Towards Enhanced Data Responsibility in Humanitarian Action

Part three: Delivering Better

Mogadishu, Somalia

An internally displaced Somali woman holds her registration card while waiting for humanitarian supplies that were flown to Mogadishu. UNCHR/Siegfried Modola

Data responsibility in humanitarian action is the safe, ethical and effective management of personal and non-personal data for operational response. It is a critical issue for the humanitarian system to address, and the stakes are high. 

Data is an important component of humanitarian response. Data management relating to crisis contexts, affected people and humanitarian operations allows the humanitarian community to respond more effectively and efficiently. However, as organizations manage increasingly large volumes of data, they also face more complex challenges and risks. 

Irresponsible data management in humanitarian response can place already vulnerable people and communities at greater risk of harm or exploitation and expose key vulnerabilities. This is of particular concern when humanitarian actors handle sensitive data¹ — data that is likely to lead to harm when exposed.  

Personal and non-personal data can be sensitive in humanitarian action. While the humanitarian system has a common understanding regarding the sensitivity of personal data, determining the sensitivity of non-personal data is more complex. For example, data on the locations of medical facilities in conflict settings can expose patients and staff to risk, whereas this information is typically less sensitive in natural disaster response settings. 

Humanitarian Guidance and Mechanisms

IASC Operational Guidance on Data Responsibility in Humanitarian Action

In February 2021, the IASC launched its Operational Guidance on Data Responsibility in Humanitarian Action — the first-ever system-wide guidance to ensure data responsibility in all phases of humanitarian action. It provides concrete guidance on how to maximize the benefits of data for humanitarian action while avoiding harm to already vulnerable populations. More than 250 stakeholders from the humanitarian sector were involved in developing the guidance.

In the picture, a woman from Vanuatu shows her card from the Unblocked Cash programme implemented by Oxfam and the Vanuatu Resilience Business Council (VBRC) in the aftermath of Tropical Cyclone Harold.

OXFAM/Arlene Bax

Therefore, it is critical that the humanitarian system addresses data responsibility — including data protection, data privacy and cybersecurity — in humanitarian action. Data responsibility can also be a powerful enabler of trust, ensuring that data is treated in a principled manner, kept confidential and used solely for humanitarian purposes.  

In recent years, humanitarian actors have developed principles, policies and strategies for data responsibility. These include system-wide guidance, such as the  IASC Operational Guidance on Data Responsibility in Humanitarian Action. Other global strategies and policies also guide data management within the UN system, such as the UN Secretary-General’s Roadmap for Digital Cooperation, the Strategy of the UN Secretary-General for Action by Everyone, Everywhere (2020-2022) and the OCHA Data Responsibility Guidelines. 

Despite considerable progress, gaps remain between global frameworks and their practical application in field operations. Technological and policy solutions are needed that can safely secure humanitarian data against cyber operations, enable partnerships with private sector vendors, and ultimately secure a neutral, impartial and independent humanitarian cyberspace. 

Increasing Cyber Threats Call for Scaled-Up Investment in Data Responsibility in Humanitarian Action 

Proliferating offensive cyber operations have ‘potentially devastating’ humanitarian consequences if they disrupt critical infrastructure that supports essential public services, such as medical facilities, financial services, energy, water, transport and sanitation. This was noted by the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security.²

Over the past decade, humanitarian organizations have increasingly been exposed to adverse cyber activity that has grown in sophistication and scale.³ Save the Children and Human Rights Watch experienced data theft as part of the 2020 Blackbaud hack,⁴ a ransomware attack that likely went undetected for several months. The United States Agency for International Development (USAID), Catholic Relief Services and over 150 organizations were affected by the 2021 USAID-Nobelium hack, which may have compromised beneficiary information and staff data.⁵

Many humanitarian organizations struggle to diagnose when a cyberoperation has occurred against them, and they may lack basic cybersecurity standards.⁶ HRP contexts are among those least prepared for cybersecurity threats, according to the Global Cybersecurity Index of the UN’s International Telecommunication Union.⁷ Growing nation State cyber militarization, increased use of cyber operations by non-State actors, and evolving and sophisticated cyber capabilities present a grave threat to people affected by and working in humanitarian crises.⁸

Humanitarian Guidance and Mechanisms

OCHA Data Responsibility Guidelines

The OCHA Data Responsibility Guidelines offer a set of principles, processes and tools to support OCHA’s data work. They also address how OCHA should implement the IASC Operational Guidance on Data Responsibility in Humanitarian Action. The guidelines are informed by research and field testing conducted over the past several years. This includes OCHA offices in 10 operational contexts piloting a working draft of the guidelines in 2019 and 2020.  Several OCHA offices have already adopted important aspects of the guidelines. In Iraq, OCHA worked with the Assessment Working Group to incorporate data responsibility actions into the Multi-Cluster Needs Assessment process. In Somalia, OCHA worked with the HCT to agree on an Information Sharing Protocol, which includes a data and information sensitivity classification for data generated about the crisis. In Cameroon, OCHA and its partners developed two different Information Sharing Protocols for the responses in the country’s Far North and north-west/south-west regions. OCHA’s Centre for Humanitarian Data supports OCHA offices with adopting the guidelines through advisory services, support missions, trainings, templates and tools. For more information on how OCHA supports data responsibility, visit the Centre’s website. 

In the picture, a humanitarian worker conducts an assessment at the Al Sha'ab IDPs collective center in Aden, Yemen.

OCHA/Matteo Minasi

Addressing data responsibility, including data protection, data privacy and cyber security, in humanitarian action is therefore critical for the humanitarian system. It can also be a powerful enabler of trust, ensuring that data is treated in a principled manner, kept confidential and used solely for humanitarian purposes.

Since 2020, principles, policies and strategies have been developed for data responsibility in humanitarian action. These include system-wide guidance, such as the IASC Operational Guidance on Data Responsibility in Humanitarian Action, as well as global strategies and policies to guide data management within the UN system, such as the UN Secretary-General’s Roadmap for Digital Cooperation, the Data Strategy of the UN Secretary General for Action by Everyone, Everywhere (2020-2022),⁹ and the OCHA Data Responsibility Guidelines.

Despite considerable progress, gaps remain between global frameworks and their practical application in field operations. Technological and policy solutions are needed that can safely secure humanitarian data against cyber operations, enable partnerships with private sector vendors, and ultimately secure a neutral, impartial and independent humanitarian cyberspace.