Our principles are based on the UN Principles on Personal Data Protection and Privacy, adopted by the HLCM in 2018 and the UNSDG Guidance Note on Big Data for Achievement of the 2030 Agenda: Data Privacy, Ethics and Protection. These Principles aim to ensure proper implementation of the UN Principles on Personal Data Protection and Privacy in our practices. We also use the UNSDG Guidance Note on Big Data for Achievement of the 2030 Agenda: Data Privacy, Ethics and Protection to further clarify guidance on how to apply our principles in a big data context.
Our Data Privacy & Data Protection Principles
The following principles apply whenever we collect, use, share, or otherwise process personal data or sensitive non-personal data as part of our activities:
Fair and Legitimate Processing
We process data in a fair manner, in accordance with the United Nations global mandate and governing instruments, and on the basis of any of the following: (i) the consent of the data subject; (ii) the best interests of the data subject, consistent with the United Nations global mandate; (iii) the United Nations global mandate and governing instruments; or (iv) another appropriate legal basis specifically identified.
We process data for specified purposes, which are consistent with the United Nations global mandate and take into account the balancing of relevant rights, freedoms and interests. We do not process data in ways that are incompatible with such purposes.
Proportionality and Necessity
We ensure that the data we process is relevant, limited and adequate to what is necessary in relation to the specified purposes of data processing.
We do not attempt to knowingly and purposefully re-identify de-identified data, unless there is a legitimate and fair basis for doing so, and we make all reasonable efforts to prevent any illegitimate or unjustified re-identification.
We only retain data for the time that is necessary for the specified purposes.
We ensure that the data is accurate and, where necessary, up to date to fulfill the specified purposes.
We process data with due regard to confidentiality.
We implement appropriate organizational, administrative, physical and technical safeguards and procedures to protect the security of the data, including against or from unauthorized or accidental access, damage, loss or other risks presented by data processing.
We employ stricter standards of care while processing data that relates to vulnerable populations and persons at risk, children and young people, and when processing any other sensitive data. We also ensure proper protection of non-personal data, that is processed in a sensitive context and that may put certain individuals or groups of individuals at risk of harms.
Risks, Harms, and Benefits Assessment
We perform a risks, harms and benefits assessment and implement appropriate mitigation processes before any new or substantially changed data processing activity is undertaken. We take into consideration the impact that data processing may have not only on individuals but also on groups of individuals. We ensure that the risks and harms are not excessive in relation to the positive impact of the project.
We process data with transparency to the data subjects, as appropriate and whenever possible. This includes provision of information about the processing of their personal data as well as information on how to request access, verification, rectification, and/or deletion of that personal data, insofar as the specified purpose for which data is processed is not frustrated.
Technology Collaborators and Data Transfers
We transfer data to third parties, provided that under the circumstances, we have satisfied ourselves that the third party affords appropriate protection for the personal data, consistent with the requirements of the relevant data privacy and data protection instruments and the United Nations’ global mandate.
We design, carry out, report and document our data processing activities with adequate accuracy and openness, and we ensure that we have adequate policies and mechanisms in place to adhere to these Principles and other relevant data privacy and data protection instruments, including the UN Principles on Personal Data Protection and Privacy.
UN Principles on Personal Data Protection and Privacy
The Principles set out a basic framework for the processing of personal data by, or on behalf of, the United Nations System Organizations in carrying out their mandated activities.
They aim to:
(i) harmonize standards for the protection of personal data across the UN System;
(ii) facilitate the accountable processing of personal data; and
(iii) ensure respect for the human rights and fundamental freedoms of individuals, in particular the right to privacy.
UNSDG Guidance Note on Data Privacy, Ethics and Protection.
The note sets out general guidance on data privacy, data protection and data ethics for the United Nations Development Group (UNDG) concerning the use of big data, collected in real time by private sector entities as part of their business offerings, and shared with UNDG members for the purposes of strengthening operational implementation of their programmes to support the achievement of the 2030 Agenda.