Consultancy to develop a data protection framework for the project

CONTEXT

Over the last years, an overall growing number of humanitarian workers were killed, injured or kidnapped in the line of duty. There is increasing understanding of the impact of work in high-risk areas on the physical and psychological wellbeing of humanitarian workers, and a growing awareness that national aid workers bear the brunt.

A consortium project led by ACF along with Legal Action Worldwide (LAW) and Global International Security Forum (GISF) as implementing partners, intends to develop a protection mechanism for humanitarian workers (called “Project” below), with a specific focus on national organizations and national staff. Funded by DG ECHO, the Project aims to provide assistance to aid workers and their immediate families who have experienced security incidents, are under immediate threat of harm, or have been arrested/are facing legal charges due to their work as a humanitarian.

The Project will achieve this through the provision of grants to humanitarian NGOs, to cover the costs of protection measures, post incident support to the staff and legal support. The ultimate aim is to protect staff from further harm, support their recovery and improve their well-being. The mechanism will contract the grants to DG ECHO Certified Partners, and through them also their downstream national partners (not necessarily only those funded with ECHO funding).

The Project will establish a hotline, grant application procedures, clear criteria for funding, a vetting approach for funding and contracting templates. The Project will function under an advisory board consisting of key stakeholders, which will include national NGO representatives, donors and others. A vetting committee will regularly vet cases funded and rejected, against agreed criteria. In due course, it is the intention for the mechanism to function under its own legal registration.

LAW leads on the overall legal component of the intervention. In the event that it was decided to award a protection grant for legal services under the mechanism, the grantee and the individual in question would be proposed to ask his/her lawyer to engage with LAW throughout the process. Over time, the objective is to build up a catalogue of legal specialists present in high risk contexts, who can be recommended to national organisations to provide legal support to aid workers at risk and follow cases.

This first phase of the Project will be open to cases from anywhere in the Middle East & North Africa region.

Due to ethical considerations and the data sensitivity, the Project requires to develop a robust framework for managing and protecting the data that will be collected and shared between the partners. ACF is seeking to hire a consultant to conduct the data protection assessment and to propose recommendations to integrate data protection principles across the Project activities, in line with the GDPR and other relevant policies and frameworks.

DESCRIPTION OF THE EXPECTED SERVICE

Overall scope of work expected from the Consultant:

The overall objective of the consultancy is to provide technical expertise for the consortium in developing data sharing and data protection framework and tools for the safe and smooth implementation of the Project.

The deliverables must be made available to all consortium partners and DG ECHO Certified Partners, and aim to help build trust in the mechanism and its confidential management of data.

The work shall be conducted in a participatory manner with the consortium partners and other relevant stakeholders. The consultant(s) will be invited to learn from initiatives like Protect Defenders and World Organisation Against Torture and their approach to data protection. The consultancy employ relevant tools to capture the different dimensions of risks related to data management. The assessment will include desk reviews, organizational self-assessments, key informant interviews, virtual meetings. The consultant(s) will review existing documents related to the Project (partnership agreements, sub-contracting contracts, ToR Avisory Board, ToR vetting committee…).

Travel is not required to perform the consultancy.

The Consultant will be under the overall guidance of the ACF Program Coordinator with the support of consortium partners.

Key priorities and deliverables

All deliverables are expected to be produced in English

1. Assessment report on data protection risks related to the Project’s implementation. It shall include:

• Data protection impact assessment, taking into consideration that the 3 consortium partners HQs are in Paris, London and Geneva
• Review of the roles and responsibilities of each party to the Project
• Identification of sensitive and personal data that will be processed by the Project
• Mapping of personal data flow, identification of all data recipients

1. Detailed process and related protocols, tools and/or templates to follow for data management. It shall include:

• Platform data security policy
• Data retention and archiving policy
• Data breach protocol
• Measures for informing people, obtaining their consent and exercising their rights
• Recommendation for IT tools and data hosting

1. Proposed amendments in the documents used to contractualize the relations with partners (article to include or review in MoU / contracts, template of data sharing agreements…)
2. Conclusion report with remaining recommendations and debriefing

CONSULTANT’S PROFILE

Individual consultants or organizations are expected to have:

• Significant experience within the different data protection areas (or capacity to mobilize different profiles with the following background):
• legal (practical application of relevant legislation – including the GDPR)
• IT (in terms of data storage, retrieval and securitization)
• risk analysis
• audit data management systems / compliance
• Significant (5-10 years) experience in the international data protection context and legislation (EU-GDPR but also French legislation), including drafting of data protection policies and procedures, technology provisions, etc.
• Previous experience working with international non-profit organizations is strongly recommended (but not mandatory), ideally in the humanitarian or international development sector
• Previous experience working with special categories of data such as medical data and/or data issued from conflict areas
• The possession of a certification by the International Association of Privacy Professionals (IAPP) is considered as an asset (i.e. Certified Information Privacy Association (CIPP) and Certified Information Privacy Professional/ Information Technology (CIPP/IT)).

TIMELINE:

The assignment is expected to take 3 to 4 months from the time of signing of the contract, with possible extension based on identified additional needs and potential longer term advisory services as necessary and if required.

We are seeking a consultant (or a firm) who is available to start to work shortly after the deadline for submission of tenders.