Frauke Weber, Deputy Head of Restoring Family Links Department, German Red Cross
Nicole Batch, Protection Manager, Migration Support Programs, Australian Red Cross
Sarah Safaa Dwidar, Data Protection Legal Adviser, International Committee of the Red Cross
The importance of data protection for the work of the International Red Cross and Red Crescent Movement was recently highlighted with the adoption of Resolution 4 at the 33rd International Conference of the Red Cross and Red Crescent in December 2019. Entitled “Restoring Family Links while respecting privacy, including as it relates to personal data protection,” this resolution emphasizes the need to establish an ongoing dialogue between States and National Societies, to ensure cross-border transfers of data with the highest data protection standards. This is due to the sensitive nature of the personal data required to locate missing or separated family members. This blog post examines this issue with examples from Germany and Australia to illustrate the progress and agreements that can be made with States to help facilitate this important work of the Movement.
Why is data protection so important for the restoration of family links?
Every year, the International Red Cross and Red Crescent Movement (the Movement) helps thousands of people to find a missing family member through the global Family Links network. To trace a missing person, a National Society or ICRC Delegation needs to ask the searching relative for information about the missing family member and the circumstances that led to their separation. The personal data that people entrust to the Family Links network is very sensitive and any misuse of this data may put family members in danger, especially when vulnerable groups such as minors, migrants or detainees are involved.
Searching for missing persons in other countries requires cross-border transfers of personal data, and such transfers often involve many risks. In these circumstances, personal data is typically shared with Movement components, international organizations and local non-governmental organizations. If deemed necessary, some key data of the missing person will also be transferred to the relevant public authorities for tracing purposes (for example, in order to check whether the missing person is registered in State databases). Ensuring an adequate level of protection of the personal data, as well as a commitment to use the data for exclusively humanitarian purposes, is critical. Such measures must be ensured by the Movement components involved, as well as the relevant public authorities and any third parties at the national and international levels that receive personal data from the Movement.
The Movement’s Restoring Family Links (RFL) Code of Conduct on Data Protection takes these risks into account and contains a set of principles for RFL personnel to follow when processing the personal data necessary for RFL activities. However, following the Code of Conduct is not enough; each National Society must also comply with the applicable national data protection legislation in their State.
Dialogue between National Societies and public authorities – a ‘win-win’ for all
Two thirds of all countries
now have data protection laws in place. The
remaining third represents an immediate opportunity for National Societies to
engage with their public authorities to help ensure that any future domestic
data protection laws facilitate, rather than hinder, RFL activities. Even in countries with
existing data protection legislation, the dialogue between National Societies
and public authorities is just as important in order to advocate for clear
rules that allow the Movement to carry out its RFL services in accordance
with the law – as well as with the mandates and fundamental principles of the
Movement and in
a manner that is as unrestricted as possible.
In 2019, the 33rd International Conference of the Red Cross and Red Crescent Movement adopted resolution 4 entitled “Restoring Family Links while respecting privacy, including as it relates to personal data protection”, which provides a solid basis on which to initiate the necessary dialogue. Furthermore, this resolution has demonstrated States’ own commitment to engage with the Movement on this crucial topic.
Capitalizing on this commitment, National Societies should engage with public authorities on the development of data protection legislation or interpretation of already existing legislation. For example, data protection standards require that the processing of personal data is “lawful”; meaning that there is a legal basis for that processing. Most data protection laws identify the “public interest” as one possible legal basis upon which certain data processing entities may rely. It is very important that the legal basis of “public interest” applies not only to States when they are processing personal data but also to National Societies as auxiliaries to the public authorities for tracing purposes. Some national, regional and international legal frameworks already recognize the need for humanitarian actors, including RFL practitioners, to rely on the “public interest” as a legal basis.
As outlined above, the dialogue between National Societies and the relevant public authorities on data protection in the context of RFL remains critical – with the primary objective of ‘doing no harm’ to RFL beneficiaries through the processing of their personal data, and thus maintaining the trust they have in the Movement.
Examples of humanitarian-focused data protection regulations
In Germany, for example, a new data protection law was adopted in 2009 specifically addressing the National Society’s Tracing Service. The Federal Data Protection Act for German Red Cross Tracing Service recognises that clarifying the fate and whereabouts of missing persons and ensuring contact between separated family members are tasks to be carried out by the National Society. It also clarifies, inter alia, that necessary cross-border transfers are allowed. This law was developed as a result of the ongoing and constructive dialogue between German Red Cross, the data protection supervisory authority and the government.
Australian Red Cross has also been engaging in longstanding negotiations with their government to address compliance issues with their domestic privacy legislation and the humanitarian objectives of locating missing family members. Working with the Federal Privacy Commissioner led to the creation of the Privacy (Persons Reported as Missing) Rule 2014, under the national privacy law. Under this rule, Australian Red Cross is identified as a ‘locating body’ of missing persons, together with the Missing Persons Units of the various Police Forces. This Rule provides reassurance that Australian Red Cross is a recognised institution with a specific role in locating people who have been reported missing. This is in order to assist with reuniting families, and to ensure discretional disclosure of information regarding missing persons who are unable to provide consent themselves. This rule exemplifies the cooperation between States and Movement components that Resolution 4 envisaged in order to facilitate the access to personal data that is necessary to establish the fate and whereabouts of missing persons.
Continued efforts to contribute to the development of domestic data protection legal frameworks, like those we have seen in Germany and Australia, are necessary to help separated families find their missing loved ones – and to ensure that any processing of their personal data does not put them at further risk.
 See operative paragraphs 3 and 6 of Resolution 4;
 See EU General Data Protection Regulation, interinstitutional file 2012/001 (COD) (14 April 2016), Recitals 46, 112 (https://gdpr-info.eu/recitals/); Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Modernised Convention 108), Council of Europe Treaty Series – No. 223 (2018), para. 47 (https://rm.coe.int/cets-223-explanatory-report-to-the-protocol-amending-the-convention-fo/16808ac91a); DELIBERATION n°2012-161 du 24 mai 2012, Délibération n° 2012-161 du 24 mai 2012 autorisant la Croix-Rouge Française à mettre en œuvre un traitement automatisé de données à caractère personnel ayant pour finalité le rétablissement des liens familiaux (https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000026241772).
 See operative paragraph 4(f) of Resolution 4.
More about this topic:
Resolution 4 : Restoring Family Links while respecting privacy, including as it relates to personal data protection
RFL Code of Conduct on Data Protection
Data Protection: Key principles for personnel of the Family Links Network
RFL Strategy 2020-2025
Handbook on Data Protection in Humanitarian Action
RFL Data Protection Video for families of missing persons