Report on – 33rd IC Resolution 4: Restoring Family Links while respecting privacy, including as it relates to personal data protection (33IC/19/R4) – Italian Red Cross

Has your State/National Society/Institution incorporated the commitments contained in this resolution into the relevant strategic or operational plans?

The commitments are incorporated into:
Strategy
Policy
Operational plan

At the International, Regional, National, Local level

Explanation:

The essence of the resolution is integrated into the annual National RFL Action Plans, which are executed at national, regional, and local levels. The Italian Red Cross also prioritizes the RFL Code of Conduct, incorporating it into internal procedures for processing and protecting personal data. It is also part of the specialization training course on RFL, addressed to the Staff and Volunteers of the Italian Red Cross. Additionally, the training course dedicates three modules on the data protection legal framework, focusing on the GDPR. 

Has your State/National Society/Institution been working with other partners to implement the commitments contained in this resolution?

Partner with:
National Red Cross or Red Crescent Society in your country
Government and/or public authorities
ICRC/IFRC

Examples of cooperation:

In synergy with the State, the Italian Red Cross worked to put in place measures to protect men, women, boys, and girls, in particular those in vulnerable situations, including persons with disabilities. The Authorities published a Handbook for identifying, referring, and caring for persons living with vulnerabilities entering Italy and within the protection and reception system, in collaboration with various stakeholders including the Italian Red Cross. It contains a dedicated session to the RFL service, as the needs of separated families have been included within the framework of the vulnerabilities. According to the procedures in place, those needs are considered within the framework of the Red Cross and Red Crescent Movement principles, including the protection of the data subjects as per the RFL Code of Conduct and the Italian legal framework. The Handbook was created in both Italian and English versions. It  is available on the Italian Ministry of the Interior website at the following link:

https://www.interno.gov.it/it/stampa-e-comunicazione/pubblicazioni/vademecum-rilevazione-referral-e-presa-carico-persone-portatrici-vulnerabilita-arrivo-sul-territorio-ed-inserite-nel-sistema-protezione-e-accoglienza.

Have you encountered any challenges in implementing the commitments contained in this resolution?

Details about challenges:

The data breach to the ICRC server in Geneva that occurred in January 2022 significantly impacted the RFL service in Italy. Therefore, the Italian Red Cross encountered various challenges in implementing the resolution. In particular, the Italian Red Cross’ RFL Network played a crucial role in re-contacting family members to inform them about the hacker attack. However, this effort exposed disparities in capacity across different regions, requiring additional time and effort to address the situation effectively. The data breach to the IT system of the Italian RC that occurred in January 2024 put the National Society in front of similar challenges faced two years before. 

Another challenge was aligning the national RFL Network with updated privacy modules. Despite dedicated training sessions, the usage of the outdated versions continued on local levels, necessitating ongoing awareness efforts to ensure all volunteers understood and adopted the changes.

Additionally, handling missing migrants’ cases, especially those related to potential shipwreck victims, posed difficulties. The initial sharing of anonymized modules with only physical descriptions aims to protect individuals’ privacy but often leads to stakeholder resistance demanding complete files. This requires the Italian Red Cross to engage in advocacy to emphasize the importance of partial information sharing for privacy protection.

Furthermore, ensuring the dignified treatment of deceased migrants and centralizing data to identify them and provide answers to families is another challenge. The Italian Red Cross, in collaboration with the ICRC, is facing difficulties in responding timely to family requests due to the complex procedures and involvement of various bodies and authorities.

Lastly, humanitarian organizations that handle sensitive personal data of their beneficiaries face significant risks from hackers seeking to exploit this information. The risk of new data breaches can lead to severe consequences, including identity theft, loss of privacy, and potential harm to vulnerable individuals. Given the sensitive nature of the data, the stakes are particularly high, making these organizations attractive targets for cyberattacks. 

To mitigate these risks, robust contingency plans should be in place. These plans should focus on quickly identifying and responding to breaches, minimizing damage, and ensuring the continuous protection and timely assistance of beneficiaries. This is particularly relevant to restore operations swiftly, safeguard personal data, and maintain trust with the communities we serve. The Italian Red Cross is working to ensure both an adequate level of protection and the organization’s integrity but also to guarantee that aid and support can be delivered without interruption, even in the face of a cyberattack.

Have the commitments contained in this resolution had an impact on the work and direction of your State/National Society/Institution?

Details about the impact:

The resolution on data protection has significantly impacted the Italian Red Cross’s activities. Ensuring the protection of families’ data has become crucial, with all personnel and RFL offices involved in processing personal data, providing specific training modules, and continuously updating information notices and consent forms.

The continuous commitment of the Italian Red Cross in synergy with the Institutions to ensure the protection and assistance of the migrants from their arrival and during their stay in Italy demonstrates the capacity of both the National Society and the concerned authorities to implement this resolution. 

Have the commitments contained in this resolution had an impact on the communities that your State/National Society/Institution serves?

Description of the impact:

The commitments that were fulfilled by the Italian Red Cross within the resolution had a significant impact on communities. By prioritizing personal data protection, the Italian Red Cross fostered trust and collaboration with authorities who also handle sensitive data, thus contributing to reinforce a shared commitment to privacy and security standards.

However, the Italian Red Cross’ work has not been without challenges. A data breach highlighted the vulnerabilities that organizations can face. In particular, regarding the reputation risks. To be precise, the hacker attack had varied impacts on the beneficiaries: some continued to trust the Italian Red Cross due to its transparent and prompt response, while others were concerned about their privacy and requested the deletion of their data from the Italian Red Cross database. This incident demonstrated the Italian Red Cross’ dedication to compliance with data protection laws and its responsiveness to beneficiaries’ concerns.

Furthermore, the National Data Protection Guarantor was notified promptly about the data breach and was able to observe the Italian Red Cross’ adherence to legal obligations and effective crisis management. The NS’s efforts included informing affected individuals in multiple languages and using dedicated materials to ensure clarity, transparency and understanding. This swift and comprehensive response not only mitigated the immediate impact of the breach but also reinforced the Italian Red Cross’ reputation for integrity and accountability in data protection.

Therefore, the Italian Red Cross’ commitment to data protection has strengthened its relationships with both beneficiaries and authorities, demonstrating that being transparent, responsive, and following legal guidelines is essential for maintaining trust and for efficient help to those in need.