UNICEF POLICY ON PERSONAL DATA PROTECTION

Effective Date: 15 July 2020

RATIONALE

  1. UNICEF  uses  personal  data  in  a  range  of  activities,  whether  it  is  to  carry  out  beneficiaries’  needs  assessments,  to  implement  child  protection  programmes,  to  tailor  supporters’  engagement  or  to  manage human and supply resources. Examples of personal data include data that directly identify an individual (e.g. a name, a date of birth) or combinations of data (e.g. demographic data, location data) that make the individual identifiable. What constitutes personal data is dynamic and contextual. A single data source may not make an individual identifiable. However, in combination, and with the application of new technologies, data sources may make  the  individual  identifiable. Therefore each data source should be assessed for actual or potential personal data content.
  2. UNICEF  must  consider  opportunities  and  risks  in  the  use  of  personal  data,  including  in  combination  with evolving technologies (e.g. biometrics, artificial intelligence). The protection of this data is essential to upholding fundamental rights to privacy[1]  and the UN-system wide personal data protection and privacy principles. This Policy implements these UN principles and governs the processing of personal data  by  UNICEF.  The  Policy  stipulates  a  compliance  framework  for  appropriate  personal  data  protection throughout  the  data  life  cycle (e.g.  collection,  storage,  analysis,  transfer,  deletion,  or  collectively, ‘processing’). Under the Policy UNICEF commits to process personal data in ways that are appropriately:  i) justified;  ii)  for  defined  purposes;  iii)  limited  in  scope  to  that  necessary  for  defined purposes; iv) performed for accuracy and currency; v) secure and confidential; vi) limited in time; vii) transparent to the persons the data is about, and allows requests for access, change, deletion, or limits on processing  (including  automated  decision-making); and viii)  protected  upon  transfer  to  others. Related implementation measures are provided.
  3. This Policy is without prejudice to the 1946 Convention on the Privileges and Immunities of the United Nations.

SCOPE OF APPLICATION

  1. This  Policy  uses terms,  such  as  “personal  data”,  “data  subjects”,  “processing”,  “data  controller”  and  “data processor” and other terms as defined in Annex 1.
  2. This Policy applies solely to the processing of the personal data of living individuals.
  3. This Policy applies only to personal data collected and/or further processed by UNICEF filing systems, and  provides  protection  that  is  appropriate  to  the  risks  and  sensitivity  regarding the  personal  data  processed by particular filing systems. 
  4. All UNICEF personnel are required to process personal data in accordance with this Policy.  
  5. The  following  topics are  outside the  scope  of  this  Policy: (a) anonymous or  anonymized information processed  for  statistical  and  research  purposes;  (b)  data  that  can  identify  a  group,  demographic  or  community,  but  not  an  individual;  (c)  personal  data  of  deceased  data  subjects;  and (d)  confidential information that does not include personal data.[2] These matters may be subject to possible regulation under other Policies, or warrant application of principles from this Policy, mutatis mutandis.
  6. This  Policy  complements  other  UNICEF  regulations  relating  data  or  information,  such  as  the Information  Disclosure  Policy  and  the  Procedure  on  Information  Management.  This  Policy  shall  be  implemented subject to: i) overriding legal obligations, such as relevant resolutions, regulations, rules or decisions of the General Assembly, Secretary General or Executive Board; ii) the Office of Internal Audit and Investigation Charter and iii) fundamental rights and freedoms of the data subjects or other persons.

POLICY STATEMENTS

  1. In its interpretation and application to the personal data of a child, the best interest of the child shall be a primary consideration, and an interpretation and application that does no harm shall be sought.
  2. UNICEF personnel shall take particular care in processing the personal data of children and vulnerable categories of data subjects. 
  3. The  processing  of  particularly  sensitive  personal  data  is  allowed  only  where  necessary  to  carry  out  UNICEF’s   mandate.   Where   such   processing   occurs,   appropriate   organizational   and   technical   safeguards  shall  be  used  to  protect  the  data  subjects  against  identified  risks  associated  with  the  processing, including the risk of discrimination.
  4. The respective roles  and  responsibilities  (as  a  controller  or  a  processor)  of  UNICEF and UNICEF associates must be  defined  prior  to  the  collection  and  further  processing of personal  data  to  ensure  accountability under this Policy.
    1. As a controller, UNICEF may only engage with processors, including UNICEF associates, that provide appropriate commitment and assurance of meeting the requirements of this Policy or equivalent personal data protection standards, with the exception of paragraphs 43 to  49. As a joint controller, UNICEF shall agree in writing with other controllers the responsibilities of each and shall disclose the arrangement to the data subject where appropriate.
    2. As a processor, UNICEF will notify data controllers of its data protection requirements and will not knowingly process personal data received that were not collected in compliance with this Policy.  UNICEF may only process data on documented instructions from the controller, subject to any pre-existing obligations UNICEF has to process that were disclosed to the controller. UNICEF may only engage with (sub-)processors, including UNICEF associates, upon consent of the controller, and where the (sub-)processor agrees to assume the same data protection obligations as UNICEF made to the controller. 
  5. Risks associated with the processing of personal data shall be managed in accordance with UNICEF’s Enterprise  Risk  Management  Policy,  including  by  taking into  account  the  confidentiality  and  level  of  sensitivity of the personal data that are processed.

Policy Elements

Personal data protection principles

Legitimate and fair processing

  1. One or more legitimate bases is required for the processing of personal data. The legitimate bases  are: (i)  the  consent  of  the  data  subject,  or  the  child’s  representative  where  appropriate (“consent”);  (ii) to prepare for or perform a contract with the data subject, including a contract of employment (“contract”); (iii   ) to protect the life, physical or mental integrity of the data subject or another person (“vital interests”); (iv)  to  protect  or  advance  the  interests  of  people  UNICEF  serves,  and  particularly  those  interests  UNICEF is mandated to protect or advance (this legitimate basis would constitute “UNICEF’s legitimate interest”  as  well  as  the  “beneficiary  interest”);  (v)  compliance  with  a  public  legal  obligation  to  which  UNICEF  is  subject  (“legal  obligation”);  (vi)  other legitimate  interests  of  UNICEF  consistent  with  its mandate, including the establishment, exercise or defense of legal claims or for UNICEF accountability(“other legitimate interests”).
  2. Consent,  often  supported  by  other  legitimate  bases,  is  the  preferred  basis  for  processing.  In  some  cases, obtaining consent may be impractical, including because: the data subject is an under-13 child or a  child  whose  age  cannot  be  determined,  and  consent  cannot  be  sought  from  a  child’s  representative;  the  capacity  of  the  data  subject    to  consent  cannot  be  reasonably  assessed,  and  substitute alternative consent is unavailable; or there is urgency and the timely grant of    consent by the data subject is not expected.
  3. Personal data shall be processed in a manner that is transparent to the data subject, in conformity with paragraphs 25 and 26.

Purpose specification

  1. Personal  data  shall  be  processed  for  specified  and  limited  purposes,  which are  consistent  with  the  mandate of UNICEF and are determined prior to the time of collection.
  2. UNICEF  may  further process  personal  data  for  purposes  other  than  those  specified  at  the  time  of collection: i)   if   consent is obtained to further processing; ii) if   such further processing is compatible with those original purposes and the risks of further processing do not outweigh the benefits it entails for the data subject; iii) if  UNICEF is required to process further for statistical, historical or scientific purposes; iv) to establish UNICEF accountability; or v) for the establishment, exercise or defense of legal claims.

Necessity and proportionality

  1. The processing of personal data shall be relevant, limited and adequate to what is necessary in relation to the purpose(s) specified for processing. This requires, in particular, ensuring that the personal data collected are not excessive for the purposes for which they are collected, and that the period for which the  data  are  stored  in  the  UNICEF  filing  system,  is  no  longer  than  necessary,  in  conformity  with paragraph 24.

Accuracy

  1. Reasonable efforts shall be made to process personal data with accuracy and currency. The accuracy of the personal data to be retained shall be reassessed periodically. Frequency of accuracy review will depend  on  factors  such  as  the  relative  time  sensitivity  of  the  personal  data.  Determination  of  reassessment frequency shall be substantiated and documented. Personal data in archives need not be reassessed, corrected or kept current.

Security

  1. Personal  data  shall be classified  in  accordance  with  a  contextual  assessment  of  its  sensitivity,  in  accordance with UNICEF information security standards.
  2. Appropriate organizational, administrative, physical and technical safeguards and procedures shall be implemented  to  protect  the  security  of  personal  data,  including  against  or  from  accidental  or  unauthorized destruction,  loss,  alteration,  disclosure,  access,  or  unplanned loss  of  availability.  Such measures may include logging access, changes to or deletion of personal data.

Limited retention

  1. Personal data shall be retained in the UNICEF filing system:
    1. Permanently, if and only if the criteria under UNICEF’s policies and procedures on archiving are met;
    2. For the time required to achieve the purposes for which the personal data were collected. Those responsible for stipulating and implementing appropriate retention standards shall substantiate and document i) how long the personal data is needed for the intended purpose(s), ii) after which period of time the data will become stale or no longer useful for the intended purpose(s), iii) the appropriate retention period for the personal data based on assessment of retention needs, iv) how to safely and appropriately destroy or archive the personal data at the end of the determined retention period. Note: retention periods exceeding 10 years require additional substantiation.

Notice of personal data processing

  1. UNICEF shall provide to the data subject the information contained in Annex 2, when collecting their personal data.
  2. When personal data are collected by UNICEF (as controller) from a source other than the data subject or child’s representative, the information contained in Annex 2 shall be provided to each identified data subject  within  a  reasonable  period,  having  regard  to  the  logistical  constraints  to  which  UNICEF  is  subject.

Data subject requests to interact with their personal data

  1. Access, correction, deletion, objection and restriction to processing of personal data, and objection to automated decision-making may be requested, subject to the conditions below, by an individual who provides sufficient evidence of being the relevant data subject or associated child representative.
  2. Such requests shall be limited to personal data within UNICEF’s filing system that directly identify the data subject and not to data that could indirectly identify the data subject.
  3. Where such requests relate to personal data held in unstructured format, including written reports, and other files from which personal data extraction would not be possible employing reasonably available resources,  UNICEF  would  generally  decline  to  fulfill  the  request,  unless  overriding considerations demanded otherwise. Such overriding considerations could include upholding the best interest of the child or fundamental rights and freedoms of individuals.
  4. Data  subject  requests  shall be  addressed  by  UNICEF  in  accordance  with  the  mechanism  set  out  in  Annex  2,  taking  into  account possible  overriding  considerations in  the  application  of  this  Policy  (see  paragraph 9) and the provisions below.   

Access

  1. Unless it adversely affects the rights and freedoms of others, upon request, the data subjects or child’s representatives shall be provided with confirmation as to whether personal data concerning the data subject are being processed, and, where that is the case, information about requested categories of personal data held by UNICEF.
  2. Access to UNICEF archives shall be provided in accordance with applicable policies and procedures specific to archives.

Correction

  1. A request from the data subject or associated child’s representative to update or correct personal data shall  be  granted,  unless  the requested  change  would  be  inaccurate or the  data  are  contained  in  a  record held in the UNICEF archives.
  2. In order to preserve the integrity of UNICEF archives, a note may be included in the relevant archival file to indicate that a correction request has been made.

Deletion

  1. Subject to paragraph 36, a request by a data subject or child’s representative to have personal data deleted from the UNICEF filing system shall be granted when: i) the personal data were not processed in compliance with this Policy; ii) retention of the personal data would not be in compliance with this Policy; iii) in cases where the only legitimate basis for processing is consent, the data subject withdraws the consent  on  which  the  processing  was  based;  or  iv)  a  request  has  been  granted  to  fully  restrict processing under paragraph 38.
  2. Personal data shall not be deleted in the following circumstances: i) there are overriding vital interests, beneficiary interests, legal obligations or other legitimate interests; ii)   UNICEF is required to process further for statistical, historical or scientific purposes. 
  3. Records held  in  UNICEF  archives shall  not  be  deleted, in  order  to  preserve  the  integrity  of  UNICEF  records.

Objection to and restriction of processing

  1. Data subjects or the relevant child’s representatives may, at any time, object to or request restriction of the processing of their personal data if: i) the processing would not be in compliance with this Policy; ii) in  cases  where  the  only  legitimate  basis  for  processing  is  consent,  the  data  subject  withdraws  the  consent  on  which  the  processing  is  based;  or  iii)  on  compelling  grounds  relating  to  their  particular  situation. The request shall be granted unless there are overriding vital interests, beneficiary interests, legal obligations or other legitimate interests.

Automated decision-making

  1. Data subjects shall be entitled not to be subject to a decision based solely on automated processing, which produces adverse legal or significant material effects on them, unless the processing is carried out with consent, is necessary for entering into or performance of a contract between the data subject and UNICEF, or is necessary for beneficiary interests or other legitimate interests (and provided that appropriate safeguards are in place).   

Personal data transfers

  1. Transfers may only occur when there is a legitimate basis for both personal data transfer and data processing. What constitutes a legitimate basis has been set out in paragraph 15 above, and these legitimate bases apply equally to data processing and data transfers.
  2. Each of the data protection principles and sections of this Policy applies equally to data processing and data transfers. In particular, transfers shall only occur where the conditions set out in paragraph 13 are met.

Policy Implementation

Awareness-raising

  1. UNICEF  shall  provide  training  and  take  appropriate  action  to  raise  awareness  so  as  to  ensure the effective  implementation  of  this  Policy  by  its  personnel,  taking  into  account  resource  and  logistics  constraints. 

Planning

  1. In acting  as  a  controller  and  determining  the  means  of  processing  personal  data  (including  when  creating databases), UNICEF shall  incorporate “data protection by design and by default” into planning, development and decision making, and implement appropriate technical and organizational measures, such as data minimization and pseudonymization.
  2. When UNICEF acts as a controller and the processing of personal data is likely to involve high risks to the rights and freedoms of the data subjects, in particular where new technologies are involved, a data protection  impact  assessment  (DPIA)  shall  (and  in  other  cases  may)  be  conducted  prior  to  the  processing  to  identify  the risks,  any corresponding  mitigating  measures,  and  inform  whether  the processing shall proceed.

Monitoring

  1. UNICEF   shall   take   practical   measures   to   monitor   compliance   with   this   Policy,   including the development and maintenance of centralized registers of:
    1. Key measures taken by offices to implement this Policy;
    2. UNICEF filing systems that include personal data, which register shall contain i) the name and contact details of the information asset owner; ii) the purposes of the processing; iii) categories of the data subjects and data sources; (iv) types of personal data concerned; v) categories of recipients to whom the personal data have been or can be disclosed or otherwise transferred; vi) default retention periods; and vii) where possible, a general description of the technical and organizational security measures pursuant to 23.
    3. personal data breaches, and the nature of any data subject notifications made because of those breaches.

Personal data breach

  1. A personal data breach regulation shall be established, addressing, among other things, appropriate reporting  channels,  review  or  investigations  of  incidents,  technical  responsive  measures,  and notifications to data subjects and others.  

Accountability

  1. A failure to comply with the Policy  may  amount  to  misconduct  (particularly  if  the  result  of  gross  negligence,  recklessness  or deliberate conduct).
  2. UNICEF  shall  define  other  requirements  of  an  implementing structure,  Procedures,  Standards  and Guidance to operationalize  and  monitor  implementation of  this  Policy. UNICEF shall adopt an appropriate oversight structure to interpret the Policy, in particular, if handling data subjects’ requests.

Special considerations in Emergency Contexts 

  1. In designated emergencies, derogation to  data protection regulations  may exceptionally be provided by the Director of EMOPS, after consultation with the OED/Child Safeguarding office and the UNICEF Country  Representative,  and in  line  with EMOPS  and OED/Child  Safeguarding  guidance  on  data protection  in  humanitarian  action.  Derogations  may  address:  the  selection of  legitimate  bases  for processing; assessment of necessity and proportionality in processing; accuracy, security and retention measures; the timing, format and method of notice to data subjects regarding the processing of their data; assessment  of  the  adequacy  of  safeguards  on  transfers;  the  form of  data protection impact assessments;  and the timing  of  responses  to  data subject  requests  and central  registration of  filing systems.

Transitional Measures 

  1. This Policy shall be progressively implemented. There will be a 12 months transitional period from the effective date noted above for full adherence to the policy document.  During this time, a comprehensive implementation plan will be rolled out. Successful completion of the implementation plan will require full cooperation at the Division, Region and Country levels regarding key implementation activities such as the  compilation  of  personal  data  inventories;  performance  of  data  risk  assessments;  the  drafting  of  guidance  and  notice  documents  and  data  protection  training  (e.g.,  train  the  trainer  activities,  etc.).  Requests for implementation delay such as exemptions from specific provisions of this Policy, for  specific  time  periods  and filing  systems,  may  be  granted  by  the  Deputy  Executive  Director  (Management),  following  a  request  made  by  a  Division or  Regional  Director,  following  a  risk  assessment. Such exemptions shall be noted in any relevant information notice.

[1] Including in the Universal Declaration on Human Rights, article 12 and the Convention on the Rights of the Child, Article 16.

[2] Such as business secrets: see UNICEF Information Disclosure Policy.