UNICEF POLICY ON PERSONAL DATA PROTECTION
Annex 1 & 2
ANNEX 1: DEFINITIONS
- Archives are, as the context requires, either physical or electronic recorded information that has been deemed of sufficient administrative, fiscal, legal, historical or informational value as to warrant permanent retention under the relevant UNICEF regulation, or a designated facility containing such information objects.
- Anonymous or anonymized information means information about a person whose identity cannot be determined.
- Child’s representative means a parent, legal guardian, or other individual legally responsible for the child in question with respect to issue being addressed.
- Child or children refer to individuals who are under 18 years of age.
- Consent means, in light of the information provided to the individual data subject, any freely given, specific and informed agreement of a data subject to the processing of their personal data. In the case of under-13 children, such consent shall be provided by the child’s representative, with due consideration of the best interest of the under-13 child. Consent as defined and used in this Policy is intended to provide the data subject with agency as to the collection and further processing of their data. The consent is often supported by other legitimate bases for data processing such as UNICEF’s legitimate interest, beneficiary interest, vital interest or contract. Data subject requests for withdrawal or alteration of consent will be reviewed and acted on with due consideration to the best interest of the child and the legitimate bases relied on for the collection and processing of the personal data.
- Controller means the entity or individual, including a public authority, agency or other body, who, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Protection Impact Assessment (DPIA) means a standardized assessment building on the HLCM Principles and other recognized international data protection principles that assesses the impact of the envisaged processing activities on the protection of personal data and on the rights and freedoms of the data subjects. A DPIA aims to identify mitigating measures, if any, in order to avoid or minimize such impact.
- Data subject means an individual whose personal data is subject to processing under this Policy, regardless of who provided the personal data or how it was found. For the purpose of the Policy, the term data subject includes, but it is not limited to past, potential or current beneficiaries, individual donors, supporters, suppliers, individuals in other UNICEF associate organizations and personnel.
- Information Asset Owner means an individual or group designated pursuant to the UNICEF Standard on Information Security: Asset Management.
- Particularly Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union/staff association membership, genetic data and biometric data capable of uniquely identifying a natural person, data concerning health, or data concerning an individual’s sex life or sexual orientation.
- Personal data means any information relating to an identified or identifiable individual (‘data subject’). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to i) an identifier such as a name, an identification number, audiovisual materials, location data, an online identifier, ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual or iii) assessments of the status and/or specific needs, such as in the context of assistance programmes. The definition of what constitutes personal data is contextual and expanding particularly due to enhancements in technology and methods for identifying individuals.
- Personal data breach means a breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure, access, or unplanned loss of availability of personal data that is unencrypted or can be decrypted.
- Personal data transfer means any action that makes personal data accessible or otherwise available to another party, other than the data subject, regardless of the media and format (electronically or physically). Movement of data or provision of access to data to other individuals within UNICEF is not a personal data transfer. Personal data transfer includes transfers within a country as well as data transfers from the country where the data was originally collected to another country or countries.
- Process or processing means any operation or set of operations performed on personal data, whether by automated means or manually, such as collecting, recording, structuring, consulting, retrieving, using, transferring, disclosing, sharing or otherwise making available, or deleting.
- Processor means an individual or entity, including a public authority, agency or other body, which processes personal data on behalf of the controller.
- Pseudonymization means any technical process under which personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
- UNICEF associate means one of the following kinds of entities with which UNICEF has a contractual relationship or collaboration arrangement: a civil society partner, bilateral or multilateral partner, National Committee, supplier or vendor, corporate partner, or a sub-contractor of any of these entities. It does not include governments.
- UNICEF filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. This includes databases and other repositories of personal data, as well as archives, administered by or on behalf of UNICEF.
- UNICEF personnel means UNICEF staff, individual consultants and contractors, UNVs, interns, volunteers, gratis personnel, UNICEF goodwill ambassadors, individuals serving on loan or deployed under Stand-by Personnel arrangements to UNICEF, and persons working for UNICEF through an employment agency or similar arrangement.
- Under-13 child means a child who is below the age of 13 years as proven by any available means of identification. In the absence of such a document, the term means a child who is likely to be under the age of 13 years according to the assessment of the person collecting the personal data.
ANNEX 2: REQUESTS OF IDENTIFIED DATA SUBJECTS TO INTERACT WITH THEIR PERSONAL DATA
Provision of information about the processing of a data subject’s personal data
- Pursuant to paragraph 25 and 26, the following information shall be provided to the data subject or child’s representative, in writing or orally:
- the purposes for which their personal data will be processed;
- whether personal data about the data subject will be collected from other sources, and the categories of such sources (which could include other UN agencies, government sources, UNICEF associate sources, publicly available information);
- the anticipated retention period;
- whether their personal data will be transferred to third parties, the categories of third parties to which their personal data will be transferred, and whether they may be outside the country in which the data subject is located;
- the importance that data subjects provide accurate and complete personal data as well as changes to their personal situation pursuant to paragraph 21 of the Policy;
- how to request access to their personal data, or correction or deletion of it; to object to or to restrict the processing of their personal data; and any further recourse that might be available.
- Such information shall be provided in a clear and plain language as well as in a format adapted to the age, maturity and vulnerability of the data subjects.
How data subjects can make requests for access, correction, deletion, objection to a restriction of processing, or objections to automated decision-making
- UNICEF shall consider a request made orally or in writing by:
- An adult data subject;
- A child data subject who is 13 or older and has apparent capacity to understand the nature and appreciate the consequences of the request, with due consideration of the best interest of the child;
- A child’s representative for a data subject who is a child between 13 and 18, upon assent of the child and with due consideration of the best interest of the child;
- The child’s representative for a data subject for an under-13 child, with due consideration of the best interest of the child.
UNICEF responses to requests for access, correction, deletion, objection to a restriction of processing, or objections to automated decision-making
- In assessing or responding to the request, the person responding:
- May ask for further detail, if the request does not contain sufficient detail to enable UNICEF to identify and locate the record with reasonable efforts;
- Shall, where possible, respond to the request within a reasonable time, orally or in writing, and pursuant to paragraph 17 and paragraph 49;
- Shall generally limit requests to structured personal data, unless overriding reasons demands otherwise. Such overriding reasons could include upholding the best interest of the child or essential rights and freedoms of individuals;
- Shall not reveal personal data about the data subject, unless there is sufficient proof that the person asking for the information is the data subject, or a child’s representative (consideration being given to the best interest of the child);
- May deny the request if there are grounds for believing that the request is manifestly abusive, fraudulent or obstructive to the purpose of processing;
- Shall provide reasons if the request is denied, other than if it is denied on grounds that it is manifestly abusive, fraudulent or obstructive to the purpose of processing;
- Shall provide access in a form (oral, in print, digitally, or through online access) that is reasonably practical to UNICEF and person requesting, if access is granted;
- Shall provide information about any available recourse or review mechanism that has been established and could be used by the data subject or a child’s representative.