Principles on Personal Data Protection and Privacy
INTRODUCTION: PURPOSE AND SCOPE
Purpose: These principles (the “Principles”) set out a basic framework for the processing of “personal data”, which is defined as information relating to an identified or identifiable natural person (“data subject”), by, or on behalf of, the United Nations System Organizations in carrying out their mandated activities.
These Principles aim to:
(i) harmonize standards for the protection of personal data across the United Nations System Organizations;
(ii) facilitate the accountable processing of personal data for the purposes of implementing the mandates of the United Nations System Organizations; and
(iii) ensure respect for the human rights and fundamental freedoms of individuals, in particular the right to privacy.
Scope: These Principles apply to personal data, contained in any form, and processed in any manner.
The United Nations System Organizations are encouraged to adhere to these Principles and may issue detailed operational policies and guidelines on the processing of personal data in line with these Principles and each Organization’s mandate.
Personal data should be processed in a non-discriminatory, gender sensitive manner.
Where appropriate, these Principles may also be used as a benchmark for the processing of non-personal data, in a sensitive context that may put certain individuals or groups of individuals at risk of harms.
United Nations System Organizations should exercise caution when processing any data pertaining to vulnerable or marginalized individuals and groups of individuals, including children.
In adherence with these Principles, the United Nations System Organizations should conduct risk-benefit assessments or equivalent assessments throughout the personal data processing cycle.
Implementation of these Principles is without prejudice to the privileges and immunities of the relevant United Nations System Organizations concerned.
FAIR AND LEGITIMATE PROCESSING
The United Nations System Organizations should process personal data in a fair manner, in accordance with their mandates and governing instruments and on the basis of any of the following:
(i) the consent of the data subject;
(ii) the best interests of the data subject, consistent with the mandates of the United Nations System Organization concerned;
(iii) the mandates and governing instruments of the United Nations System Organization concerned; or
(iv) any other legal basis specifically identified by the United Nations System Organization concerned.
Personal data should be processed for specified purposes, which are consistent with the mandates of the United Nations System Organization concerned and take into account the balancing of relevant rights, freedoms and interests. Personal data should not be processed in ways that are incompatible with such purposes.
PROPORTIONALITY AND NECESSITY
The processing of personal data should be relevant, limited and adequate to what is necessary in relation to the specified purposes of personal data processing.
Personal data should only be retained for the time that is necessary for the specified purposes.
Personal data should be accurate and, where necessary, up to date to fulfill the specified purposes.
Personal data should be processed with due regard to confidentiality.
Appropriate organizational, administrative, physical and technical safeguards and procedures should be implemented to protect the security of personal data, including against or from unauthorized or accidental access, damage, loss or other risks presented by data processing.
Processing of personal data should be carried out with transparency to the data subjects, as appropriate and whenever possible. This should include, for example, provision of information about the processing of their personal data as well as information on how to request access, verification, rectification, and/or deletion of that personal data, insofar as the specified purpose for which personal data is processed is not frustrated.
In carrying out its mandated activities, a United Nations System Organization may transfer personal data to a third party, provided that, under the circumstances, the United Nations System Organization satisfies itself that the third party affords appropriate protection for the personal data.
United Nations System Organizations should have adequate policies and mechanisms in place to adhere to these Principles.