WHAT HUMANITARIAN ORGANISATIONS IN NIGERIA SHOULD LEARN FROM THE ICRC DATA BREACH
On 19 January 2022, the International Committee of the Red Cross (ICRC) reported that a cyber-attack had compromised the personal data of more than 515,000 highly vulnerable people.1 The data originated from at least 60 Red Cross and Red Crescent National Societies around the world. While neither the identity of the attackers nor their motive is yet known, the ICRC is concerned that the breach puts the affected people at even greater risk. In response, the ICRC temporarily shut down the systems supporting its Restoring Family Links programme, which is also currently being implemented in Nigeria. As novel as this may seem, data breaches are not new to the sector: in September 2021, the United Nations reported that hackers had breached part of its infrastructure in April 2021 and remained active until early August 2021.2
This breach brings to the fore issues of data security and privacy in the humanitarian and development sectors. As conflict and emergencies escalate in different parts of the world, humanitarian organisations have been swift to set up emergency responses and alleviate the suffering of vulnerable populations. However, because interventions increasingly rely on data, including personally identifiable information, data privacy and security have become matters of serious concern.
Under the Nigeria Data Protection Regulation 2019 (the “Regulation”), organisations that process or control personal data, including third-party contractors, are required to develop security measures to protect that data. The Regulation further stipulates that anyone entrusted with, or in possession of, personal data owes a duty of care to the owner of that data. One consequence of this duty of care is the obligation to notify a data subject when a breach of their data has occurred, which can be costly for a humanitarian organisation in both financial and human-resource terms.
Regarding the international transfer of personal data, the Regulation specifies that personal data may only be transferred to another country or to an international organisation subject to the supervision of the Honourable Attorney-General of the Federation. The National Information Technology Development Agency (NITDA) is also empowered to decide on the adequacy of data protection safeguards in each case. However, where NITDA has not made an adequacy decision, personal data may still lawfully be transferred to a foreign country or international organisation in a number of instances, including: (a) where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of the transfer, the absence of an adequacy decision, the safeguards in place and the fact that there are no alternatives; and (b) where the transfer is necessary for important reasons of public interest (provided, in all cases, that the data subject has been made to understand the data protection principles, if any, that are likely to be breached by reason of the transfer).
Recognising the importance of data protection, in 2017 the ICRC, in conjunction with the Brussels Privacy Hub of the Free University of Brussels, published a Handbook on Data Protection in Humanitarian Action (the “Handbook”).3 The Handbook sets out recommended minimum standards for the processing of personal data, including five data protection principles that humanitarian organisations should strive to comply with. On data and processing security, the Handbook outlines measures that humanitarian organisations should consider to minimise data security risks, among them: (i) training of staff and partners; (ii) physical security; (iii) discretion clauses; (iv) data sharing agreements with partners and third parties; and (v) standard operating procedures for data management and retention. Chapter IV of the Handbook recommends that humanitarian organisations undertake a Data Protection Impact Assessment (“DPIA”) for any project or initiative that requires the processing of personal data, covering the whole data lifecycle; the purpose of a DPIA is to identify, evaluate and address the risks to personal data arising from a project, policy, programme or other initiative. Altogether, the Handbook provides a reasonably holistic picture of the data privacy issues in the humanitarian sector and how to mitigate the associated risks.
In the wake of this breach, it has become imperative for humanitarian (as well as development) organisations to strengthen their data privacy compliance systems, ensuring that security measures are kept up to date and that data compliance audits are carried out regularly. In addition to the measures outlined in the Handbook, humanitarian organisations should also consider the following: (i) automating the enforcement of security policies; (ii) managing data access permissions so that staff have access only on a need-to-know basis (least privilege), and reviewing those permissions periodically; (iii) when collecting personal data, restricting the information collected to what is relevant to the outcomes and/or reporting of the programmes or projects (data minimisation); and (iv) adopting cybersecurity standards and ensuring strict adherence by staff.
Since humanitarian operations routinely entail the collection and processing of personal data of beneficiaries, vendors, employees and other persons, humanitarian organisations now bear a heightened burden: not only to act as data protection educators to data subjects, but also to ensure the security of that data, bearing in mind that protecting individuals’ personal data is an integral part of protecting their lives and dignity.4
To underpin this, it is advisable for the entity to put in place Board-level oversight: a conscious, good-faith effort to periodically monitor those responsible for the data security infrastructure.
While these precautions cannot entirely remove the risk of a data breach, they substantially reduce the legal risk and liability that could accrue to a humanitarian or development entity from a breach of its duty of care for others’ personal data. A breach that does occur will still trigger the notification obligations described above, so incident response procedures should be prepared in advance rather than improvised after the fact.
1 Cyber-attack targets Red Cross Red Crescent data, ICRC (accessed 21 January 2022); Cyberattack on ICRC exposes data on 515,000 vulnerable people, Cybersecurity News, Al Jazeera (accessed 21 January 2022)
2 https://www.washingtonpost.com/business/2021/09/09/united-nations-hackers/ (accessed 15 February 2022)
3 Handbook on data protection in humanitarian action (reliefweb.int) (accessed 21 January 2022)
4 Kuner, C. and Marelli, M. (eds.) (2017). Handbook on Data Protection in Humanitarian Action. International Committee of the Red Cross. Available at: https://reliefweb.int/sites/reliefweb.int/files/resources/4305_002_Data_protection_and_humanitarian_action.pdf (accessed 21 January 2022)