
NRC Data Protection Policy

LAST UPDATED DECEMBER 2018


Table of contents

1 Introduction 3
2 Definitions 4
3 Principles 6
3.1 Obtain information fairly and lawfully 7
3.2 Purpose limitation 8
3.3 Data minimisation 8
3.4 Information quality 8
3.5 Storage limitation 8
3.6 Information security 9
3.7 NRC’s Responsibility towards Data Protection Law 9
4 The rights of the Data Subjects 10
5 When NRC is Processing data on behalf of others 11
6 When publishing pictures of individual persons 11
7 Questions related to NRC’s data protection policy? 12

1 Introduction

NRC helps people fleeing from conflict and disasters in countries worldwide. To provide
adequate assistance, NRC must collect information, including Personal Data. NRC
processes Personal Data to fulfil obligations towards beneficiaries, employees, public
authorities, donors, partners and other stakeholders.
The NRC Data Protection Policy establishes the organisation’s standard for protecting the
privacy of the individuals whose data it processes, in line with applicable legislation and
humanitarian principles such as the following:

NRC vision: Rights respected. People protected.

NRC Mission statement: NRC works to protect the rights of displaced and vulnerable
persons during crisis.

Sphere protection principle: Avoid exposing people to further harm as a result of your
actions.

Art. 12 Universal Declaration of Human Rights: No one shall be subjected to arbitrary
interference with his privacy, family, home or correspondence.

Art. 8 Charter of Fundamental Rights of the European Union: Everyone has the right to
the protection of personal data concerning him or her.

Legal framework
NRC staff, partners or suppliers processing Personal Data on behalf of NRC must do so in
accordance with the EU General Data Protection Regulation 2016/679 (GDPR), since NRC is a
Norwegian based organisation subject to GDPR, and with the data protection legislation of the
country in which the processing (as defined below) of Personal Data takes place. This applies
both to Personal Data stored in electronic format and to paper archives. When GDPR, local
legislation or donor requirements conflict, NRC shall always comply with whichever offers the
highest level of privacy protection.
Other legislation, such as tax, employment and labour law, may also determine how, and what
type of, Personal Data about employees NRC may process.
Policies
The NRC Code of Conduct sets out how NRC staff act and handle sensitive and confidential
information. The privacy of all persons whose data is processed by NRC shall be safeguarded
in accordance with this policy. This policy, together with the principles and guidelines
presented in this document, is part of NRC’s internal control on the processing of Personal
Data.

2 Definitions

The following definitions describe key terminology related to Data Protection and will be
used in all documents related to this subject.

Personal Data
Personal Data shall mean any information relating to an identified or identifiable natural
person ('Data Subject'). An identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number, location data, online
identifier or to one or more factors specific to their physical, physiological, genetic, mental,
economic, cultural or social identity, such as, but not limited to, name, address, phone
number, e-mail, photo, IP address or title.

Special categories of Personal Data
Special categories of Personal Data are information about racial or ethnic background,
political opinion, philosophical or religious belief, health conditions, sexual orientation,
membership in trade union, genetic and biometric data.
Data relating to criminal offences and convictions may only be processed under the control
of official authority or when authorised by national law.

It is important to be aware that in complex emergencies and conflict situations any type of
Personal Data may be regarded as “sensitive”, even though it does not fall under the
definition of special categories in Personal Data legislation. This is due to the context and
to the harm that information could cause people if it fell into the wrong hands.

Processing
Processing of Personal Data (“Processing”) means any operation, or set of operations,
performed upon Personal Data, whether or not by automatic means, such as collection,
recording, organization, storage, adaptation or alteration, retrieval, consultation, use,
printing, publishing, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, blocking, erasure or destruction.

Data Subject
The individual person whose Personal Data is being processed.

Data controller
Data controller (“Controller”) shall mean the natural or legal person, public authority,
agency or any other body which alone, or jointly with others, determines the purposes and
means of the processing of Personal Data.

Data processor
Data processor (“Processor”) shall mean a natural or legal person, public authority, agency
or any other body which processes Personal Data on behalf of the data controller, including
partners, outsourcing companies, cloud storage providers, software providers (e.g. Unit4,
Telecomputing, WebCruiter, Microsoft etc.).

Consent
Consent of the Data Subject means any freely given, specific, informed and unambiguous
indication of the Data Subject's wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of Personal Data relating to him or
her. As far as possible, NRC wants the consent to be in writing.
NRC will use declarations of Consent in various contexts in which Personal Data are
processed.

Data breach
Data breach (“Data Breach”) means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal
Data transmitted, stored or otherwise processed.

3 Principles

To comply with Personal Data protection regulations, NRC shall ensure that Personal Data
is:

• Collected for specified, explicit and legitimate purposes and not further processed
in a way incompatible with those purposes;
• Processed lawfully, fairly and in a transparent manner;
• Adequate, relevant and not excessive in relation to the purposes for which they are
collected and/or further processed;
• Accurate and, where necessary, kept up to date. Every reasonable step must be
taken to ensure that data which are inaccurate or incomplete, having regard to the
purposes for which they were collected or for which they are further processed, are
erased or rectified;
• Kept in a form which permits identification of Data Subjects for no longer than is
necessary for the purposes for which the data were collected or for which they are
further processed;
• Protected against unauthorised access, loss and destruction;
• Made available to allow Data Subjects to exercise their right to access their Personal Data.

NRC shall ensure that Personal Data may be processed only if:

• The Data Subject has unambiguously given their consent; or
• Processing is necessary for the performance of a contract to which the Data Subject
is party or in order to take steps at the request of the Data Subject prior to entering
into a contract; or
• Processing is necessary for compliance with a legal obligation to which the
controller is subject; or
• Processing is necessary in order to protect the vital interests of the Data Subject; or
• Processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller or in a third
party to whom the data are disclosed; or
• Processing is necessary for the purposes of the legitimate interests pursued by the
controller or by the third party or parties to whom the data are disclosed, except
where such interests are overridden by the interests for fundamental rights and
freedoms of the Data Subject which require protection.

3.1 Obtain information fairly and lawfully
All Personal Data processed by, or on behalf of, NRC shall be collected and used fairly. The
processing of Personal Data by NRC should be within the reasonable expectation of the
Data Subjects and not have unjust adverse effects on their rights.

The processing must have a lawful basis from one of the following conditions:

1. Permitted or Required by National Law
NRC may process information about employees, consultants and private donors in
accordance with employment law, tax law, marketing laws and other national legislation.

2. Contractual necessity
NRC may process Personal Data when necessary in order to prepare for or enter into a
contract with a Data Subject.

3. Legitimate interest
NRC may process Personal Data to fulfil a legitimate interest, such as (but not limited to)
managing user accounts, distribution lists, security incidents and recruitment, and
communicating with partners, donors, suppliers and vendors.
NRC will document the legitimate interest and ensure that Personal Data is only processed
on this basis if the interest does not override the fundamental rights and freedoms of the
individual.

4. Consent
In the absence of a legal justification, a contractual relationship or a legitimate interest,
NRC shall ask for consent when processing Personal Data. The consent must be given
freely/voluntarily and in an informed manner, which means that prior to collecting Personal
Data, the Data Subject (or the guardian of the Data Subject in the case of a minor) must be
informed about their rights1.
The consent must be demonstrated by an explicit action by the Data Subject, preferably a
signature or, for electronic data collection tools, tick boxes. Oral consent is not
recommended, as NRC must be able to provide proof of having obtained informed consent if
requested by the Norwegian Data Protection Authority. If it is impossible to get verifiable
consent from the Data Subject due to emergencies or conflict situations, the NRC
representative must document how oral consent was obtained from the Data Subject. All
verifiable consent (or the NRC representative’s documentation) must always be filed for
future reference.

5. Protect the vital interest of a person
NRC can process Personal Data when it is necessary to ensure the safety and security of
the Data Subject and the person is unable to give consent due to physical or legal
incapacity.
In such cases, the NRC representative must document the reasons for processing on this
basis, so that NRC can later explain the situation to the Data Subject or the Data
Protection Authority.

1 see section 4 The rights of the Data Subjects

3.2 Purpose limitation
Personal Data processed by or on behalf of NRC can only be used for the specific,
predetermined purposes that the Data Subject has been informed of or has agreed to. The
Personal Data can only be processed in a way that is compatible with those purposes.

3.3 Data minimisation
The amount of personal information collected shall be an absolute minimum. Only data
necessary for the specific purpose can be processed, and it cannot be stored longer than is
necessary to carry out the original purpose.

The Personal Data shall be:

• adequate and relevant for the purpose of the processing;
• sufficient to carry out the purpose;
• not excessive – only the type of information that is needed to fulfil the purpose.

NRC shall make sure that any need for special categories of data2 is justified and limited to
the bare necessity.
Be aware that in some countries where NRC operates, processing special categories of
(sensitive) Personal Data might require registration with the national Data Protection
Commissioner before data collection starts.

3.4 Information quality
NRC will ensure that the Personal Data is validated against the purpose and that it is kept
up to date. NRC will take reasonable steps to ensure the accuracy of the Personal Data and
correct it if it is incorrect or misleading.

3.5 Storage limitation
NRC shall only keep Personal Data for as long as needed to fulfil the purpose or to meet
the requirements of donors or public authorities.

Personal Data shall be deleted (or, in the case of paper documents, destroyed by burning or
shredding):

• when it no longer serves the defined purpose;
• when no legal obligations or donor agreements require NRC to keep it;
• if it contains incorrect information that cannot be corrected.

2 see chapter 2 Definitions

3.6 Information security
NRC shall ensure safe storage of Personal Data. Personal Data processed by, or on behalf
of, NRC shall be kept safe from unauthorised access, loss and unintended disclosure,
changes or deletion. Security measures shall be proportionate to the above-mentioned
risks and the sensitivity of the data. This is particularly important where the processing
involves transmission of data over a network or transport outside NRC premises (both
paper documents and information residing on electronic equipment).

Where processing is carried out on NRC’s behalf, NRC must choose a Processor providing
sufficient guarantees in respect of the technical security measures and organisational
measures governing the processing to be carried out, and must ensure compliance with
those measures.

Processing carried out by a Processor must be governed by a contract or legal act binding
the Processor to NRC and stipulating in particular that the Processor shall act only on
instructions from NRC.

Examples of security measures

• Authentication with a password or equivalent on equipment and data sources
holding Personal Data;
• Multi-factor authentication to access electronic Personal Data;
• Ensure access control based on purpose specification (see Section 3.1);
• Log activities/transactions in network and data sources holding Personal Data;
• Ensure backup and test whether recovery is possible;
• Use encryption when transferring Personal Data over a network;
• Secure premises where Personal Data are stored (both electronic and physical
data) from all unauthorised access;
• Have a system in place to destroy data (electronic and physical data) in emergencies
such as evacuation of offices3.

It is the responsibility of NRC to take planned and systematic actions to ensure a
satisfactory level of information security with regard to confidentiality, integrity and
availability when processing Personal Data.

3.7 NRC’s Responsibility towards Data Protection Law
NRC shall establish and document measures to ensure compliance with this policy. This
responsibility rests with every country program, regional office and representation office
as well as Head Office.
This includes:
• at all times keeping an updated document with information about the type of Personal
Data that is being processed, the purpose and lawful basis of the processing, where
it is stored, for how long it is kept and who can access it;
• at all times keeping an updated log of Data Breaches (loss or unintentional disclosure of
Personal Data) and corrective actions, and reporting all Data Breaches to the DPO
immediately after becoming aware of the situation;
• ensuring signed data processor agreements with partners and/or suppliers that
impose the same requirements on the data processors as rest upon NRC.

3 see the NRC Start-up Handbook

4 The rights of the Data Subjects

Processing of Personal Data shall be transparent. It is the responsibility of NRC to inform
Data Subjects about the collection and use of Personal Data.
The Data Subjects have the right to be informed about:
• Who you are representing (contact details of the Data Controller);
• The purpose of the data collection: why you need to collect Personal Data;
• The lawful basis of the processing; if it is consent, inform about the right to withdraw
consent at any time;
• What type of Personal Data is needed;
• How long NRC needs to keep the data;
• If the Personal Data was obtained from a third party, who or what the source is;
• Who will have access to the Personal Data and whether it will be shared with a third party.

Access, rectification, erasure
NRC shall ensure that the Personal Data is made available to the Data Subject on request.
The identity of the person requesting Personal Data must be verified before any
information is revealed. If the Data Subject finds that the information is incorrect, it is
NRC’s responsibility to ensure that the data is corrected or, if correction is not possible,
deleted.
The Data Subject’s right to see what type of Personal Data NRC holds on them does not
include the right to see entire documents. Do not release information if this discloses
information about other individuals.
NRC will delete Personal Data according to the retention policy, or on the Data Subject’s
request, when it is no longer needed to fulfil the purpose for which it was collected.

5 When NRC is Processing data on behalf of others
Whenever NRC is engaged as an implementing partner and processes data on behalf of
others, we act as a data processor and shall ensure that there is a signed data processor
agreement4 with the data controller that specifies the requirements of the data controller.
In such cases, NRC will ensure that all NRC staff involved in the collaboration are familiar
with the terms. If a partner’s data protection policy conflicts with the NRC data protection
policy, NRC shall always comply with the most privacy-friendly regulation.
Example: collecting beneficiary registration data on behalf of UNHCR.

6 When publishing pictures of individual persons

An important task of NRC is to advocate for people whose rights and interests are violated.
A powerful tool in this work is to publish stories and photos of individuals and groups of
people.
An image is regarded as Personal Data when it identifies an individual, and the general rule
is that informed consent is required. Photos showing a group of people where the
situation, activity or event is the subject of the photo can be published without consent as
long as the pictures are harmless and in no way offensive to those portrayed5. However,
the rules for information quality and security still apply.
When in doubt, consider the following:

• Is it ethically correct to publish the picture?
• Does the image display an assembly of people in the open air or events that are of
general interest?
• Is there potential for the image to later cause harm to the personal safety,
dignity, and physical or psychological well-being of the individual(s) in the photo?
• Section 5 in the NRC Code of Conduct:
“I will ensure that portrayal of individuals and their circumstances is fairly represented in
terms of their capacities and vulnerabilities. All efforts must be made to explain how
photos and stories will be used and to obtain permission from the individuals for the use
of their photos and stories.”

Still in doubt? Ask for informed consent or refrain from publishing the image.

4 See the Data Processor Agreement Template
5 see also the NRC Global Communication Policy

7 Questions related to NRC’s data protection policy?
If you have any questions or issues related to NRC’s data protection policy, please don’t
hesitate to contact:
Norwegian Refugee Council – NRC
Email: [email protected]
Telephone number: +47 23 10 98 00 (Switchboard)
