Safeguarding Humanitarian Data and Protecting Humanitarian Organizations from Digital Threats

Tilman Rodenhäuser (ICRC), Silvia Pelucchi (ICRC), James De France (IFRC)

In early 2022, an unprecedented cyber attack resulted in the theft of personal data entrusted to the International Committee of the Red Cross (ICRC) and National Red Cross and Red Crescent Societies (National Societies). In response, in June of that same year the Council of Delegates of the International Red Cross and Red Crescent Movement adopted a resolution on safeguarding humanitarian data. The resolution touches on several interconnected issues. For instance, it first addresses the responsibility of humanitarian organizations to adopt and implement cyber security measures and data protection practices that protect the data we collect; second, it reiterates that humanitarian organizations are protected under international humanitarian law and calls on states and other actors to respect and protect impartial humanitarian organizations as much online as they do offline; and third, it encourages research and innovation to strengthen the protection of humanitarian data.

To strengthen data protection capacity within the Movement (and the broader humanitarian community), the ICRC has established two Humanitarian Action Programmes: one with the University of Maastricht, focusing on training and certification for data protection officers; and one with the University of Cambridge, which involves carrying out research together on digital transformation and its implications for humanitarian actions. As of April 2023, the training and certification programme developed with Maastricht has been conducted eight times across four continents, training more than 230 humanitarian professionals, of whom more than 100 were sponsored by National Societies. The ICRC also supports National Societies globally in their work to comply with the Code of Conduct on Data Protection for the Restoring Family Links (RFL) network, developing and contextualizing data protection tools across the RFL network and helping National Societies in their dialogue with authorities, particularly after the 2022 data breach.

Several National Societies have worked significantly on data protection. For example, in 2023 the Zimbabwe Red Cross Society approved a volunteer/staff agreement to uphold the Code of Conduct on Data Protection to be signed by staff and volunteers working on RFL; the Uganda Red Cross Society was certified as a data collector, data processor and data controller by its local Data Protection Authority; and the Australian Red Cross developed a data protection simulation exercise for national staff and volunteers working on RFL.

The International Federation of Red Cross and Red Crescent Societies (IFRC) has continued developing its internal data protection practices and working with National Societies to help implement data protection obligations. For instance, the IFRC has completed several data protection impact assessments with National Societies on projects involving novel data processing techniques. It has also developed standardized data sharing agreements and privacy statements designed to enable transparent, secure and legal transfers of personal data in emergencies between the IFRC and National Societies. The IFRC continues, along with National Societies, to develop software tools designed with the principles of data protection and do-no-harm at their core.

Even strong data protection by humanitarian organizations will, however, not provide sufficient protection against data breaches. To alert states to these new threats and to reiterate the long-standing consensus on the protection of humanitarian organizations against harm, the ICRC raised the issue at the United Nations, calling on states “to reaffirm that humanitarian organizations, their staff, and humanitarian data must never be targeted, be it in the physical or in the digital world”. We are determined to ensure that legal and policy frameworks will be put in place to this effect.

As stressed in the resolution, however, all Movement components should strive to invest further in data protection. In parallel, the ICRC works on possible technical solutions to strengthen the protection of humanitarian organizations and their data from harm. For example, in 2022 the ICRC opened a delegation for cyberspace, which is designed to serve as a secure testing ground where we can carry out research and development for safe digital services for affected communities. Moreover, in November 2022 the ICRC, together with the Australian Red Cross, published a report: Digitalizing the Red Cross, Red Crescent and Red Crystal Emblems: Benefits, Risks, and Possible Solutions. In recent months, we have started discussions on a digital emblem with National Societies and states and continued to refine possible technical solutions.

The data protection work culminated in the passing, in 2019, of the resolution on restoring family links while respecting privacy, including as it relates to personal data protection, at the International Conference of the Red Cross and Red Crescent, and of the safeguarding humanitarian data resolution at the 2022 Council of Delegates. But this can only be a starting point. Since the adoption of these resolutions, cyber attacks against humanitarian organizations have further emphasized the need for concrete and decisive steps. So, building on the resolution, we will need to bring the question of how to safeguard humanitarian organizations, including their data, against digital threats to the 34th International Conference.

