Data protection

Data protection is defined by IOM as “the systematic application of a set of institutional, technical and physical safeguards that preserve the right to privacy with respect to the collection, storage, use and disclosure of personal data” (IOM, 2010: 13). Personal data are any information relating to an identified or identifiable data subject that are recorded by electronic means or on paper and include not only data directly provided by an individual, but also personally identifiable information and machine-generated information that can be linked to an individual (such as mobile phone data) (World Bank, 2021). Data subjects are “individuals that can be directly or indirectly identified by the reference to a specific factor or factors that may include a name, identification number, material circumstances and physical, mental, cultural and economic or social characteristics (IOM, 2010: 13).

Protecting personal data is important to safeguard the right to privacy, which is a fundamental human right. Improper use and unauthorized disclosure of personal data may result in a variety of risks to the migrant, including verbal and physical violence, targeting as well as discrimination. “Data sharing should not be used to curtail access to rights and services, or enable exploitation, abuse or violence against migrants. This means, for example, making use of password protection, data encryption, firewalls and antivirus protection” (IOM, 2021). 

Data protection measures are especially important when collecting personal data of vulnerable populations in any context. In situations where there is conflict, displacement and/or forced migration, migrants may find their safety is further compromised if personal data are collected by, or shared with, governments without their knowledge and prior consent (IOM, 2024). “Data should be backed up, stored and synchronized in different repositories on multiple servers to prevent potential loss or theft. In all cases, any data source on gender and international migration should remove or resample data in such a way as to make individuals unidentifiable prior to publication” (Van den Eynden et al., 2011).

Case study: examples of why data protection and privacy measures are essential when handling migration data

-Deportation of irregular migrants (Friedland, 2018). Interoperability between The United States’ Federal Bureau of Investigations and Dept. of Homeland Security databases enabled Immigration and Customs Enforcement agents to identify foreign-born persons who were arrested by local authorities for deportation.

-Criminalization of trafficking victims (Taylor, 2022) In the UK, The Salvation Army shared data about victims of county lines trafficking with The Home Office, including information about open or pending cases against The Home Office.

-Involuntary returns of refugees (Human Rights Watch, 2021): UNHCR allegedly shared personal data on Rohingya refugees with the government of Bangladesh which shared it with Myanmar for discussions of possible repatriation.

IOM’s (2010) Data Protection Manual outlines 12 key principles for ensuring data protection:

  1. Obtaining personal data through lawful and fair means;
  2. Specifying the purpose of data collection to the data subject and ensuring that it is only used for that purpose;
  3. Ensuring that personal data are accurate and up to date;
  4. Obtaining the data subject’s consent at the time of data collection or at minimum ensuring that the data subject understands and appreciates the purpose for which the data is being collected;
  5. Only transferring personal data to third parties with the consent of the data subject and under the guarantee of adequate safeguards to protect the confidentiality of the data;
  6. Respecting the confidentiality of the data at all stages of data collection and processing;
  7. Providing the data subjects with the opportunity to verify and access their data;
  8. Keeping data in a location that is secure, both technically and organizationally;
  9. Only keeping personal data for as long as it is necessary or destroying it otherwise;
  10. Applying all data protection principles to both electronic and paper records of personal data;
  11. Assuming ownership of personal data collected directly from the data subject or collected on behalf of the organization;
  12. Appointing an independent body to oversee the implementation of the principles and investigate any complaints.

Migration actors might also consider the extent to which providing informed consent is meaningful, as evidence indicates that it would take the average person 76 days to read all of the disclosure documents related to each website and application visited over a year (World Bank, 2021). In such cases, other models of consent shifting the responsibilities for data protection and privacy to the data producers and users rather than the data subjects, e.g., legitimate purpose tests and fiduciary duty clauses, might be explored. Informed consent might not make sense for data that is required by public administration for certain processes, however such data can still be safeguarded from misuse through legislation such as the European General Data Protection Regulation (GDPR). Public administration also falls under the GDPR, which requires that individuals are be informed about processing purposes and rights, that data producers limit the use of data to completing the administrative task and appoint a data protection officer to ensure the security of personal data and that data subjects are notified in case of a security breach (European Commission, 2024).

The distinction between personal data and nonpersonal data is becoming increasingly blurred as a result of the widespread mixing and processing of different data sources using sophisticated algorithms that make non-personal data identifiable again, or make it possible to identify specific groups.  Furthermore, current provisions for personal data protection focus on the individual rather than on specific societal groups (for example those defined based on ethnicity, religion or sexual orientation) who may be vulnerable to data misuse for targeting or surveillance, especially in fragile sociopolitical environments (World Bank, 2021). Therefore, migration actors might consider extending data protection and privacy measures to cover the mixing of data sources and group privacy.

Data protection and privacy resources

-IOM’s Data Protection Manual includes templates for a consent form when collecting personal data from data subjects and a contractual agreement for third parties handling personal data as well as checklists for data quality, security, and protection.

-Terre des hommes (Tdh) has developed a Data Protection Starter Kit that aims to provide a first level of support on the question of data protection for field staff who are involved in collecting or working with data that has been obtained directly from people or communities supporting Tdh with its programs. The introduction pack is comprised of an overview document on the main issues concerning data protection as well as a basic self-assessment tool to increase awareness on data protection, identify possible threats, and to define actions to mitigate risks. The starter guide also includes several tutorials that can help users to secure their data by showing them how to encrypt and share files containing sensitive data, create databases containing sensitive data, anonymize or aggregate data prior to sharing, protect mobile devices, permanently delete data from one’s device and archive or back-up data. 

-IOM’s DTM developed a guideline for identifying sensitive data and inter-organizational data sharing pathways with templates for requesting data from other organizations.

< Table of contents
Checklist
References
Resources