These young girls and their families were displaced by violence to the Tajikan IDP site, near Kandahar City. Most people taking refuge here fled violence in Zabul and some have been displaced for more than six years. They are relieved to be safe, but urgent needs include shelter, farming supplies, water, sanitation and hygiene. One woman said: “Where we came from, we had beautiful green gardens, we had a good life until the conflict." Another said: “You can find malnourished children in every second and third home." This photo was taken November 2019. OCHA/Charlotte Cans
Towards Enhanced Data Responsibility in Humanitarian Action
Data responsibility in humanitarian action is the safe, ethical and effective management of personal and non-personal data for operational response. It is a critical issue for the humanitarian system to address, and the stakes are high.
Data is an important component of humanitarian response. Data management relating to crisis contexts, affected people and humanitarian operations allows the humanitarian community to respond more effectively and efficiently. However, as organizations manage increasingly large volumes of data, they also face more complex challenges and risks.
Irresponsible data management in humanitarian response can place already vulnerable people and communities at greater risk of harm or exploitation and expose key vulnerabilities. This is of particular concern when humanitarian actors handle sensitive data1 — data that is likely to lead to harm when exposed.
Personal and non-personal data can be sensitive in humanitarian action. While the humanitarian system has a common understanding regarding the sensitivity of personal data, determining the sensitivity of non-personal data is more complex. For example, data on the locations of medical facilities in conflict settings can expose patients and staff to risk, whereas this information is typically less sensitive in natural disaster response settings.
Humanitarian Guidance and Mechanisms
IASC Operational Guidance on Data Responsibility in Humanitarian Action
Vanuatu
A woman shows her card from the Unblocked Cash programme implemented by Oxfam and the Vanuatu Resilience Business Council (VBRC) in the aftermath of Tropical Cyclone Harold.
In February 2021, the IASC launched its Operational Guidance on Data Responsibility in Humanitarian Action — the first-ever system-wide guidance to ensure data responsibility in all phases of humanitarian action. It provides concrete guidance on how to maximize the benefits of data for humanitarian action while avoiding harm to already vulnerable populations. More than 250 stakeholders from the humanitarian sector were involved in developing the guidance.
Therefore, it is critical that the humanitarian system addresses data responsibility — including data protection, data privacy and cybersecurity — in humanitarian action. Data responsibility can also be a powerful enabler of trust, ensuring that data is treated in a principled manner, kept confidential and used solely for humanitarian purposes.
Despite considerable progress, gaps remain between global frameworks and their practical application in field operations. Technological and policy solutions are needed that can safely secure humanitarian data against cyber operations, enable partnerships with private sector vendors, and ultimately secure a neutral, impartial and independent humanitarian cyberspace.
Increasing Cyber Threats Call for Scaled-Up Investment in Data Responsibility in Humanitarian Action
Proliferating offensive cyber operations have ‘potentially devastating’ humanitarian consequences if they disrupt critical infrastructure that supports essential public services, such as medical facilities, financial services, energy, water, transport and sanitation. This was noted by the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security.2
Over the past decade, humanitarian organizations have increasingly been exposed to adverse cyber activity that has grown in sophistication and scale.3 Save the Children and Human Rights Watch experienced data theft as part of the 2020 Blackbaud hack,4 a ransomware attack that likely went undetected for several months. The United States Agency for International Development (USAID), Catholic Relief Services and over 150 organizations were affected by the 2021 USAID-Nobelium hack, which may have compromised beneficiary information and staff data.5
Many humanitarian organizations struggle to diagnose when a cyberoperation has occurred against them, and they may lack basic cybersecurity standards.6 HRP contexts are among those least prepared for cybersecurity threats, according to the Global Cybersecurity Index of the UN’s International Telecommunication Union.7 Growing nation State cyber militarization, increased use of cyber operations by non-State actors, and evolving and sophisticated cyber capabilities present a grave threat to people affected by and working in humanitarian crises.8
Humanitarian Guidance and Mechanisms
OCHA Data Responsibility Guidelines
Aden, Yemen
A humanitarian worker conducts an assessment at the Al Sha'ab IDPs collective center.
The OCHA Data Responsibility Guidelines offer a set of principles, processes and tools to support OCHA’s data work. They also address how OCHA should implement the IASC Operational Guidance on Data Responsibility in Humanitarian Action. The guidelines are informed by research and field testing conducted over the past several years. This includes OCHA offices in 10 operational contexts piloting a working draft of the guidelines in 2019 and 2020. Several OCHA offices have already adopted important aspects of the guidelines. In Iraq, OCHA worked with the Assessment Working Group to incorporate data responsibility actions into the Multi-Cluster Needs Assessment process. In Somalia, OCHA worked with the HCT to agree on an Information Sharing Protocol, which includes a data and information sensitivity classification for data generated about the crisis. In Cameroon, OCHA and its partners developed two different Information Sharing Protocols for the responses in the country’s Far North and north-west/south-west regions. OCHA’s Centre for Humanitarian Data supports OCHA offices with adopting the guidelines through advisory services, support missions, trainings, templates and tools. For more information on how OCHA supports data responsibility, visit the Centre’s website.
Addressing data responsibility, including data protection, data privacy and cyber security, in humanitarian action is therefore critical for the humanitarian system. It can also be a powerful enabler of trust, ensuring that data is treated in a principled manner, kept confidential and used solely for humanitarian purposes.
Despite considerable progress, gaps remain between global frameworks and their practical application in field operations. Technological and policy solutions are needed which can safely secure humanitarian data against cyber operations, enable partnership with private sector vendors and ultimately secure a neutral, impartial and independent humanitarian cyberspace.
United Nations General Assembly, Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, Final Substantive Report, 10 March 2021 (A/AC.290/2021/CRP.2).
International Telecommunications Union, Global Cybersecurity Index (GCI) 2018, 2019. The GCI scores cybersecurity commitment along five pillars of preparedness including legal, technical, organizational, capacity-building and cooperation measures.