In today’s age of information, data protection has become a concern for us all. Anyone who has used Google, sent an email or shown their passport at a border control has their personal data stored online, building a digital shadow of our daily lives. Data protection is becoming increasingly crucial–but even more so for refugees. Forced to flee persecution, refugees remain vulnerable targets throughout their journeys.

As the EU’s new General Data Protection Regulation (GDPR) nears implementation, humanitarian agencies need to reconsider how to process and securitise the data of vulnerable people they work with. This scramble to get up to speed with data protection regulation draws attention to an overlooked issue: refugee data. A recent internal audit at the UN’s World Food Programme highlighted the organisation’s lack of data protection safeguards, stressing the need for “major improvements”.

The outbreak of the refugee crisis in early 2015 has made the issue all the more pressing. Millions of refugees traveling across Africa, the Middle East and Europe have had their personal information digitally collected and processed many times over by humanitarian agencies. From refugee camps, to processing centres, NGO offices, and humanitarian programs–the registration of those assisted is common practice.

If retrieved by a government or a group wishing them harm, this data could put countless individuals and their families in harm’s way. A simple hack could give authoritarian regimes access to the contents of asylum applications, facilitating the identification of a persecuted group, and putting unsuccessful asylum seekers at further risk of harm.

Data leaks may also pose further risks to refugees within their new host countries. Andy Elvin chief executive of Tact, a foster care organisation for underage asylum-seekers, explained that asylum seekers in the UK were being increasingly harassed and victimised as a result of their asylum status. A recent case of a 17-year-old Kurdish Iranian asylum-seeker beaten unconscious in South London illustrates the very problem. Falling into the hands of xenophobic groups, personal information of refugees or asylum seekers could represent a disastrous threat to their safety and wellbeing.

The basis of a refugee’s right to privacy and data protection is found in international human rights law. Article 12 of the Universal Declaration of Human Rights guarantees a refugee’s right to protection from any arbitrary interference with their privacy. It is the duty of those collecting the personal information of refugees to ensure their protection. The digitalisation of personal information, however, has made it difficult for agencies to ensure their complete security.

The UN has been using biometrics to process refugees since 2002, outlining that it makes refugee registration more efficient, accurate and ‘dignified’, while facilitating fraud detection. The case for using biometrics is strong as it optimises identity processing and verification. But there are undeniable issues with the use of this technology.

For one, the use of biometrics can sometimes delay or complicate asylum claims. When Raddington Report spoke with Renata Avila, the World Wide Web Foundation’s Senior Digital Rights Advisor, she explained that “technology should be a tool of empowerment and agency for the most vulnerable populations. Unfortunately, many refugees fear that their biometric data will be used to further restrict their rights — for instance, placing them in age or ethnic categories that do not get priority”.

The UNHCR recognises that a heightened refugee data protection system is required. Although some organisations, namely the International Organisation for Migration, have acted fast with internal restructuring, most organisations still lag behind.

For instance, in 2013, the International Committee of the Red Cross (ICRC) reviewed its Professional Standards for Protection Work guidelines in an attempt to improve systems for managing sensitive information. But the changes failed to trigger real change. Reports in November unsurprisingly revealed that Red Rose, a popular online system for handling aid distribution used by the ICRC, had important security problems, leaving it prone to hacks.

Appreciating the magnitude of the issue, the UNHCR published a new policy in May 2015 on ‘The Protection of Personal Data and Persons of Concern to UNHCR’. The policy directly addressed the issue of data protection for refugees, outlining the obligations, rights and measures around the collection of personal data. But while this was an important step in tackling the issue of refugee protection, it still fails to embody a comprehensive solution.

The realities of humanitarian work reveal that organisations like the UN must often bend to the will of their host states, as the government’s say supersedes any humanitarian demands. Governments could then force organisations to share their collected data as a conditionality to their operations–but is this really a possibility?

The UNHCR’s policy remains unclear on what is perhaps the most important issue regarding data protection: access of third party organisations. From setting up campsites to organising transport and supplies, the UN does not operate alone–it has several established partnerships with both NGOs and big corporations like Microsoft. By failing to outline the restrictions that apply to third parties, the current policy provides a dangerous loophole for these third parties to share and process data in insecure ways. This undercuts much of the purpose of the policy, reducing it to something more akin to a statement of intent, rather than real structural change.

In essence, new measures taken by humanitarian agencies fall short in recognising data protection as a human right, evident through their activities and operations. As Renata Avila accurately pointed out: “improvement of aid delivery and efficiency is certainly compatible with the respect of fundamental rights, and privacy and data protection should be guiding principles for the aid community. At the end of the day, it is a matter of dignity”.

About the author

LUCIEN BEGAULT is a Staff Writer at Raddington Report. His areas of interest cover contemporary Middle Eastern politics, British politics, development, security and culture.