Page

UNICEF POLICY ON PERSONAL DATA PROTECTION

Annex 1 & 2

ANNEX 1: DEFINITIONS

  1. Archives are, as the context requires, either physical or electronic recorded information that has been deemed of sufficient administrative, fiscal, legal, historical or informational value as to warrant permanent retention under the relevant UNICEF regulation, or a designated facility containing such information objects.
  2. Anonymous or anonymized information means information about a person whose identity cannot be determined.
  3. Child’s representative means a parent, legal guardian, or other individual legally responsible for the child in question with respect to issue being addressed.
  4. Child or children refer to individuals who are under 18 years of age.
  5. Consent means,  in  light  of  the  information  provided to  the  individual  data  subject,  any  freely  given,  specific and informed agreement of a data subject to the processing of their personal data. In the case of  under-13  children,  such  consent  shall  be  provided  by  the  child’s  representative,  with  due  consideration of the best interest of the under-13 child. Consent as defined and used in this Policy is intended  to  provide  the  data  subject  with  agency  as  to  the  collection  and  further  processing  of  their data. The consent is often supported by other legitimate bases for data processing such as UNICEF’s legitimate interest, beneficiary interest, vital interest or contract. Data subject requests for withdrawal or alteration of consent will be reviewed and acted on with due consideration to the best interest of the child and the legitimate bases relied on for the collection and processing of the personal data.
  6. Controller means the entity or individual, including a public authority, agency or other body, who, alone or jointly with others, determines the purposes and means of the processing of personal data.
  7. Data  Protection  Impact  Assessment  (DPIA) means  a  standardized  assessment  building  on  the  HLCM Principles and other recognized international data protection principles that assesses the impact of the envisaged processing activities on the protection of personal data and on the rights and freedoms of the data subjects. A DPIA aims to identify mitigating measures, if any, in order to avoid or minimize such impact.
  8. Data subject means an individual whose personal data is subject to processing under this Policy, regardless of who provided the personal data or how it was found. For the purpose of the Policy, the term data subject includes, but it is not limited to past, potential or current beneficiaries, individual donors, supporters, suppliers, individuals in other UNICEF associate organizations and personnel.
  9. Information Asset Owner means an individual or group designated pursuant to the UNICEF Standard on Information Security: Asset Management.
  10. Particularly Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union/staff association membership, genetic data and  biometric  data  capable  of  uniquely  identifying  a  natural  person,  data  concerning  health,  or  data concerning an individual’s sex life or sexual orientation.
  11. Personal data means any information relating to an identified or identifiable individual (‘data subject’). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to i) an identifier such as a name, an identification number, audiovisual materials, location data, an online identifier,  ii)  one  or  more  factors  specific  to  the  physical,  physiological,  genetic,  mental,  economic,  cultural or social identity of the individual or iii) assessments of the status and/or specific needs, such as  in  the  context  of  assistance  programmes.  The  definition  of  what  constitutes  personal  data  is contextual and expanding particularly due to enhancements in technology and methods for identifying individuals.
  12. Personal  data  breach  means  a  breach of  security  leading  to  the  accidental  or  unauthorized  destruction, loss, alteration, disclosure, access, or unplanned loss of availability of personal data that is unencrypted or can be decrypted.
  13. Personal data transfer means any action that makes personal data accessible or otherwise available to  another  party,  other  than  the  data  subject,  regardless  of  the  media  and  format  (electronically  or  physically). Movement of data or provision of access to data to other individuals within UNICEF is not a  personal  data  transfer. Personal  data  transfer  includes  transfers  within  a  country  as  well  as  data  transfers from the country where the data was originally collected to another country or countries.
  14. Process or processing means any operation or set of operations performed on personal data, whether by  automated  means  or  manually,  such  as  collecting,  recording,  structuring,  consulting,  retrieving,  using, transferring, disclosing, sharing or otherwise making available, or deleting.
  15. Processor means an  individual  or  entity,  including  a  public  authority,  agency  or  other  body,  which processes personal data on behalf of the controller.
  16. Pseudonymization means  any  technical  process  under  which  personal  data  can  no  longer  be  attributed  to  a  specific  data  subject  without  the  use  of  additional  information,  provided  that  such  additional  information  is  kept  separately  and  is  subject  to  technical  and  organizational  measures  to  ensure that the personal data are not attributed to an identified or identifiable individual.
  17. UNICEF associate means one of the following kinds of entities with which UNICEF has a contractual relationship  or  collaboration  arrangement:  a  civil  society  partner,  bilateral  or  multilateral  partner,  National Committee, supplier or vendor, corporate partner, or a sub-contractor of any of these entities. It does not include governments.
  18. UNICEF filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. This includes databases and other repositories of personal data, as well as archives, administered by or on behalf of UNICEF.
  19. UNICEF  personnel  means  UNICEF  staff,  individual  consultants  and  contractors,  UNVs,  interns,  volunteers, gratis personnel, UNICEF goodwill ambassadors, individuals serving on loan or deployed under Stand-by  Personnel  arrangements  to  UNICEF,  and  persons  working  for  UNICEF  through  an  employment agency or similar arrangement.
  20. Under-13 child means a child who is below the age of 13 years as proven by any available means of identification. In the absence of such a document, the term means a child who is likely to be under the age of 13 years according to the assessment of the person collecting the personal data.   

 

ANNEX 2: REQUESTS OF IDENTIFIED DATA SUBJECTS TO INTERACT WITH THEIR PERSONAL DATA

Provision of information about the processing of a data subject’s personal data

  1. Pursuant to paragraph 25 and 26, the following information shall be provided to the data subject or child’s representative, in writing or orally:
    1. the purposes for which their personal data will be processed;
    2. whether personal data about the data subject will be collected from other sources, and the categories of such sources (which could include other UN agencies, government sources, UNICEF associate sources, publicly available information);
    3. the anticipated retention period;
    4. whether their personal data will be transferred to third parties, the categories of third parties to which their personal data will be transferred, and whether they may be outside the country in which the data subject is located;
    5. the importance that data subjects provide accurate and complete personal data as well as changes to their personal situation pursuant to paragraph 21 of the Policy;
    6. how to request access to their personal data, or correction or deletion of it; to object to or to restrict the processing of their personal data; and any further recourse that might be available.
  2. Such information shall be provided in a clear and plain language as well as in a format adapted to the age, maturity and vulnerability of the data subjects.

How data subjects can make requests for access, correction, deletion, objection to a restriction of processing, or objections to automated decision-making

  1. UNICEF shall consider a request made orally or in writing by:
    1. An adult data subject;
    2. A child data subject who is 13 or older and has apparent capacity to understand the nature and appreciate the consequences of the request, with due consideration of the best interest of the child;
    3. A child’s representative for a data subject who is a child between 13 and 18, upon assent of the child and with due consideration of the best interest of the child;
    4. The child’s representative for a data subject for an under-13 child, with due consideration of the best interest of the child.

UNICEF responses to requests for access, correction, deletion, objection to a restriction of processing, or objections to automated decision-making

  1. In assessing or responding to the request, the person responding:
    1. May ask for further detail, if the request does not contain sufficient detail to enable UNICEF to identify and locate the record with reasonable efforts;
    2. Shall, where possible, respond to the request within a reasonable time, orally or in writing, and pursuant to paragraph 17 and paragraph 49;
    3. Shall generally limit requests to structured personal data, unless overriding reasons demands otherwise. Such overriding reasons could include upholding the best interest of the child or essential rights and freedoms of individuals;
    4. Shall not reveal personal data about the data subject, unless there is sufficient proof that the person asking for the information is the data subject, or a child’s representative (consideration being given to the best interest of the child);
    5. May deny the request if there are grounds for believing that the request is manifestly abusive, fraudulent or obstructive to the purpose of processing;
    6. Shall provide reasons if the request is denied, other than if it is denied on grounds that it is manifestly abusive, fraudulent or obstructive to the purpose of processing;
    7. Shall provide access in a form (oral, in print, digitally, or through online access) that is reasonably practical to UNICEF and person requesting, if access is granted;
    8. Shall provide information about any available recourse or review mechanism that has been established and could be used by the data subject or a child’s representative.