs 25 and 26.
Purpose specification
- Personal data shall be processed for specified and limited purposes, which are consistent with the mandate of UNICEF and are determined prior to the time of collection.
- UNICEF may further process personal data for purposes other than those specified at the time of collection: i) if consent is obtained to further processing; ii) if such further processing is compatible with those original purposes and the risks of further processing do not outweigh the benefits it entails for the data subject; iii) if UNICEF is required to process further for statistical, historical or scientific purposes; iv) to establish UNICEF accountability; or v) for the establishment, exercise or defense of legal claims.
Necessity and proportionality
- The processing of personal data shall be relevant, limited and adequate to what is necessary in relation to the purpose(s) specified for processing. This requires, in particular, ensuring that the personal data collected are not excessive for the purposes for which they are collected, and that the period for which the data are stored in the UNICEF filing system, is no longer than necessary, in conformity with paragraph 24.
Accuracy
- Reasonable efforts shall be made to process personal data with accuracy and currency. The accuracy of the personal data to be retained shall be reassessed periodically. Frequency of accuracy review will depend on factors such as the relative time sensitivity of the personal data. Determination of reassessment frequency shall be substantiated and documented. Personal data in archives need not be reassessed, corrected or kept current.
Security
- Personal data shall be classified in accordance with a contextual assessment of its sensitivity, in accordance with UNICEF information security standards.
- Appropriate organizational, administrative, physical and technical safeguards and procedures shall be implemented to protect the security of personal data, including against or from accidental or unauthorized destruction, loss, alteration, disclosure, access, or unplanned loss of availability. Such measures may include logging access, changes to or deletion of personal data.
Limited retention
- Personal data shall be retained in the UNICEF filing system:
- Permanently, if and only if the criteria under UNICEF’s policies and procedures on archiving are met;
- For the time required to achieve the purposes for which the personal data were collected. Those responsible for stipulating and implementing appropriate retention standards shall substantiate and document i) how long the personal data is needed for the intended purpose(s), ii) after which period of time the data will become stale or no longer useful for the intended purpose(s), iii) the appropriate retention period for the personal data based on assessment of retention needs, iv) how to safely and appropriately destroy or archive the personal data at the end of the determined retention period. Note: retention periods exceeding 10 years require additional substantiation.
Notice of personal data processing
- UNICEF shall provide to the data subject the information contained in Annex 2, when collecting their personal data.
- When personal data are collected by UNICEF (as controller) from a source other than the data subject or child’s representative, the information contained in Annex 2 shall be provided to each identified data subject within a reasonable period, having regard to the logistical constraints to which UNICEF is subject.
Data subject requests to interact with their personal data
- Access, correction, deletion, objection and restriction to processing of personal data, and objection to automated decision-making may be requested, subject to the conditions below, by an individual who provides sufficient evidence of being the relevant data subject or associated child representative.
- Such requests shall be limited to personal data within UNICEF’s filing system that directly identify the data subject and not to data that could indirectly identify the data subject.
- Where such requests relate to personal data held in unstructured format, including written reports, and other files from which personal data extraction would not be possible employing reasonably available resources, UNICEF would generally decline to fulfill the request, unless overriding considerations demanded otherwise. Such overriding considerations could include upholding the best interest of the child or fundamental rights and freedoms of individuals.
- Data subject requests shall be addressed by UNICEF in accordance with the mechanism set out in Annex 2, taking into account possible overriding considerations in the application of this Policy (see paragraph 9) and the provisions below.
Access
- Unless it adversely affects the rights and freedoms of others, upon request, the data subjects or child’s representatives shall be provided with confirmation as to whether personal data concerning the data subject are being processed, and, where that is the case, information about requested categories of personal data held by UNICEF.
- Access to UNICEF archives shall be provided in accordance with applicable policies and procedures specific to archives.
Correction
- A request from the data subject or associated child’s representative to update or correct personal data shall be granted, unless the requested change would be inaccurate or the data are contained in a record held in the UNICEF archives.
- In order to preserve the integrity of UNICEF archives, a note may be included in the relevant archival file to indicate that a correction request has been made.
Deletion
- Subject to paragraph 36, a request by a data subject or child’s representative to have personal data deleted from the UNICEF filing system shall be granted when: i) the personal data were not processed in compliance with this Policy; ii) retention of the personal data would not be in compliance with this Policy; iii) in cases where the only legitimate basis for processing is consent, the data subject withdraws the consent on which the processing was based; or iv) a request has been granted to fully restrict processing under paragraph 38.
- Personal data shall not be deleted in the following circumstances: i) there are overriding vital interests, beneficiary interests, legal obligations or other legitimate interests; ii) UNICEF is required to process further for statistical, historical or scientific purposes.
- Records held in UNICEF archives shall not be deleted, in order to preserve the integrity of UNICEF records.
Objection to and restriction of processing
- Data subjects or the relevant child’s representatives may, at any time, object to or request restriction of the processing of their personal data if: i) the processing would not be in compliance with this Policy; ii) in cases where the only legitimate basis for processing is consent, the data subject withdraws the consent on which the processing is based; or iii) on compelling grounds relating to their particular situation. The request shall be granted unless there are overriding vital interests, beneficiary interests, legal obligations or other legitimate interests.
Automated decision-making
- Data subjects shall be entitled not to be subject to a decision based solely on automated processing, which produces adverse legal or significant material effects on them, unless the processing is carried out with consent, is necessary for entering into or performance of a contract between the data subject and UNICEF, or is necessary for beneficiary interests or other legitimate interests (and provided that appropriate safeguards are in place).
Personal data transfers
- Transfers may only occur when there is a legitimate basis for both personal data transfer and data processing. What constitutes a legitimate basis has been set out in paragraph 15 above, and these legitimate bases apply equally to data processing and data transfers.
- Each of the data protection principles and sections of this Policy applies equally to data processing and data transfers. In particular, transfers shall only occur where the conditions set out in paragraph 13 are met.
Policy Implementation
Awareness-raising
- UNICEF shall provide training and take appropriate action to raise awareness so as to ensure the effective implementation of this Policy by its personnel, taking into account resource and logistics constraints.
Planning
- In acting as a controller and determining the means of processing personal data (including when creating databases), UNICEF shall incorporate “data protection by design and by default” into planning, development and decision making, and implement appropriate technical and organizational measures, such as data minimization and pseudonymization.
- When UNICEF acts as a controller and the processing of personal data is likely to involve high risks to the rights and freedoms of the data subjects, in particular where new technologies are involved, a data protection impact assessment (DPIA) shall (and in other cases may) be conducted prior to the processing to identify the risks, any corresponding mitigating measures, and inform whether the processing shall proceed.
Monitoring
- UNICEF shall take practical measures to monitor compliance with this Policy, including the development and maintenance of centralized registers of:
- Key measures taken by offices to implement this Policy;
- UNICEF filing systems that include personal data, which register shall contain i) the name and contact details of the information asset owner; ii) the purposes of the processing; iii) categories of the data subjects and data sources; (iv) types of personal data concerned; v) categories of recipients to whom the personal data have been or can be disclosed or otherwise transferred; vi) default retention periods; and vii) where possible, a general description of the technical and organizational security measures pursuant to 23.
- personal data breaches, and the nature of any data subject notifications made because of those breaches.
Personal data breach
- A personal data breach regulation shall be established, addressing, among other things, appropriate reporting channels, review or investigations of incidents, technical responsive measures, and notifications to data subjects and others.
Accountability
- A failure to comply with the Policy may amount to misconduct (particularly if the result of gross negligence, recklessness or deliberate conduct).
- UNICEF shall define other requirements of an implementing structure, Procedures, Standards and Guidance to operationalize and monitor implementation of this Policy. UNICEF shall adopt an appropriate oversight structure to interpret the Policy, in particular, if handling data subjects’ requests.
Special considerations in Emergency Contexts
- In designated emergencies, derogation to data protection regulations may exceptionally be provided by the Director of EMOPS, after consultation with the OED/Child Safeguarding office and the UNICEF Country Representative, and in line with EMOPS and OED/Child Safeguarding guidance on data protection in humanitarian action. Derogations may address: the selection of legitimate bases for processing; assessment of necessity and proportionality in processing; accuracy, security and retention measures; the timing, format and method of notice to data subjects regarding the processing of their data; assessment of the adequacy of safeguards on transfers; the form of data protection impact assessments; and the timing of responses to data subject requests and central registration of filing systems.
Transitional Measures
- This Policy shall be progressively implemented. There will be a 12 months transitional period from the effective date noted above for full adherence to the policy document. During this time, a comprehensive implementation plan will be rolled out. Successful completion of the implementation plan will require full cooperation at the Division, Region and Country levels regarding key implementation activities such as the compilation of personal data inventories; performance of data risk assessments; the drafting of guidance and notice documents and data protection training (e.g., train the trainer activities, etc.). Requests for implementation delay such as exemptions from specific provisions of this Policy, for specific time periods and filing systems, may be granted by the Deputy Executive Director (Management), following a request made by a Division or Regional Director, following a risk assessment. Such exemptions shall be noted in any relevant information notice.
[1] Including in the Universal Declaration on Human Rights, article 12 and the Convention on the Rights of the Child, Article 16.
[2] Such as business secrets: see UNICEF Information Disclosure Policy.