Tips on navigating the digital humanitarian space

But the arrival of technical tools often outpaces organisations’ abilities to adapt, leaving aid groups scrambling to catch up as they try to avoid personal information falling into the wrong hands.

The ICRC hopes to help humanitarians better use and manage new technologies with the second edition of its Handbook on Data Protection in Humanitarian Action. A series of online panels last week marked the launch of the book, with the aim of raising awareness of new technologies and the need for beefed-up data protection.

Why it matters now. The new handbook, which updates the original July 2017 edition, has been two years in the making. “The idea was to add new technologies [to the handbook] that have become even more important,” Philippe Stoll, head of communication policy and support at the ICRC, told Geneva Solutions in a phone conversation. Those technologies include blockchain, digital identity and biometrics, connectivity as aid, artificial intelligence, and social media, he added. But the update could not include everything. Changes brought about by the pandemic, such as the increased use of contact-tracing apps, are not reflected. As Stoll explained: “We had no clue that contact-tracing apps will be used… for a crisis. We were aware of it, but we were not sure that this would be important. And obviously, it was too late to add it in the handbook.”

Navigating the digital humanitarian space. Since the 2016 European Union General Data Protection Regulation (GDPR) came into effect, humanitarians must comply with data protection principles, including issues such as anonymisation, aggregation, and the right to erasure. The challenge for humanitarians – and many others – has been figuring out how to do that, Stoll noted.

As Balthasar Staehelin, digital transformation and data director at the ICRC, explained in a 1 September panel discussion, data protection still “seems to be lost on so many people”, who see it as a technical issue rather than a matter of protecting the privacy of individuals.

Humanitarians need to begin viewing data protection as compatible with principles of humanitarian work, similar to the mandate to “do no harm”, said Júlia Zomignani Barboza, a researcher from the Brussels Privacy Hub, an NGO that partnered with the ICRC on the data protection and handbook project.

States and businesses must also devise a way to manage the data from humanitarian organisations – creating what Nathaniel Raymond, a lecturer at the Yale University Jackson Institute of Global Affairs, referred to as a “corporate humanitarian space”.

“No longer do the principles of humanity, impartiality, independence, and neutrality [apply] to positioning [with] states… [they also extend] to the few big companies who control the Internet and AI [artificial intelligence],” Raymond said.

Digital dilemmas. Cyberattacks against international NGOs and humanitarian organisations are not new. In November 2019, The New Humanitarian reported a cyberattack on some UN offices in Geneva and Vienna. In another incident this July, a ransomware attack hit a US fundraising database, where records of funders and their beneficiaries were held.

Organisations – including aid groups – often underreport such incidents, making it difficult to assess their nature, frequency, and impact, Raymond added. “The real challenge,” he said, “is a political and cultural transformation for humanitarians where we can be comfortable telling the truth when bad things happen. We can’t learn how to prevent harm if we don’t tell the truth when harm happens.”

An unequal playing field? What makes this even harder is the increasing pressure from funders to be “more accountable, more transparent, and to use every penny as best as possible”, said Alexandrine Pirlot de Corbion, strategy director of Privacy International, a London-based NGO that has been advocating for the human right of privacy since 1990.

Though all members of the humanitarian sector must navigate the same digital space, smaller organisations established in the EU, for example, may have a more difficult time, she noted. Larger organisations, such as the UN and the ICRC, have privileges and immunities from legal data protection regulations; smaller humanitarian groups must follow GDPR, creating “unhealthy power dynamics”, Pirlot de Corbion explained.

Smaller organisations may decide they can’t launch a programme because of GDPR, she said. This is especially so if the risks outweigh the benefits after their assessment, whether there is a lack of legitimate basis for processing data or the rights of data subjects are not being respected. On the other hand, a bigger organisation that doesn't have to comply might go ahead. “It creates this weird tension among those who have the legal [data privacy] obligations, who then might start to make very different decisions,” she noted.

The bottom line. So just why must digital data security be a priority for humanitarians – and be a consideration when planning new projects? Because if personal data falls into the wrong hands, it can pose a threat to people’s lives. It’s important for humanitarian organisations to understand data security issues and then “have the freedom or the ability to say no [to using risky technology], which could be very hard”, Pirlot de Corbion said. “If you do a risk assessment, and the risks outweigh the benefits, there should be a process to go back to the drawing board and to say, ‘Okay, we cannot proceed’.”

For aid groups, it all comes down to trust and how to build it. As Maja Messmer Mokhtar, head of humanitarian policy at the Human Security Division of Swiss Foreign Affairs, said: “The trust of the people they serve is the currency of humanitarian organisations.”