5.1 Analysis of potential risks and harms

TABLE OF CONTENTS

• 5.1.1 Key terms to master
  • i. What is a threat?
  • ii. What is harm?
  • iii. What is a risk?
  • iv. DPIA
• 5.1.2 Managing data protection risks
• 5.1.3 DPIA Examples
• 5.1.4 Cases where a DPIA is mandatory
• 5.1.5 To go further
• 5.1.6 What to do in case of personal data breaches

---

Humanitarian Aid and International Development actors – and particularly humanitarian NGOs – process a lot of personal and sensitive data in the context of their interventions. Responsibly managing the data of affected populations, by collecting the minimum amount and protecting them, is simply a way to respect the “Do not harm” principle applied to the digital context in which NGOs work today.

However, to be able to ensure that the processing of data carried out will not have harmful consequences on the affected populations, it is of the utmost importance to perform a risk assessment (generally called DPIA, or Data Protection Impact Assessment), which will help you identify and minimize a project’s data protection risks.

5.1.1 Key terms to master

There are certain terms from the field of personal data protection that must be known and mastered before carrying out a risk assessment in data protection: such as a threat, causing harm, a risk, and a DPIA.

i. What is a threat?

In the field of personal or sensitive data protection, “threats are anything can cause harm, either intentionally or unintentionally.” (Source: the TDH Data Protection Starter Kit).

Threats may include:

• Unjustifiable or excessive data collection. For instance: collecting data on a couple’s marital status for a child nutrition project.
• Inappropriate use of data
  • Unreasonable use. For instance: using data to target assistance by marital status rather than by needs.
  • Unauthorised use. For instance: affected populations gave NGO staff their consent for photos of their children to be taken during registration. These photos are now being used for a marketing campaign without the explicit consent of either parents or children.
  • Storage or use of inaccurate or outdated data. For instance: some children are not eligible for assistance due to their age not having been correctly entered into the database.
• Security issues
  • Data loss. For instance: loss of a USB key or hardware failure of a drive containing data.
  • Data theft. Lost data is accidentally put into the wrong hands or data is copied or stolen for criminal purposes.
  • Unjustified access, transfer, sharing or publication of data. Data is in the hands of unauthorised persons. However, there is no criminal intent as in the case of stolen data. For instance: data is sent via email to people who should not have access to it, or a password is revealed to too many people.

ii. What is harm?

Harm is the negative consequence(s) that the manipulation of data - including any denial of fundamental rights and freedoms - can have on data subject(s) or organisations.

Most common harms:

• Tangible harm: bodily injury, loss of freedom of movement, harm to a person or property, and other material or bodily harm.
• Psychological harm: discomfort, anxiety, trauma, feelings of insecurity and other psychological harm.
• Social harms: discrimination, stigma, loss of trust, judicial persecution and other social harms.
• Economic harm: financial losses, deterioration of economic prospects and other economic harm.

For example: being stigmatized by one’s neighbour is a form of social harm. Being a victim of physical violence is tangible harm. Being driven out of your village constitutes a form of tangible (loss of your home), economic (loss of property and probably economic prospects) and social harm.

Examples of harms in humanitarian interventions from the CartONG/Tdh Data Protection Starter :

iii. What is a risk?

“Risks are at the intersection of harm and threat. They describe the likelihood and impact of a harmful event taking place” (Source: The TDH Data Protection Starter Kit).

To illustrate what a risk is, if one takes the last harm mentioned above, the risk of indicting men will be much more likely in a country hostile to homosexuality.

iv. DPIA

To help manage these risks and “develop data processing types respectful of privacy”, a tool exists called Data Protection Impact Assessment, or DPIA. It is a process to help you identify and minimize the data protection risks of a project.

Your DPIA must (See section 2.1 of the toolbox):

• Describe the nature, scope, context and purposes of the data processing,
• Assess necessity, proportionality and compliance measures,
• Identify and assess risks to individuals,
• Identify any additional measures to mitigate those risks.

5.1.2 Managing data protection risks

Now that you have mastered the above terms, you will understand that to avoid the risks of violating the privacy and rights of populations, generalizing risk assessments is essential.

For additional insights, the capsule below will provide elements for reflection that may allow you to understand the different dimensions to consider in your risk assessment.

5.1.3 DPIA Examples

Here are concrete examples of DPIAs used by some NGOs that you can download and adapt:

This excel includes:

• Risk Analysis (DPIA): first descriptive part, tool used by Handicap International/Humanity and Inclusion,
• Risk Analysis (DPIA): second part on risk assessment,
• Risk assessment medium.

Please note: a DPIA is a tool that adapts to suit the different areas of intervention because the risks are not identical from one context to another.

In the very sensitive field of cash or cash-based interventions, the CALP Network has a number of tools that can help you. For instance:

• the protection risks and benefits analysis tool.
• the Practical Guidance for Data Protection in Cash and Voucher Assistance developed by the IFRC.

5.1.4 Cases where a DPIA is mandatory

The French CNIL has established a list of data processing for which a DPIA is mandatory, from which we have compiled an extract relevant to the international solidarity sector:

• assessment/scoring (including profiling),
• processing involving the profiling of persons, which may lead to their exclusion from the benefit of a contract or to the suspension or termination of said contract,
• collection of sensitive data or highly personal data,
• large-scale collection of personal data,
• cross-referencing data,
• vulnerable people (patients, elderly, children, etc.),
• innovative use (use of a new technology),
• processing aimed at providing social or medico-social support to people,
• processing of biometric data for the purpose of uniquely identifying a natural person, including so-called “vulnerable” persons.

Given current NGO programmes, we can summarise by outlining that the vast majority of data collection and processing cases carried out by industry actors require some form of DPIA. Donors moreover sometimes request a DPIA be undertaken, as is the case with ECHO for instance.

It is all the more essential as consent should no longer be the lawful basis for collecting widely used by NGOs given the balance of power in which they inevitably are (as seen in Section 3.1, part 1.3 on legal bases). This means that, without consent, NGOs have an even greater responsibility for data, and therefore need to carry out an even more thorough risk analysis.

In any case, the energy derived from the DPIA will of course be determined based on the operational context (a training program in Senegal will not require the same depth of analysis as a cash program in a civil war context, with numerous armed groups).

5.1.5 To go further

The CNIL has implemented a DPIA model. To guide the process, several guidelines regarding the methodology and knowledge bases are available on its website, which proposes the following methodology:

• Delimit and describe the context of the processing(s) considered,
• Analyse measures to ensure compliance with the fundamental principles: proportionality and necessity of processing, and the protection of the rights of data subjects,
• Assess the privacy risks related to data security and verify that they are adequately addressed,
• Formalise the validation of the AIP (DPIA software) in the light of the above elements or decide to revise the previous steps.

5.1.6 What to do in case of personal data breaches

A data breach means a breach of security resulting in the destruction, loss, alteration, disclosure or unauthorised access to data, either accidentally or illegally. This includes violations that result from accidental and deliberate causes. This also means that a breach is not limited to the loss of personal data.

The severity and consequences of any data breach will depend on the nature and use of the data, ranging from inconsequential to endangering the lives of the data subjects.

Examples of personal and sensitive data breaches include:

• data to which an unauthorised stakeholder has access (e.g., a former employee still has access to the organisation’s databases, or servers are hacked in order to copy lists of affected populations),
• deliberate or accidental actions (or inactions) of a stakeholder (e.g., confidential documents are forgotten in the printer or in the home of a respondent),
• sending personal data to an incorrect recipient by e-mail (e.g., by clicking on “reply to all”),
• the loss or theft of computer peripherals containing personal data (e.g., an investigation database copied to a USB stick is lost),
• modification of personal data without authorisation (ex: by mistake, a staff member deletes the contents of a sensitive file, which was not protected by a password), and/or,
• loss of access or availability of data.

Recommendations to implement in the event of a data breach:

• Notify the breach:
  • What?
    • The nature of the breach,
    • The type and number of data subjects,
    • The consequences on the privacy of the data subjects and/or at the organisational level,
    • The measures taken to address these and mitigate the risks.
  • To whom?
    • the data subjects, regarding which data exactly has been corrupted and in particular with respect to its consequences/risks for them. Please note: it is important to communicate in accessible terms (and think about vocabulary, issues, language, etc.), to ensure understanding of the impact of the breach of populations on their privacy,
    • your organisation’s DPO, who will guide you through the process,
    • the organisation responsible for processing (data controller) if it is the processor who discovers the breach,
    • the partners and donors concerned,
    • the NGO’s supervisory authority (in France it is the CNIL for example) and that of the country of intervention if there is one (link to find the supervisory authority of another EU country/ in the United Kingdom it is the ICO), within 72 hours of becoming aware if you are in a context regulated by the GDPR,
    • in a public manner if necessary, for example if the breach affects a large number of people.
• Implement technical or organisational measures to mitigate risks to the rights of data subjects.

It should be noted that it is best for some of these measures to have been set up at the start of the collection project - such as creating mechanisms to deal with complaints and feedback, or involving communities from the design of projects via monitoring mechanisms (Source: protection risks and benefits analysis tool, ERC). In other cases, the measures can be implemented following the breach (pause in activities, re-securing systems, discussions with communities or people who have had access to the data, etc.).

• Learn from the personal data breach, its context and gravity, and where possible, take preventive measures to prevent the situation from recurring.

We can only praise the ICRC’s response to the massive cyber-attack of which it was the target in 2022. Strong communication was established following the attack, in order to inform all those concerned by the data breach, as a principle of transparency. However, the impact on the activities was extensive (some activities were paused for several weeks). This communication campaign helped to bring awareness once more to the humanitarian sector on the existing data protection risks.