The Right to Information During Crises
Measuring the degree to which the right to information during crises is realized has at least three core groups of metrics. These core groups are as follows:
• Ensuring Protection of HIAs: The protection of HIAs can include: the clear delineation of what constitutes humanitarian cyberspace; ensuring free and unfettered access of humanitarian actors to infrastructure necessary to connect with affected populations; and the enforcement of prohibitions against attacks on and exploitation of humanitarian information infrastructure and activities.108
• Equitable Provision of Communication Infrastructure and Capacity: Realizing the right to information during a crisis should also be measured by how populations are equitably provided with the necessary physical infrastructure and the capacity to generate, transmit, and receive information. Equitable provision of these resources can include ensuring that economically and socially marginalized communities can connect to telecommunications networks; training and capacity building for communities to conduct HIAs when crises occur; and supporting efforts to strengthen and secure communications infrastructure in crisis-prone communities.
• Removing Economic, Social, Cultural, and Political Barriers to Humanitarian Information: The right to information during crises requires state and non-state actors to remove economic, social, cultural, and political barriers that often prevent communities from accessing information during crises. Examples of this work can include supporting the translation of humanitarian information products into local languages and culturally appropriate formats; addressing the role gender plays in access to data and ICTs; and removing regulatory barriers preventing relevant data from being accessible to specific affected communities and responders, in a manner that respects the rights articulated herein.
Further metrics and indicators are necessary to identify related obligations and establish minimum technical standards.
The Right to Protection from Harm
Realizing the right to protection from harm resulting from the use of ICTs and data can be measured by at least four core metrics, which include:
• Building an Evidence Base for Understanding the Potential Threats and Harms Caused by HIAs: To date, there has been little intentional and evidence-based research done to understand the unique threats and harms caused by HIAs in specific operational contexts. The development of protection standards tailored to HIAs depends on better studying these threats and harms, including the impacts of HIAs on particularly vulnerable populations.
• Development and Adoption of Protection Standards for HIAs: Current professional standards for protection work do not fully encompass the diverse range of actors and technologies that make up the current HIA ecosystem.109 Protection standards specific to HIAs, drawing from the evidence base of past practice described above, will need to be both technologically and contextually detailed enough to be applied in specific operational environments.
• Ensuring the Capacity to Protect Data, Including Data Minimization:The right to protection from harm stemming from HIAs requires humanitarian information actors to establish and maintain a appropriate capacity necessary for secure data in full at each stage of its life cycle.110 Relatedly, capacity and approaches for minimizing data collection only to the defined scope of the activity planned should be established as well.111,112 Minimizing data collection to the defined scope of the planned activity may include limiting or eliminating collection of personal identifying information such as family names, physical characteristics, or unique identification numbers, to name a few possible indicators.113 Securing the data life-cycle in full, from design and collection points through storage and subsequent analysis, may include combinations of digital and physical security measures designed to ensure that those contributing data cannot be tracked and subsequently targeted in association with the HIA.
• Ensuring Accountability and Learning Through Documenting Critical Incidents: At present, critical incidents (i.e. the loss of life, breaches of data storage facilities, and other injurious incidents or violations of human rights) are not captured and publicly shared by humanitarian actors in a routine way, nor to the degree necessary for improving practice and being accountable to affected populations. Standard procedures and venues for capturing and sharing these incidents are necessary to realize the right to protection from harm related to HIAs, as well as the right to redress and rectification.
The Right to Data Privacy and Security
Realization of the right to data privacy and security means that humanitarians have an obligation to build processes and safeguards into the implementation and governance of ICTs which minimize the potential for harm and privacy violations, and provide mechanisms for the evaluation of humanitarian performance in upholding these rights, and accountability to the populations served. These obligations proceed from the Red Cross/NGO Code of Conduct,114 which stipulates, “we hold ourselves accountable to both those we seek to assist and those from whom we accept resources,” the Sphere Protection Principles, which provide the imperative, “avoid exposing people to further harm as a result of your actions,”115 as well as the Humanitarian Charter,116 the Sphere Core Standards,117,118,119 and the nine commitments of the Core Humanitarian Standard.120
Notification: Subjects of data collection as part of HIAs should be made aware that their data will be collected prior to its collection occurring. This should include identification of the organization collecting the data, the uses for which the data is being collected, and any third parties which may be recipient to the data. Also identified should be the nature of the data collected and the means by which it shall be collected, policies that ensure the quality, security, and integrity of the data, and the means by which the subject can seek redress and rectification.
Data Minimization: Humanitarians must limit data collected to that which is necessary for specified purposes. These purposes must be explicit, legitimate, and determined at the time of data collection. Data must be obtained by lawful and fair means, with respect to the rights of the data subject, and with the consent of the subject where applicable.
Use Limitations: Humanitarians must not disclose, make available, share, or use personal data for purposes beyond the scope of those purposes explicitly defined at the time of collection, except with the consent of the data subject.
Security: Humanitarian actors must impose managerial and technical measures to protect against loss and the unauthorized access, destruction, use, modification, or disclosure of the data collected as a result of HIAs. Humanitarians must also adopt best practices for the handling of data to ensure against inadvertent misuse or loss, and develop a culture of security and privacy that guards against privacy and security breaches and ensures that all personnel can recognize common threats to data security and privacy. Organizations should:
• adopt and implement humanitarian sector minimal technical standards governing systems handling sensitive and personal data;
• adopt minimum training standards to ensure that ICT and information security personnel, individuals working with sensitive data, and other personnel are qualified; and
• implement standardized risk assessment protocols, third-party independent audits of systems and personnel, and compliance testing and assurance.121
Governance & Accountability: Humanitarian actors engaged in HIAs must establish appropriate internal governance for the handling of PII and DII. This, at a minimum, includes:
• policies and procedures that are capable of handling sensitive data across the humanitarian data ecosystem;122
• implementation of privacy management programs appropriate to the scope of a project’s exposure to sensitive and personal data;123
• mechanisms by which a data subject can seek recourse within a timely manner and with minimal costs;
• internal mechanisms for oversight, critical incident response, the ongoing monitoring and reassessment of data collection;
• routine and independent auditing of data governance and management practices; and
• standardized legal agreements for data sharing where appropriate, including minimum technical standards to facilitate data sharing in a secure manner.
The Right to Data Agency
Realizing the right to data agency depends on the development of, and adherence to, minimum technical and ethical standards for data acquisition and use. Developing minimum standards to realize the right to data agency begins with identifying the legal, ethical, regulatory, and technical rules and norms that govern data agency in specific response contexts.124 Minimum technical and ethical standards for data acquisition and use must meet the following metrics:
• Procedures for Notification and Informed Consent: Any use of HIAs must be planned in a manner consistent with the principles of notification, informed participation, consent, and informed consent. Initial project planning must determine the level of notification and consent required, and standardized guidelines for this determination must be developed. Informed consent must be obtained prior to the collection of data with experimental purposes. The informed consent process must meet minimum standards for the provision of information, comprehension, and voluntariness.125
• Experimental Review: All HIAs which are experimental in nature should be subject to review by Institutional Review Boards (IRBs). There must be research and sector-wide agreement on what constitutes experimental procedures in the context of HIAs. Humanitarian actors also require training in how to determine which HIAs constitute experimental procedures and to identify which require IRBs.
• Developing a Chain of Consent: Data aggregation presents unique challenges to the realization of data agency. The aggregation of data may create data products that pose additional risks to affected populations compared to the unaggregated data. Because future technological developments and partnerships leading to data aggregation may not be foreseen, humanitarian actors must create and adhere to standardized data licensing agreements informed by assessments of additional risks attributable to data aggregation. Data licensing agreements must also capture the chain of consent, or the parameters of data use obtained in the informed consent process, at each stage of data aggregation and sharing.
• Best Practices for Enfranchising Populations in HIA Design and Execution: Humanitarian actors should use approaches, tools, and techniques that are culturally, logistically, and operationally appropriate to the context in which HIAs are deployed. Participatory design is an ultimate goal of the development of HIAs, in order to ensure that the intent and effect of HIAs are first and foremost suited to the needs and preferences of the local population. Consistent feedback loops and formal channels for populations affected by crises to provide input about decisions that affect their right to data agency must be established. As part of these feedback loops and channels, crisis-affected populations must be enfranchised to participate in these processes, including the provision of information about their right to data agency.
The Right to Redress and Rectification
To realize the right to redress, humanitarians and other actors must be accountable to crisis-affected populations. Humanitarians should keep the following in mind as they work with HIAs: Who is responsible if a HIA based on “bad” data causes harm, and what might adequate redress look like?
Realizing the right to redress will involve at least three metrics:
• Designation of humanitarian actors who are accountable for addressing critical incidents and complaints: The right to redress requires humanitarian agencies to have designated personnel that process and address relevant complaints, and who have certain obligations when critical incidents occur. This function may best be implemented as an independent and inter-agency humanitarian data supervisory body that has jurisdiction across organizations.
• Clearly define who is accountable for data-related harms, and what they will do to address these harms: Humanitarian organizations must clearly define who holds ultimate responsibility for harms to affected populations that stem from HIAs. Responsible parties must then create protocols for addressing complaints and engaging in rectification, erasure, and redress activities. This must be done before these protocols are actually needed, not after. These protocols should be as transparent as possible, enabling affected populations to comment on and improve them.
• Build awareness amongst affected populations of their right to redress: Affected populations must be aware that they have the right to access and rectify their data, and to receive redress if this data has caused them harm. Humanitarians need to develop plans and best practices for communicating this right to populations in clear and context-sensitive ways, with an emphasis on transparency and inclusion.
108. Gilman and Baker, “Humanitarianism in the Age of Cyber-Warfare: Towards the Principled and Humanitarian Emergencies.”
109. International Committee of the Red Cross, Professional Standards for Protection Work.
110. “Data Life Cycle,” accessed August 16, 2016, http://www.bu.edu/datamanagement/background/data-life-cycle/.
111. International Committee of the Red Cross, Professional Standards for Protection Work.
112. Raymond, Nathaniel and Al Achkar, Ziad and Verhulst, Stefaan and Berens, Jos and Barajas, Lilian and Easton, Matthew, Building Data Responsibility into Humanitarian Action (May 1, 2016). OCHA Policy and Studies Series, May 2016, Available at SSRN: https://ssrn.com/abstract=3141479.
114. International Federation of the Red Cross and Red Crescent and International Committee of the Red Cross, “The Code of Conduct for the International Red Cross and Red Crescent Movement and Non-Governmental Organizations (NGOs) in Disaster Relief.”
115. The Sphere Project, Sphere Project: Humanitarian Charter and Minimum Standards in Humanitarian Response, 33.
116. Ibid., 19.
117. Ibid., 68.
118. Ibid., 65.
119. Ibid., 58.
120. CHS Alliance, Groupe URD, and The Sphere Project, Core Humanitarian Standard: Core Humanitarian Standard on Quality and Accountability.
121. The Sphere Project, Sphere Project: Humanitarian Charter and Minimum Standards in Humanitarian Response, 305.
122. Raymond and Al-Achkar, “Building Data Responsibility into Humanitarian Action.”
123. Organization for Economic Cooperation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”
124. Raymond and Al-Achkar, “Building Data Responsibility into Humanitarian Action.”
125. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, “Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research, Report of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research.”