Think responsibly: How NetHope and Mastercard are helping protect humanitarian data


By Paul Musser, Senior Vice President, Humanitarian Development and Donors, Mastercard, and David Goodman, Chief Information Officer in Residence, NetHope

At the end of 2015, nearly 6.7 million refugees were considered to be in a protracted crisis – defined by the United Nations High Commissioner for Refugees (UNHCR) as one in which 25,000 or more refugees from the same nationality have been in exile for five or more years.

According to the UNHCR, the average length of major protracted refugee situations is now a staggering 26 years. Imagine what that must be like – to live in uncertainty, with no end in sight, not knowing if or when you’ll ever be able to return to your home. As more and more people are being forced to flee their homes for longer periods of time, humanitarian aid organizations are grappling with how to meet refugees’ basic needs, like food and housing, and how to provide access to critical services like education, employment, and healthcare.

Of course, we know these are not only issues affecting refugees. UN OCHA's Global Humanitarian Overview for 2017 estimates that there are more than 92 million people in need of urgent assistance who have been faced with the devastating impacts of war, extreme poverty and natural disasters.

We have witnessed first-hand with our partners in the field that delivering humanitarian aid is not a one-size-fits-all proposition – it requires a great deal of testing, learning and adapting to fit the needs of the situation. As global humanitarian aid spending soars to record levels, aid organizations are increasingly using technology to streamline operations, reduce costs, and improve program effectiveness. At the same time, humanitarian aid is becoming more and more digital, providing a wealth of information for agencies to learn about how their programs are working and can be improved.

But along with this great wealth of information comes great responsibility. It’s equally critical that aid organizations establish data security standards and best practices to ensure they are protecting the personal data that is being entrusted to them. Failure to do so can put beneficiaries and agency staff at risk and undermine trust in humanitarian organizations.

According to the U.S. Department of State’s Overseas Security Advisory Council (OSAC): “Humanitarian missions are more vulnerable to network intrusions given a lack of resources for cybersecurity programs, and threat actors increasingly view humanitarian organizations as an easy target.” Despite this, only a handful of NGOs have robust data policies and practices in place.

Following last year’s World Humanitarian Summit in Istanbul, NetHope and Mastercard came together to lead a global initiative around humanitarian data management. Recognizing the urgency required to advance this effort and the commitments made as part of the Agenda for Humanity, NetHope commissioned Mastercard to conduct a review of existing data security standards and requirements, and evaluate each standard through a development and humanitarian lens.

We came away with better insight into which practices are relevant in this space and a roadmap for establishing a new data security baseline for the humanitarian sector. We also discovered some important barriers that need to be overcome:

  1. Lack of funding. A painful gap exists between the needs of the humanitarian community and the resources available. Donors and aid organizations are faced with a tough choice: funds can either go to providing more aid to more people, or they can go towards an NGO’s internal operations. Given that the size and number of humanitarian crises around the world continue to grow at an unprecedented rate, there’s typically little debate as to which is more urgent. However, NGOs cannot continue to allow these risks to go unchecked. A stronger connection needs to be made between responsible data practices and beneficiary impact to help bring the issue into funding and investment discussions.
  2. Low perceived risk. We found that many information technology professionals at NGOs fear that their concerns over data security will only be heard once news of a data breach reverberates through the sector. But this is the worst-case scenario. NGO IT groups need a clear and straightforward set of data security best practices and requirements to demonstrate the gaps and actual risk to their organization.
  3. Complex environments. As we said before, there’s no one-size-fits-all to humanitarian aid. NGOs operate in diverse and complex places. Many field outposts have limited capabilities and connectivity, making all-encompassing security policies difficult to implement across a multitude of geographies. Finding a way to put in place security measures that meet both the needs of the head office and the field operations will be essential.

NGOs know that data privacy and protection is vital to refugees and the other vulnerable populations they serve, as well as for the protection of their own organization. This is a “digital” example of the “do no harm” principle. But for their already time- and resource-strapped staff members, it’s nearly impossible to make sense of the array of practices and requirements, and how they should be applied to humanitarian contexts.

We believe the community would benefit from a collective understanding of the right frameworks to have in place. As one NetHope member organization told us, the collaboration between Mastercard and NetHope to identify information security best practices for the development and humanitarian sector will allow NGOs to spend less time at the drawing board and focus on real-world improvements.

That’s where the power of the private sector and partnership with the public sector is most valuable – when we are drawing on our respective strengths and working together as fellow humanitarians. And that’s why we are calling on the stakeholders across this community to do their part to advance this effort.

It’s critical that funders review the security requirements in their grant agreements and support their grantees’ efforts to improve security programs with earmarked funds. We need program staff to talk to their IT colleagues about their approach to data protection and security, and work to incorporate best practices into program design. In turn, IT staff must learn about the variety of regulatory environments where their organization operates. They should be a resource to program colleagues for best practices and implement Privacy Impact Assessments. Finally, it’s incumbent upon senior leaders and board members to talk to their IT leadership about the current risks, understand the environment where they are operating and where there may be deficiencies. This should be a priority.

With these guidelines in place, we can ensure that beneficiaries are not only receiving aid that allows them to live with dignity, but also the peace of mind that their personal data will be kept safe. A fundamental human right for all.