2.1 Glossary and key definitions
This section contains a glossary of selected key definitions related to Responsible Data and Data protection in the context of humanitarian action. It will also point you to other more detailed sections or even some other toolboxes.
You can find some of these concepts under a different format in sub-section 2.7 Key concepts to master where they will be presented as “knowledge capsules” for your reference and later use.
In the table of contents below, click on the heading of each definition to be directed to the glossary content.
A more extensive list of program data related definitions can be found in CartONG’s Information Management Beginner’s Glossary.
Last, you can refer to the very useful French-English glossary from the French authority on Data protection, CNIL.
Note that you will find sets of definitions and glossaries in several resources referenced in this toolbox. Content might differ slightly, as interpretations are subject to each organization’s specific context and mandate. Do not be put off by these differences: the topic is complex and can be approached from various angles.
The below definitions are mainly extracted from one of the following reference documents:
- OCHA & Center for Humanitarian Data, 2020, IASC Operational guidance on Data Responsibility in humanitarian action
- ICRC, 2021, Handbook on Data Protection in Humanitarian Action, 2nd edition
- Netherlands Red Cross - 510, 2018, Data Responsibility Policy
- PAM, 2017, Conducting Mobile Surveys Responsibly
- ICO (UK’s independent body set up to uphold information rights) website
- European GDPR
When definitions were complementary, both sources of information are displayed.
TABLE OF CONTENTS
- 1. General definitions
- 2. Roles in data protection
- 3. The rights of the data subject
- 4. Legal bases for data processing
- 5. Tools and situations
- 6. Pseudonymisation & anonymization
1. General definitions
1.1 Data protection
Data protection includes the processes, systems and practices used to safeguard information from being lost, corrupted, or accessed by unauthorized parties. It refers to the fundamental rights of individuals: the right to data protection is derived from the Right to Privacy.
As stated by the ICRC, “Protecting individuals’ personal data is an integral part of protecting their life, integrity, and dignity”. New technologies have allowed for easier and faster processing of personal data, which in turn leads to concerns about intrusion into private lives. In the humanitarian and development sphere, NGOs collect and process personal data to perform humanitarian activities. However, in such environments, where the rule of law may not be fully applied, “the protection of personal data of beneficiaries and staff is often necessary to safeguard their security, lives and work” (ICRC, Handbook on data protection in humanitarian action).
1.2 Responsible data
Responsible data is the duty to ensure people’s rights to consent, privacy, security and ownership around the information processes of collection, analysis, storage, presentation and reuse of data while respecting the values of transparency and openness. (Engine Room)
1.3 Personal data
Any information relating to a natural person (or “data subject”) who can be identified directly or indirectly. More precisely, it includes:
- A name, a picture, a fingerprint or iris scan;
- An identification number, an employee number or an internal registration number;
- A phone or social security number;
- Location data such as a postal address;
- An email address, an online identifier, an IP address;
- A voice recording;
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In short, personal data means information about a particular living individual. It doesn’t need to be “private” information – even information which is public knowledge or is about someone’s professional life can be personal data. It does not cover truly anonymous information – but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data. (ICO)
1.4 Personally identifiable information (PII)
Also called “direct identifiers”, these are specific personal data that can directly identify a person. PII can include data such as a respondent’s name, address, or ID number.
Personally Identifiable Information (PII) is the American term, and the term personal data (or personal information) is meant to be the EU equivalent of PII. Nonetheless, they do not correspond with each other exactly. All PII is personal data, but not all personal data is considered PII.
PII has a limited scope of data which includes: name, address, birth date, Social Security numbers and banking information. Whereas, personal information in the context of the GDPR also references data such as: photographs, social media posts, preferences and location as personal. Therefore, to comply with the GDPR you need to look at the broader context of what personal data is.
What constitutes personally identifiable data is continually expanding, as technological advancements make it possible or easier to derive an individual’s identity using disparate pieces of information from the wide range of datasets that are now accessible. (510)
1.5 Sensitive data
It means personal data which, if disclosed or accessed without proper authorization, may cause harm, may result in discrimination against or the repression of the individual concerned, thus potentially harming fundamental rights of the people.
According to the GDPR, sensitive data encompass data revealing:
- Racial or ethnic origin;
- Political opinions and affiliation;
- Religious beliefs or philosophical inclinations;
- Trade union membership;
- Sexual life and orientations;
- Criminal allegation, proceedings or convictions;
- Armed group affiliation;
- Health (data on physical or mental health of any kind, such as HIV or TB status, addictions, diseases, birth control methods, disabilities, medical treatments, allergies);
- Genetic and biometric data, if used for the purpose of identification.
The disclosure of sensitive data could cause harm to a person or have a negative impact on an organization’s ability to carry out its activities.
All sensitive data require augmented protection even though different types of data falling under the scope of sensitive data (e.g. different types of biometric data) may present different levels of sensitivity. Given the specific situations in which humanitarian organizations work and the possibility that some data elements could give rise to discrimination, setting out a definitive list of sensitive data categories in humanitarian action is not meaningful (ICRC).
1.6 Do no harm (DNH) principle
General definition:
“Do no harm” is to avoid exposing people to additional risks through aid action.
“Do no harm” means taking a step back from an intervention to look at the broader context and mitigate potential negative effects on the social fabric, the economy and the environment. (HI/F3E)
As part of Responsible data:
All reasonable measures shall be taken to avoid causing any harm. This means considering the context of the project, including political and cultural sensitivities. For an accurate assessment local knowledge is essential and must be consulted. If at any time the use of any data or, conversely, not using data could pose significant risks to any concerned party, apply a qualitative threat & risk assessment. If the analysis reveals significant risks, one shall refrain from executing the project. (510)
2. Roles in data protection
2.1 Natural person or data subject (individuals)
Technical term for the person to whom particular data relate.
A natural person (e.g. an individual) whose personal data is being processed, and who can be identified, either directly or indirectly, by reference to that data.
Designation as a data subject is linked to a set of specific data subject rights to which he/she is entitled with regard to his/her personal data, even when this data is gathered, collected or otherwise processed by others.
Although data may also relate to organizations, rather than individuals, organizations would not be considered ‘data subjects’ under the recognized legal definition. (OCHA)
2.2 Data controller
It means the person or organization that, alone or jointly with others, determines the purposes and means of the processing of personal data. (ICRC)
A data controller is the entity or person who decides how and why to collect and use the data. This will usually be an organization, but can be an individual (e.g. a sole trader). The controller must make sure that the processing of that data complies with data protection laws. Data controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. (ICO)
2.3 Data processor
It refers to the person or organization that processes personal data on behalf of the data controller (ICRC).
The data processor is a person or an organization that processes and adds value to raw data, e.g. by cleaning it, loading it into a searchable database, or combining it with data from other sources. (OCHA)
A processor is a separate person or organization (not an employee) who processes data on behalf of the controller and in accordance with its instructions. Data processors have some direct legal obligations, but these are more limited than those of the controller […] as they act on behalf of, and only on the instructions of, the relevant controller. (ICO)
2.4 Data protection officer (DPO)
The DPO assists an organization in monitoring internal compliance, informs and advises on its data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIA) and acts as a contact point for data subjects and the supervisory authority.
The DPO must remain independent, an expert in data protection, adequately resourced, and report to the highest management level.
A DPO can be an existing employee or externally appointed. In some cases, several organizations can appoint a single DPO between them. (ICO)
3. The rights of the data subject
3.1 Right of information
This transparency principle gives to each data subject the right to be informed about (510):
- The purposes of the processing for which the personal data are intended as well as the legal basis selected;
- If the data were not acquired on the basis of informed consent: the legitimate interest pursued by the data controller or by a third party;
- The identity and the contact details of the data controller;
- The contact details of the data protection officer (DPO);
- The recipients or categories of recipients of the personal data, if any (meaning third-party recipients), specifying if the data controller intends to transfer personal data to a third country or international organization;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to data processing as well as the right to data portability;
- The existence of the right to withdraw consent at any time;
- The right to lodge a complaint with a supervisory authority;
And, where applicable:
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such data processing for the data subject;
- When the data have been acquired from a third-party, additionally:
- The categories of personal data concerned;
- From which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
3.2 Right of access
Individuals have the right to access their personal data, including:
- Confirmation that you are processing their personal data;
- A copy of their personal data;
- Other supplementary information, such as the information you must provide under the right of information.
In practice:
- Individuals can make an access request verbally or in writing;
- You must act on the subject access request without undue delay;
- You cannot charge a fee to deal with a request in most circumstances. (ICO)
3.3 Right of rectification & erasure
Individuals have the right to have inaccurate personal data rectified, to have it completed if it is incomplete, or to have their personal data erased.
- Individuals can make a request for rectification or erasure verbally or in writing.
This right is not absolute and only applies in certain circumstances.
3.4 Right to restrict data processing
Individuals have the right to request the restriction or suppression of their personal data.
When data processing is restricted, you are permitted to store the personal data, but not use it.
This right has close links to the right to rectification and the right to object.
3.5 Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability; for instance, their medical file and history as a patient, or their mobile phone number carried over to another service provider.
The right only applies to information an individual has provided to a data controller.
3.6 Right to object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
4. Legal bases for data processing
In order to be implemented, any data processing must be based on one of the “legal bases” provided for by the GDPR. The prior determination of the appropriate legal basis is a key step in the data management cycle.
There are 6 legal bases for data processing. No single basis is “better” or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject.
Most legal bases require that data processing is “necessary” for a specific purpose. If you can reasonably achieve the same purpose without this data processing (e.g. data collection, data sharing, etc.), you won’t have a legal basis.
If you are processing special categories of data (e.g. personal data, PII, sensitive data, etc.), you need to identify both a legal basis for general data processing and an additional condition for processing this type of data. (ICO)
4.1 Vital interest
When Consent cannot be validly obtained, personal data may still be processed if the humanitarian organization establishes that this is in the vital interest of the data subject or of another person, e.g. where data processing is necessary in order to protect an interest which is essential for the data subject’s life, integrity, health, dignity, or security or that of another person. (ICRC)
Vital interest is likely to be relevant for emergency medical care, when you need to process personal data for medical purposes but the patient is unable to give consent to the processing.
Warning: You cannot invoke vital interest for health data or other special categories of data (e.g. personal data, PII, sensitive data, etc.) if the person is capable of giving consent, even if they refuse to give consent.
Processing of one individual’s personal data to protect the vital interest of others is likely to happen more rarely. It may be relevant, for example, if it is necessary to process a parent’s personal data to protect the vital interest of a child. (ICO)
Vital interest might apply where you are processing on humanitarian grounds, such as monitoring epidemics or tracing sought persons, or where there is a natural or man-made disaster causing a humanitarian emergency (to provide for the essential needs of an individual or a community during or in the aftermath of an emergency). (ICO/ICRC)
ICRC example: A humanitarian organization needs to collect personal data from vulnerable individuals following a natural disaster in order to provide vital assistance (e.g. food, water, medical assistance, etc.). It may use the vital interest of the individuals as the legal basis for the collection of personal data, without the need to obtain their consent. However, it should:
- Ensure that this legal basis is used only to provide such assistance;
- Offer the individuals the right to object;
- Process the data collected in accordance with its privacy policy, which should be available to data subjects upon request. It should provide all relevant information about the data processing, for example through posters, or group explanations, or by making further information available on leaflets or web sites when beneficiaries are registered or aid is distributed.
4.2 Public mission or public interest
You can rely on this legal basis if you need to process personal data:
- “In the execution of public authority”: this covers public functions and powers set out in the law;
- To carry out a specific task of public interest provided for by the law. (ICO)
The activity in question should be part of a humanitarian mandate established under national or international law. This would for example be the case for the ICRC, National Societies of the Red Cross/Red Crescent, the UNHCR, UNICEF, the WFP, the IOM, and other humanitarian organizations mandated under national or international law to carry out specific missions, in so far as the processing of personal data is necessary to accomplish those missions. In this case, the term “necessary” is to be strictly construed (i.e. the data processing should be truly necessary, rather than just convenient, to fulfil the relevant purpose).
This may happen, for example, when the processing of personal data relates to persons deprived of their liberty in an armed conflict or other situation of violence, where the humanitarian organization has not yet been in a position to visit the data subject deprived of his/her liberty and therefore obtain his/her consent and, subsequently, if consent is not considered as a valid legal basis due to the vulnerability of the data subjects. (ICRC)
4.3 Legitimate interest
Legitimate interest is the most flexible legal basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be appropriate where you use people’s data in ways they would reasonably expect and which have a minimal impact on privacy, or where there is a compelling justification for the processing.
If you choose to rely on legitimate interest, the data controller assumes an additional responsibility to take into account and protect the rights and interests of individuals.
You must balance your interest against the individual’s. If they would not reasonably expect the data processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interest. This can be broken down into a three-part test:
- Purpose test: Are you pursuing a legitimate interest?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do the individual’s interests override the legitimate interest?
The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interest, but this is not an exhaustive list. (ICO)
ICRC examples of data processing activities that are permissible based on the legitimate interest of the organization:
- A humanitarian organization processes personal data in the course of scanning its IT systems for viruses;
- Verifying the identity of beneficiaries for anti-fraud purposes;
- Defending itself in a legal proceeding brought by an ex-employee. (ICRC)
4.4 Contract execution
You can rely on this legal basis if you need to process someone’s personal data and:
- A contract is entered into with a person and his/her personal data must be processed to comply with your contractual obligations; or
- A contract has not been concluded with the person, yet, but he/she has asked you to do something (e.g. provide a quotation) and you need to process their personal data to address the request. (ICO)
This will generally be the case with regard to data processing for the following purposes:
- HR management of personnel files, including recruitment; or
- Management of relations with suppliers of goods/services; or
- Relations with donors. (ICRC)
4.5 Legal obligations
You can rely on this legal basis if you need to process the personal data to comply with a common law or statutory obligation. You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.
This may be the case, for example, in the field of labor law, or for organizations without privileges and immunities, if necessary to comply with an enforceable local legal obligation. In this respect, it is also important to stress that humanitarian organizations should consider whether any legal obligation to disclose data applicable to them may expose data subjects (program beneficiaries) to a risk of repression or harm, in which case they should consider not engaging in data collection in the first place.
ICRC example: In the country where a humanitarian organization operates there is a legal obligation to provide information to the social security and tax authorities about wage payments made to staff. If the organization is subject to domestic jurisdiction, this is permissible based on the legal obligation to which the organization is subject. (ICRC)
4.6 Consent
The use of consent as a legal basis means that natural person agrees to the processing of his/her data.
Informed consent is any freely given, specific and informed indication of the data subject’s agreement to the collection and processing of personal data relating to him or her. The data subject’s consent or clear affirmative action may be given either by a written statement or by an oral, audio-recorded statement. (510)
Consent is appropriate if you can offer people real choice and control over how their data will be used, and if you want to build their trust and commitment. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. (ICO)
If these conditions are respected:
- Explicit consent can legitimize the use of special categories of data (e.g. personal data, PII, sensitive data, etc.).
- Consent may also be relevant where the individual has exercised their right to restriction.
- Explicit consent can legitimize automated decision-making and overseas transfers of data.
Consent can be a very technical and context-specific matter with many legal and regulatory implications. For instance, consent in the context of academic research may be different from that in a healthcare context. Also take note that consent has a particular meaning in a legal context, which can vary across jurisdictions and across sectors (Engine Room).
5. Tools and situations
5.1 Data protection impact assessment (DPIA)
Tool and process for assessing the protection impacts on data subjects in processing their personal data and for identifying remedial actions as necessary in order to avoid or minimize such impacts. (OCHA)
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimize the data protection risks of a project. You must do a DPIA for data processing that is likely to result in a high risk to individuals. This includes some specified types of data processing.
Your DPIA must:
- Describe the nature, scope, context and purposes of the data processing;
- Assess necessity, proportionality and compliance measures;
- Identify and assess risks to individuals;
- Identify any additional measures to mitigate those risks.
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. (ICO)
5.2 Data transfer agreement (DTA)
Data transfer agreements are typically established in cases involving sensitive data (e.g. personal data on affected populations) or proprietary data (e.g. commercial satellite imagery). These agreements should clearly specify the roles and responsibilities of the different parties involved and stipulate additional restrictions or protective measures on how the data is processed and shared.
Different types of data transfer agreements will be needed depending on the type of data, the applicability of regional and national laws, and the actors involved. When transferring data, staff should observe any restrictions specified in the relevant license(s). Any licenses added to datasets or information products should remain attached to such resources throughout the data management process. (OCHA)
Note: Some organizations use the term Information Sharing Protocol (ISP):
An Information Sharing Protocol (ISP) for a humanitarian response establishes clear standards, approaches, and roles and responsibilities for information sharing across different functions and activities. Establishing this early in a crisis response can help socialize a responsible data approach in different clusters or sectors and with different partner organizations. (OCHA)
5.3 Data processing
Almost anything you do with data counts as data processing; including collecting, recording, storing, using, analyzing, combining, disclosing or deleting it. (ICO)
Data processing means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination or erasure. (ICRC)
5.4 Data protection by design and default
Data protection by design (privacy by design) is about considering data protection and privacy issues upfront in everything you do. Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. In essence this means you have to integrate or “bake in” data protection into your processing activities and business practices.
Data protection by design has broad application. Examples include:
- Developing new IT systems, services, products and processes that involve processing personal data;
- Developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- Physical design;
- Embarking on data sharing initiatives;
Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose.
It links to the fundamental data protection principles of data minimization and purpose limitation.
See also: Webinar CartONG & Ritimo on Infosobriety (in French).
You must consider things like:
- Adopting a “privacy-first” approach with any default settings of systems and applications;
- Ensuring you do not provide an illusory choice to individuals relating to the data you will process;
- Not processing additional data unless the individual decides you can;
- Ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so;
- Providing individuals with sufficient controls and options to exercise their rights. (ICO)
5.5 Data breach
The loss, destruction, alteration, acquisition, or disclosure of information caused by accidental or intentional, unlawful or otherwise unauthorized purposes, which compromise the confidentiality, integrity and/or availability of information. (OCHA)
A breach can occur when for example:
- Your laptop, mobile phone or a paper file with personal data has been lost or stolen;
- You have shared personal data with someone who is not authorized to have access to that data, for example when an email was sent to the wrong recipient;
- You inadvertently have unauthorized access to confidential information;
- You find confidential information in a place where it is not supposed to be stored;
- You open a link or an attachment associated with a suspicious email;
- Your computer or mobile phone has been hacked or infected with a virus. (510)
Note: Some organizations use the term Critical Incident:
Any event in which a risk is caused to affected people, the organization and/or partners due to inappropriate management of humanitarian data. (OCHA)
5.6 Biometrics
Techniques for measuring personal biological (anatomical or physiological), or behavioral characteristics which can be used to establish the identity of a natural person by comparing it with stored reference data.
“Biometric identifiers” (BIs) are pieces of information that encode a representation of a person’s unique human signatures (e.g. fingerprints, retinal scans or voice scans) which cannot be easily changed and can be electronically verified. (OCHA)
6. Pseudonymisation & anonymization
6.1 De-identified or pseudonymised data
Data are considered pseudonymized when personal data can no longer be attributed to a specific data subject without the use of additional information, such as a registration/identification code (provided that such a code is kept separately and securely). Using and sharing identification codes instead of names is a good practice, but the data cannot be considered anonymized, since identification remains possible.
De-identified or pseudonymized data are still personal data (because there is still a risk that it can be linked back to the individual) and can still cause harm to individuals and their communities, especially when the data is highly sensitive. (ACF/MSF)
6.2 Re-identification
Process by which de-identified data becomes re-identifiable again and thus can be traced back or linked to an individual(s) or group(s) of individuals through reasonably available means at the time of data re-identification (e.g. through the use of data matching or similar techniques). It can be very difficult to assess the risk of re-identification with absolute certainty. (OCHA/ICRC)
6.3 Anonymized or anonymous data
Anonymous or anonymized data are data set(s) that do not include any information allowing direct or indirect identification of an individual (and there is no reasonable basis to believe it could).
Anonymous and anonymized data can still cause harm to individuals and their communities, for example when it is highly sensitive.
Anonymization encompasses techniques that can be used to ensure that data sets containing personal data are fully and irreversibly anonymized so that they do not relate to an identified or identifiable natural person, or that the data subject is not or no longer identifiable.
6.4 Aggregated data
When aggregating data, i.e. when clustering information based on a given criterion from personal data, it’s important to ensure that the processing, sharing, and/or publication of such data do not lead to the identification of individuals and do not present risks to data subjects.
Although specific consent from data subjects is not required for their personal data to be used in aggregate data sets or statistics, humanitarian organizations should ensure that such data processing has another legitimate basis, and does not expose individuals or groups to harm, or otherwise jeopardize their protection. (ACF/ICRC)
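The distinction drawn in 6.1, 6.2 and 6.4 above, as an added worked example (not code from the toolbox or any of the organizations it cites): direct identifiers are replaced by a keyed code, the code-to-name lookup table is the “additional information” that must be held separately, re-identification is simply a join against that table, and a per-village count with small cells left in still singles people out unless those cells are suppressed. The records, the key and the threshold k are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed, fictitious beneficiary records (names, villages and statuses are invented).
RECORDS = [
    {"name": "Amina K.",  "village": "Kole",  "age_group": "18-35", "hiv_status": "positive"},
    {"name": "Bakary D.", "village": "Kole",  "age_group": "36-60", "hiv_status": "negative"},
    {"name": "Chidi O.",  "village": "Kole",  "age_group": "18-35", "hiv_status": "negative"},
    {"name": "Dalia M.",  "village": "Kole",  "age_group": "18-35", "hiv_status": "negative"},
    {"name": "Esther T.", "village": "Kole",  "age_group": "18-35", "hiv_status": "negative"},
    {"name": "Farid N.",  "village": "Sanga", "age_group": "36-60", "hiv_status": "positive"},
    {"name": "Grace W.",  "village": "Sanga", "age_group": "18-35", "hiv_status": "negative"},
]

# Fields treated as direct identifiers (PII) in this example.
DIRECT_IDENTIFIERS = {"name"}


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed code (HMAC-SHA256 over the name).

    Returns (pseudonymised records, lookup table). The lookup table, together with
    the key, is the 'additional information' that re-enables identification; it is
    meant to be stored separately from the pseudonymised records.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        code = hmac.new(key, rec["name"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[code] = rec["name"]
        # Keep every non-identifying field; the sensitive fields (health status) remain.
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"subject_code": code, **rest})
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Join pseudonymised records back to names: possible whenever the lookup table leaks."""
    return [
        {"name": lookup[r["subject_code"]], **{k: v for k, v in r.items() if k != "subject_code"}}
        for r in pseudonymised
    ]


def aggregate(records, by, k=3):
    """Count records per combination of the `by` fields, suppressing cells below k.

    A cell of size 1 or 2 (e.g. 'Sanga, positive: 1') still points at an individual,
    so such cells are reported as None rather than published.
    """
    counts = Counter(tuple(r[f] for f in by) for r in records)
    return {cell: (n if n >= k else None) for cell, n in counts.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separately"
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo[0])
    print("re-identified:", reidentify(pseudo, lookup)[0])
    print("aggregate:", aggregate(pseudo, ("village", "hiv_status"), k=3))
```

Note that the pseudonymised dataset still carries `hiv_status`, so it remains sensitive personal data in its own right; suppressing small cells in the aggregate is what stops the published table from revealing which of the two Sanga records is the positive one.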