The month of September has witnessed two devastating disasters in Africa.
The catastrophic failure of two dams in the city of Derna in Libya brought about an unprecedented level of death and destruction.
A few hours earlier, a powerful earthquake registering 6.8 on the Richter Scale had jolted the Atlas Mountains in Morocco claiming the lives of thousands and displacing hundreds of thousands from their homes.
The scale of destruction from these two events is nothing short of horrific.
In Libya, the floodwaters tore through infrastructure that was already weakened by years of armed conflict, compounding the effect on those already affected and making rescue efforts challenging.
Teams from the International Red Cross and Red Crescent Movement have been on the ground.
They have been attending to the huge humanitarian needs, including search and rescue, finding missing persons, providing medical treatment, and offering psychosocial support.
Last week, the International Committee of the Red Cross (ICRC)’s logistics Centre in Nairobi sent a plane load of equipment to Libya to assist in reconstructing water infrastructure and 2,500 body bags to support the proper and dignified management of the dead.
When humanitarian aid organizations respond to such disasters, their operations invariably involve the collection, processing, and storage of personal data, including biometric data, genetic data, and data on the health status of individuals.
The data is required for humanitarian-related assistance including identification of affected persons and mortal remains and promoting family reunifications.
Accurate and timely data has become the lifeblood of effective humanitarian response allowing organizations to target their efforts precisely, allocate resources efficiently, and respond promptly to emerging needs.
Persons who give their personal data to humanitarian organizations do so trusting that their data will be handled with respect and for the intended purposes.
Mishandling of data can pose a serious threat to the lives and safety of the very people that humanitarian organizations are trying to protect and assist.
It is hard to speak of upholding human dignity in the absence of a robust framework of data protection by humanitarian aid organizations.
Organizations, therefore, have a moral imperative, even in the absence of a legal duty to protect the data they collect.
This includes implementing encryption, access controls, and secure storage solutions to minimize the likelihood of breaches and cyberattacks.
The cyberattack in January 2022 targeting the servers of a company entrusted by the ICRC to store data related to missing persons from conflicts and disasters serves as a stark reminder of the risks faced by humanitarian organizations.
This highly sophisticated cyber intrusion impacted the data of over 515,000 vulnerable individuals, compiled by more than 60 Red Cross and Red Crescent Societies globally.
The ICRC promptly implemented remedial measures, including temporarily taking the data offline.
The lessons learnt from the attack are being used to augment the existing framework of data protection with a key takeaway being that humanitarian organizations are not immune to cyber threats.
In Kenya, we have appreciated the dialogue between the ICRC and the Office of the Data Protection Commissioner discussing data protection for humanitarian organizations based on our operations in Kenya.
Constant dialogue with data protection authorities is essential for building trust between regulators and humanitarian agencies.
Kenya’s Data Protection Commissioner Immaculate Kassait this week joined me in officially opening a Data Protection Officer (DPO) Humanitarian Action Certificate Course in Naivasha this Monday.
She urged humanitarian organizations to protect the personal data of the people they serve as this is part of safeguarding human life and the dignity of the individual.
She further called on humanitarians to view data protection legislation not as a hindrance but rather as a tool to enhance humanitarian work.
The course is hosted by the ICRC together with the European Centre on Privacy and Cybersecurity (ECPC) and Maastricht University Faculty of Law.
It brings together more than 30 participants from across Africa with the aim of enabling them to get a better understanding of how they can work and process data of affected populations in emergencies while protecting their dignity.
Dignity must be at the centre of humanitarian action, and we are keen to preserve that. This workshop is one way of helping to get it right.
We are cognizant that humanitarian response cannot exist alone and involves a mix of various actors, comprising local NGOs, national governments, international NGOs, UN agencies and the International Red Cross and Red Crescent Movement leading to a substantial exchange of data among them, within and across borders.
This raises lots of challenges for data protection given that different organizations may be subject to different legal obligations both at the local and international levels.
One pragmatic approach to surmounting these legal intricacies involves establishing robust internal data protection frameworks.
Each humanitarian organization bears the responsibility of ensuring that its systems and procedures for data collection, processing, and utilization align with the best international standards and which data it needs to protect.
In the end, it is to ensure that we ‘do no harm’ with this data entrusted to us by those who are most vulnerable.
Daniel O’Malley is the Head of Regional Delegation of the ICRC in Nairobi.