Official Sign-off Note
On behalf of World Vision International - Somalia, I Solomon Kipkurui Technical
Project Lead, Community Based Early Warning Early Action System, World Vision
International - Somalia hereby receive and acknowledge the Inception Report,
developed collaboratively between the World Vision International - Somalia and
Zamid Consulting on 31st May 2019.
I hereby confirm that the aforementioned Inception Report accurately captures the
technical scope with a road map that will facilitate the development and
operationalization of the Community Based Early Warning Early Action System.
It is agreed and understood that by means of this sign-off note; World Vision
International - Somalia endorses and adopts the aforementioned Inception Report.
_____________________ _________________________
Solomon Kipkirui, Date
Technical Project Lead, CBEWEAS
INCEPTION REPORT
ESTABLISHMENT OF SOMREP COMMUNITY BASED
EARLY WARNING – EARLY ACTION SYSTEM
CONTRACT REF FY 19-WVSO-052
MAY 2019
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Table of Contents 4
Introduction to SomReP 6
Conceptual Framework
Project Work Plan 9
Data Collection, Analysis and Management
11
Harmonized Indicators 11
1. Food Security and Livelihood Indicators 12
2. Health Nutrition Indicators 13
3. WASH Indicators 14
4. Education and Protection Indicators 15
5. Environment and Meteorological forecast Indicators 16
17
Data Collection, Validation, Analysis and Security
19
References
Appendices 20
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Introduction to SomReP
The Somalia Resilience Program (SomReP) is a consortium of 7 INGOs (ACF,
ADRA, CARE, COOPI, DRC, Oxfam and WVI). They came together guided by
ambitious approach and believe to tackle the challenges chronic vulnerability among
pastoralists, agro-pastoralists, and peri-urban households due to recurrent shocks in
Somalia. These international organizations complement each other based on their
experience as well as expertise in community development and resilient building in
Somalia. They also bring on board tried and tested approaches and best practices
thus fostering synergies. Currently, SomReP is supporting communities affected by
disasters like drought, floods etc to recover by implementing lifesaving and resilience
programs in Somalia.
SomReP’s Overall Objective
To increase the resilience of chronically vulnerable people, communities and
systems in targeted pastoral, agro-pastoral and peri-urban livelihood zones.
SomReP’s Expected Results
1. Improved adaptive capacity of individuals households and communities
through support to livelihood diversification, and improved access to markets,
financial services, and basic livelihood services
2. Improved absorptive capacity of households and communities through
collective action in support of effective disaster risk management, adoption of
positive coping strategies and improved access to formal and informal safety
nets
3. Ecosystem health improved through promotion of equitable and sustainable
natural resource management.
4. Transformative capacity improved through support to greater coordination of
community based governance structures in livelihoods, DRR, conflict
mitigation and natural resource management
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
5. Program learning and research generated and shared among relevant
stakeholders (including communities, NGOs, and government)
SomReP key activities include the establishment of Community Based Early
Warning Early Action system (CBEWEAS). The CBEWEAS is an integral part of
Community Based Disaster Risk Reduction (CBDRM). With increasing manifestation
of negative effects related to disasters, building public awareness about disaster
risks with proactive engagement of various stakeholders is becoming critical.
CBEWEAS is essential in empowering communities to prepare for and confront
hazards. SomRep has supported CBEWEAS for the past 5 years where Early
Warning Committees were organized and trained. These collect early warning
information at community to guide decision making to guide detection and
responding shocks. However, collected information is not aggregated at central level
(district or consortium). Each agency collects and uses own information in own
location. This comes mainly because there is no centralized digital data platform
which could allow such aggregation of information.
An Online and Integrated CBEWEAS
In May 2019, SomReP contracted Zamid Consulting (Contract Reference FY
19-WVSO-052) to develop an integrated online (web-enabled) data collection
platform system for community-based EW/EA committees and government
institutions at the community and district levels in Somalia. The system is to
harmonize the efforts from a section of SomReP partners (Oxfam, ADRA and World
Vision Somalia) who are currently in the process of developing/rolling out similar
online early warning systems.
The primary objective of the consultancy assignment is to establish an open data
source collection system in a hosted environment for the purpose of early warning
and early action response mechanisms, as well as monitoring and evaluation of
SomReP partner resilience programs in Somalia. The system is to serve as a web
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
based “data collection system” that is cost effective, user friendly and functional. In
addition, it should respond to the needs of the communities and government at local
levels for effective disaster management and mitigation as well as enhance project
planning, implementation and management for SomReP partner organization
programs/projects.
The secondary objective of the consultancy is to develop functionality within the
CBEWEAS that will enable SomReP partner organizations track and manage project
activities in a manner that provides the right information to key stakeholders at the
right time to enable adaptive project management and decision making for early
warning/early action.
Conceptual Framework
Informed by the project’s Terms of Reference and the Expected Output(s), Zamid
Consulting considered various approaches to software development and elected to
deliver on the CBEWEAS using the Waterfall Project Management Framework. First
cited in an article1 by Dr. Winston W. Royce, Waterfall is a project management
approach where a project is completed in distinct stages and moved step by step
toward ultimate release to the consumers of the software. In software development,
the traditional Waterfall model tends to progress through the phases of conception,
initiation, analysis, design, development, testing, deployment and maintenance.
1Royce, Winston (1970), "Managing the Development of Large Software Systems"
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Some of the project factors that informed the decision to select the Waterfall Project
Management model include:
1. The Terms of Reference have a fixed set of requirements, scope and budget
2. Zamid Consulting could accurately estimate the level of effort required
3. The project is innately low-risk and may involve upgrading an existing system
4. The project has a hard-stop deadline of June 30, 2019
5. System users will not be responsible for updating CBEWEAS’s core functions
Phases in the Waterfall Project Management Framework
All tasks on waterfall projects are grouped by type of activity and each project follows
the same phases:
1. Requirements - where we analyze business needs and document what
software needs to do
2. Design - where we choose the technology, create diagrams and plan
software architecture
3. Development - where we figure out how to solve problems and write code
4. Testing - where we make sure the code does what it supposed to do without
breaking anything
5. Operations - where we deploy the code to a production environment and
provide support
Once the aforementioned activities are sequenced into a Work Plan, the resulting
process is visually represented like the slopes of a waterfall, hence the name.
We project that 20–40% of the time committed will be spent on requirements and
design with 30–40% on development, and the rest on testing and operations.
Activities on waterfall projects have to happen in a sequential order and one set of
activities can't start before the previous one ends. This is why planning is the most
important thing on waterfall projects.
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Figure 1: Implementation Steps for the Waterfall Project Management Framework
Figure 2: Proposed Steps for Design, Development and Operationalization of CBEWEAS
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Project Work Plan
The Terms of Reference specified the contract set the delivery deadline for the
SomReP CBEWEAS as June 30 2019. The key activities to be carried out during the
contractual period, are enumerated in the proposed Work Plan in Table 1.
These activities will utilize the Waterfall Project Management model to facilitate the
Development and Operationalization of the SomReP CBEWEAS. The outline of
activities also highlights the stakeholders involved, the parties responsible for each
activity together with the respective deliverables as per the Terms of Reference.
Task Responsible Duration Deadline
Organization
1. Conduct a kick-off workshop to World Vision 2 days 29-May-2019
evaluation and harmonize the existing Somalia and
data sets, tools, systems, indicators, Zamid Consulting
dashboards and collection methods
Deliverable(s)
Project Inception Report with the pilot
number and choice of indicators that
will inform the automation
2. Conduct a Detailed Requirements World Vision 2 Days 30-May-2019
Gathering Workshop to design a Somalia and
cost-effective, interportable Zamid Consulting
automated data collection and
analysis system that ensures data
integrity
Deliverable(s)
Software Requirements Specification
Report
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
3. Perform System Prototype Zamid Consulting 3 weeks 18-Jun-2019
Development
Deliverable(s)
A CBEWEAS prototype that securely
aggregates data from multiple
sources
4. Conduct a User-Acceptance and World Vision 3 days 21-Jun-2019
System Administrator Testing Somalia and
Workshop Zamid Consulting
Deliverable(s)
System User Feedback Report
5. Perform the Final System Integration Zamid Consulting 5 days 26-Jun-2019
and Data Migration
Deliverable(s)
Launch-ready version of the
CBEWEAS
6. Conduct Stakeholder Sensitization World Vision 1 Day 26-Jun-2019
Forums Somalia and
Zamid Consulting
Deliverable(s)
Communication Collateral and
System User Training Manuals and
Documentation
7. Launch and Formal Project World Vision 1 day 28-Jun-2019
Hand-Over Somalia
Total Project Duration to Hand-Over of the System 32 Days
Table 1: Proposed Work Plan
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Data Collection, Analysis and Management
The project’s Terms of Reference identified a harmonized set of indicators that the
CBEWEAS should capture, validate and store. These data sets are to be securely
hosted in a cloud-based environment and should be accessible to stakeholders for
the purpose of early warning and early action response mechanisms, as well as
monitoring and evaluation of SomReP partner resilience programs in Somalia.
Harmonized Indicators
A kick-off meeting between stakeholders held on 30th May 2019, produced a pilot
set of indicators in Table 2 - Table 6 below. These indicators had, in an earlier
exercise, been harmonized across the SomReP partner organizations and were set
to serve as the initial set of indicators that the CBEWEAS should capture and store.
The aforementioned pilot set of harmonized indicators had been categorized into:
1. Food Security and Livelihood Indicators
2. Health Nutrition Indicators
3. WASH Indicators
4. Education and Protection Indicators
5. Environment and Meteorological forecast Indicators
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
1. Food Security and Livelihood Indicators
Measurement Perimeter Indicator
1.1. Food prices and supply 1.1.1 Grain market information
1.2. Livestock prices 2.2.2 Prices for livestock(WFP)
1.2.3 Livestock market information
1.3. Pasture/forage in villages 1.3.1. # of pasture/forage hectares irrigated
1.3.2. Pasture availability throughout the dry season
1.4. Water accessibility and availability 1.4.1. River water level (Increase/decrease
1.4.2. Availability of water throughout the 12 month
1.4.3. Flood Warning
1.5. Household food consumption 1.5.1 FCS Index
1.6. Vulnerability to food deprivation: 1.6.1. Reduced Coping index (rCSI)
Households expenditure on food
6.2. % of expenditures on food
1.7. Livestock body condition and health 1.7.1. # of animals treated
status
1.7.2. # of veterinary interventions
1.8. Migration 1.8.1. Amount of Migration (In/out of the village)
Table 2. CBEWEAS Food Security and Livelihood Indicators
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
2. Health Nutrition Indicators
Measurement Perimeter Indicator
2.1 Human resource 2.1.1. # of health care facilities supported and/or
rehabilitated by type (e.g., primary, secondary,
2.2..Clinical Management of rape tertiary)
2.1.2. Human resource- Number of health care providers
trained by type (e.g., doctor, nurse, community
health worker, midwife, and traditional birth
attendant), by sex
2.2.1. # of health facilities offering clinical management
of rape survivors/Total number of health hospitals)
2.3.Preventation of Global Acute 2.3.1. # of cases with severe acute malnutrition newly
Malnutrition admitted for treatment
2.4.Prevention and Management of 2.4.1. Proportion of discharged cases with severe acute
severe acute malnutrition malnutrition who non-recovered
2.5.People treated for SAM, by sex and 2.5.1. # of cases with severe acute
age referred to inpatient care or hospital
2.6. Health service coverage. 2.6.1 # of Under-five child mortality, with the proportion
of newborn deaths
2.7. Risk factors- Admission for
communicable Diseases 2.7.1 % of people admitted/treated from communicable
diseases within the last one month
2.8. Health service coverage, risk 2.8.1. % of Vaccination coverage estimated per antigen
factors- Immunization admission. dose per age group
2.9. Death case report, by age and 2.9.1. # of death case reported as a result of
gender communicable diseases, (by age and gender)
Table 3. CBEWEAS Health Nutrition Indicators
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
3. WASH Indicators
Measurement Perimeter Indicator
SAFELY MANAGED DRINKING WATER SERVICES
3.1. Population using safely managed 3.1.1. # of households for Using Improved Water Sources
drinking water services
(accessibility, availability, and 3.1.2. Water sources treated and tested for free residual
quality) chlorine
3.1.3. % of water facilities maintained by the
communities/ private sector
3.1.3. Water quality testing (Source Water Quality
(Bacteriological)
3.2. Water points overcrowded with 3.2.1. Sources of safe water in villages
livestock and households
HANDWASHING FACILITIES WITH SOAP AND WATER
3.3. Population with handwashing 3.3.1. # of hand washing facilities in use
facilities with soap and water at
home
3.4. Households benefiting from solid 3.4.1. # of households using water with soap after going
waste management, drainage, to the bathroom and during food preparation
and/or vector control activities
(without double-counting)
SAFELY MANAGED SANITATION SERVICES
3.5. Population using safely managed 3.5.1. # of households using hygienic sanitation facilities
sanitation services
3.5.2. # of households with communal latrines completed
and clean
3.5.3. # of households practising open defecation
Table 4. CBEWEAS WASH Indicators
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
4. Education and Protection Indicators
Measurement Perimeter Indicator
4.1. School-age children attending 4.1.1. % of school-age children attending schools
schools
4.1.2 The number of school-age children attending
4.2. Schools in the target village/area schools
with adequate facilities meeting
standards 4.2.1. % of schools in the village/area with adequate
facilities meeting standards
4.2.2. # of schools with adequate facilities meeting
standards
4.2.3. # of schools in the village
4.3. Primary, secondary schools with 4.3.1. % of primary, secondary schools with improved
improved water supply or water water supply or water sources
sources
4.4.1. % of health facilities equipped to respond to GBV
4.4. Health facilities equipped to survivors (PEP kits)
respond to GBV survivors
4.5.1. # of case workers/protection staff on GBV and CP
4.5. Workers/protection staff on GBV case management and PSS
and CP case management and
PSS 4.6.1. # of civilians injured in violence
4.6. Civilians injured in violence
4.7. Reports of sexual violence per 4.7.1. # of reports of sexual violence per 10,000 people
10,000 people
4.8. Reported cases by service 4.8.1. # of reports of sexual violence providers or
providers or community actors community actors
4.9. households with children dropping 4.9.1. # of children dropping out of school in each
out of school household.
Table 5. CBEWEAS Education and Protection Indicators
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
5. Environment and Meteorological forecast Indicators
ENVIRONMENT
5.1. Availability of renewable energy in 5.1.1. Sources of renewable energy in village
village
5.2. Schools with renewable energy 5.1.2. The cost of renewable energy in village
equipment (solar or wind)
5.2.1. # of schools with alternative sources of energy
5.3. households using charcoal / equipment.
firewood as source of fuel for
cooking 5.3.1. # of households using charcoal/firewood for
cooking.
5.4. households willing to use
alternative/efficient sources of 5.4.1. # of households willing to use alternative sources
energy ( Solar and wind) of energy
METEOROLOGICAL FORECAST
5.5.Metrological forecast 5.5.1. eMODIS NDVI (Normalized Difference Vegetation
Index)
5.5.2. Cumulative RFF(mm):Cumulative rainfall
estimates
5.5.3. Dekadal REF(mm): 10-day rainfall estimates
5.5.4. Cumulative ETA(mm): Cumulative estimated time
of arrival
5.5.5. Dekadal ETA(mm): 10-day rainfall estimated time
of arrival
Table 6. CBEWEAS Environment and Meteorological forecast Indicators
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Data Collection, Validation, Analysis and Security
In the context of the SomReP consortium, data collection and analysis is the
responsibility of each partner organization. The proposed CBEWEAS should
frictionlessly integrate with the existing data collection mechanisms set out by the
respective SomReP partner organizations.
During the kick-off meeting on 30th May 2019, stakeholders discussed some of the
existing data collection mechanisms at the village, district, regional and national
level. This exercise was carried out in an effort to advise on the technology and
process that will be employed to serve the purpose of automating the data collection
and analysis.
Some of the information sources identified were:
1. Raw data collected by the Early Warning Committee representatives at the
village, location, district and regional level
2. Non-technical mobile data collection systems like the Open Data Collect
system developed by ADRA
3. Electronic Data collected by the Famine Early Warning Systems Network
(FEWSNET)
4. Electronic data collected by the Food Security and Nutrition Analysis Unit -
Somalia (FSNAU)
5. The electronic data collected by the Food and Agriculture Organization’s
Somalia Water and Land Information Management (FAO-SWALIM)
Stakeholders in the kick-off meeting then discussed and identified the respective
organizations, indicated in Appendix 2, that will be responsible for collecting and
relaying the data to the CBEWEAS users to enter/upload the data for validation and
analysis.
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Data integrity is a critical component of the CBEWEAS. To ensure the integrity of the
data in the CBEWEAS, stakeholders in the kick-off meeting elected to have SomReP
personnel, within the respective partner organizations, who will be responsible for
reviewing the data captured from various sources, before approving it to be
committed to the system making it accessible to stakeholders and the larger general
public. To this end, each SomReP partner is to nominate two individuals who will
receive technical training and access credentials to complete this task.
Regarding Data Analysis, the CBEWEAS is to process and analyze the data
automatically and generate tabular/visual system reports under the guidance of the
indicator thresholds, in Appendix 3, defined by each SomReP partner organization.
Information Security remains paramount to the availability, integrity and sustainability
of the CBEWEAS. In May 2017, World Vision International endorsed a discussion
paper2 titled Data Protection, Privacy and Security for Humanitarian and
Development Programs. The report concluded that a collective effort of individuals
and agencies to further address the complexities and risks is of the utmost
importance in mitigating the risks inherent in capturing, storing and analysing
beneficiary data.
The proposed CBEWEAS will be implemented under the guidance of the privacy
guidelines, risk management approaches and data interoperability benchmarks
highlighted in the Data Protection, Privacy and Security for Humanitarian and
Development Programs discussion paper. This will ensure that the system is in
compliance with the United States’ Health Insurance Portability and Accountability
Act of 1996 (HIPAA) regulations, and the European Union’s General Data Protection
Regulation (GDPR).
2 Lutz Al, Doornbos Amos et al (2017) "Data Protection, Privacy and Security for Humanitarian and
Development Programs"
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
References
Royce, Winston (1970), "M anaging the Development of Large Software Systems"
Olic Aleksandar (2017), “Waterfall Project Management Methodology”
Lutz Al, Doornbos Amos et al (2017) " Data Protection, Privacy and Security for
Humanitarian and Development Programs"
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Appendices
APPENDIX 1: Terms of Reference for the Development of the Establishment
of the Community Based Early Warning - Early Action System
APPENDIX 2: SomReP Harmonized Indicators and Data Collection Agencies
APPENDIX 3: SomReP Harmonized Indicator Threshold Definitions
APPENDIX 4: Discussion Paper - Data Protection, Privacy and Security for
Humanitarian and Development Programs
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
INCEPTION REPORT APPENDIX 1
Terms of Reference for the Development of the Establishment
of the Community Based Early Warning - Early Action System
FEBRUARY 2019
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
1.0 Background
The Somalia Resilience Program (SomReP) is a consortium of 7 INGOs (ACF,
ADRA, CARE, COOPI,DRC, Oxfam and WVI). They came together guided by
ambitious approach and believe to tackle the challenges chronic vulnerability
among pastoralists, agro-pastoralists, and peri-urban households due to
recurrent shocks in Somalia. These international organizations complement each
other based on their experience as well as expertise in community development
and resilient building in Somalia. They also bring on board tried and tested
approaches and best practices thus fostering synergies. Currently, SomReP is
supporting communities affected by disasters like drought, floods etc to recover
by implementing lifesaving and resilience programs in Somalia.
SomReP is guided by the following overall objective and results:
Overall Objective
To increase the resilience of chronically vulnerable people, communities and
systems in targeted pastoral, agro-pastoral and peri-urban livelihood zones.
Expected Results
1. Improved adaptive capacity of individuals households and communities
through support to livelihood diversification, and improved access to markets,
financial services, and basic livelihood services
2. Improved absorptive capacity of households and communities through
collective action in support of effective disaster risk management, adoption of
positive coping strategies and improved access to formal and informal safety
nets
3. Ecosystem health improved through promotion of equitable and sustainable
natural resource management.
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
4. Transformative capacity improved through support to greater coordination of
community based governance structures in livelihoods, DRR, conflict
mitigation and natural resource management
5. Program learning and research generated and shared among relevant
stakeholders (including communities, NGOs, and government)
SomReP key activities include establishment of Community Based Early Warning
Early Action system (CBEWEAS). The CBEWEAS is an integral part of
Community Based Disaster Risk Reduction (CBDRM). With increasing
manifestation of negative effects related to disasters, building public awareness
about disaster risks with proactive engagement of various stakeholders is
becoming critical. CBEWEAS is essential in empowering communities to prepare
for and confront hazards. SomRep has supported CBEWEAS for the past 5 years
where Early Warning Committees were organized and trained. These collect
early warning information at community to guide decision making to guide
detection and responding shocks. However, collected information is not
aggregated at central level (district or consortium). Each agency collects and
uses own information in own location. This comes mainly because there is no
centralized digital data platform which could allow such aggregation of
information.
SomReP is therefore seeking the services of a consultant to develop an
integrated online (web-enabled) data collection platform system for
community-based EW/EA committees and government institutions at the
community and district levels in Somalia. Some SomReP partners are in different
levels of developing/rolling out an online early warning systems eg Oxfam, ADRA
and World Vision Somalia, and these efforts needs to be harmonized to ensure
efficiency and synergy.
2.0 Objectives
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
The overall objective of the consultancy assignment is to establish an open data
source collection system in a hosted environment for the purpose of early
warning and early action response mechanisms, monitoring and evaluation of
SomReP partner resilience programs in Somalia. The system should be a web
based “data collection system” that is cost effective, user friendly and functional.
In addition, it should be able to respond to the needs of the communities and
government at local levels for effective disaster management and mitigation,
enhance project planning, implementation and management for SomReP partner
organization programs/projects. A secondary objective of an EWEA system is to
enable SomReP partner organizations track and manage project activities in a
manner that provides the right information to key stakeholders at the right time to
enable adaptive project management and decision making for early warning/early
action.
3.0 The Scope of Work
The consultant will focus on the following:
● Harmonization of tools and approaches; review each partner’s
indicators/parameters and come up harmonized indicators across SOMREP
partners.
● Develop, discuss, agree and pilot the number and choice of indicators, their
thresholds which determine shock different shock levels which will also guide
tool development
● Develop cost effective digital data collection platform that takes into account the
changing livelihood trends and compatible with SomReP -MandE ICT
infrastructure.
● Study the already existing dashboard/online systems by the different partner
organizations eg ADRA and WVI, Oxfam etc and come up with a harmonised
system which allows interoperability of data from other credible sources like
FEWSNET, FSNAU, SWALIM etc
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
● Alternatively, instead of developing a totally new system, consider identify
potential dashboard that partner organisations have that SomRep can support to
upgrade to become a central platform that all others can be linked to and linked
to that of UN data sources
● The system should have an integrated SMS functionality that allows 2-way
sharing of information to community stakeholders and enable them to submit real
time information to SomReP and Partners.
● Develop an EWS that aggregates data and information from multiple sources.
● Ensure data integrity during and after MandE System implementation
● Provide a high security and cost effective online portal platform/dashboard
● Design a complete user manual that outlines installation, setup, and deployment
of the platform
● Provide a final hand over report signed off by SomReP and the consultant
● Provide training and reference manuals for different stakeholders in the use of
database, telephone and platform
● The system should utilize new technologies to gather, analyse, disseminate data
and re-introduce feedback into the system.
● Develop approaches and tools for communicating early warning information to
multiple audiences, including communities
● The platform system should be able to be self-hosted by SomReP and partners
organisations
● Engage government partners (Jubaland State, Southwest State, and Somaliland)
to understand their user-experience of government to understand barriers.
● Provide guidance to World Vision, ADRA and OXFAM to promote harmonization.
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
4.0 Expected Outputs
● An inception Report detailing the methodology to be used
● Harmonized and documented set of indicators
● A harmonized data collection digital platform developed
● User manual for the data platform developed
● The final report incorporating comments / feedback from the Contracting
Authority. The report must be drawn up in 2 copies and submitted also in soft
copy (in MS WORD or PDF Formats) to the Contracting Authority.
5.0 Qualifications and Experience for the Consultants
● The firm/individual consultant required should have recognizable experience in
the field of management of information/data, software development with
experience in web enabled MIS development of comparable projects.
● Experience in developing a work-flow interface for updating and tracking records.
● Experience in administering and developing relational databases using MS
Visual Studio .NET, MS SQL Server, PHP, MYSQL or mobile development
(Android, iOS).
● Knowledge of Open Data Kit (ODK) is a plus.
● The firm/individual consultant selected should be experienced in providing
database training and user training.
● Firms/individual consultant should have knowledge and understanding of early
warning/early action systems
Interested and qualified consultants are asked to send a technical and financial
proposal. Only shortlisted candidates will be contacted for interview
ZAMID CONSULTING . 4T H FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
INCEPTION REPORT APPENDIX 2
SomReP Harmonized Indicators and Data Collection Agencies
MAY 2019
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Sector Measurement Perimeter Indicator Data Collection Agency(ies)
1.1. Food prices and supply World Vision, ADRA, FSNAU
1.0. 1.2. Livestock prices 1.1.1 Grain market information
Food security 2.2.2 Prices for livestock(WFP)
and livelihood 1.2.3 Livestock market information
1.3.1. # of pasture/forage hectares irrigated
1.3. Pasture/forage in villages
1.3.2. Pasture availability throughout the dry season
1.4. Water accessibility and availability 1.4.1. River water level (Increase/decrease
1.4.2. Availability of water throughout the 12 month
1.4.3. Flood Warning
1.5. Household food consumption 1.5.1 FCS Index
1.6. Vulnerability to food deprivation :Households expenditure on food 1.6.1. Reduced Coping index (rCSI)
1.7. Livestock body condition and health status 6.2. % of expenditures on food
1.8. Migration
1.7.1. # of animals treated
1.7.2. # of veterinary interventions (e.g., treatments,
vaccinations, etc.)
1.7.3. Livestock body condition
1.8.1. Amount of Migration (In/out of the village)
Sector Measurement Perimeter Indicator Data Collection Agency(ies)
2.1 Human resource
2.0. Health 2.1.1. # of health care facilities supported and/or
Nutrition rehabilitated by type (e.g., primary, secondary, tertiary)
2.2..Clinical Management of rape 2.1.2. Human resource- Number of health care
providers trained by type (e.g., doctor, nurse,
community health worker, midwife, and traditional
birth attendant), by sex
2.2.1. # of health facilities offering clinical
management of rape survivors/Total number of
health hospitals)
2.3.Preventation of Global Acute Malnutrition 2.3.1. # of cases with severe acute malnutrition newly ACF, WHO, Health and nutrition
2.4.Prevention and Management of severe acute malnutrition admitted for treatment cluster,
2.5.People treated for SAM, by sex and age
2.6. Health service coverage. 2.4.1. Proportion of discharged cases with severe
2.7. Risk factors- Admission for communicable Diseases acute malnutrition who non-recovered
2.8. Health service coverage, risk factors- Immunization admission.
2.9. Death case report, by age and gender 2.5.1. # of cases with severe acute
referred to inpatient care or hospital
2.6.1 # of Under-five child mortality, with the
proportion of newborn deaths
2.7.1 % of people addmitted/treated from
communicable diseases within the last one month
2.8.1. % of Vaccination coverage estimated per
antigen dose per age group
2.9.1. # of death case reported as a results of
communicable diseases, (by age and gender)
Sector Measurement Perimeter Indicator Data Collection Agency(ies)
SAFELY MANAGED DRINKING WATER SERVICES wash cluster, SWALIM/FAO,
3.0. 3.1. Population using safely managed drinking water 3.1.1. # of households for Using Improved Water
WASH services(accessibility, availability, and quality) Sources
3.2. Water points overcrowded with livestock and households 3.1.2. Water sources treated and tested for free
residual chlorine
3.1.3. % of water facilities maintained by the
communities/ private sector
3.1.3 Water quality testing (Source Water Quality
(Bacteriological)
3.2.1. Sources of safe water in villages
HANDWASHING FACILITIES WITH SOAP AND WATER 3.3.1. # of hand washing facilities in use
3.3. Population with handwashing facilities with soap and water at
home
3.4. HHs benefiting from solid waste management, drainage, and/or 3.4.1 # of HHs using water with soap after toilet and
vector control activities (without double-counting) during food preparation
SAFELY MANAGED SANITATION SERVICES 3.5.1. # of HHs using hygienic sanitation facilities
3.5. Population using safely managed sanitation services
3.5.2. # of HHs with communal latrines completed
and clean
3.5.3. # of households practising open defaecation
Sector Measurement Perimeter Indicator Data Collection Agency(ies)
4.1. School-age children attending schools World vision, Education cluster
4.0. 4.1.1. % of school-age children attending schools
Education and 4.2. Schools in the target village/area with adequate facilities meeting
standards 4.1.2 The number of school-age children attending
Protection 4.2h.1. l% of schools in the village/area with adequate
facilities meeting standards
4.2.2. # of schools with adequate facilities meeting
4.2.3. # of schools in the village
4.3. Primary, secondary schools with improved water supply or water 4.3.1. % of primary, secondary schools with
sources improved water supply or water sources
4.4. Health facilities equipped to respond to GBV survivors
4.4.1. % of health facilities equipped to respond to
4.5. Workers/protection staff on GBV and CP case management and GBV survivors (PEP kits)
PSS
4.6. Civilians injured in violence 4.5.1. # of case workers/protection staff on GBV and
CP case management and PSS
4.6.1. # of civilians injured in violence
4.7. Reports of sexual violence per 10,000 people 4.7.1. # of reports of sexual violence per 10,000
4.8. Reported cases by service providers or community actors people
4.8.1. # of reports of sexual violence providers or
community actors
4.9. HHs with children dropping out of school 4.9.1. # of children dropping out of school in each
HH.
Sector Measurement Perimeter Indicator Data Collection Agency(ies)
World vision/ADRA
5.0. Environment 5.1.1. Sources of renewable energy in village
Environment 5.2.1. # of schools with alternative sources of energy
5.1. Availability of renewable energy in village 5.3.1i . # of HHs using charcoal/firewood for cooking.
and 5.2. Schools with renewable energy equipment (solar or wind)
Metrological 5.3. HHs using charcoal / firewood as source of fuel for cooking
forecast
(Outsourcing)
5.4. HHs willing to use alternative/efficient sources of energy ( Solar & 5.4.1. # of HHs willing to use alternative sources of
wind) energy
Metrological forecast
5.5.Metrological forecast 5.5.1. eMODIS NDVI (Normalized Difference
Vegetation Index)
FEWSNET, SWALIM, IGAD/ICPAC
5.5.2. Cumulative RFF(mm):Cumulative rainfall
estimates
5.5.3. Dekadal REF(mm): 10-day rainfall estimates
5.5.4. Cumulative ETA(mm): Cumulative estimated
time of arrival
5.5.5. Dekadal ETA(mm): 10-day rainfall estimated
time of arrival
INCEPTION REPORT APPENDIX 3
SomReP Harmonized Indicator Threshold Definitions
MAY 2019
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
PHASED THRESHOLDS
KEY MONITORING DEFINITION THRESHOLDS DATA SOURCE NORMAL ALERT ALARM
INDICATORS
1. CLIMATE % of long-term % decrease below SWALIM/FEWSNET/ <20% 20% – 60% > 60% decrease
mean (monthly) average (Based on FSNAU decrease/Any decrease from from LTM
Rainfall thresholds) increase LTM
% of long-term SWALIM/FEWSNET/ <0.05 Decrease > 0.125
Normalized mean (monthly) % decrease below FSNAU decrease/Any Decrease of from Standard
Difference normal NDVI increase 0.05 - 0.125 Deviation (also
Vegetation Index (Based on FSNAU from Standard known as a “Large
(NDVI) <5% decrease”)
thresholds) SWALIM increase/Any Deviation (also
decrease known as a > 10% increase in
Price of water % increase % increase above “Small price over LTM
(monthly) above normal level < High risk level decrease”)
River five year average (Based on
levels/Flooding thresholds) 5% - 10%
Monitoring river increase in
level for flooding River level above price over LTM
or high risk critical levels or
levels flooding >High risk > Bank Full
level but <
Bank full
2. POPULATION MOVEMENT
Number of # of people # of arrivals and UNHCR/PRMN <1000 arrivals or 1000 - 5000 >5000 arrivals or
displaced displaced departures departures arrivals or departures
(monthly) (monthly) departures
population
3. NUTRITION
Number of New new admission new admission Nutrition Cluster <25% increase in 25-50% >50% increase in
Admissions to compared to five- compared to five- admissions increase in admissions
Feeding and year average year average compared to admissions compared to
Treatment Centers average compared to average
average
4. HEALTH Number of Number of WHO (CSR/eDEWS; AFP 01 >1
Measles outbreak confirmed confirmed measles surveillance)
measles cases cases
WHO (CSR/eDEWS; AFP
Number of AWD Number of AWD surveillance)
cases cases
<200 cases 200-500 cases > 500 cases
Number of AWD Number of AWD WHO (CSR/eDEWS; AFP Case Fatality
deaths deaths surveillance)
0 Rate (CFR) CFR>1%
AWD outbreak ≤1%
Polio outbreak
Malaria Number of Number of WHO (CSR/eDEWS; AFP 00 1
confirmed polio confirmed polio surveillance)
cases cases
WHO (CSR/eDEWS; AFP
Number of No thresholds set surveillance)
confirmed yet
malaria cases
5. MARKET % increase % increase above FSNAU/FEWSNET <5% increase/ 5% - 10% > 10% increase in
(monthly) above normal level FSNAU/FEWSNET Any decrease increase in price over LTM
Maize prices five year average (Based on FSNAU/FEWSNET price over LTM
thresholds) FSNAU/FEWSNET <5% increase/
Sorghum prices % increase FSNAU/FEWSNET Any decrease 5% - 10% > 10% increase in
(monthly) above % increase above FSNAU/FEWSNET increase in price over LTM
Local goat prices five year average normal level FSNAU/FEWSNET <5% decrease/ price over LTM
(Based on FSNAU/FEWSNET Any increase
Wage labor % decrease thresholds) 5% - 10% > 10% decrease in
Terms of trade (monthly) below <5% decrease/ decrease in price over LTM
(wage labor to five year average % decrease below Any increase
cereals) normal level price over LTM
Terms of trade % decrease Zero change/Any
(local quality goat (monthly) below (Based on increase 5% - 10% > 10% decrease in
to cereals) five year average thresholds) decrease in price over LTM
<5Kgs price over LTM
Rice prices % decrease % decrease below decrease/any
(monthly) below normal level increase 1kg - 2kg decrease >= 3kg
Cost of minimum five year average (Based on decrease
basket thresholds) <5% increase/ below the LTM
% decrease Any increase
(monthly) below Decrease below decrease 6- decrease > 10kg
five year average normal level <5% increase/ 10kg
(Based on Any increase
% decrease thresholds) 5% - 10% > 10% increase in
(monthly) below increase in price over LTM
five year average Decrease below price over LTM
normal level
% decrease (Based on 5% - 10% > 10% increase in
(monthly) below thresholds) increase in price over LTM
five year average
% decrease below price over LTM
normal level
(Based on
thresholds)
% decrease below
normal level
(Based on
thresholds)
INCEPTION REPORT APPENDIX 4
Discussion Paper - Data Protection, Privacy and Security for
Humanitarian and Development Programs
MAY 2017
ZAMID CONSULTING . 4TH FLOOR PIONEER HOUSE, KENYATTA AVENUE . NAIROBI
Data Protection, Privacy and Security
for Humanitarian & Development
Programs
DISCUSSION Authors:
PAPER Al Lutz, WVI Chief Info Security Officer
Amos Doornbos, WVI HEA Strategy & Systems Director
Anna Kehl, WVI ICT4D Volunteer
Annette E. Ghee, Ph.D., WVI Research & DME Technical Director
Laura DePauw, WVI Sustainable Health Knowledge Management
Coordinator
Editor:
Sherrie S. Simms, Ph.D., WVI ICT4D Director
Discussion Paper: Data Protection, Privacy and Security for Humanitarian & Development Programs
This Discussion Paper has been created to facilitate knowledge exchange and discussion. It is not a formal
publication of World Vision International (WVI), has not been edited to official publication standards, and the
findings, interpretations and recommendations do not imply an official position on the part of WVI. The
research, content and conclusions presented in this paper are those of the authors and do not necessarily reflect
the policies or perspectives of WVI.
The electronic version of this document can be accessed at: http://wvi.org/health/ict4d
World Vision is a Christian relief, development and advocacy organisation dedicated to working with children,
families and communities to overcome poverty and injustice. Inspired by our Christian values, we are dedicated
to working with the world’s most vulnerable people. We serve all people regardless of religion, race, ethnicity
or gender.
© World Vision International 2017
All rights reserved. No portion of this publication may be reproduced in any form, except for brief excerpts in
reviews, without prior permission of the publisher.
Discussion Paper: Data Protection, Privacy and Security for Humanitarian & Development Programs
Table of Contents
Strategic Opportunities and Imminent Risks..............................................................................................................................1
Existing guidelines, regulation & frameworks relevant to ICT4D .........................................................................................2
WVI Data Protection, Privacy & Security Framework.............................................................................................................5
Information security and privacy...............................................................................................................................................5
Current policies in place.............................................................................................................................................................6
Enforcement mechanisms...........................................................................................................................................................6
Information security assessment process ...............................................................................................................................6
Looking ahead................................................................................................................................................................................8
Ethical Considerations .....................................................................................................................................................................8
World Vision Experience ............................................................................................................................................................. 10
Effectively working within a regulatory environment ....................................................................................................... 10
Challenges faced when obtaining ‘consent’ ......................................................................................................................... 11
Multiple uses of data including unintended discrimination .............................................................................................. 11
Issue of data ownership and privacy ..................................................................................................................................... 12
Designing solutions with data security and privacy in mind ............................................................................................ 12
Use of biometrics ...................................................................................................................................................................... 12
Cash-based programming: challenging us to think differently ....................................................................................... 12
Geo-coded data: a unique set of challenges........................................................................................................................ 13
Addressing gaps in policies and guidance............................................................................................................................. 13
Anticipating tomorrow’s technology .................................................................................................................................... 14
Conclusion ....................................................................................................................................................................................... 14
Discussion Paper: Data Protection, Privacy and Security
Strategic Opportunities and Imminent Risks
As the relief and development sector has matured over Information & Communication Technology (ICT) is
many decades, Information & Communication Technology the most powerful new tool we have for solving
for Development (ICT4D) has shifted more recently from the world’s major challenges—ending poverty and
innovation to a catalytic tool for attaining target hunger, ensuring universal access to basic services,
socioeconomic development goals1. Practitioners of and making the transition to a low-carbon
ICT4D from international and local Non-governmental economy. . . .
Organizations (NGOs), civil society organizations, the Yet technology by itself is never a solution. It must
United Nations (UN) agencies, donor agencies and be properly deployed—directed towards social
private sector companies are increasingly aware of the purposes—and extended to the poor and to
inherent opportunities and risks involved with capturing, remote regions that markets alone will not serve,
analysing and leveraging data about beneficiaries and sub- at least not in a timely way. Put simply, technology
populations. must be combined with a will towards the common
Crowd-sourced efforts to define and address these [global] good. In our era, that means harnessing it
opportunities and risks have led to some progress across to the global objectives embodied by the
the ICT4D space and have produced results such as the Millennium Development Goals and Sustainable
following definition of Responsible Data: “The duty to Development Goals.
ensure people's rights to consent, privacy, security and
Dr. Jeffrey D. Sachs
ownership around the information processes of
collection, analysis, storage, presentation and reuse of data, while respecting the values of transparency and
openness.”2 In addition, individual agencies, NGOs, donors, private corporations and others3 have been working
to define their own approaches to these issues.
Useful research and recommendations on responsible data have also recently been published by the UN Office
for the Coordination of Humanitarian Affairs,4 and by GovLab at New York University/Centre for Innovation at
Leiden University5. Yet, there still remains a gap in terms of commonly agreed and utilized principles and
standards to ensure a high level of adherence to data protection, privacy and security principles and standards
for ICT4D. Given the potentially harmful risks of failing to put in place appropriate safeguards, a collaborative
effort in the humanitarian, development and ICT4D sector to further delineate Digital Development Principle 8:
Address Privacy & Security6 is timely and much needed.
Based on Information Technology (IT) industry standards, World Vision International (WVI) has been
implementing a Data Protection, Privacy & Security (DPP&S) framework for the last four to five years. This
framework is applicable to WVI globally as well as specific ICT4D projects with respect to relevant approaches
and safeguards. In order to understand the current landscape of other existing frameworks, regulation, research
and compliance, WVI has undertaken a desk research process of these broader global trends and has also
documented its implementation of its own framework along with case studies of its approach in humanitarian
assistance and health and nutrition.
1Dr. Jeffrey D. Sachs, Director of the Earth Institute at Columbia University and Special Advisor to United Nations Secretary-General Ban Ki-moon on the Sustainable
Development Goals. How Information & Communications Technology can Accelerate Action on the Sustainable Development Goals, 2016.
2 The Hand-Book of the Modern Development Specialist: Being a Complete Illustrated Guide to Responsible Data Usage, Manners & General
Deportment, Responsible Data Forum, 2016. https://responsibledata.io/resources/handbook/assets/pdf/responsible-data-handbook.pdf
3 U.N. Global Pulse, Oxfam, Catholic Relief Services, MasterCard, Visa, DFID/UKAid, UN OCHA & others
4 Building Data Responsibility Into Humanitarian Action. U.N. OCHA, May 2016.
https://docs.unocha.org/sites/dms/Documents/TB18_Data%20Responsibility_Online.pdf
5 Mapping and Comparing Responsible Data Approaches, GovLab, New York University & Centre for Innovation, Leiden University. June 2016.
http://www.thegovlab.org/static/files/publications/ocha.pdf
6 Digital Impact Alliance – Digital Development Principle 8: http://digitalprinciples.org/address-privacy-security/
May 2017 Page 1
Discussion Paper: Data Protection, Privacy and Security
Existing guidelines, regulation & frameworks relevant to ICT4D
There are a number of key frameworks that are relevant to addressing Digital Development Principle 8. While
all provide some challenge in the context of implementation of humanitarian, development and ICT4D
programmes, they are important benchmarks that should be assessed and considered for implementation.
The Organization for Economic Cooperation and Development (OECD) privacy guidelines were
last updated in 2013 to provide a risk-management approach as well as a discussion on the importance of
developing international interoperability in ensuring privacy. OECD’s members are given a framework of
guidelines as well as suggestions for implementation. Both the public and private sectors in these nations are
responsible for providing:
• limits to the collection of data;
• data quality assurance;
• purpose specification of data at time of collection;
• limitation of data use to specified purpose;
• assurance of security safeguards;
• openness about practice, policies, and developments regarding the data;
• specified set of rights for the individuals from whom data is collected;
• accountability of the data controller.7
There are guidelines for international data flow, requiring restrictions to reflect legitimate risks and encouraging
low restrictions on data flow between member nations. Privacy management programmes, data security breach
notification systems, and national privacy strategies are addressed as well.8 It is important to note that the
member nations of OECD are primarily wealthy, technologically advanced nations that have been able to put in
place solid regulatory frameworks. While only six of the thirty-five members are from outside of Europe and
North America, OECD also has agreements and partnerships with many non-member nations which may not
have regulatory frameworks in place.
Two critical benchmarks that must be considered when evaluating existing data protection, privacy, and security
standards are the United States’ Health Insurance Portability and Accountability Act of 1996
(HIPAA) regulations, and the European Union’s General Data Protection Regulation (GDPR), which
will replace the current Data Protection Directive starting May 2018. The GDPR has much more stringent
regulations than HIPAA, and organisations in developed countries as well are concerned about their ability to
meet the GDPR requirements.
HIPAA includes four rules known as the “Privacy Rule”, the “Security Rule”, the “Enforcement Rule”, and the
“Omnibus Rule”.9 The Privacy Rule and Security Rule are most relevant to ICT4D, as they address protection of
individually identifiable data and protection of electronic health data.
The Privacy Rule protects individually identifiable information, mandating disclosure of what is the “minimum
necessary” and limiting disclosure of the following:
1. individual identified by the information;
2. the entity’s own treatment, payment, and healthcare operations;
3. uses and disclosures to which the individual has the option to agree or object;
4. incidental use and disclosure;
7 The OECD Privacy Framework, OECD, 2013. http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
8 "2013 OECD Privacy Guidelines," OECD. Accessed April 11, 2017, https://www.oecd.org/internet/ieconomy/privacy-guidelines.htm.
9 “HIPAA For Professionals,” Office for Civil Rights, US Department of Health and Human Services. Accessed March 31, 2017,
https://www.hhs.gov/hipaa/for-professionals/index.html.
May 2017 Page 2
Discussion Paper: Data Protection, Privacy and Security
5. public interest and benefit activities;
6. limited data sets which have been de-identified.
Individuals have the right to view their data and amend it as needed; the right to be notified when and to whom
individually identifiable data has been disclosed; and the right to request restricted access of their data to
different entities.10
The Security Rule is designed “to protect the privacy of individuals’ health information while allowing covered
entities11 to adopt new technologies to improve the quality and efficiency of patient care.”12 Regarding
electronically-Protected Health Information (e-PHI), entities must:
• ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
• identify and protect against reasonably anticipated threats to the security or integrity of the information;
• protect against reasonably anticipated, impermissible uses or disclosures;
• ensure compliance by their workforce.
Procedures for doing so are not specified; however, the Security Rule does provide some guidance on crucial
considerations for creating procedures. Entities are required to perform ongoing risk analysis and provide a
specified set of physical, technical, and administrative safeguards.
Like the European Union’s current Data Protection Directive, the new General Data Protection
Regulation (GDPR) places conditions on processing any kind of personal data. For “lawful processing” to
occur, a legal basis for the use of that data must be documented, and it cannot violate eight key individual rights,
as discussed below.13 The GDPR has specific policies for the protection of children’s rights as well, requiring that
children must be able to understand the privacy notices, and that online services offered for children may only
process data with a guardian’s consent unless they are preventative or counselling services.
Individual rights according to the GDPR include:
1. the right to be informed
2. the right of access
3. the right to rectification
4. the right to erasure
5. the right to restrict processing
6. the right to data portability
7. the right to object
8. rights in relation to automated decision making and profiling.14
The most noteworthy difference between the current Data Protection Directive and the new GDPR is an
emphasis on accountability. Not only must organisations adhere to the GDPR, but they must set up their own
governance system to demonstrate adherence and keep records. While there is a list of what the records must
10 “Summary of the HIPAA Privacy Rule,” Office for Civil Rights, US Department of Health and Human Services. March 2005. Accessed March 31, 2017,
https://www.hhs.gov/sites/default/files/privacysummary.pdf.
11 Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically
transmit any health information in connection with transactions for which HHS has adopted standards.
12 Summary of the HIPAA Security Rule,” Office for Civil Rights, US Department of Health and Human Services. Accessed March 31, 2017,
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
13 “Key Areas to Consider,” Overview of the GDPR, Information Commissioner’s Office, licensed under the Open Government License. Accessed March
31, 2017, https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/.
14 “Individual’s Rights,” Overview of the GDPR, Information Commissioner’s Office, licensed under the Open Government License. Accessed March 31,
2017, https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/.
May 2017 Page 3
Discussion Paper: Data Protection, Privacy and Security
document, there is not a certain structure of governance that must be used across the board. Performing data
protection impact assessments is strongly encouraged though not required.15
The DLA Piper law firm has found that few organisations currently meet the requirements and thus suggests
that they focus on meeting these requirements even before the GDPR begins to be enforced to ensure that they
fully comply by May 2018.16 This is particularly relevant for those in the healthcare and life sciences sector, as
they score the lowest on compliance with the new standards at the moment.
The Asia Pacific Economic Cooperation (APEC) Privacy Framework, created to support electronic
commerce, seeks to protect information through a flexible approach that will ensure privacy but not create
unnecessary barriers to information exchange.17 The framework’s privacy principles are as follows:
1. Preventing harm: Design personal information protections with the goal of preventing harm.
2. Notice: Either before, at the time of, or as soon as possible after information collection, individuals
must know:
a) that their information is being collected;
b) why it is being collected;
c) to whom the information will potentially be disclosed;
d) the identity of the personal information controller and how to contact them;
e) options available for limiting the disclosure of their information.
3. Collection limitation: Only information relevant to the purpose of collection may be collected, and
collection methods must be legal, fair, and with notice to the individual from whom the data is collected.
4. Uses of personal information: Personal information may only be used for the stated purpose for which
it was collected and other closely related purposes unless the individual gives consent. The information
must only be used to provide a product or service requested by the individual, or by the authority of
law.
5. Choice: Individuals must be provided with understandable, accessible, and affordable ways to exercise
choice over the collection, use, and disclosure of their information.
6. Integrity of personal information: Personal information must be accurate, complete, and as up-to-date
as is necessary for the use of the information.
7. Security safeguards: Personal information controllers must protect personal information with safeguards
proportional to the level and severity of risk.
8. Access and correction: Individuals must be able to access and challenge the accuracy of the information
that the personal information controller holds regarding them, as well as have the information corrected
or deleted if appropriate. If deemed not appropriate, the individual must be provided with reasons why.
9. Accountability: The personal information controller must be accountable for complying with the
principles above.
15 “Overview of the GDPR,” Information Commissioner’s Office, licensed under the Open Government License. Accessed March 31, 2017,
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/.
16 Global Data Privacy Snapshot 2017: How does your organization compare? DLA Piper.
https://www.dlapiper.com/~/media/Files/Insights/Publications/2017/01/DLA%20Piper%20Whitepaper.pdf.
17 APEC Privacy Framework, APEC Secretariat, 2005. http://www.apec.org/Groups/Committee-on-Trade-and-
Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx.
May 2017 Page 4
Discussion Paper: Data Protection, Privacy and Security
WVI Data Protection, Privacy & Security Framework
Inherent within World Vision’s portfolio, data protection, privacy and security are specific concerns. We have
been using digital technology in our humanitarian and development work to amplify the impact and quality of our
programming for many years, with ICT4D project work documented as early as 2003. We currently use digital
technology in our disaster management, health, nutrition, food assistance, education, advocacy, water and
sanitation, agriculture and economic development work. Because of this breadth of scope, safe data standards
for our donors, beneficiaries, employees and partners is a serious concern. Effort has been undertaken in recent
years to establish World Vision’s framework for information security and privacy, and has wrestled with what
data security should look like in humanitarian contexts. However, as ICT4D is a new area in the development
world, there is still a lot of work to be done to arrive at consensus on global standards for data protection,
privacy and security.
Information security and privacy
World Vision believes that in order to assure sensitive information is both secure and private, all information
security, privacy and legal stakeholders need to be in alignment. World Vision has made strides in the past few
years in bringing the privacy
and information security groups
together structurally with close
linkages to the World Vision
Legal team. This, combined
with the development of global
policies and assessment
processes, is strengthening
World Vision’s information
security and privacy posture.
When looking at data
protection and security issues,
World Vision is targeting a
four-step process: finding the
data (primarily structured data);
classifying the data (public,
private, confidential, etc.);
tagging the data (based on how sensitive it is); and managing the data. This process is hard to do well but World
Vision focuses on its most critical applications:
• Horizon (World Vision's integrated system with design, monitoring and evaluation, project budgeting,
sponsorship monitoring, child well-being outcome reporting and rich media capacities);
• Our People (World Vision’s centralized employee HR system);
• Sponsorship (World Vision’s sponsored-child database);
• Sun6 (World Vision Partnership’s global financial system).
When looking at risk, the Enterprise Risk Management (ERM) team works closely with the Information Security
team to assure that both groups are looking at and classifying risk from the same vantage point. ERM looks at
World Vision’s global functions, weights the risks of each organisational function, and creates a normalized list of
the top ten organisational risks. These risks and corresponding risk categories have been globally aligned.
Currently, fundraising offices (internally referred to as Support Offices [SOs]), have their own risk systems into
which WVI provides input, however, future plans include integrating these systems.
May 2017 Page 5
Discussion Paper: Data Protection, Privacy and Security
Current policies in place
World Vision’s development of global information security and privacy policies has been a work in progress over
various years. In recent years, Information Security, in conjunction with Legal and the ERM, leveraged the
International Organisation for Standardisation (ISO) to develop a set of policies based on global standards.
Through this process, three policies were developed which apply to all World Vision entities, including
microfinance institutions:
• Partnership Policy on Global Data Protection and Privacy: This policy provides an overarching framework for
global data protection and privacy at World Vision, documenting the data protection and privacy
principles and policies required to ensure there is consistency in data protection and privacy, compliance
with applicable data protection/data privacy law, good practice, protection of Personally Identifiable
Information (PII), and minimization of risks of regulatory compliance failures and reputational damage for
the World Vision Partnership. It is the primary policy under which all other data protection and privacy
related policies reside.
• Partnership Policy on Information Security: This policy provides an overarching framework for information
security at World Vision, documenting the information security principles and policies required to
ensure confidentiality, integrity and availability of World Vision’s assets, information, data and IT
services. It is the primary policy under which all other technical and security related policies reside.
• Management Policy on Information Security: This policy targets and addresses global information security
functions, issues, and concerns for the World Vision Partnership. It is supported by and is in alignment
with the board-approved Partnership Policy on Information Security. Offices can add additional detail or
make them more stringent, but their policies must meet the minimum standard of this policy. The next
step will be to reconcile current policies with this policy.
A Management Policy on Global Protection and Privacy, and a set of Data Protection and Privacy Security
Standards, have been drafted and are currently in a review cycle. These policies are a good start and serve as a
baseline standard for all offices.
Enforcement mechanisms
Developing policies is an important step, but enforcement can often be difficult. Current methods include the
Staff Training for Information Security Awareness, designed to equip staff to take responsibility for safeguarding
organisational data and information from unauthorised users, to recognise potential security risks, and to be able
to report incidents immediately. Online training combined with learning reinforcements and phishing
assessments help reinforce learnings. Plans are in development to create Staff Training for Global Data
Protection and Privacy.
Information security assessment process
In addition to policy, World Vision has developed project integration information Final Security Review (FSR)
assessments. In order to assure that assessments are fit for purpose, World Vision carries out three levels of
assessments:
1. Security Lite Assessment (FSR-Lite): used to assess Commercial Off-the-Shelf (COTS) applications, cloud
services, external web hosting, and external service providers;
2. Basic Security Assessment (FSR-Basic): used to assess minor releases containing approved changes, new
functionality, or new components for existing application, service, or system;
May 2017 Page 6
Discussion Paper: Data Protection, Privacy and Security
3. Full Security Assessment (FSR-Full): used to assess projects introducing major releases, new versions, or
new designs for major partnership-wide applications/services (e.g., Sponsorship, Horizon, Financial
Systems; Our People).
Source: Department of Information Security, World Vision International
Once the level of approach is determined, the below three-step security assessment approach is applied:
1. Initial registration questionnaire: covering the policies, perimeter, network, servers, desktop/mobile, apps
and data;
2. Minimum security baseline: includes policy review attestation and certifications, Minimum Security
Baseline (MSB) perimeter security, architecture review, vulnerability scanning (Qualys©18), security
configuration wizard, application code review, and MSB data management;
3. Final security review: through this process, a final assessment score is determined. Low risk (80%-100%)
are certified and recommended for deployment, medium risk (60%-79%) requires senior management
sign-off, and finally high risk (0%-59%) are not recommended for deployment.
18 Qualys© Vulnerability Management. https://www.qualys.com/suite/vulnerability-management/
May 2017 Page 7
Discussion Paper: Data Protection, Privacy and Security
Post-deployment there are third-party penetration assessments from the big four tier 1 applications (Horizon,
Our People, Sponsorship, and Sun6) and vulnerability remediation to assure continued information security of the
project.
Looking ahead
Going forward, World Vision has more to do but we have great work to build upon. We are working to
standardise the policy framework as we currently have some policies that are not linked. Both the Management
Policy on Global Protection and Privacy and Data Protection and Privacy Security Standards need to be
approved by senior leadership. Privacy Awareness Training is needed for all WVIT staff and, finally, Privacy
Impact Assessments for Horizon, Our People, Sponsorship, and Sun6.
Ethical Considerations
Many of the global privacy and security standards described thus far are based on an ethical framework. These
frameworks generally include the values of preventing harm, ensuring privacy, maintaining confidentiality during
disclosure, and ensuring that the benefits of data collection outweigh the risks; therefore existing standards
worldwide have ethical considerations embedded within them.
The United States Federal Trade Commission’s “Fair Information Practice Principles”19 are often referenced as a
strong set of ethical guidelines and have been used as a model by many organisations and governments when
creating their own data protection standards. Many U.S. laws are based upon these as well. The principles are as
follows:
1. An individual must be notified of privacy practices before data is collected.
2. Consent to the specific use of the data being collected must be given by the individual, and consent may
be given or removed at any point.
3. The individual must be able to view and correct their data at any time.
4. Data integrity must be kept and security measures and safeguards must be present.
5. There must be a system in place to enforce compliance to the above standards that allows the individual
to cite grievances against the organisation collecting the data.20
Critics point out that there is no principle requiring a governing authority, leading to too much reliance on self-
regulation.
In May of 2015, UN Global Pulse facilitated a workshop titled “Improving Data Privacy & Security in ICT4D” at
the UN Headquarters in New York. At this workshop, a number of ethical issues were addressed with emphasis
on:
1. the need to obtain consent from those individuals from whom data is obtained;
2. the importance and current lack of privacy risk assessments in any programme or project collecting
identifiable information;
3. the reality of the insecure nature of data transfer and the importance of creating secure mechanisms
by which de-identified information can be disclosed;
4. the need for transparency, particularly as it comes to building trust with communities and individuals.21
19 https://www.ftc.gov/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission
20 “Fair Information Practice Principles,” CIPPGuide and Jon-Michael C. Brook, January 2010. Accessed March 28, 2017,
https://www.cippguide.org/2010/01/18/fair-information-practices-principles/.
21 Improving Data Privacy & Security in ICT4D: A Workshop on Principle 8 of the Digital Development Principles, meeting report, U.N. Global Pulse
2015. http://www.unglobalpulse.org/sites/default/files/Data%20Privacy%20and%20Security%20in%20ICT4D%20-%20conference%20report%20layout%20-
%20FINAL.pdf
May 2017 Page 8
Discussion Paper: Data Protection, Privacy and Security
In respecting these issues, we face unique challenges in a humanitarian setting. The United Nations Office for the
Coordination of Humanitarian Affairs (OCHA) policy paper “Humanitarianism in the Cyberwarfare Age”
discusses the challenges of informed consent in a crisis situation.22 Those requiring medical attention may be
unable to give consent due to their physical condition. When it comes to situations where minutes taken to get
consent could mean life or death, saving lives takes precedent.
At the start of a crisis, organisations may not be sure yet how data will be used, making it difficult to inform
individuals properly, and even when a statement about disclosure and use is given, those with low literacy levels
in the language that the statement is written in still may not be able to properly give informed consent.
Furthermore, beneficiaries may consent to actions that, in a non-crisis setting, they would never condone. It is
difficult to see a way to eliminate the potential for coercion created by the crisis itself. “Absolute protection
would make humanitarian response impractical by not allowing the collection of any information, while the
public listing of personal details would likewise endanger lives,” concludes OCHA. “Clearly, the imperative to
save lives under difficult circumstances must be balanced with the responsibility to do no harm.”
OCHA’s policy paper cites risk assessments as an integral starting point in data collection in humanitarian crises,
and UN Global Pulse’s workshop had a breakout session to brainstorm major factors in creating a benefits,
harms, and risks frameworks. Performing a risk assessment gives humanitarian workers who are not data
security experts a concrete way to consider if, and to what degree, the benefits outweigh the risks and harms.
UN Global Pulse is currently developing a two-phase assessment tool for humanitarian projects; the initial
assessment tool has been completed and can be downloaded from their website.23 However, a lack of resources
such as staff and funding is common for humanitarian organisations, and this can create a barrier to performing
risk assessments.
Any time data is transferred there is risk of a security breach. A joint effort between NetHope and Mastercard
revealed that many humanitarian professionals do not consider there to be a high risk of a security breach.24
Thus, they do not recognise the importance of de-identifying information and creating secure mechanisms to
transfer data as needed, and they do not consider creating secure mechanisms for data transfer to be a priority.
Donors often feel the same way and would rather their money go somewhere other than to the development of
internal security measures.25 Even the communities from whom data is collected may not fully understand the
importance of data security, as privacy can be considered a Western value and risk is weighed differently by
different cultures.26
In fact, there are a number of high risks involved when considering humanitarian data. OCHA lists political
attacks, attacks on marginalised community members who receive aid, attacks on humanitarian partners, and
criminal activity and fraud as the most pressing risks for the humanitarian sector.27 The U.S. Department of
State’s Overseas Security Advisory Council (OSAC) has said that “humanitarian missions are more vulnerable to
network intrusions given a lack of resources for cybersecurity programmes, and threat actors increasingly view
humanitarian organisations as an easy target.”28 These risks are all ethical considerations that must be taken into
account, as any of these types of breaches could violate privacy and cause harm.
22 Humanitarianism in the Age of Cyber-warfare: Towards the Principled and Secure Use of Information in Humanitarian Emergencies, OCHA, October
2014. http://digitalprinciples.org/wp-content/uploads/2015/12/Humanitarianism-in-the-Cyberwarfare-Age-OCHA-Policy-Paper-11.pdf
23 U.N. Global Pulse, ‘Data Innovation Risk Assessment Tool,’ 2016. http://www.unglobalpulse.org/privacy/tools
24 “Think Responsibly: How We’re Helping NGOs Protect Humanitarian Data,” Paul Musser and David Goodman, Agenda for Humanity, 2016. Accessed
April 11, 2017, http://www.agendaforhumanity.org/news-details/5805.
25Improving Data Privacy & Security in ICT4D: A Workshop on Principle 8 of the Digital Development Principles, meeting report, U.N. Global Pulse 2015.
26“The Ongoing Challenge of Protecting Privacy in Digital Development,” ICT Works, April 2016. Accessed Aprip 11, 2017,
http://www.ictworks.org/2016/04/18/the-ongoing-challenge-of-protecting-privacy-in-digital-development/.
27 Humanitarianism in the Age of Cyber-warfare: Towards the Principled and Secure Use of Information in Humanitarian Emergencies, OCHA, October
2014. http://digitalprinciples.org/wp-content/uploads/2015/12/Humanitarianism-in-the-Cyberwarfare-Age-OCHA-Policy-Paper-11.pdf
28“Think Responsibly: How We’re Helping NGOs Protect Humanitarian Data,” Paul Musser and David Goodman, Agenda for Humanity, 2016. Accessed
April 11, 2017, http://www.agendaforhumanity.org/news-details/5805.
May 2017 Page 9
Discussion Paper: Data Protection, Privacy and Security
Transparency is vital when it comes to ethical humanitarian work. World Vision has a stated policy that the data
collected from a community belongs to the community. World Vision’s Open Information Policy explains that “if
external stakeholders are to have confidence in us, they need to be sure that World Vision will ‘disclose’
relevant information when this is appropriate to enable them to make valid decisions about World Vision and
our work.”29 This can be difficult when data is stored and accessed online, particularly if it written in a language
other than that read by those from whom the data was collected. OCHA suggests that organisations find ways
for these communities to exercise their right to freely access accurate, updated data, even if it requires a “low-
tech” solution. They should also be reminded of the privacy policy and given ways to submit complaints and
corrections to the data.
World Vision Experience
Issues surrounding data protection and security exist everywhere and working in the humanitarian sector is no
exception. It can be easy to jump to technology as a solution, but data protection is essentially a people issue. It
involves the data of people, collected by people, through processes managed by people. Personally Identifiable
Information (PII), data about an individual’s vulnerabilities, and sensitive data have been collected by the NGO
community for decades and often haven’t been properly stored and vigilantly shared. Now that an increasing
volume of data is being captured digitally, the risk of exposure is increasing exponentially.
World Vision’s approach to data protection and security in humanitarian and development contexts can be
implemented in one of two ways: we can attempt to lock down and control everything, or we can work
together to enable others to make wise choices and implement projects as securely as possible. Both options
require clear decisions and investment and speak to the type of organisation World Vison wants to be. In line
with our core values30, World Vision strives to work together with partners for the benefit of our beneficiaries.
In order to address data protection ethical concerns while delivering community-based programming or
mounting a humanitarian response, understanding the issues that practitioners face is essential.
Effectively working within a regulatory environment
Legal and regulatory frameworks governing data security and privacy are varied as one looks across the globe.
However, general privacy protections consistent with human rights principles are commonly in place. In the
health sector WHO has reported that 73 of 116 member states have defined national digital health strategies31
which typically take data security and privacy as well as ethics into consideration. Yet, there are worrying signs
that implementation of these policies may fall short. A recent survey examined current practice related to
electronic reproductive and maternal and child health registries and revealed data security safeguards and
support for core privacy principles were inadequate, despite having protective legislation in place32. Given our
collective mandate to harmonize with national information systems, understanding and working within these
policy contexts are at the heart of sustainable ICT4D.
In the health sphere, our recent experience suggests that there are varying levels of capability of mHealth
project teams to effectively support government counterparts and address gaps in legal and regulatory
frameworks, contribute to policy development and augment its implementation. The most effective working
relationships are characterized by teams using well-developed partnering competencies with balanced
participation from both health and IT professionals through informal engagement mechanisms (advisory or
technical boards/committees, policy development working groups and active participation at consensus building
events).
29 “Implementing the WVI Open Information Policy,” World Vision, July 2013. http://wvi.org/publication/implementing-wvi-open-information-policy.
30http://www.wvi.org/vision-and-values-0
31 http://www.who.int/goe/survey/2015survey/en/
32Myhre et al. BMC Pregnancy and Childbirth (2016) 16:279.
May 2017 Page 10
Discussion Paper: Data Protection, Privacy and Security
Challenges faced when obtaining ‘consent’
In the context of a humanitarian response, beneficiaries are frequently asked for information before they receive
goods or services. This raises the question whether or not beneficiaries have given true ‘consent.’ Humanitarian
professionals are learning that the practice of obtaining consent falls on a spectrum between informed and
uninformed and is a whole we are closer to uninformed consent than we would like to be. Defining what
fundamental type of ‘consent’ beneficiaries must agree to is key:
1. Consent to use the information given for a stated purpose?
2. Consent to share the information with others and with whom for what reason?
3. Who is responsible to decide when and with whom to share the information?
4. How much risk to the beneficiary arises given the nature of the data collected (e.g. involves
documentation of a characteristic that is potentially stigmatizing, illegal or otherwise leads to significant
problems for that individual should data security be breached)?
We also need to consider the psychological impact of disaster/traumatic events on a person’s ability to make
decisions. How does this influence the process to obtain consent and in particular is some level of coercion
unavoidable?
Multiple uses of data including unintended discrimination
Stakeholders are requesting information on increasing numbers of indicators leading to a growing set of
characteristics (e.g. religion, education, wealth, HIV serostatus or other health status, etc.) captured in data sets.
These data sets can provide valuable information to help focus programming or a humanitarian response and
protect beneficiaries from harm in fragile contexts. But, while data can be used for legitimate inclusive or
vulnerability targeting purposes, it can also be used to exclude and even discriminate. In light of this reality,
challenging questions are raised:
1. If we decide to use data only for the reason for which it was collected, would this actually result in us
sharing less?
2. How do we ensure that senior decision-makers are involved in making decisions regarding the use and
sharing of data collected for one purpose, but now being considered for use in a new way? And how do
we do this while avoiding micro-managing?
3. How do we guide frontline staff to decide when and how to share data with third parties? Data sharing
with local or national government is a frequent request, but can extend to other types of partners such
as external researchers.
It is important for humanitarian NGOs to determine internally which staff members (or staff levels or roles)
need to access which aspects of data. There is likely no staff member who needs to see all the data. Further
guidance regarding data sharing between agencies and across borders needs to be developed and adapted to a
given country context. When sharing data, organizations should take a minimalist approach with third parties by
furnishing solely those data elements that meet their needs. This doesn’t mean withholding all programme level
assessments, monitoring and impact data, but it is important to be more strategic about how and when this
information is shared.
In the health sphere on the other hand, open data access is viewed as desirable and harmonization of data
standards is a growing trend that greatly facilitates data exchange or true interoperability across data systems.
The international community has called for open data standards and put forward proposals to operationalize
these using base syntactic and semantic standards. The diversity of national contexts that drive legal and
May 2017 Page 11
Discussion Paper: Data Protection, Privacy and Security
normative frameworks around data ownership and individual rights has impeded the emergence of a global
consensus around safeguards for data privacy and security yet recent progress in this area is encouraging33.
Issue of data ownership and privacy
Who do we define as the owner of a beneficiary’s data? Is World Vision the owner? If so, what does this mean
and what responsibility does this demand? What are beneficiary’s rights to data? Can a beneficiary walk into one
of our offices and see all the data we have about them, who it has been shared with, and then ask for it to be
deleted? At this point in time, this is not easily possible. In the future beneficiaries will have much greater
control over who has access to their data, but a more organisational and industry change will have to occur
before this becomes a reality.
On the other hand, in the health sector, there is a growing trend towards making de-identified data publicly
available in the spirit of scientific knowledge sharing and collaboration. This concept is yet to be reconciled with
the data ownership issue.
Designing solutions with data security and privacy in mind
The Digital Development Principles initiative and follow on consultation at the global level has highlighted the
need for technology developers working in the health sphere to consider data security and privacy when
designing solutions. The EU guidance on this mandates that privacy implications of the application have to be
considered at each step of the development and wherever the user is given a choice34.
Use of biometrics
Biometrics (measurement of physical human characteristics e.g., fingerprint, face recognition, etc.) can be used in
a variety of different ways. Unfortunately, most NGOs do not have an agency perspective on biometrics and are
often being asked to implement the use of biometrics at the insistence of donors. In some narrowly defined
cases, 100 percent certainty of individual identification is itself ethically mandated. One such set of circumstances
exists with World Vision’s collaboration with an Ebola Vaccine Trial in Sierra Leone. In this case, ethical
guidance suggests that researchers must confirm administration of a potentially harmful experimental drug to the
intended recipient. When large numbers of participants are involved, biometrics can boost confidence and
greatly streamline this process.
Just because biometrics or any other technology innovation is possible, it doesn’t mean it should be used. A use
case for biometrics needs to be clarified and World Vision needs to develop its own perspective on its use.
Cash-based programming: challenging us to think differently
In almost every project World Vision implements, we collect, analyse and generate a great deal of data.
However, the recent trend towards greater cash-based programming challenges us as an organisation to think
differently about the types of data we collect and what we do with the data. As cash-based programmes mature,
we are engaging more with formal financial service providers who have standardised and highly regulated
systems and processes. To confirm their identity when we deliver cash to beneficiaries through these
mechanisms, we often need to collect data that is classified as personally identifiable information (in this case,
referred to as “Know Your Customer” or KYC data). Once collected, we often need to share all or part of the
data with third parties. It is critical for us to fully understand this process so that we are clear on what data
actually needs to be shared and what doesn’t, to assure that procedures for data sharing comply with global
standards and with applicable national policies intended to safeguard the privacy and security of data.
In the humanitarian sphere, ICT solution design must appropriately balance the beneficiary’s right to privacy with
the need to reduce fraud, or in some cases respond to demands for information in the name of terrorism.
33 https://ohie.org/2017/03/openhie-values-and-digital-principles/
34 http://www.who.int/goe/survey/2015survey/en/
May 2017 Page 12
Discussion Paper: Data Protection, Privacy and Security
Geo-coded data: a unique set of challenges
In several development spheres, the use of geo-coded data has been gathering momentum and has proven its
value as a powerful analytic lens and maps can powerfully illustrate complex patterns.
Yet with this powerful tool, concerns regarding data security and privacy arise. This is no more evident than
with the Demographic and Health Surveys where techniques have been developed to “de-identify” geo-coded
information by introducing a small yet known amount of random spatial displacement to the data such that
statistical analyses are minimally affected35. World Vision has incorporated geo-coded data collection into some
aspects of programming, so far only to capture and track the location of key community resources, for example
improved water sources or primary health care facilities. There is the potential to include geocode identifiers at
household level yet clear policies in this regard are lacking.
Addressing gaps in policies and guidance
In addition to the Partnership Policy on Information Security and the Partnership Policy on Global Data Protection and
Privacy, World Vision does have several ethical frameworks in place. Guidance governing the collection of
routine monitoring information has been recently updated and disseminated:
Ethics Quick Reference Guide: This guide summarises the specific ethical requirements that must
be followed when collecting qualitative and quantitative data from children. These requirements
are documented in the World Vision Child Protection Standards and ensure that our processes do
not bring more harm than benefit to children.36
Policies that offer guidance pertaining specifically to ethics of data collection in the context of both routine
evaluation and more rigorous forms of research are currently being updated.
These frameworks are a good starting point but there is room for improvement, both at a policy level and at a
practical implementation guidance level. Some areas for improvement include:
• better and more consistent use of Virtual Private Networks (VPNs);
• reducing file sharing over skype;
• reducing the number of offices using insecure wireless Internet;
• increasing the number databases, hard drives, backups, etc., that are encrypted;
• using password managers to improve the quality of passwords being used and being remembered by
staff;
• policy defining when data must be de-identified and delineating levels of permissions to access de-
identified data for the purpose of business intelligence and on open access to such datasets;
• practical guidance pertaining to preparation of de-identified datasets, including geocoded data and
mechanisms to document when data use agreements are required (e.g. giving external researchers
access to data);
• articulation of an agency position on biometrics, telemedicine, point-of-care medical diagnostics and
other screening tools, outbreak surveillance and drug and commodity supply chain optimization
(especially those managed by community health workers37);
• better guidance to help frontline staff understand how to discover country specific laws around data
protection/security as well as how to apply these laws;
• consistency in how we manage data sharing and storage, including consideration of:
o in-country storage of all survey data with personally identifying information in-country through a
local database;
35 http://dhsprogram.com/What-We-Do/GPS-Data-Collection.cfm
36 http://www.wvi.org/child-protection/publication/protection-girls-and-boys-world-visions-systems-approach
37 https://peoplecentered.net/2016/05/20/transform-health-services/
May 2017 Page 13
Discussion Paper: Data Protection, Privacy and Security
o in-country storage in encrypted databases for very sensitive data;
o digital identity and personally identifiable information stored in the cloud behind well managed
firewalls.
In addition to internal policies and guidance, there are key industry standards in place that help guide our work,
including: International Committee of the Red Cross’ Rules on Personal Data Protection; Oxfam's Data
Protection Policy; Oxfam's Data Privacy Policy; and Information Commissioner’s Office’s Privacy in Mobile Apps.
Finally, policies and guidance, regardless of their quality, often find themselves in the information graveyard if
they are poorly or infrequently communicated. It is important to constantly communicate our existing policies
and work to improve them. Staff must be aware of our policies, their contents and relevance to their work.
Anticipating tomorrow’s technology
It is important to remember that as the development and humanitarian response community works to grapple
with the consequences of today’s new technologies, we must also look to the future. In the humanitarian
industry, technologies such as BlockChain38 are revolutionising the financial services world, but also expanding
beyond financial data and will transform the information management space in the next five to ten years.
Continued innovations in affordable mobile-enabled medical diagnostics and rapid screening tools are examples
of ICT that has the potential to transform work in the health sector.
We must understand these technologies and assess their utility and potential risk to our beneficiaries with
regard to information security and privacy while preserving the highest possible ethical standards.
Conclusion
The complexities of the contexts where humanitarian and development agencies operate make it quite difficult
to implement a fail-safe approach to data protection, privacy and security in its digital work. At the same time, it
is incumbent on this sector to strive toward the highest level of integrity, ethics and technical ability to ensure
the strongest possible data protection of vulnerable populations, and particularly children.
Therefore, individual and collective effort of individuals and agencies to further address the complexities and
risks is of the utmost importance in mitigating the risks inherent in capturing, storing and analysing beneficiary
data. A collective call to action to further define and align with Digital Development Principle 8: Address Privacy
& Security would exemplify a key step forward.
38 https://www.blockchain.com/ Page 14
May 2017
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
CBEWEAS Inception Report - FINAL
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
CBEWEAS Inception Report - FINAL
- 1 - 50
Pages: