HOME   Home

Data protection standards for NGO service providers

The purpose of the draft standards is to provide guidance to anti-trafficking NGOs, including counselling centres to protect privacy rights of trafficked persons.

It aims at setting a framework of action to evaluate, monitor and initiate data protection impacts in the daily counselling work as well as to assist establishing a long-term data protection strategy in anti-trafficking action by NGOs. The draft standards are a ‘living document’ and open for feedback by practitioners.

Standards as PDF >

1.   Basic principles of data collection for (NGO) service providers at initial counselling/ ‘identification’

  • The collection of trafficked persons’ personal data should be minimised to the absolute necessary limit. The purpose of data collection should be deliberated and harmonised with existing European and national data protection provisions.
  • Personal data that were collected for specific internal purposes should not be stored for any other purposes nor shared with external or other third parties. (‘what is nice to have is not necessarily legitimate to have’)
  • Indicators should be elaborated in cooperation with NGO service providers defining access to counselling centres for presumed trafficked persons.
  • These indicators should neither overrule nor replace individual decisions of counsellors to accept presumed victims to support structures. The indicators are intended for the support of daily counselling practice.
  • Presumed trafficked persons should have a low-threshold access to anonymous counselling. It is of paramount importance to establish a first contact with the presumed trafficked person in order to provide him/her with basic guidance to the possible next steps.
  • There is a need to establish reflection periods of at least three months in order to sustainably enable the presumed trafficked person to act in his/her best interest. The reflection period should aim at providing a safe space and sufficient time for presumed so that they may consider their options and make informed decisions. This reflection period should be granted irrespective of their willingness to cooperate with law enforcement authorities.

 2.   Data protection and data collection for (NGO) service providers during comprehensive counselling

  • NGOs should advocate and monitor that data collection of victims’ personal data by governmental/intergovernmental organisations will be reduced to the absolute minimum.
  • Personal data should be encoded with an acronym or identification code by the NGO service providers.
  • NGOs should develop and install secure soft- and hardware for their case management system with the support of ICT data protection experts. Cloud computing and data storage services, and remote access to client data should be avoided.
  • All cooperation with authorities or third parties should be based on the agreement that all data used be strictly anonymised data.
  • NGO service providers should obtain the right to refuse to provide client information or other evidence to judicial authorities.[1]
  • Internal consultations on cases should be verbal and written documentation should be discouraged.
  • The purpose of collecting and storing the trafficked person’s personal data should be clearly defined, including timeframes for retention and the date of termination of stored personal data.
  • Only designated staff members should have access to the files containing personal data of trafficked persons.
  • All data collection efforts should be based on data protection methods, such as ‘Privacy by Design’[2] and ‘Privacy Impact Assessments’[3].

3.   Information on data protection for trafficked persons by service providers

  • Legal rights for presumed trafficked persons as data subjects should be an integrated part of standard counselling.
  • Presumed trafficked persons should be informed at all stages about the use and storage of data related to their respective case.
  • Presumed trafficked persons should give their informed written consent before collecting their personal data.
  • NGO service providers should assign a staff member to be the contact person for trafficked persons in the event they want to withdraw their consent, or to access or rectify their data.

4.   Data protection and return/social inclusion

  • Any transfer of trafficked persons’ personal data across national borders should be avoided.
  • It should be secured by all stakeholders that identities of trafficked persons can not be traced during and after return and inclusion procedures.

5.   National Reporting and/or Equivalent Mechanisms (NREM)

  • The NREM should guarantee data protection standards and must secure the rights of the data subjects.
  • The protection of the trafficked persons’ privacy should be at the core of all data collection measures.
  • All data collection efforts should be based on data protection methods, such as ‘Privacy by Design’[4] and ‘Privacy Impact Assessments’[5].
  • NGO counselling centres should not be forced to provide data of their clients to governmental stakeholders or any other third party.
  • The mandate and purpose of the NREM should be based on clear cooperation standards between NGO counselling centres and the NREM.
  • NGO counselling centres should act as an autonomous stakeholder and must not be used as a data providing agency by respective governmental and intergovernmental stakeholders.
  • NGO counselling centres should be trained by IT data protection experts to fully control their technical equipment and data base and to prevent unauthorised access by third parties.
  • The NREM should have an independent status. This refers not only to be independent from the current governmental administration but also from not being influenced inter-organisational mandates and/or conflict of interests.
  • The NREM should be monitored regularly by the National Data Protection Authority and National Human Rights Institution.
  • The NREM should not have an operational role in the respective National Referral Mechanism[6].
  • The NREM should collect data in a broader context than solely trafficking in human beings by including frameworks such as economic orders, exclusion, racism, border controls, de-regulation of labour etc.



[1] OSCE NRM

[2]Privacy by Designmeans building in privacy right up front, directly into the design specifications and architecture of new systems and processes.

[3]A Privacy Impact Assessment (PIA) is one of many tools used to help organisations ensure that the choices made in the design of a system or process meet the  privacy needs of that system, typically by way of a directed set of questions, based on privacy requirements.

 

[4] Privacy by Design means building in privacy right up front, directly into the design specifications and architecture of new systems and processes.

[5] A Privacy Impact Assessment (PIA) is one of many tools used to help organisations ensure that the choices made in the design of a system or process meet the  privacy needs of that system, typically by way of a directed set of questions, based on privacy requirements.

[6] „A National Referral Mechanism (NRM) is a co-operative e framework through which state actors fulfil their obligations to protect and promote the human rights of trafficked persons, co-ordinating their efforts in a strategic partnership with civil society. The basic aims of an NRM are to ensure that the human rights of trafficked persons are respected and to provide an effective way to refer victims of trafficking to services. In addition, NRMs can work to help improve national policy and procedures on a broad range of victim-related issues such as residence and repatriation regulations, victim compensation, and witness protection. NRMs can establish national plans of action and can set benchmarks to assess whether goals are being met.” (OSCE: National Referral Mechanisms – Joining efforts to protect the rights of trafficked persons, Warsaw, 2004, p. 15)

 

 

© KOK- German NGO network against trafficking in human beings