 Happy Data Protection Day, everyone. Greetings from Geneva. My name is Christina Vasalaco-Kinaike, and I'm a senior legal officer with the International Organization for Migration. I'm delighted to be with you here today to moderate this virtual panel discussion on the topic of data protection and privacy within UN system organizations. As you already know, we have gathered five lawyers and data protection experts from different UN entities, and they are really eager to come here and join us in the virtual room so that they can share with you all the information that they can about their data protection-related work, delve into the challenges they're facing, and maybe some opportunities for the future. Before, though, I ask them to join us. I would like to give the virtual floor to IOM's deputy director general, Amy Pope, who would also like to welcome you to this event, but also share some initial thoughts about today's event. Good morning, good afternoon, and good evening to everyone joining us from different corners of the world today. I am very happy to welcome you all on behalf of IOM to this virtual panel discussion on data protection and privacy within UN system organizations. We are very pleased to be hosting this event as part of Data Protection Day 2022. Data Protection Day or Data Privacy Day, as it's sometimes called outside of Europe, has been taking place every year across the world on the 28th of January, since it was first initiated in Europe in April, 2006, by the Committee of Ministers of the Council of Europe. It corresponds to the anniversary of the opening for signature of the Council of Europe's Convention 108 for the protection of individuals with regard to the automatic processing of personal data, which has been for over 30 years, a cornerstone of data protection in Europe and beyond. At IOM, we've marked this day by organizing various events and activities with the goal of raising awareness both among our staff and beyond about data protection and privacy rights. The right to privacy is a universal human right. Its universality means it is equally applicable to those who live in peace and prosperity, as well as those who are vulnerable. Privacy enables the enjoyment of other rights, the free development and expression of an individual's personality, identity and beliefs and their ability to participate in their community's life. While data is important to understand migration, collecting, sharing and processing data can pose risks associated with the right to privacy of data subjects if we don't have the appropriate safeguards in place. Thus, it's important to use the best resources available to enable informed migration policy while still securing fundamental privacy rights and safety of data subjects. Ultimately, protecting personal data means protecting the people to whom this data belongs. It's often overlooked and it does not solely apply to particularly vulnerable groups that we work with such as victims of trafficking, but all human beings. But these concepts are not mutually exclusive. To find out how different UN organizations are handling the various challenges linked to data protection and privacy, we have brought together five knowledgeable experts from the United Nations in Geneva, Vienna and New York to share with us their experience. I have no doubt our virtual audience, including me, will enjoy what promises to be an enriching and fruitful discussion. So I thank you very much for being part of this conversation today. And I thank you for your work going forward. Thank you, Deputy Director General. It is indeed very important to keep in mind that data protection derives from the right to privacy, which is mentioned in the Universal Declaration of Human Rights, which was adopted by the United Nations General Assembly in 1948. And another very important point that you made is how protecting data is truly about protecting people. When we talk about protecting data is not about protecting in a way impersonal numbers but it is about human beings. So I'm very glad to see that our panelists have joined us in the virtual room just now. I would just like to make two quick points before I introduce them to you. So first of all, very briefly to explain why is IOM organizing this panel discussion today. So we are in January 2022, Data Protection Day. And it has been a bit over three years since the UN system organizations adopted the UN Data Protection and Privacy Principles in 2018. So I think since more than three years have passed, it's a good time to take stock about what has happened during this time and what are the plans of UN system organizations for the future. And one quick clarification here would be to say that the focus of the discussion will really be on the internal policies and procedures of UN system organizations. And my second point would simply be to tell you that in the next hour or so what we aim to accomplish would be to truly delve into the world of data protection within the UN to look into the challenges and identify opportunities. So with this in mind, I would like to start introducing our panel. So I would like to introduce to you Giovanna Bollieu who is a senior legal officer with the ILO. We also have with us Isabel Robin who is a legal officer with the International Atomic Energy Agency. And also Mila Romanov who is a data policy and governance lead as well as a privacy specialist with the UN Global Pulse. We also have with us Christine Adam from IOM as well, Deputy Legal Counsel. And last but not least Francesco Messineo who is a legal officer with the UN Secretariat. So again, very happy to have all those experts with us here today. And to really kickstart the discussion, I would like to ask Mila who had quite a central role back in 2018 when the UN data protection and privacy principles were adopted to maybe explain this story to us. How was the idea, how did this idea come about to adopt those principles? What led to their adoption? And why are they important? Thank you very much, Christina. And they pleased to be here today and speaking on such an important topic. Sure, so a Global Pulse was a special initiative of the UN Secretary General since its inception in 2008 in response to the economic crisis with dealing a lot at that point with data and primarily with the new sources of data. Through our work, we've been working a lot or engaging a lot with various United Nations organizations. And we noticed that there is definitely a lack of common principles and common practices of how first of all we are working with each other and how we are sharing data between the UN organizations. But also we realized that it affects primarily our work with non-UN entities. And as the legislation has started to come up in various countries and parts of the world, we realized together with the entire UN system organizations that we do need to have a common standard that we could apply while working with each other. So in 2016, we have established the United Nations Privacy Policy Group with the sole goal of simply exchanging best practices between each other. And fast forward into 2018 as more and more data protection legislation has been adopted around the world and also increasing our work with the Global Privacy Assembly, which is the International Forum of Data Privacy and Data Protection Commissioners, we realized that we need to come together and produce a document, an instrument that would help us in a formal way work on data protection and increase data flows and ensure protection of that data. So many organizations and then at the end of all of the organization of the United Nations system has joined this wonderful effort. And over the course of about a year and a half or two years, I would say we've reached a consensus through multiple negotiations to adopt the principles on the protection of personal data and privacy in 2018. The principles were adopted by, adopted through the mechanism of the High Level Management Committee of the United Nations CEB, the Executive Board and since then, the sole goal of this effort was that the principles serve as the high level framework for data protection across the United Nations system. And the objective was that all other organizations that have then adopted the principles within their internal procedures implement them through their own guidelines through their own policies, formal policies. And Christina, you were right. Now we're in 2021 and unfortunately, we also hit a very big crisis of COVID-19 which also increased the necessity of using data, not just personal but overall data and especially within the UN system and especially in humanitarian operation. What I would say that the principles while adopted in 2018 were important and crucial to us to implement but now more so than ever in 2020 as we were hit with COVID-19 crisis, we realized that we need to acknowledge the need for utilizing data and we need to acknowledge the emergency situation in which such data is being used. With COVID-19, the United Nations system and the UN Privacy Policy Group have come together once again to address the issues of using data as a critical resource to address COVID-19 crisis in their internal United Nations operations. And of course, acknowledging the importance of human rights in every approach as we are using data in our operations, the United Nations Privacy Policy Group acknowledged the need to be not only transparent in order to develop trust while we're deploying data in our operations but also in implementing applicable mechanisms and procedures to ensure that we are properly managing risks in accordance with the principles that were adopted in 2018. One of the distinguishing factors of the joint statement as well as the United Nations principles on the protection of personal data and privacy is that it acknowledges that not only we need to protect and take into account the risks associated with the use of personal data but also non-personal data used in sensitive context. Which points to the fact that many United Nations system organizations are dealing with the group harms. As to say when we are using non-personal data but in, for example, emergency situations with vulnerable populations, we need to think about the group harms and the risks that come with the use of non-sensitive personal data, even when it is aggregated and not directly identifiable. Also, with the use of new emerging technologies, especially with the use of artificial intelligence, we're acknowledging that these risks are becoming more obvious. So with that, the United Nations system organizations have worked together to stress the importance of taking into account the group privacy as well as the group harms while dealing with data protection and privacy and while using data to enrich and to advance the United Nations system organization operations. Thank you very much, Christina. Thank you, Mila. I will make a quick clarification point for our audience as well that we are already in 2022. It is January, but it's this time of the year when it's difficult for all of us, of course, to remember what year we're in. I think COVID-19 has made this a tad more difficult and January is always a tough month in this regard. But thank you, Mila, in particular about explaining and highlighting the importance of the work of the UN privacy policy group. I know that many people in our audience come from UN system organizations and maybe they're not all familiar about the important work of this group has done. I can definitely confirm its importance and so on. I've been there, I think, since day zero in this endeavor, as well as for the drafting and the adoption of the principles in 2018 and for the COVID statement, which is also very important. They're both documents that are publicly available for anyone who would like to read them. You also talked about new technologies, which is, of course, an area of quite a lot of interest since many UN system organizations are using or are planning to use more and more new technologies. And the advice from legal and data protection experts is crucial when the decision is being taken for those technologies to be used. And with this in mind, I think we're nicely passing into our next speaker coming from an agency focusing on nuclear technologies. So IAEA and Isabel. So Isabel, I understand that the IAEA has adopted or had adopted back then in 2018 the UN data protection and privacy principles. So it would be interesting to hear whether this is the policy that the IAEA is now following how was maybe the existing policy influenced by those principles and what type of data processing are we talking about when we talk about atomic energy over to you, Isabel. Thank you very much, Christina. Thank you for giving me the floor. Introducing my response here. I'm just gonna recall indeed that the IAEA is part of the UN system. It's a real organization based on a statute and relationship agreement with the UN. Just, I believe like the UN, we have our own regulation and rules. But that said, of course, I can directly echo what Mila was saying. We adopted the UN principle on data protection privacy in 2018. And in 2020, we issued our own personal data privacy policy, which is, of course, heavily inspired from the principle themselves. But we did, of course, adapt to our legal framework. That policy specifically was supplemented by additional separate procedure, for instance, for record to handle personal data breach and to basically, I believe now everybody is really used to it, but to record virtual events as we just doing now. This is the data protection policy really sort of in a strict sense of meaning. But of course, we have a set of pre-existing policy governing several aspects of personal data. The agency that constitute broadly speaking the data protection framework. And so now I can refer, for instance, to what we had originally in place governing the processing of personal staff, personal information, security rules, and CCTV at the premises at the headquarters, or the rules governing archive and record management, together with the retention schedules and the way that personal data captures in these tools, in these data retention tools. So the data protection policy, the principles are of course, the backbone to our policy. For now, this is the way it is, but I can of course, mention that we are currently drafting a new framework that will govern in more detail the data protection governance framework, broadly speaking, together with processes and expected redress mechanism. And just touching, of course, now on, and I'm sure we'll talk more about this later, but on third party access to their data and possibly correction deletion. I just wanted to mention that we already have a set of guidelines in place that allows us to handle consistently the request from the data subjects. And so I just like to take a step back and since you have the question about how, you know, how personal data is relevant under the agency's mandate, to understand this, it's important to know that by virtue of its mandate, information security has always been at the top of the agency's agenda and specifically data governance agenda. So you may know, the public may know the agency as the UN watchdog, but of course there's much more to a mandate, but it's always been the case that we've worked with ensuring that the data entrusted to us by the member states where it was securely handled and that trust was over an overarching concern when ensuring the verification of nuclear material on their behalf. And so in that regard, you know, data classification has based on the level of sensitivity of this data has always been solely anchored in agency processes, body speaking. And so we didn't have any basically difficulty to adapt to the new requirements or to speak new, but of course they've always been there governing that specific category that is personal data. And so we've adapted the same sort of reflexes in terms of classification. And I can say that the agency's information security culture was the entry point to introduce a solid data protection culture in the delivery of a mandate. So specifically I mentioned of course the safeguards and proliferation, that's one part, but there's another part of a mandate and that is of course more common to other organization. The agency as part of its mandate holds a high number of scientific events and trains fellow and various aspect of the peaceful use of nuclear energy. And the implementation of data protection policy on that aspect and tail of course revising, processing and with the way we process personal data of this participant and the meeting participant and issuing the relevant privacy notices in the registration process. So I can mention this, of course, is two main aspects of the mandates, event, organization, training and proliferation. But let's say I must of course recognize that the mandate of the agency is not geared towards service to individual beneficiaries. When staff and those for instance data on human health, these would be data coming through aggregates in the form of aggregates. So in a very de-anonymized manner. And so that wouldn't be a concern in the day to day work. Still in closing there on my response, I'd like to mention that data protection is now fully integrated in the delivery of all agency projects regardless of department and the area of work. And this include of course the process to ensure that for instance data protection is taken into account for the procurement processes and any IT, for the speaking in the IT projects. Thank you very much Isabel. I think this is extremely interesting to hear. I think myself included, I was thinking of members of our audience, but myself included definitely I'm a bit unfamiliar with the mandate really of the agency, of the IAEA and the designation of it being the nuclear watchdog and so on. But in terms of data protection, what I find very interesting is the link you made between data protection and data security and especially nowadays more cyber security. I think that these are two areas of work that of course need to go hand in hand. And it's interesting how data security in particular is more, let's say applicable even to non-personal data, no matter about the type of information as long as it is highly confidential, strictly confidential. It is important to keep it secure. But often I would say in the legal world there would be some confusion about what is the difference between data protection and data security and isn't it the same? And I know that many lawyers would say that data security is included, it's part of data protection, whereas ICT experts would say that data protection is under data security. At least I have heard both views in a way, but in any case very interesting to hear about all of this and it would be good now to move to another UN system organization that has I think been influenced by the 2018 UN principles. So I would ask then Francesco from the UN Secretariat to talk to us about how the 2018 principles actually were taken into account by the UN Secretariat and also to talk maybe again in terms of the mandate of the UN Secretariat, the work that it does, how is data protection relevant for your work? Thank you very much, Christina. It's a pleasure to be here. And as you mentioned in the beginning, I work in the Office of Legal Affairs and we have a very privileged view in the Office of Legal Affairs in New York as to the wide variety of data protection and handling of personal data really by the whole Secretariat of the United Nations. It would be interesting in that regard to try and think about the various types of personal data that we employ, that we actually process and the various situations in which that happens. So let me start by trying to give an overview of what these situations might be. First of all, of course, there is the intergovernmental organs. Every year at the end of the year, there is of course the General Assembly that garners much attention in the media, but beyond that, of course, there's the Security Council, the General Assembly, all the principal organs and when you're talking about that, you're talking about hundreds of delegates and GOs, participants, other diplomatic conference, side events, in all of these situations, there are personal data that are handled by our colleagues in the Secretariat in one way or another. Then there are of course the subsidiary bodies, all the bodies that have been created by the General Assembly or by the Security Council or through other intergovernmental processes. For example, in Geneva where you are, there are all of the human rights treaty bodies just to give you an example that fall under the Secretariat and the human rights treaty bodies means that our colleagues in Geneva would handle on a daily basis, highly sensitive information about human rights violations and other potential breaches, therefore sometimes incredibly sensitive type of data. In the Hague and in Arusha, for example, you have the criminal tribunals, the residual mechanism for criminal tribunals and there you have information about accused people, victims, attorneys, judges themselves, prosecutors. And in New York, you have extremely sensitive Security Council sanctions and counterterrorism committees that also handle personal data and sometimes financial information and sometimes highly, highly sensitive information there. And all over the world really, what falls under the United Nations Secretariat includes all of the peace support operations, be they peacekeeping operations or other political mandates or operations that are all across the world where you don't have just the personal information of staff members, you also have the personal information of the troops or the police that are contributed to those operations. You have local government officials that come into contact with those operations. You have the population at large really, all over the world. And then the United Nations Secretariat organizes throughout all of its mandates several training and capacity building events. And at those training and capacity building events, whenever you're organizing them, unfortunately, not so much in person as we used to, you would handle a lot of personal information just by the hundreds and hundreds of applications you always receive for such training events. And in terms of the other pillars of the work of the United Nations, I mentioned human rights, there's of course the pillar of humanitarian assistance and the work that humanitarian law, sorry, of humanitarian work that we do. And you have beneficiaries of assistance data which is extremely sensitive and many of the agencies that are here today and colleagues that I'm sure are listening will be very attuned to how complex it is to handle personal data when it comes to beneficiaries of assistance. And of course the other pillar of sustainable development is also a situation in the case where you have plenty of personal data, travel data, medical data, data related to legal claims. There is pretty much all of it is there. And so what are we doing about it? Further to the 2018 principles that have been mentioned, a key component of the Secretary General's data strategies in 2020 was precisely improving on our existing policies on data protection and privacy. And so in the last couple of years, we've been working on a new Secretary General's bulletin on data protection and privacy for the United Nations Secretariat. This bulletin, which is currently underway and it's being worked on by Global Pulse, Mila knows a lot about it of course, and OHCHR together with the Office of Legal Affairs and several other parts of the Secretariat is going to try and address all types of data processing within the whole Secretariat and try to create an overarching framework that would be respecting privacy. And that will also in a very innovative way take into account the aspect of group privacy that Mila was referring just now. And so we'll also refer to non-personal data in a sensitive context. So I've exhausted what I had to say for now, but I'd be happy to discuss more later on about the details of all of this, but thank you. Thank you very much, Francesco. I think that many of the people in our audience can very much relate to all the different processing operations and data subjects and so on that you referred to because truth is that within one single legal entity in the UN there's so much processing of personal data taking place, whether it is from a less sensitive nature so to speak, such as meeting participants from a very small event taking place in Geneva, New York, Vienna to extremely highly sensitive personal data. And also very happy to hear and I'm sure many of our audience members as well, are happy to hear that the secretariat is, I don't say embarking, but it's in the final stages of adopting internal guidance, specific internal guidance, let's say, because there is already rules here and there, but specific internal guidance on data protection. And jumping from this, so from the secretariat working on this in the form of an SG's bulletin to an organization that has been doing data protection actually for quite some time. So I would like to ask Christine from IOM to talk to us about IOM's experience. So IOM has had its policies since 2009. It's been more than 10 years that there have been experience in implementing that policy. So I'm sure many of our listeners today would be happy to hear what IOM has to say on the topic of data protection. Over to you, Christine. Thanks a lot, Christina. And hello to everybody, virtually and globally. I'm happy to be joining this panel of data protection experts here today as we are celebrating Data Protection Day 2022, as we were reminded. Protecting individuals' personal data is an integral part of protecting their right to life, human dignity and well-being. And that is important to IOM's mandate and mission. IOM is the leading intergovernmental organization in the field of migration and is committed to the principle that human and orderly migration benefits migrants and society. The organization was founded in 51 and formally joined the United Nations System in 2016. We have at the moment 174 member states and counting 450 feed locations around the world with 23,000 personnel. So the presence of IOM around the world has grown, in particular over the last 10 years or so. And this has been in part a reflection of the increased focus on migration governance, but also due to the reality concerning the growth in displacement and the humanitarian needs of migrant populations. So we work with migrant and we process personal data of millions of beneficiaries worldwide in order to fulfill our mandate. And for that reason, that's one of the reasons that IOM attaches a very significant importance to data protection. So just to give you a few of the numbers, I mean, in the IOM COVID-19 response alone, we were reaching out to 37 million of beneficiaries for risk communication and community engagement. And we have been providing more than 90 people with critical water, sanitation and hygiene supplies globally. We have been providing return services to many and we have been providing COVID tests. So in some instances in these global response to migration issues, IOM operates in situations where personal data protection legislation may be only developing or may be non-existent or may be not entirely enforceable. The United Nations Conference on Trade and Development estimates that 16% of countries worldwide are still without the data protection and privacy legislation. And IOM is operating in a majority of them. So I think that this different factors were responsible that IOM was one of the first international organizations to develop its own internal guidance in 2009 concerning data protection, the IOM data protection principles. And these are mandatory for the personnel of the organization. And then in 2010, we issued the data protection manual, which is publicly available and elaborates on the practical implementation of IOM's data protection principles. So these two documents form the backbone of IOM's legal framework on data protection and along with other complementary material guide IOM staff in processing personal data of migrants. There are other frameworks too in the organization. So in 2017, we adopted a migration data governance policy that provides a high level framework for dealing with all migration data. So that's not only personal data, but all migration data. And it established a governance structure and assigned roles and responsibilities with regards to migration data. And then the IOM data strategy of 2020 also highlights the importance of data protection and privacy. I would also like to highlight at IOM as an observer to the Global Privacy Assembly since 2016. We have been participating in the conference and we found it very useful as we were learning a lot from the regulatory data protection experts and in particular the opportunity to discuss current trends and challenges. IOM is part of the UN Privacy Policy Group. And in 2018, we joined other UN system organization in adopting the personal data protection privacy principles that Mila and all the other colleagues were already mentioned. IOM's legal department is the organizational focal point for data protection. And we take into account these principles when providing data protection related advice to the IOM office around the world. Even so, the principles are not binding for us. We have found them to be very useful as they were developed after the IOM principle. So they are more recent and take into account the recent developments in data protection. A big part in our how we try to respond to data protection issues is training. And they have been trying to focus resources on the training. We have been training since the start of the data protection principles. And at the moment we are training roughly 500 to 600 staff per year. And in addition to that, in 2020, we have launched a two hours online training on IOM's data protection principles, which became also mandatory for all IOM staff members last year. And another experience I think that for us was important or lessons learned is that for us, it has been crucial to focus on raising awareness and educating our personnel and also engaging early and often with senior leadership on issues of data protection. And so we really would like to continue on that road and we aim to maintain and further expand hopefully the organization's data protection culture. In concluding, I would like to say that while data collection and data analysis, especially in our area of work in IOM, it's very important and it's very useful to identify migration patterns and trends and it's necessary to provide humanitarian assistance to those in needs. On the other hand, we need to really protect and safeguard the privacy rights of migrants. And those rights cannot be overlooked in the process. And as already mentioned by IOM's CDG, data privacy and data protection are not about the protection of personal data but are really about the protection of the people themselves. Thank you. Thank you very much, Christine. I think the engagement of senior leadership that you mentioned is extremely crucial. Again, many of our audience members can relate to that and similar to that, the creation of a data protection culture in an organization is very important because often it is important to have this culture in place to be able to advocate more towards senior leadership as well. And also another important point that I think you mentioned is the, I think this is what is called really an evolution in an organization that starts with the adoption of a data protection policy and later on realizes that personal data is not the only data set that we should be caring about. Yes, it is very important. Of course, we need to protect the right to privacy but in order even to ensure better data protection, it's good to have a data governance policy that really governs the different data sets in a way the different data that the organization processes. So, and then on top of the data governance policy having a clear data strategy. I think these three levels have been very clearly elaborated in IOM one after the other as it happens in all organizations from the bottom up in the past years. So thank you for explaining this as well. And now I would like to move to Giovanna. So Giovanna works actually in a unique tripartite organization in the UN family which I always found extremely fascinating at this tripartite nature. And understanding also that the mission of the ILO is to promote decent work for all workers around the world. I think it would be interesting to hear from you Giovanna how is data protection reflected in the ILO's work? Thank you, Christina. Thank you very much for the invitation to the Data Protection Day which we've given some more attention to in recent years. Yes, the ILO is the only tripartite organization where we bring together governments, employers and workers to discuss matters of interest related to labor standards and to develop programs that promote decent work for men and women. So going to the question that you asked about how the ILO has been working with data protection related to its mandate. In 1997, a code of practice was elaborated with a committee of experts that was endorsed for distribution by our governing body which is our executive board. Now this was a remarkable piece of work because at the time it looked at different aspects that had already been examined and were the basis of work with the OECD and the EU and that are resounding themes that we hear today lawful and fair processing used only for the purposes for which the information is collected, data minimization, et cetera. So although they're more than 30 years old, you know, I still find it 20 years old. I still find it fascinating to read the protection of workers' personal data code of practice because there are still themes that resound today. So when talking to colleagues, this is sometimes something that they refer to in their daily work still in the way that they would probably look at surveys, data collection, different things that they still look back towards. The ILO in 2016 did adopt a policy that is focused on the protection of personal data. And those again are themes that we have heard come out from the UN privacy policy group and that talk about again, the principles around authorized use, adequate relevant and not excessive. So the ILO does have a policy in place around the protection of personal data. Since 2016, that guides ILO officials on how data is collected and how it may be used and how it may be stored in all those aspects. So when the privacy policy group commenced its work, the ILO was a natural actor to join and we did participate actively because we saw that we had data protection issues not only internally but externally because we do advise constituents, we do advise workers and employers groups and different aspects of our daily work take into account sensitive aspects such as highlighted by Francisco around labor violations, labor inspections and things like that that may be sensitive and they have personal data received by different projects that we have. So one of the aspects that the ILO has been keen to focus on with us, with yourselves has always been that ongoing discussion about the harmonization of standards across the UN system and to facilitate the accountable processing of personal data. So I think that these types of conversations amongst ourselves also raise the awareness of officials so that when they're handling personal data that it's not something only implicit in their day to day work but that is something that has to be more structured and formal so that they can take it into account in a more, yeah, in a better way in their daily work because we're all looking at ensuring that human rights and those fundamental freedoms of individuals are protected and they can lead to discrimination in the workplace. If personal data is relieved whether it's our health status we have the recommendation on HIV and AIDS in the workplace to give an example so health status would be a concern. The ILO has been doing quite a bit in the sense of what we heard about data security. We are an ISO 27001 certified organization that looks at the information security management systems that looks at having the different is a comprehensive framework for the information security systems and that help to ensure integrity and confidentiality of information. We have colleagues in IT and in other units that are looking at improving and keeping up to date systems and that's an ongoing conversation. As a result of the interaction with the privacy policy group in 2018 we formed an informal working group at the ILO between legal IT, procurement, et cetera to begin to brainstorm how we can take into account data protection in different aspects of the ILO's work. Since then we've reviewed and renewed the ILO's terms and conditions that now have specific data protection language including breach notifications and other aspects that need to be taken into account with vendors for goods and services. This has been a very important aspect of the work because sometimes we call upon third parties to deliver services to the ILO and they may be given information that has personal data. And so we've had to agree around certain themes to be a little bit more detailed than it was in the past. So that's been an area that we've looked at just closing some gaps. We've also conducted a mapping exercise with key units about where personal data is contained. Sometimes it's about ILO staff, sometimes it's about vendors and sometimes it's about beneficiaries and that work continues because as we're all looking to see is how we can best receive and treat and maintain and safeguard that information and also discuss other areas around data minimization and using the data for the purposes that it's been provided for. But the ILO in its mandate we see continues to collect and use data not only personal data, but as you highlighted is part of the UN data strategy. We collect quite a bit of data that is anonymized and there has to be that aspect that is taken into account that we've talked about in passing about the UN Secretary General's data strategy and that's really important because that helps the work of each organization. I did wanna mention one thing that you also brought up, Christina is around the cybersecurity. And there's an area there that we've begun to look at through our IT colleagues who are members of the, it's called the Interagency Security Management Subgroup and they've been looking at the JIU report on cybersecurity that I think will have a little bit of impact on the work that you do and that we all do here this year as we're looking at different aspects. So presently the data protection function is devolved to the Office of the Legal Law Officer and that officials that collect data are responsible for the management of that data. So as a result, we're looking at raising awareness of the colleagues and how they manage and manage well the data that they are receiving and discussing with them different aspects. So I think I'll leave it there for now. Thank you very much, Giovanna. Thank you very much for taking us back to 1997 and the very important guidelines of the ILO from back then on the protection of personal data workers, which of course, I mean, the guidelines are from 1997, but especially in relation to health data, again now with the pandemic going on, I'm sure it's a topic that we can all relate to as well as I really like that you highlighted the importance of building synergies within our own organizations with other departments. I do know that the creation of yet another working group of yet another task force and so on is maybe, I don't know, it might not be particularly seen as, let's say, welcoming for often in our respective organizations, but at the same time, having those synergies is very important. So we need to find a way to make this work. I know we've been going on for some time now, but I do have one final question for Mila to finish in a way setting the scene of data protection or respective organizations. Since Mila talked to us earlier about the work of the UNPPG and the adoption of the data protection principles, I would just, but she works at the UN Global Pulse. I think Mila, it's really nice if you could talk to us a bit about the work of UN Global Pulse, specifically on data protection. And following that, I will start asking you the questions that have come in from the audience. So Mila, over to you and UN Global Pulse. Thank you, Christina. I'll be brief. Indeed, the reason why we, as I mentioned at the beginning of my introductory remarks is that the reason why we started this effort across the UN system is because it was helpful to our internal operations and specifically what we've noticed since I joined the team in 2012, but way before then is that we needed to have policies internally and guidelines to help us work with non-UN entities because that's what Global Pulse's work is built on is ensuring that the United Nations has access to data and technology and since day one, the mission of United Nations Global Pulse was ensure that we broker the relationship with not only governments, but primarily private sector and open up unlock the use of data by the UN. And as you know, in private sector and many other governments, data protection has already, data protection issues have been much on the rise and been paid attention to very increasingly thanks to that, of course, many of the revelations since 2013, but way, way before then. So I would say that in 2012, we started developing our internal guidances and procedures on data protection. And I wanna say with admitting that actually we looked at IOM even before IOM joined officially the United Nations system. I still remember the day when I was looking at the manual and looking at all the guidances and principles and actually we'll admit that that informed our own internal policies and principles at the UN Global Pulse at that time back in 2012. But since 2012 a lot has changed, of course, not just that we developed the internal guidelines and principles, the key of our work was actually working with the UN organizations because the core of our work is working with the UN system and not just by ourselves. Hence, a lot of our own policies and procedures were informed by the work of other entities with various mandates. And as we developed our guidance and received multiple feedbacks from various organizations, even before they had their official privacy policies and principles, and I would say that, of course, a lot of the work has been done working together with our Office of Legal Affairs and Francesco is here representing our Office of Official Office of Legal Affairs. And I've been working at Global Pulse as primarily as a privacy specialist, although I do have a legal background, I'm an attorney. But I wanna stress the fact that since day one at Global Pulse, we acknowledge the need that it's not just that we need legal protection for data and that we need to engage, of course, the technologist, the data scientist and because the Global Pulse consists of data scientists and data engineers and partnerships officers. So a lot of the work, a lot of the principle that we developed, the internal operational guidelines, the data mapping that we've developed approach that we've developed, as well as the risks, harms and benefits assessment, which is, I would say, an equivalent, but much more broader than the original data protection impact assessment was developed together with not just legal professionals but also data scientists and data engineers and information security officers at Global Pulse and within the UN system organizations. And the UN Privacy Policy Group itself, which we established in 2016 played a crucial role in our internal policies and procedures because that was the reason, actually, one of the reasons of why we wanted to organize this group. And I would say one key point because I don't want to take a lot of the time on the Global Pulse's work is that I think one of the biggest challenges was managing the risk that come with the use of new technologies and the use of large amounts of data, big data, old word, but still very relevant to our today. Everybody started talking about emerging technologies, artificial intelligence, but I do believe that it's all about data. We have algorithms, but they're nothing unless we have quality data used within those algorithms, no matter what type of technology we use. So with that, we developed risks, harms, and benefits assessment, which is the tool to complement the theoretical and policy guidelines, and actually helps us implement it in practice, and which is based on technologies, the risks of group harms that I mentioned before, but also acknowledges the risks of not using the data. Global Pulse's work is based a lot on what actually the Secretary General Data Strategy is about, that we need to utilize the value of data, and so what we acknowledge through approach, and the way we approach our privacy practices is that it's not just about the individual privacy, it's not about just the risk to individuals through the use of data, but it's also managing that risk of when we are not using the data in the United Nations operations to implement our mandates, and that it is our duty to actually manage these risks so that in the end we can use the data to help people that we are supposed to help, sorry for the redundancy, but that's the truth. So the key thing I would say in my final words is that while we are all implementing privacy principles and they are the backbone of further policies and procedures that are being developed or have already been developed, they've been inspired by already a lot of the work that have been accomplished by many UN organizations prior to the adoption of the 2018 principles. And I think this is just a stepping stone, right, as we're moving forward in further implementing and acknowledging the new risks that are coming our way and working together as one. And I think that's the key thing of the principles as well as us working together as the United Nations system. Thank you. Thank you very much, Mila. I think it is important to keep in mind, of course, how useful it is for all of us to work together, but also how the development of a policy as such does not solve all of our problems. Like simply having a policy is maybe step one or step 0.1 to a very long journey to come in terms of implementation and this implementation having lawyers working hand in hand with technical specialists, data security, cybersecurity specialists in particular is very important. So thank you again very much, Mila. I think it's time to move to the very interesting questions that have been sent to us already from our audience. And some of them are actually coming from UN entities that I'm not sure exactly whether they're starting their journey in developing data protection policies or there may be later on or thinking of revising them. But one of those questions related to where should the data protection function, so to speak, sit? Should it be within a separate unit that would only be covering data protection as is the case in some organizations? Should it be within the legal department? Which is the case for example in IOM and so on. I'm sure there are pros and cons in each approach. For this question maybe I would ask Isabel to explain to us the perspective and the idea that IAA has followed in this respect. Thank you very much, Christina. And I will explain exactly how the agency has distributed the rules. Not sitting in one place specifically, but just read across different layers of responsibility across the organization. First of all, of course, I want to refer to the all data protection officer. We have one central person who's responsible for providing guidance, ensuring compliance with our data protection policy. And she's an emissary officer who is in one of the department who's dedicated half of time on this function. I cannot mention a structure without referring to the chief information security officer. It's a very important part of the work on this. And he's actually supporting by ensuring that personal data are adequately protected from technical standpoint. And of course cybersecurity standpoint as well. We have a privacy working group who has been steering the policy and overlooking the implementation. And it was created in 2019. So before of course the policy and composed of sort of the main data stewards, procurement, finance, we have in there all the different departments, division of human resources as well, and our archive specialists, and of course, legal. And then we have also a representative in that working group, our network of privacy focal points. These are the staff specifically trained and trained to ensure and to be focal points in the departments to answer and to address all internal questions on data protection at the agency. And of course, across the different units, each head of the unit can have separate roles on ensuring adequate protection of personal data. So of course the deputy general director who have this sort of overseeing role, we have division directors who are called informations stewards and they're just making decisions in terms of classification. We have our information cost student who are the one who actually are tasked with the actual action of processing the data. And they are so responsible for ensuring that adequate protection is in place at all time. And we have this broad category which is vested in all personnel to ensure that data are protected. And to make this happen, we have available training and we have a broad range of resources available to them online internally. So... Thank you, Isabelle. Sorry to interrupt. I think that many organizations can get inspired by this one specific and concrete example from the IAA. I'm going to jump to the next question because I know that many have come in. So I would like the panel to answer as many as possible. So the next one, no surprise. It seems that there is still some confusion out there around the applicability, so to speak, or enforcement of regional and national laws, but especially the European General Data Protection Regulation, the GDPR, to UN system organizations. So since we do have a lawyer from the Office of Legal Affairs, from the UN Secretariat, I would ask Francesco if you could maybe settle this matter once and for all in a way. Thank you so much, Christina. Well, the short answer is no, meaning that the regional and national data protection regulations do not apply to the activities and the handling of data by United Nations system organizations. This is because of our privileges and immunities, but more fundamentally because it would not be possible for a small subset of the membership of the 193 members on the case of the United Nations Secretariat of the United Nations General Assembly, it wouldn't be possible for a small number of those to attempt to regulate the activities and the inner working of the organizations in relation to the handling of data. And the handling of data really is everything we do in a way. So it is such a fundamental aspect of our work that attempting to regulate it indirectly or directly would just not be possible. But just in relation to the European Union General Data Protection Regulation, it has been also accepted by the European Union and dialogue that has been going on since 2018 with the European Union institutions that the GDPR does not in fact apply to United Nations system organizations directly. All of the problems, practical problems that have, that if a reason are mostly about third parties that are bound, of course, under their own law by European Union law that believe that they are obliged by chapter five with the General Data Protection Regulation to actually attempt to impose certain obligations on a UN system organization that they come into relation with. But this is something that has created quite a bit of practical problems. And the position of the United Nations system organizations as a matter of law is that this should not be happening. And so I hope this very briefly clarifies this very complex issue. But I'm happy to discuss more when you all fight. Thank you, Francesco. I like having brief answers on this point. Like the answer of no is particularly, I don't know, useful, hoping that our audience members can just take no away from that answer or maybe some people watching us coming from the private sector who might be data processors of the UN might find this particularly enlightening in a way. I think this is very useful to have a short answer in this way. We've had many questions coming in around challenges that the UN system organizations are facing and especially in relation to COVID-19 pandemic and so on. So I would like to ask maybe Christine from IOM to talk about maybe one main challenge that IOM has been facing, especially given the long experience of applying a data protection policy. So Christine, over to you. Thanks, Christina. So there are a number of challenges, but maybe let me talk about the one that we are looking at right now. For this year and next year is the revision of IOM's data protection principles and the manual that I was talking about before. So we are starting a two-year program in this area. And we are very happy that we have finally received funding for this initiative, but at the same time, it's of course a very challenging undertaking. So the program looks at the complete review of our legal framework on data protection in order to update it with the latest developments in technology and in data protection law. And we have heard that from Mila and we have heard it from others. So of course, the development in the data protection area also in the technologies, cloud computing, artificial intelligence, et cetera, is so fast and it needs to be taken into account. And we hope that with that new and updated manual that and principles that will take into account the recent developments, we hope that that will help us to provide better and more targeted data protection advice to our operations. Now, what is the challenge about that is that we are in like many of the organizations here and like any bigger organizations that we are an organization that is operating in so many different countries and contexts. So our contexts are reaching from migration management over peace building and stability to humanitarian and we need to take into account these different, many different aspects when developing a new data protection guidelines. And we also need to take into account that maybe it's not like we are not talking about a framework only for one region, but it's a framework that is supposed to cover many countries and all our operations and evolve. So it's more or more sinking as it needs to go into that. So we will have broad consultations with colleagues in IOM, but also outside IOM on substantive measures, but also practical issues, how to take into account the different levels of connectivity, for example, in different places we are working. So yeah, that's a little outlook from our side. Thanks. Thank you, Christine. And I will just move straight away to the next challenge question, which is around the impact that the pandemic has had in our data protection work. So Giovanna, over to you, if you could enlighten us on ILO's view on how the pandemic has impacted our data protection work. Thank you, Christina. Well, we could look at it through some examples such as the hosting of virtual meetings and transferring participant information to third party services. That has required us to inform the participants through what would have been our old registration forms that their information is being transferred to third party service providers, for example. So just taking into account good lessons that we've been looking at and saying, how are we working in the past and what we need to adapt internally? There was the encouragement of officials to inform of their vaccination status. However, again, that information goes exclusively to the medical service. So the information in of itself has to be to the appropriate interlocutor taken into account what type of information that is as medical information is sensitive that only goes to the medical advisor. So that wasn't much of discussion that was well understood by all that were involved in those conversations from the very beginning, but also in the field. So you may wanna ensure between the headquarters and the field that there's the same understanding and the same application of rules and just always having that type of same result because data protection in the headquarters or in the field deserve the same type of attention. Online training courses is another area that we've seen because as colleagues are not able to move from one location to another or to information to constituents or training to constituents, that goes a little bit into the meetings, but one example that we were just discussing was providing innovative technologies to constituents and helping them and looking at privacy by design, although the ILO and those circumstances is not collecting the information per se, where databases, platforms, whatever those innovative technologies are is that they're already designed with the privacy by design aspect from the very beginning that the conversations with those constituents take certain aspects on board because although we could say it's for a constituent and they must apply their own national law, I think there was a good point made by one of the panelists that the level of sophistication at the national level or the regional level may be different and it also may not be an enforcement mechanism may be as robust. So looking at those different aspects, those are challenges that we've seen with COVID but still being there for our constituents and providing them services on an ongoing basis. Those are two or three examples. Thank you, Christina. Thank you, Giovanna. And I think in particular in terms of hybrid meetings, all of us as lawyers have been, I'm sure, asked to advise on how can we hold hybrid meetings or completely online meetings and how could Member States be voting, for example, in our online meetings and so on. So these are all very interesting areas that we've, I'm sure, all been asked to give advice to. There is one last, I think, question that I would like to ask from the audience that I find particularly interesting also because of the way that is phrased. So I'll phrase it that way. So the question is how are international data transfers handled within the UN? And also how, whether there are best practices in terms of internal transfers between UN system organizations. Now, to be honest, I have not pinpointed one of you that could maybe answer that. You can raise your real hand if you would like, if you would be interested on answering this, maybe to start with. And any of you could, of course, compliment. Yes, Giovanna, go ahead. Oh, I'll just jump in here because two things come to mind is that with data transfers, something that is reiterated by the UN, by the ILO is that we would look at transferring data to countries where the 1947 convention has been exceeded to because we're looking at the inviolability of our archives. That's one aspect. And then also to see the necessity and inform what exactly is being transferred. So that would be one area. Thank you. Thank you, Giovanna. I think the link between transfers and privileged immunities is something that we should always be taking into account, of course, as international organizations when we transfer data outside of the organization. Anyone else that would like to add to this? Yes, Christine. Maybe on the aspect of the internal transfer with the UN system, I think that's something that we have also realized needs some more attention. I mean, in IOM, we don't yet have a template. We don't have a standard. So that's certainly something that we have seen as a need to work on in the future. Thanks, Christine and Mila, with your virtual hand. Thank you. I would say that in terms of the data transfers, I think one of the biggest steps towards data transfers, at least as we see it on global files, was one, the adoption of the principles because in a way it kind of gave that common standard, right, or sort of push a more comfort level to exchange data within. But also, I mentioned it before, is with the third parties. I think while the principles push the idea, the more of a efforts within each organization to further implemented into binding policies internally within each organization, it also sort of set the bar and signaled the third parties on how that they can trust the United Nations system as well as us feeling more comfortable imposing, I would say, or setting the bar with the third parties of how we are transferring data outside to say that this is actually the standard and it's up to date with the new risk, with the coming risks. And I think the more we are keeping it up to date and internally at internal levels within each organization, the easier it will also be for us to transfer data with each other and also outside exchange data with outside entities. Thank you, Mila. And over to Francesco. I raised my normal hand. I just wanted to say, I think this is an extremely difficult conversation and one which I think we will need a lot of work in the coming years. I think we need to be, this is my personal opinion. Obviously, I think we need to be very realistic about the fact that each of our United Nations system organizations has its own regulatory framework and its own intergovernmental organs underlying those regulatory frameworks as well. And therefore, we cannot probably get to a point where we presume to impose to each other any particular rules beyond the ones that each of us already have adopted. So it will be important, I think at some point to acknowledge and recognize in our mutual transfers that each of the two entities will abide their own rules on privacy and protection. And therefore, that's why it's so important the work that Mila has been doing for many years and all of us have been doing together of trying to harmonize and coordinate these rules through the mechanism that exists for coordination of United Nations family of organizations. And thus, I would leave it at that. I don't know whether colleagues agree on that or not, but... I think I would agree on that just because I'm as the moderator. I feel like I have some executive privileges here. But I would just like to... In the way the question that was formulated around international data transfers and I think it is important to state, especially for the audience members watching us now, who are not part of the UN system family in a way and might be a bit confused around that, that when a UN system organization transfers data from one office in country X, let's say, from New York to Geneva, this is not an international transfer. This is a transfer taking place within the same jurisdiction. So we're talking about an internal transfer within an organization, even though in a way a border is being crossed, the border is not relevant to us because we're in the same safe space, so to speak, in the same jurisdiction of the same organization. So what international organizations, UN system organizations would call international, so to speak, data transfers would be more any transfer taking place from the organization externally, whether it is to a state, to another entity and so on. I just wanted to clarify this. I would like to jump if that's all right with everyone too. I like this title, The Rapid Fire Question, which is a question that I have for all of you and I would just like all of the panelists in wrapping up this beautiful panel discussion today to answer extremely briefly. And no surprise, this question also had come from the audience, but I formulated it in a bit in my own way to ask, how can UN system organizations really work together in order to progress together in the area of data protection? So this is my question to all of you and I would start first with Isabel. What would Isabel's answer be? Very short answer, coordination is key. It's key in having the UN's voice heard globally and including with global players and important players, not global players, but important players such as the C, we've talked about the GDPR and we've heard Francesco's being known when they're on a personal question. So having the position heard and fully implemented is key and coordination is key in that regard as well. Informal networking, formal discussion and coordination initiatives at all level are really extremely important as well. And we actually cherish the possibility to just reach out to our colleagues out there, to receive feedback, to be able to adjust ourselves and that nobody wants to reinvent the wheel when such good practice exists out there. So of course it's not a one size fit all that will never be the case. Everybody, each organization has to be able to adjust some policy to fix it mandate, but we have to keep coordination at all level and including the highest level. Thank you, Isabel. Giovanna, what is your answer? How can we work better together? Oh, continue these types of conversations. We see in the field that we will have projects with IOM or we'll have them with UNHCR and that we have to share data to assist constituents, to assist beneficiaries and if we don't have synergies, then it will be impossible to help those beneficiaries. So these types of conversations help to facilitate that work on the ground to the people that need it the most so that as Francisco said, we have our own regulatory structures but we have to be able to work together for our beneficiaries. And I think that these conversations continue to assist that and we've had a lot of conversations falling from the 2018 PPG. So it's always good when we're able to exchange as Isabel says. Thank you. Thanks, Giovanna and Mila. How can we progress together? I would say in addition to everything that has been said, we also need to work with non-UN entities because I think we're all learning from each other from within but also by working with others. And I think it's crucial while we're building partnerships with the government's civil society, private sector and academia, it's important that we're also engaging with those critical stakeholders. That's one. And I think one of the forums that was mentioned before is the Global Privacy Assembly. I think it stays very relevant and important for us to at least be part of it and observe as we have been for many years. That that's one thing. And then second, I would say importance of including in these conversations, the data protection conversations, various types of skills and professions. And I mentioned that before, but outside of legal, I think we do need to have true data and technologists would be part of these conversations in order to succeed in managing the current and future risks. Thank you. Thanks, Mila and Francesco. Thank you. And all work together. Thank you, Mila, for bringing in multi-stakeholder approaches, which are so important to the Secretary General these days. But as the lawyer, allow me to say, do not necessarily create new entities. We have the CB, the system chief executive boards of coordination of all United Nations system organization. And those processes can actually be very helpful in trying to bring together the whole UN family. Was that short enough? It was, it was. That's great, Francesco. Thank you. And over to Christine. Thanks. I think harmonization, working towards better harmonization because as Giovanna mentioned that, I mean, we are working in the same countries often needing the same data. Wouldn't it be great if we would not need to duplicate the efforts, but could easier share data amongst each other and use it? So how this can be done? Having this kind of conversations, working together, looking at what can be developed in terms of agreement templates and how can we better work on a common approach? Thanks. Thank you, Christine. And I would like to add my view on this small question in the end, simply to say that, similar to what many of you have already said, the importance of raising awareness and creating this data protection culture within all of the UN system organizations together, but also raising awareness about the importance of data protection and the data protection work that we do also externally. The Global Privacy Assembly, it's definitely a very good forum for that, but just to say that I do not think that UN system organizations are, so to speak, really promoting all the data protection work that they're doing and it's so much work that is being done. So I think working together and with what you already mentioned, with coordination, with synergies, inside, outside, legal and harmonization, the important thing is also to raise awareness about all this work that we're doing. So I would just like to wrap up this discussion and simply to summarize, in a way, all these different areas that we have covered. So we've heard from all of you legal data protection specialists on the data protection work that your respective organizations do. And I think the beauty of this panel is how the mandates of your respective organizations are so different. So I think this brings a really nice, somehow, mosaic of experience in data protection. And then I think we have also clearly established what the different policies exist that are already in place, certain of them currently being revised and I'm sure this would be of great help to many UN colleagues listening to us out there that are currently embarking on this journey. But we've also heard of a lot of challenges that all of us are facing, whether they're linked to the revision as such of data protection policies or to their actual implementation, in particular when new technologies are being used and when more technical cyber security be data security experts are needed, of course, to work with us together so that we are able to speak the same language and provide appropriate advice in these areas or whether it is challenges linked specifically to the COVID-19 pandemic that we're still in those days. But last but not least, those challenges could also be turned into opportunities. Again, with working together with synergies, with coordination, harmonization and so on. So I would like to thank all the panelists. Thank you very much, all of you, for your time today, for providing your insights in your data protection work. This is very much appreciated and I'm sure that our audience has very much appreciated listening to all of these different views. So I would like to wish everyone a beautiful morning, afternoon or evening, no matter in which area of the world you're in. And I truly hope to see many of you in future data protection discussions. Thank you all. Thank you, dear panelists, very much. Goodbye. Thank you, Christina. Thank you. It's been a pleasure. Thank you very much. Thank you, everybody. Bye. Bye-bye.