Data Insecurity: Refugee Protection in Light of Emerging Technologies
The use of biometrics by humanitarian agencies is quietly nearing its thirteenth birthday. As one of the first adopters of this technology, the UN High Commissioner for Refugees (UNHCR) has increasingly used biometric data collection technology, which includes fingerprinting, iris scanning, and facial recognition software, since 2002. According to the UNHCR, this technology is a tool to prevent and deter fraud while ensuring faster and more accurate registration of refugees. Because humanitarian agencies must learn and record names, addresses, and family and tribal information to ensure an individual qualifies for refugee status and to accurately distribute benefits, the collection of this potentially sensitive data is a key element of the humanitarian aid methodology. Moreover, UNHCR argues that identity verification is not just a procedural necessity, but also “a matter of human dignity.” However, the massive scale of data collection combined with new technologies that may be vulnerable to hacking and other forms of security breach pose a critical challenge to humanitarian agencies seeking to ensure the privacy, security, and physical safety of the populations they serve.
The basis of the right to privacy and data protection is found in international human rights law. The right to protection from arbitrary interference with one’s privacy is guaranteed by Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights. Data protections specifically arose with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data implemented by the Council of Europe in 1981, the United Nations General Assembly’s Guidelines for the Regulation of Computerized Personal Data Files adopted in 1990, and the e-Privacy Directive of the European Parliament issued in 2002, which all guaranteed the right of all individuals to privacy and security in the processing of their data. No attempt was made however, to address the unique security issues faced by humanitarian aid agencies in their collection of refugee and asylum-seeker data
The body of international law that applies to the unique circumstances and concerns of refugees is based on the 1951 Refugee Convention. This Convention defines refugees as people with a “well-founded fear of being persecuted for reasons of race, religion, nationality, membership of a particular social group or political opinion.” Because of the unique vulnerabilities of refugees, UNHCR has supported increased protection of refugee data held by humanitarian agencies, noting that the “confidentiality of data is particularly important for refugees and other people in need of international protection, as there is a danger that agents of persecution or rights violations may ultimately gain access to such information, potentially exposing a refugee to danger even in his/her asylum country.”
If accessed by unfriendly governments, data on refugees and other asylum-seekers, could pose a serious threat to the safety of those refugees. The danger of persecution, discrimination, and violence is twofold: it may result from the extraterritorial reach of state actors from refugees’ countries of origin, or in the case of failed asylum-seekers, there may be serious consequences at the hands of the state upon their return to their country of origin. Further, even in the country of asylum, data leaks may increase the risk that refugees will be targets for discrimination and harassment by the population of host countries, due to racist, ethnic, and economic tensions that position them as an unwelcome monetary and administrative burden on the host state.
However, even the most vigilant and technically secure agency may be required to share refugee data with host and possible resettlement states, as well as with third parties and affiliates who carry out some of the organization’s operations. These states and third parties may have less secure or scrupulous methods of data processing, and sensitive personal data is therefore once again subject to intentional or accidental breach. This exemplifies the serious need for comprehensive policies that govern humanitarian data processing.
Some organizations have attempted to address this need through the implementation of internal policies, but data protections dictating organizational conduct are still the exception, rather than the rule. One of the first and only efforts at ensuring data security was undertaken by the International Organization for Migration in 2010 through the creation of its Data Protection Manual, which details mandatory procedures for oversight, training, and compliance in data protection. Other organizations have not been as thorough. The International Committee of the Red Cross revised its Professional Standards for Protection Work guidelines in 2013 to specifically address the need for standards on managing sensitive information, with special attention paid to the “risks to information sources and other conflict-affected populations arising from the public sharing of information.” However, while these standards are intended as a minimum standard for protection work, they lack a method for enforcement or accountability.
In 2014, the UN Office for the Coordination of Humanitarian Affairs (OCHA) published a policy paper on “Humanitarianism in the Age of Cyber-warfare: Towards the Principled and Secure Use of Information in Humanitarian Emergencies,” which increases awareness of the need for data security and encouraged organizations to “adopt codes of conduct and operational procedures for the ethical and principled use of information, in particular personal data, at the organizational level, and consider adopting universal guidelines for the use of information in humanitarian crisis.” This set the stage for the creation of the UNHCR “Policy on the Protection of Personal Data of Persons of Concern to UNHCR.” This policy, though it only applies directly to the UNHCR and its affiliates, is likely to have an influence on the data processing methods and procedures of other humanitarian organizations. By creating a framework of rights, obligations, and procedures surrounding the collection and processing of personal data, the UNHCR has made a significant step towards patching the data protection gap. The policy specifically defines “personal data,” the main focus of its protection, to include biometric data, defined as “personal biological (anatomical or physiological) or behavioural characteristics which can be used to establish a person’s identity by comparing it with stored reference data.” Furthermore, persons of concern, including refugees, asylum-seekers, stateless persons, internally displaced persons, and returnees, are guaranteed a right to privacy regarding the data collected by UNHCR, and they are also given the right to access and object to collected data. These relatively simple rights add an additional layer of security in the data collection process by giving refugees more access to and control over their information after it has been recorded by agencies.
Most importantly for the issue of privacy and data security, the UNHCR data protection policy outlines proper methods for collection, storage, and sharing of personal data, and assigns obligations and responsibilities for ensuring data protection to existing agency staff through a structure of data processors, data controllers, and data protection focal points. This accountability mechanism, with its specific and clearly delineated duties and obligations, has the potential to ensure accountability and supervision in data processing and is a promising development in the protection of refugees from dangerous lapses in data security. However, due to the relative newness of the policy, its success or failure in implementation remains to be seen.
While it is a positive step, the UNHCR’s implementation of a data protection policy is by no means a full solution to the problem of data insecurity. First, the reality of humanitarian efforts, explicitly acknowledged by the UNHCR data policy, is that such organizations can only operate with the consent of the state, which may require organizations to share collected data with the government as a condition of operation. The policy is notably vague on which implementing parties and third parties may access data, and does not address what restrictions apply to third party data access. The policy outlines general principles, including the requirement that the processing of personal data be “necessary and proportionate to the purpose(s) for which it is being processed. Therefore, data that is processed should be adequate and relevant to the identified purpose, and not exceed that purpose.” But the proportionality and confidentiality requirements apply only to UNHCR personnel, which may allow third parties with data access to share that data in potentially indiscriminate ways. These gaps in the policy leave sensitive data open to breach, and put the safety and security of refugees at risk.
Since the UNHCR data policy is a new instrument, its effectiveness in practice remains to be seen. It is clearly a major step forward in the field of humanitarian data collection and protection, and will hopefully ensure data security for vulnerable populations. But there is a need for continued vigilance on the part of the UNHCR and other humanitarian organizations and practitioners regarding data security so that security policies and ever-evolving technologies in the humanitarian context serve to protect, and not endanger, refugee populations. As such, effective data policies and improved data security measures are needed to allow for increased efficiency of humanitarian agencies without sacrificing the safety, security, and privacy of the people these agencies serve.
Kate Akkaya is the Legal Research Assistant for the Advanced Training Program on Humanitarian Action. She is currently in her second year at Northeastern University School of Law and holds a BA in International Affairs from Northeastern University, with minors in History and Middle Eastern Studies. She has previously worked with the NuLawLab on access to justice initiatives, and has also studied and conducted research in Turkey and Armenia with a focus on human rights, humanitarian, and conflict law.