UNHCR
Part three: Delivering Better

Towards Enhanced Data Responsibility in Humanitarian Action

Mogadishu, Somalia

An internally displaced Somali woman holds her registration card while waiting for humanitarian supplies that were flown to Mogadishu. UNCHR/Siegfried Modola

Data responsibility in humanitarian action is the safe, ethical and effective management of personal and non-personal data for operational response. It is a critical issue for the humanitarian system to address, and the stakes are high. 

Data is an important component of humanitarian response. Data management relating to crisis contexts, affected people and humanitarian operations allows the humanitarian community to respond more effectively and efficiently. However, as organizations manage increasingly large volumes of data, they also face more complex challenges and risks. 

Irresponsible data management in humanitarian response can place already vulnerable people and communities at greater risk of harm or exploitation and expose key vulnerabilities. This is of particular concern when humanitarian actors handle sensitive data — data that is likely to lead to harm when exposed.  

Personal and non-personal data can be sensitive in humanitarian action. While the humanitarian system has a common understanding regarding the sensitivity of personal data, determining the sensitivity of non-personal data is more complex. For example, data on the locations of medical facilities in conflict settings can expose patients and staff to risk, whereas this information is typically less sensitive in natural disaster response settings. 

Therefore, it is critical that the humanitarian system addresses data responsibility — including data protection, data privacy and cybersecurity — in humanitarian action. Data responsibility can also be a powerful enabler of trust, ensuring that data is treated in a principled manner, kept confidential and used solely for humanitarian purposes.  

In recent years, humanitarian actors have developed principles, policies and strategies for data responsibility. These include system-wide guidance, such as the  IASC Operational Guidance on Data Responsibility in Humanitarian Action. Other global strategies and policies also guide data management within the UN system, such as the UN Secretary-General’s Roadmap for Digital Cooperation, the Strategy of the UN Secretary-General for Action by Everyone, Everywhere (2020-2022) and the OCHA Data Responsibility Guidelines. 

Despite considerable progress, gaps remain between global frameworks and their practical application in field operations. Technological and policy solutions are needed that can safely secure humanitarian data against cyber operations, enable partnerships with private sector vendors, and ultimately secure a neutral, impartial and independent humanitarian cyberspace. 

Increasing Cyber Threats Call for Scaled-Up Investment in Data Responsibility in Humanitarian Action

Proliferating offensive cyber operations have ‘potentially devastating’ humanitarian consequences if they disrupt critical infrastructure that supports essential public services, such as medical facilities, financial services, energy, water, transport and sanitation. This was noted by the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security.

Over the past decade, humanitarian organizations have increasingly been exposed to adverse cyber activity that has grown in sophistication and scale. Save the Children and Human Rights Watch experienced data theft as part of the 2020 Blackbaud hack, a ransomware attack that likely went undetected for several months. The United States Agency for International Development (USAID), Catholic Relief Services and over 150 organizations were affected by the 2021 USAID-Nobelium hack, which may have compromised beneficiary information and staff data.

Many humanitarian organizations struggle to diagnose when a cyberoperation has occurred against them, and they may lack basic cybersecurity standards. HRP contexts are among those least prepared for cybersecurity threats, according to the Global Cybersecurity Index of the UN’s International Telecommunication Union. Growing nation State cyber militarization, increased use of cyber operations by non-State actors, and evolving and sophisticated cyber capabilities present a grave threat to people affected by and working in humanitarian crises.

Addressing data responsibility, including data protection, data privacy and cyber security, in humanitarian action is therefore critical for the humanitarian system. It can also be a powerful enabler of trust, ensuring that data is treated in a principled manner, kept confidential and used solely for humanitarian purposes.

Since 2020, principles, policies and strategies have been developed for data responsibility in humanitarian action. These include system-wide guidance, such as the IASC Operational Guidance on Data Responsibility in Humanitarian Action, as well as global strategies and policies to guide data management within the UN system, such as the UN Secretary-General’s Roadmap for Digital Cooperation, the Data Strategy of the UN Secretary General for Action by Everyone, Everywhere (2020-2022), and the OCHA Data Responsibility Guidelines.

Despite considerable progress, gaps remain between global frameworks and their practical application in field operations. Technological and policy solutions are needed that can safely secure humanitarian data against cyber operations, enable partnerships with private sector vendors, and ultimately secure a neutral, impartial and independent humanitarian cyberspace.

Further reading

References

  1. See the Information Sharing Protocol template for more information on how to develop a data and information sensitivity classification.
  2. United Nations General Assembly, Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, Final Substantive Report, 10 March 2021 (A/AC.290/2021/CRP.2).
  3. UN Chronicle, Fighting the Industrialization of Cyber Crime.
  4. The New Humanitarian, Dozens of NGOs Hit by Hack on US Fundraising Database, 4 August 2020.
  5. CNBC, Russian hackers launch major cyberattack through U.S. aid agency’s email system, Microsoft says, 28 May 2021.
  6. Devex, USAID hack is 'wakeup call' for aid industry on cybersecurity, 4 June 2021.
  7. International Telecommunications Union, Global Cybersecurity Index (GCI) 2018, 2019. The GCI scores cybersecurity commitment along five pillars of preparedness including legal, technical, organizational, capacity-building and cooperation measures.
  8. The Atlantic Council, A primer on the proliferation of offensive cyber capabilities, 1 March 2021; Inter-Agency Standing Committee, IASC Operational Guidance on Data Responsibility in Humanitarian Action, 3 February 2021.
  9. United Nations, Data Strategy of the UN Secretary General for Action by Everyone, Everywhere, 2020-2022, May 2020.