Data Privacy Day: Taking a closer look at Data Protection in humanitarian contexts

28 January 2025



January 28th marks the Data Privacy Day (also known as Data Protection Day) in various countries. This date spots the anniversary of the 1981 Convention 108, the first international treaty on data protection. The day is now recognized globally, encouraging individuals and organizations to prioritize privacy and secure personal data.

In today's digital age, personal data has become the new currency, with organizations worldwide collecting, processing, and storing unprecedented amounts of personal information. The growing frequency of data breaches and privacy violations has raised global concerns about how personal data is protected and used. For humanitarian organizations, these concerns take on an even greater significance. In January 2022, a devastating cyber attack exposed the vulnerability of humanitarian data when hackers breached the International Committee of the Red Cross (ICRC) servers, compromising sensitive personal data of over 500,000 aid recipients. The attack, which had begun several months earlier in November 2021, highlighted an alarming pattern of cybercriminals increasingly targeting humanitarian organizations and the vulnerable populations they serve.

Working with some of the world's most vulnerable populations, these organizations must balance their crucial need to collect personal data for aid delivery with the paramount responsibility of protecting this sensitive information from misuse or exploitation.


Why is Data Privacy important for humanitarian organizations?

Humanitarian organizations are entrusted with a wealth of personal and sensitive data – from biometric data for aid distribution to medical histories and family details. Sensitive data is a double-edged sword. On one hand, they’re important for providing life-saving assistance, but on the other hand for those fleeing conflict, recovering from natural disasters, or navigating public health crises, the misuse of their data might lead to exploitation, persecution, or discrimination of already vulnerable population.


Personal data in humanitarian contexts isn’t just about privacy, it’s about protecting lives, upholding human dignity, and ensuring that the fundamental “do not harm” principle is respected. The ability to protect personal data links directly to trust between humanitarian organizations and the people they serve. When affected populations lose confidence in an organization's ability to protect their information, they may withhold critical details or avoid seeking assistance altogether. This reluctance can severely hamper aid delivery and create dangerous gaps in humanitarian response. The erosion of trust or breakdown in trust between humanitarian organizations and the communities they serve might undermine years of humanitarian efforts.

iMMAP Inc. has implemented a comprehensive data framework including data protection policies, manuals and guidelines that protects and safeguards the data that is collected. In collaboration with its country offices, iMMAP takes an approach to data collection by ensuring that only the minimum necessary data is gathered. This ensures that the data remains relevant, accurate and secure. In addition, we only collect data for specific and legitimate purposes and ensures that data is not processed in a way that is incompatible with those purposes. Among others, within the organization, the staff take all reasonable steps to ensure that the data is kept secure and protected from unauthorized access, alternation, loss or destruction.



Data Privacy challenges in humanitarian efforts

As humanitarian organizations increasingly digitize their operations and share data to improve aid effectiveness, they encounter complex privacy challenges that could jeopardize the safety of vulnerable populations.

Two significant risks that emerge from this digital transformation are data revelation and mosaicking. Data revelation occurs when combining multiple datasets or images (often from different sources or sensors) to create a single, unified view. Mosaicking refers to the unintended exposure of personal or sensitive information that might occur when datasets from different sources are combined. This process can unintentionally expose personal information that was not initially apparent. Even when data is de-identified, merging different data sets can reveal new details about individuals or groups, potentially leading to discrimination, targeting, or exploitation.



Another critical risk is the exposure of vulnerable individuals to harm. When humanitarian data is shared, the unintentional exposure of personal information can compromise the safety of those being helped. For instance, disclosing the location of displaced persons or the type of assistance they are receiving may make them targets for violence or exploitation.

In addition, many organizations face the risk of inadequate data security and protection. As humanitarian organizations increasingly rely on open data and collaborative sharing of information, the threat of data breaches rises. Many organizations working in conflict zones may not have the resources or capacity to protect sensitive data, and if security protocols are inconsistent or insufficient, it could lead to unintended leaks of confidential information.

Organizations also grapple with data overload and fragmentation. The vast amount of data collected by humanitarian agencies can create challenges in managing, storing, and securing it effectively. When data is spread across multiple platforms or siloed in different systems, the risk of errors, confusion, and security gaps increases.


Best practices for Data Protection in Humanitarian Organizations

To address growing data privacy challenges, humanitarian organizations focus on three essential practices. First, strong data governance frameworks serve as the foundation, with organizations implementing privacy impact assessments, incident response plans, and clear protocols for data collection and deletion. These frameworks are supported by dedicated data protection officers and committees ensuring consistent application of privacy policies across all operations. The ICRC's Handbook on Data Protection in Humanitarian Action serves as a cornerstone guide for implementing these governance structures.

Second, training and awareness programs ensure staff at all levels understand how to protect sensitive information. Humanitarian organizations need to invest in regular training to help staff understand the best practices for handling data, recognize potential risks, and apply these practices throughout the data lifecycle. Additionally, organizations must work closely with affected communities to better understand and address their specific data protection needs, fostering trust and transparency.

Third and final, transform your approach on personal data sharing, implementing strict 'need-to-know' principles and formal data sharing agreements. These agreements specify data use, protection requirements, and deletion schedules, while secure platforms and encryption protocols safeguard sensitive information throughout the humanitarian response cycle.