or any other means of communication, or when using
information already available on the Internet.
open call for information
Protection actors should ensure that individuals have access to enough information on the purpose of the data collection and the way in which the information they send will be managed and disclosed. This is necessary in order to consider that when sending information, those who did so have given their informed consent to the disclosure of the data.
It is important that both the risks and the precautions taken are explained, in an understandable manner, to those who wish to send information. Whether all or only part of the information is publicly available and whether it can be traced to them should also be clarified. Who can have access to the information that is not made public but shared within a more restricted circle should also be specified. If so, would this circle include national human rights commissions, or National Red Cross/Red Crescent Societies? Does it include UN peacekeeping operations or other internationally-mandated military and police forces in countries where they are deployed? What controls will be put on access to the information, for what period of time will it normally be held and actively used? Is the information going to remain accessible for years or will it be deleted after some time? Finally, those providing information should also know whether they will be able to re-access the information they have sent to correct or delete it. Of course, once information is published online, it can be copied (“scrapped”) by an unlimited number of websites. This information can then be modified, commented, aggregated with other information, taken out of context and therefore transformed into something completely different. It is therefore difficult, if not impossible, to ensure that information published online will be used for the purpose for which it was originally collected, and that it can be modified or deleted according to the wishes or the best interest of the person concerned. Those who send information must be duly informed and understand this.
If part of the information is not made public but only shared with selected organizations, then the standards on cooperation and exchange presented at the end of this chapter must be respected. It is especially important that before sharing data, the organization collecting the data remains responsible for ensuring that each of its partners has the will and capacity to respect data protection standards.
Professional standards for Protection Work
crowdsourcing and crisis mapping platforms
There are thousands of different crowdsourcing and crisis mapping projects accessible on the Internet, or off line. Only a small number contain what could be considered sensitive protection information. Nevertheless, since 2008 there has been a tendency to turn to crowdsourcing to monitor trends of incidents and abuses in emerging crises.
Whereas the first exercises were conducted without clear procedures to assess and to subsequently limit the risks faced by individuals who participated or who were named, the groups engaged in crisis mapping efforts over the years have become increasingly sensitive to the need to identify and manage these risks. Among others, the need to pay special attention to the protection of minors sending information, or being named or located in information received, is largely acknowledged. Taking into account the necessary precautions in the designing of
platforms inviting the public to submit information has rendered these platforms more complex to manage. There is no exhaustive methodology for doing so. The commentary in these standards outlines some of the key elements protection actors should take into account to integrate the notion of informed consent in the best possible way.
using information on the Internet coming from different online sources
In addition to the option of launching a website with an open call for information as described in Standard 40, protection actors may also trawl the Internet in search of relevant information. They can do so by copying data publicly available on the Internet (from tweets, social networks, other websites), or get non-public data that has been collected online by other actors/websites following an agreement with them.
It is often very difficult or even impossible to identify the original source of the information found on the Internet and to ascertain whether the information obtained has been collected fairly/lawfully with the informed consent of the persons to whom this data relates. In other words, personal data accessible on the Internet is not always there as a result of a conscious choice of the individuals concerned to share information in the public domain.
The fact that information is retrievable does not mean that it was necessarily meant to be “public” in the first place, and that it can be posted on a protection actor’s web page without the necessary precautions. One has the duty to verify the consent of the person whose data is to be used. When such consent cannot be realistically obtained, information allowing the identification of victims or witnesses, should only be relayed in the public domain if the expected
97 mAnAGInG SEnSItIVE protEctIon InFormAtIon