Vulnerable people in the world’s troublespots could be at risk because of sloppy handling of sensitive data by a UN agency, according to an internal audit. In response, the World Food Programme told IRIN it was “working to get ahead of the curve” on data-handling, would address weaknesses, and spend more on systems.
The internal audit of WFP beneficiary management, dated November 2017, found a litany of data protection failings across the UN agency’s digital and paper-based systems. WFP handles huge amounts of personal data without proper safeguards, according to the review. The audit says “major improvement” is needed to reduce risks in systems that powered aid for over 82 million people in 2016.
Despite the criticisms, WFP vowed to press on with its initiative to build a large centralised system. The agency told IRIN in a written response that its goal was to have a platform that could power more than just food-related aid. It should be “holding data for WFP’s entire caseload of some 80+ million people and providing a platform to deliver assistance for all the needs of a household, beyond food,” the response said.
WFP said its flagship SCOPE management platform, which the audit found to be seriously flawed, “will significantly improve beneficiary information and identity management”, insisting, “the audit findings back this up”. The agency told IRIN it would be “working through the challenges of bringing the new system up to speed”.
The damning audit emerged as aid agencies worldwide adjust to sweeping new EU legislation that governs personal data and enters into force in May, the General Data Protection Regulation. IRIN interviews suggest the GDPR will lead to an overhaul of best practice in the humanitarian sector.
‘Accident waiting to happen’?
According to the audit, WFP fails to follow rules it has set itself, which are aligned with international best practice and the GDPR. “Policies have been designed to protect the data and privacy of beneficiaries and comply with local requirements, but have not yet been effectively implemented,” the audit said. In its response to IRIN, WFP said the agency was “closely following developments, standards and best practice in this field”.
Data specialists contacted by IRIN were alarmed but not shocked at the report. “This set of findings screams ‘accident waiting to happen’, as well as a lack of understanding by senior [WFP] management of WTF is going on with their data at country level," said one.
The audit appears tough, but data protection officials in other aid agencies said WFP’s issues were not unique: the findings could apply to many in the sector and some applauded the transparency. One said, after reviewing the report: “I’m sure that other entities both in and out of the UN who are delivering digital forms of aid, including identity management, would fail a similar audit.” Sean McDonald, CEO of messaging platform FrontlineSMS, told IRIN: “these problems are big and difficult everywhere.” WFP’s response said the findings were “challenges that should be expected.”
Among the many issues, grouped under five high-risk and five medium-risk headings, the audit found that extraneous information was being gathered. In more than one case, WFP and its partner organisations collected more personal information than was needed, “without a specified and legitimate purpose”, and again, contrary to policy.
In a particularly charged example, a WFP “cooperating partner” recorded people’s religion. The agency did not clarify the details, and the report does not say where it happened, but the audit team only visited Malawi, Sudan, and Myanmar. Of the three, only Myanmar has any significant diversity of religious adherence, and religion is a key factor in its recent violence. (The audit also made desk reviews of operations in Bolivia, Guinea Bissau and the Occupied Palestinian Territories).
The report also said beneficiaries did not give their informed consent to the use of personal data, and data was routinely copied without encryption or password protection. Both findings go against WFP’s data protection policy.
The SCOPE of the problem
WFP has made numerous public announcements about the innovative impact and potential of its central web-based application SCOPE, which now holds records on 26 million people, 5.8 million of which include fingerprints or photos. The system went live in 2014 and should manage both cash or in-kind programmes. According to WFP, it is designed for “beneficiary registrations, intervention setups, distribution planning, transfers and distribution reporting.”
[A tweet from WFP in Chad]
The audit found it unreliable and unable to meet the needs of many country offices. As a result, SCOPE handles less than 10 percent of the WFP’s caseload. Another audit, of WFP’s Bangladesh operation, repeats a finding that the SCOPE system cannot reliably edit and update records.
Most of WFP’s operations were so far unable to use SCOPE. Among the problems were the following:
❌ Data uploaded into SCOPE was “incomplete and/or inaccurate”
❌ Many of the 61 offices in which it had been installed had problems uploading and downloading data
❌ The system did not reliably allow operators to correct errors and update beneficiary data
❌ It does not allow for sufficient “beneficiary conditionality”, customised reporting, data analytics, and reconciliations
❌ User support and help-desks could not meet demand
McDonald, of FrontlineSMS, told IRIN: “They went out too early, with something they didn't fully understand, and are now having to solve the difficult, basic problems that would have been a lot easier 61 countries ago.”
WFP imagines one day earning revenue from running beneficiary management as a service. However, the system is far from ready: also, around three quarters of the records (some 17 million people) aren’t being used, according to the audit.
WFP told IRIN that some dormant records were a “preparedness” measure: “former beneficiaries are kept in the system to ensure that WFP can respond faster when these beneficiaries are again in need.” This contrasts with WFP’s policy, which says “personal data that is no longer needed for fulfilling the purpose for which it was collected should either be destroyed or returned.”
Reviewing the report as a whole, "I'd question whether humanitarian organisations should ever build their own tech, but these are project management, planning, and resource problems,” McDonald added.
WFP claimed it had reviewed its options in 2011, and building the application in-house was the only affordable option. However, the agency said that, over a 10-15 year horizon, it might work with “potential new partners or software providers”.
Data protection “by design and default”
An NGO manager dealing with data protection said the SCOPE database failed the test of data protection “by design and default”, a phrase from the GDPR that summarises the shift the new law aims to promote. Having so much personal information in a single database was "alarming" and a natural target, they said.
The official added that NGO partners of WFP (many are EU-based) are often obliged to share data with the SCOPE system and cede control of the data to WFP without clear data-sharing agreements.
McDonald said technology was only one piece of the puzzle. He argued that humanitarian treaties, accords, and principles are “the product of huge amounts of work on culture and organisational change.” People are trying to “code around the difficult process of building shared cultural and operational infrastructure.” - IRIN