NRC Data Protection Policy
LAST UPDATED DECEMBER 2018
Table of Contents
- The Rights of the Data Subjects
- When NRC is Processing Data on Behalf of Others
- When Publishing Pictures of Individual Persons
- Questions Related to NRC`s Data Protection Policy?
NRC helps people fleeing from conflict and disasters in countries worldwide. To provide
adequate assistance, NRC must collect information, including Personal Data. NRC
processes Personal Data to fulfil obligations towards beneficiaries, employees, public
authorities, donors, partners and other stakeholders.
The NRC Data Protection policy establishes the organisation’s standard on how to protect the privacy of the individuals whose data is processed in line with applicable legislation and humanitarian principles such as the following:
NRC vision: Rights respected People protected
NRC Mission statement: NRC works to protect the rights of displaced and vulnerable persons during crisis.
Sphere protection principle: Avoid exposing people to further harm as a result of your actions.
Art. 12 Universal Declaration of Human rights:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.
Art. 8 Charter of Fundamental Rights of the European Union: Everyone has the right to the protection of personal data concerning him or her.
NRC staff, partners or suppliers processing Personal Data on behalf of NRC must do this in accordance with the EU General Data Protection Regulation 2016/679 - GDPR (NRC is a Norwegian based organisation, subjected to GDPR) and data protection legislation that is relevant in the country in which the processing (as defined below) of Personal Data takes place. This applies both to Personal Data stored on electronic format and in a paper archive. When GDPR, local legislation or donor requirements conflicts, NRC shall always comply with whichever offers the highest level of privacy protection.
Other legislation, such as tax and employment and labour laws might also be relevant for how and what type of Personal Data regarding employees NRC may process.
The NRC Code of Conduct set out how NRC staff act and handle sensitive and confidential information. The privacy of all persons whose data is being processed by NRC shall be safeguarded in accordance to this policy. This policy, together with principles and guidelines presented in this document, is part of NRC’s internal control on processing of Personal Data.
The following definitions describe key terminology related to Data Protection and will be
used in all documents related to this subject.
Personal Data shall mean any information relating to an identified or identifiable natural person ('Data Subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity, such as but not limited to, name, address, phone number, e-mail, photo, IP address, title etc.
Special categories of Personal Data
Special categories of Personal Data are information about racial or ethnic background, political opinion, philosophical or religious belief, health conditions, sexual orientation, membership in trade union, genetic and biometric data.
Data relating to criminal offences and convictions may only be processed under the control of official authority or when authorised by national law.
It is important to be aware that in complex emergencies and conflict situations any type of Personal Data may be regarded as “sensitive”, even though it does not fall under the definition of special categories in Personal Data legislation. This is due to context and what (harm) that information could bring to people in case it should fall in the wrong hands.
Processing of Personal Data (“Processing”) means any operation, or set of operations, performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, printing, publishing, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
The individual person whose Personal Data is being processed.
Data controller (“Controller”) shall mean the natural or legal person, public authority, agency or any other body which alone, or jointly with others, determines the purposes and means of the processing of Personal Data.
Data processor (“Processor”) shall mean a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the data controller, including partners, outsourcing companies, cloud storage providers, software providers (e.g. Unit4, Telecomputing, WebCruiter, Microsoft etc.).
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her. As far as possible, NRC wants the consent to be in writing. NRC will use declarations of Consent in various contexts in which Personal Data are processed.
Data breach (“Data Breach”) means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
To comply with Personal Data protection regulations, NRC shall ensure that Personal Data
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- Processed lawfully, fairly and in a transparent manner;
- Adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
- Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
- Protected against unauthorised access, loss and destruction
- Made available to allow Data Subjects’ right to access their Personal Data;
- The Data Subject has unambiguously given their consent; or
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; or
- Processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Processing is necessary in order to protect the vital interests of the Data Subject; or
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the Data Subject which require protection.
3.1 Obtain information fairly and lawfully
All Personal Data processed by, or on behalf of, NRC shall be collected and used fairly. The
processing of Personal Data by NRC should be within the reasonable expectation of the
Data Subjects and not have unjust adverse effects on his or her rights.
The processing must have a lawful basis from one of the following conditions:
- Permitted or Required by National Law
NRC may process information about employees and consultants and private donors in accordance with employment law, tax law, marketing laws and other national legislation.
- Contractual necessity
NRC may process Personal Data when necessary in order to prepare for or enter into a contract with a Data Subject.
- Legitimate interest
NRC may process Personal Data to fulfil a legitimate interest such as (but not limited to); manage user accounts, distribution lists, security incidents, recruitment, communication with partners, donors, suppliers and vendors. NRC will document the legitimate interest and ensure that Personal Data is only processed based on legitimate interest if it does not override the fundamental rights and freedoms of the individual.
In absence of legal justifications, contractual relationship or legitimate interest, NRC shall ask for consent when processing Personal Data. The consent must be given freely/voluntarily and in an informed manner, which means that prior to collecting Personal Data, the Data Subject (or the guardian of the Data Subject in case of a minor) must be informed about their rights.
The consent must be displayed by an explicit action by the Data Subject preferably by signature or use of tick boxes for electronic data collection tools. Oral consent is not recommended as NRC must be able to provide proof of having obtained informed consent if requested by the Norwegian Data Protection Authority. If it is impossible to get verifiable consent from the Data Subject, due to emergencies or conflict situations, the NRC representative must document how oral consent was obtained from the Data Subject. All verifiable consent (or the NRC representative’s documentation) must always be filed for future reference.
- Protect the vital interest of a person
NRC can process Personal Data when it is necessary to ensure the safety and security of the Data Subject, and the person is unable to give consent due to physical or legal incapability.
In such case, the NRC`s representative must write down/document the reasons for processing on this basis, so that NRC can be able to explain the situation later for the Data Subject or the Data Protection Authority.
3.2 Purpose limitation
Personal Data processed by or on behalf of NRC can only be used for informed/agreed
specific and predetermined purposes. The Personal Data can only be processed in a way
that is compatible with those purposes.
3.3 Data minimisation
The amount of personal information collected shall be an absolute minimum. Only data
necessary for the specific purpose can be processed and it cannot be stored longer than is
necessary to carry out the original purpose.
The Personal Data shall be:
- adequate and relevant for the purpose of the processing;
- sufficient to carry out the purpose
- not excessive – only the type of information that is needed to fulfil the purpose;
NRC shall make sure that any need for special categories of data is justified and limited to the bare necessity.
Be aware that in some countries where NRC operates, processing special categories of (sensitive) Personal Data might require to register with the national Data Protection Commissioner (before data collection starts).
3.4 Information quality
NRC will ensure that the Personal Data is validated against the purpose and that it is kept up to date. NRC will take reasonable steps to ensure the accuracy of the Personal Data and keep them updated if incorrect or misleading.
3.5 Storage limitationNRC shall only keep Personal Data for as long as needed to fulfil the purpose, requirements by donors or public authority.
Personal Data shall be deleted (or in the case of paper documents destroyed via burning or shredding):
- when it no longer serves the defined purpose;
- when no legal obligations or donor agreements require NRC to keep it;
- if it contains incorrect information that cannot be corrected.
3.6 Information security
NRC shall ensure safe storage of personal data. Personal data processed by, or on behalf
of NRC, shall be kept safe from unauthorized access, loss and unintended disclosure,
changes or deletion. Security measures shall be proportionate to the above mentioned
risks and the sensitivity of the data. This is particularly important where the processing
involves transmission of data over a network or transported outside NRC premises (both
paper documents and information residing on electronic equipment).
Where processing is carried out on NRC’s behalf, NRC must choose a Processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
The carrying out of processing by way of a Processor, must be governed by a contract or legal act, binding the Processor to NRC and stipulating in particular that the Processor shall act only on instructions from NRC.
Examples of security measures
- Authentication with a password or equivalent on equipment and data sources holding Personal Data;
- Multi-factor authentication to access electronic Personal Data;
- Ensure access control based on purpose specification (see Section 3.1);
- Log activities/transactions in network and data sources holding Personal Data;
- Ensure backup and test if recovery is possible;
- Use encryption when transferring Personal Data over a network;
- Secure premises where Personal Data are stored (both electronic and physical data) from all unauthorised access;
- Have system in place to destroy data (electronic and physical data) in emergencies such as evacuation of offices3.
3.7 NRC’s Responsibility towards Data Protection Law
NRC shall establish and document measures to ensure compliance with this policy. This
responsibility rests with every country program, regional office, representation office as
as Head Office.
- at all times keep an updated document with information about the type of Personal Data that is being processed, the purpose and lawful basis of the processing, where it is stored, for how long it is kept and who can access it;
- at all times keep updated log on Data Breaches (loss or unintentional disclosure of Personal Data) and corrective actions. Report all Data Breaches to the DPO immediately after being aware of the situation;
- ensure signed data processer agreements with partners and/or suppliers that impose the same requirements on the data processors as resting upon NRC.
4 The Rights of the Data Subjects
Processing of personal data shall be transparent. It is the responsibility of NRC to inform
Data Subject about the collection and use of Personal Data.
The Data Subjects have the right to be informed about:
- Who you are representing (contact details of the Data Controller);
- The purpose of the data collection. Why you need to collect personal data;
- The lawful basis of the processing. If it is consent, inform about the right to withdraw consent at any time;
- What type of Personal Data is needed;
- How long do we need to keep the data;
- If the Personal Data was obtained from a third party, who or what was is the source;
- Who will have access to the Personal Data and if it will be shared with a third party
NRC shall ensure that the Personal Data is made available to the Data Subject on request.
The identity of the person requesting Personal Data must be determined before any information is revealed. If the Data Subject finds that the information is incorrect, it is NRC’s responsibility to ensure that the data is corrected or deleted, if correction is not possible.
The Data Subject’s right to see what type of Personal Data NRC holds on them does not include the right to see entire documents. Do not release information if this discloses information about other individuals.
NRC will delete Personal Data according to the retention policy or on Data Subjects request when it is no longer needed to fulfil the purpose for which it was collected.
5 When NRC is Processing Data on Behalf of Others
Whenever NRC is engaged as an implementing partner and processes data on behalf of
others, we act as a data processor and shall ensure that there is a signed data processor
agreement4 with the data controller that specifies the requirements of the data controller.
In such case, NRC will ensure that every NRC staff involved in the collaboration are
with the terms. If a Partner data protection policy is in conflict with the NRC data
policy, NRC shall always comply with the most privacy-friendly regulation.
Example: collecting beneficiary registration data on behalf of UNHCR.
6 When Publishing Pictures of Individual Persons
An important task of NRC is to advocate for people whose rights and interest are violated. A
powerful tool in this work is to publish stories and photos of individuals and groups of
An image is regarded as Personal Data when it identifies an individual and the general rule is that an informed consent is required. Photos showing a group of people where the situation, activity or event is the subject of the photo, can be published without consent as long as the pictures are harmless and in no way are offensive to those portrayed5. However, the rules for information quality and security still apply.
When in doubt, consider the following:
- Is it ethically correct to publish the picture?
- Does the image display an assembly of people in the open air or events that are of general interest?
- Is there potential for the image to later present harm to the personal safety, dignity, and physical or psychological well-being of the individual(s) in the photo?
- Section 5 in the NRC Code of Conduct: “I will ensure that portrayal of individuals and their circumstances is fairly represented in terms of their capacities and vulnerabilities. All efforts must be made to explain how photos and stories will be used and to obtain permission from the individuals for the use of their photos and stories“
Still in doubt? Ask for informed consent or refrain from publishing the image.
7 Questions Related to NRC's Data Protection Policy?
If you have any questions or issues related to NRC`s data protection policy, please don`t
hesitate to contact:
Norwegian Refugee Council – NRC
Telephone number: +47 23 10 98 00 (Switchboard)