Beneficiary Data Protection

Data protection is the systematic application of a set of institutional, technical and physical safeguards that preserve the right to privacy with respect to the collection, storage, use, disclosure and disposal of personal data. Personal data includes all information that can be used to identify data subjects, which in the case of a humanitarian cash-based intervention means our programme beneficiaries.

Humanitarian agencies collect a wealth of personal data from individuals in all areas of programming, as well as in other areas such as fundraising and advocacy.  Cash transfer programming is no exception.  However actions to protect beneficiary data have lagged behind. Research in 2011 by the Cash Learning Partnership into new technologies being used on cash transfer programming found that humanitarian agencies lacked systems and processes for beneficiary data protection and data management. As we enter a digital age of programming the importance of protecting beneficiary data is being recognised.

Leaks of personal data have potential to result in individuals being targeted for violence or harassment, due to ethnicity, religion, medical history, or just because they have received aid or worked with international organisations. This is a major concern for aid agencies, whose mandate is to uphold the humanitarian principle of ‘do no harm’. Risks to the protection of beneficiary data are faced at every stage.

E-transfers and their associated risks

Where feasible and appropriate to the context, e-transfer technology is increasingly being adopted by aid agencies, which can allow programmes to reach affected populations at a large scale and in hard-to-reach environments. It is the adoption of e-transfer technology, and digital technology more generally on programmes, that is driving an increasing realisation within the humanitarian sector of the privacy risks associated with the collection, use, storage, sharing and disposal of beneficary data. A failure to understand or mitigate these new threats throughout the programme cycle can put people at risk and undermine the trust that humanitarian organisations require in order to do their work.

E-transfer programmes begin with the collection of personal data from beneficiaries. This personal data is often more extensive than that gathered in conventional aid distributions – for example,  on some e-transfer systems, client ID is verified using biometric data and this requires the collection of highly personal data from beneficiaries such as photos, finger prints and retina scans.

Once collected this information is stored by the agency and will be used by the agency to prepare beneficiary lists.  The data may be shared with partner agencies and  wider stakeholders including for example, national governments administering social protection programmes , or potentially with donors who are funding the intervention. This raises a number of risk factors to be considered, for example:

  • Who within the agency is collecting this personal information?
  • How is it being collected?
  • How and where is this data being stored?
  • Who has access to the data?
  • How is it being shared with partners and other stakeholders? What is being shared? How are partners storing and using this data?
  • How is all of this being communicated to beneficiaries and their consent obtained?
  • How long will the data be kept for and what will happen to it afterwards?
  • If the programme scales up – Can the data management system cope and maintain its integrity?

Good practice

There are several good practice approaches agencies can put in place to overcome some of the challenges associated with protecting beneficiary data on e-transfer programmes.

Challenges can be identified from an individual programme level, up to an organisational, sector and global level. 

Analysis of existing humanitarian practices demonstrate that organisations are applying a number of solutions to these challenges. Some solutions originate from legislative guidance; others are developed in situ, in response to a programmatic challenge.

Many organisations are taking the following approach, that can be seen as emerging good practice in finding solutions pertinent to specific programme locations:

  1. Getting a better understanding of the importance of ensuring beneficiary privacy and the implications of not doing so.
  1. Understanding what constitutes their due diligence in this regard. What are the core principles that they should be adhering to? What is the overriding Government policy on data management?
  1. Either as part of preparedness measures or following response analysis, organisations are undertaking risk analysis to gain a better understanding of the data protection risks and related implications for the specific programme context. This includes considering: size and scale of the planned programme, beneficiary profile and vulnerabilities, location, duration, cash assistance amount, delivery mechanism and wider legislation (including: host country, donor country, third party policies).
  1. Considering their mandates and the contexts in which they operate, public and private sector organisations are applying these risk analysis techniques to the project and data management cycles, and developing organisationally relevant documents. 


Related resources

  • A data Starter Kit For Humanitarian Field Staff (ELAN): Building upon CaLP’s foundational Protecting Beneficiary Privacy, this Starter Kit provides concrete tips to help you assess, plan and improve your data management practices. The seven Tip Sheets align with the project and data management lifecycles, so you’ll know exactly when to think about RAD, PIAs and E2EE.
  • Privacy Impact Assessment of UNHCR Cash Based Interventions (UNHCR): This report presents the findings of the Privacy Impact Assessments (PIAs) of two of UNCHR's  Cash-Based Interventions (CBIs) in middle-income countries. It  also highlights key issues related to data protection that go beyond CBIs and are equally relevant to in-kind assistance, and need to be addressed globally
  • Know Your Customer Standards and Privacy Recommendations for Cash Transfers (UNHCR, World Vision): This report reviews how Know Your Customer (KYC) standards – rules designed to combat criminal money laundering and terrorism financing - are applied in humanitarian cash programs. It provides a number of recommendations and guidelines in relation to the application of KYC rules and data privacy measures for humanitarian cash transfers.
  • Challenges and the State of Play of Interoperability in Cash Transfer Programming (UNHCR, World Vision): This study explores the factors driving the design of interoperability for Cash Transfer Programming. It outlines the rapidly changing environment in which digital services are emerging, the types of digital collaborations that could be enabled, and the key design challenges that confront effective interoperability.



Legislation and trends 

E-transfer technologies