It’s not just privacy regulators and businesses that play an important role in privacy and data protection. Intergovernmental organisations (IGOs) also make an important contribution through their information handling rules, policies or practices.

IGOs have influence because their data handling standards are usually expected to be implemented at a domestic level by the sovereign states that are members of these organisations, or that work with them. In addition, IGOs often handle some personal information themselves. Two examples of IGOs with far reaching influence are Interpol and the United Nations.

While many specialist privacy committees within IGOs are leaders in developing sets of best practice privacy principles and frameworks, their parent organisations have a rather mixed record of carrying those principles forward into their general policy or administrative work.

As a result, privacy commissioners working collectively at global level called upon IGOs to formally commit to abide by principles that are compatible with principal international instruments dealing with privacy. More particularly, privacy commissioners are seeking the following undertakings:

• IGOs that hold or process personal information should establish appropriate mechanisms to ensure compliance with applicable data protection principles, such as the establishment of internal but operationally independent supervisory authorities with control powers; and
• IGOs with a role in promulgating standards or rules that affect personal data handling at domestic level to develop should adopt suitable mechanisms to ensure that data protection considerations are effectively taken into account, such as the use of privacy impact assessments and consultation with recognised data protection authorities.

A number of IGOs have taken privacy seriously for many years and established organisational privacy rules and internal oversight and control measures. A long-standing example is Interpol’s independent monitoring body, the Commission for the Control of Interpol's Files, which was set up in 1982. A more recent example, which built on many years of privacy work, was the creation in 2015 of the Data Protection Office within the international humanitarian organisation, the International Committee of the Red Cross.

It is also pleasing to be able briefly to report upon two significant recent efforts within United Nations institutions.

UN developments

The first is within the UN’s Global Pulse. This is the UN’s programme that seeks to harness big data for development and humanitarian action. Global Pulse is an initiative that explores how new, digital data sources and real-time analytics technologies can provide a better understanding of changes in human well-being and emerging vulnerabilities.

There are legitimate concerns about privacy that present challenges to harnessing big data sets for public benefit. Accordingly, the programme has adopted a set of 10 privacy principles and integrates these into the programme by use of privacy impact assessment.

The second example involves the UN High Commissioner for Refugees (UNHCR). In May 2015, the UNHCR published its policy on the protection of personal data of persons of concern to UNHCR. The position of a data protection officer at UNHCR headquarters was also established to monitor compliance with the policy, provide advice and annually report to the assistant high commissioner for protection.

The UNHCR’s important mission in working for millions of refugees and with thousands of other organisations active in the field means that UNHCR internal standards will inevitably also have an external impact. More information about this development is available in a blog post by Alexander Beck and Christopher Kuner entitled Data Protection in International Organisations and the New UNHCR Data Protection Policy: Light at the End of the Tunnel? 

International