1. Rationale

1. UNDP uses personal data (residents, partners, donors, its staff, etc.) in a range of activities, whether it is to assess the impact of policies and shocks on different players in a country or during the design, implementation and evaluation of projects and programs on the ground or to manage human and supply resources to implement projects and programs on the ground or to manage human and supply resources. Examples of personal data include data that directly identify an individual (e.g. a name, a date of birth) or combinations of data (e.g. demographic data, location data) that make the individual identifiable. What constitutes personal data is dynamic and contextual. A single data source may not make an individual identifiable. However, in combination, and with the application of new technologies, data sources may make the individual identifiable. Therefore, each data source should be assessed for actual or potential personal data content.

2. UNDP must consider opportunities and risks in the use of personal data, including in combination with evolving technologies (e.g. social media, artificial intelligence). The protection of this data is essential to upholding fundamental rights to privacy and the UN-system wide personal data protection and privacy principles. This Policy implements these UN principles, UNDP Data Principles and governs the processing of personal data by UNDP. The Policy stipulates a compliance framework for appropriate personal data protection throughout the data life cycle (e.g. collection, storage, analysis, transfer, deletion, processing and publishing). Under the Policy UNDP commits to process personal data in ways that are appropriately:

1. justified;
2. for defined purposes;
3. limited in scope to that necessary for defined purposes;
4. performed for accuracy and currency;
5. secure and confidential;
6. limited in time;
7. transparent to the persons the data is about, and allows requests for access, change, deletion, or limits on processing (including automated decision-making); and
8. protected upon transfer to others.

Related implementation measures are provided.

3. This policy does not constitute a waiver whether express or implied of the privileges and immunities of UNDP or its staff.

 

2. Scope of Application

 

4. This Policy uses terms, such as “personal data”, “data subjects”, “processing”, “data controller”, and “data processor” and other terms as defined in Annex 1.

5. This Policy applies solely to the processing of the personal data of living individuals.

6. This Policy applies only to personal data collected and/or further processed by UNDP filing and storage systems and provides protection that is appropriate to the risks and sensitivity regarding the personal data processed by particular filing and storage systems.

7. All UNDP personnel are required to process personal data in accordance with this Policy. Roles and Responsibilities are identified in Annex 3.

8. The following topics are outside the scope of this Policy:

a. anonymous or anonymized information processed for statistical and research purposes;

b. data that can identify a group, demographic or community, but not an individual or individual’s unique georeferenced point;

c. personal data of deceased data subjects; and

d. confidential information that does not include personal data such as business secrets: see UNDP Information Disclosure Policy.

These matters may be subject to possible regulation under other Policies or warrant application of principles from UNDP Data Principles and from this Policy, mutatis mutandis.

9. This Policy complements other UNDP regulations relating to data or information, such as the Information Disclosure Policy, the Record Retention, Data Security and Contingency Policy. This Policy will be implemented subject to:

i) The privileges and immunities of the United Nations

ii) overriding legal obligations, such as reporting requirements, relevant resolutions, regulations, rules, or decisions of the General Assembly, Secretary-General or Executive Board;

iii) the Office of Internal Audit and Investigations Charter; and

iv) fundamental rights and freedoms of the data subjects or other persons.

 

3. Policy Statements

 

10. In its interpretation and application to the personal data, the best interest of the data subject will be a primary consideration, and an interpretation and application that do no harm will be sought.

11. UNDP personnel will take particular care in processing the personal data of vulnerable data subjects.

12. The processing of particularly sensitive personal data is allowed only where necessary to carry out UNDP’s mandate. Where such processing occurs, appropriate organizational and technical safeguards will be used to protect the data subjects against identified risks associated with the processing, including the risk of discrimination.

13. The roles and responsibilities of UNDP (as a controller or a processor) and UNDP associates involved must be defined prior to the personal data collection and further processing of personal data to ensure accountability under this Policy.

13.1 As a controller, UNDP may only engage with processors, including UNDP associates, that provide appropriate commitment and assurance of meeting the requirements of this Policy or equivalent personal data protection standards, with the exception of paragraphs 42 to 49. As a joint controller, UNDP will agree in writing with other controllers the responsibilities of each and will disclose the arrangement to the data subject where appropriate.

13.2. As a processor, subject to the conditions of section 9, UNDP will notify data controllers of its data protection requirements and will not knowingly process personal data received that were not collected in compliance with this Policy. UNDP may only process data on documented instructions from the controller, subject to any pre-existing obligations UNDP has to process that were disclosed to the controller. UNDP may only engage with (sub-)processors, including UNDP associates, upon consent of the controller, and where the (sub-)processor agrees to assume the same data protection obligations as UNDP made to the controller.

14. Risks associated with the processing of personal data will be managed in accordance with UNDP’s Enterprise Risk Management Policy, including by taking into account the confidentiality and level of sensitivity of the personal data that are processed.

 

4. Policy Elements

 

4.1. Personal data protection principles

4.1.1. Legitimate and fair processing

15. One or more legitimate bases is required for the processing of personal data. The legitimate bases are:

1. The consent of the data subject, or the representative of a vulnerable data subject where appropriate (“consent”)
2. To prepare for or perform a contract with the data subject, including a contract of employment (“contract”)
3. To protect the life, physical or mental integrity of the data subject or another person (“vital interests”)
4. To protect or advance the interests of people UNDP serves, and particularly those interests UNDP is mandated to protect or advance (this legitimate basis would constitute “UNDP’s legitimate interest” as well as the “beneficiary interest”)
5. Compliance with a public legal obligation to which UNDP is subject (“legal obligation”)
6. Other legitimate interests of UNDP consistent with its mandate and obligations, including the establishment, exercise, or defense of legal claims or for UNDP accountability (“other legitimate interests”)

16. Consent, often supported by other legitimate bases, is the preferred basis for processing. In some cases, obtaining consent may be impractical, including because: the data subject is a minor; the capacity of the data subject to consent cannot be reasonably assessed, and substitute alternative consent is unavailable.

17. Personal data will be processed in a manner that is transparent to the data subject, in conformity with paragraphs 25 and 26.

4.1.2. Purpose specification

18. Personal data will be processed for specified and limited purposes, which are consistent with the mandate of UNDP and are determined prior to the time of collection.

19. UNDP may further process personal data for purposes other than those specified at the time of collection: i) if consent is obtained to further processing; ii) if such further processing is compatible with those original purposes and the risks of further processing do not outweigh the benefits it entails for the data subject; iii) if UNDP is required to process further for statistical, historical or scientific purposes; iv) to establish UNDP accountability; or v) for the establishment, exercise or defense of legal claims.

4.1.3. Necessity and proportionality

20. The processing of personal data will be relevant, limited and adequate to what is necessary in relation to the purpose(s) specified for processing. This requires, in particular, ensuring that the personal data collected are not excessive for the purposes for which they are collected, and that the period for which the data are stored in the UNDP filing or storage system, is no longer than necessary, in conformity with paragraph 24.

4.1.4. Accuracy

21. Reasonable efforts will be made to process personal data with accuracy and currency. The accuracy of the personal data to be retained will be reassessed periodically. Frequency of accuracy review will depend on factors such as the relative time sensitivity of the personal data. Determination of reassessment frequency will be substantiated and documented. Personal data in archives need not be reassessed, corrected or kept current.

4.1.5. Security

22. Personal data will be classified in accordance with a contextual assessment of its sensitivity, in accordance with UNDP information security standards.

23. Appropriate organisational, administrative, physical and technical safeguards and procedures will be implemented to protect the security of personal data, including against or from accidental or unauthorized destruction, loss, alteration, disclosure, access, or unplanned loss of availability. Such measures may include logging access, changes to or deletion of personal data.

4.1.6. Limited retention

24. Personal data will be retained in the UNDP filing or storage system:

24.1 Permanently, if the criteria under UNDP’s policies and procedures on archiving are met;

24.2 For the time required to achieve the purposes for which the personal data were collected. Those responsible for stipulating and implementing appropriate retention standards will substantiate and document i) how long the personal data is needed for the intended purpose(s), ii) after which period of time the data will become stale or no longer useful for the intended purpose(s), iii) the appropriate retention period for the personal data based on assessment of retention needs, iv) how to safely and appropriately destroy or archive the personal data at the end of the determined retention period. Note: retention periods exceeding 10 years require additional substantiation.

4.2. Notice of personal data processing

25. UNDP will provide to the data subject the information contained in Annex 2, when collecting their personal data.

26. When personal data are collected by UNDP (as controller) from a source other than the data subject or vulnerable data subject’s representative, the information contained in Annex 2 will be provided to each identified data subject within a reasonable period, having regard to the logistical constraints to which UNDP is subject.

4.3. Data subject requests to interact with their personal data

27. Access, correction, deletion, objection and restriction to processing of personal data, and objection to automated decision-making may be requested, subject to the conditions below, by an individual who provides sufficient evidence of being the relevant data subject.

28. Such requests will be limited to personal data within UNDP’s filing system that directly identify the data subject and not to data that could indirectly identify the data subject.

29. Where such requests relate to personal data held in unstructured format, including written reports, and other files from which personal data extraction would not be possible employing reasonably available resources, UNDP would generally decline to fulfill the request, unless overriding considerations demanded otherwise. Such overriding considerations could include upholding the best interest of the data subject or fundamental rights and freedoms of individuals.

30. Data subject requests will be addressed by UNDP in accordance with the mechanism set out in Annex 2, taking into account possible overriding considerations in the application of this Policy (see paragraph 9) and the provisions below.

4.3.1. Access

31. Unless it adversely affects the rights and freedoms of others, upon request, the data subjects will be provided with confirmation as to whether personal data concerning the data subject are being processed, and, where that is the case, information about requested categories of personal data held by UNDP.

32. Access to UNDP archives will be provided in accordance with applicable policies and procedures specific to archives.

4.3.2. Correction

33. A request from the data subject to update or correct personal data will be granted, unless the requested change would be inaccurate or the data are contained in a record held in the UNDP archives.

34. In order to preserve the integrity of UNDP archives, a note may be included in the relevant archival file to indicate that a correction request has been made.

4.3.3. Deletion

35. Subject to the conditions specified in this Policy and paragraph 36, a request by a data subject to have personal data deleted from the UNDP filing system will be granted when: i) the personal data were not processed in compliance with this Policy; ii) retention of the personal data would not be in compliance with this Policy; iii) in cases where the only legitimate basis for processing is consent, the data subject withdraws the consent on which the processing was based; or iv) a request has been granted to fully restrict processing under paragraph 38.

36. Personal data will not be deleted in the following circumstances: i) conditions specified in section 9; ii) there are overriding vital interests, beneficiary interests or other legitimate interests; iii) UNDP is required to process further for statistical, historical or scientific purposes.

37. Records held in UNDP archives will not be deleted, in order to preserve the integrity of UNDP records.

4.3.4. Objection to and restriction of processing

38. Data subjects may, at any time, object to or request restriction of the processing of their personal data if: i) the processing would not be in compliance with this Policy; ii) in cases where the only legitimate basis for processing is consent, the data subject withdraws the consent on which the processing is based; or iii) on compelling grounds relating to their particular situation. The request may be granted unless there are overriding vital interests as provided in section 9, beneficiary interests, or other legitimate interests.

4.4. Personal data transfers

39. Transfers may only occur when there is a legitimate basis for both personal data transfer and data processing. What constitutes a legitimate basis has been set out in paragraph 15 above, and these legitimate bases apply equally to data processing and data transfers.

40. Each of the data protection principles and sections of this Policy applies equally to data processing and data transfers. In particular, transfers will only occur where the conditions set out in paragraph 13 are met.

4.5. Policy Implementation

4.5.1. Awareness-raising

41. UNDP will provide training and take appropriate action to raise awareness so as to ensure the effective implementation of this Policy by its personnel, taking into account resource and logistics constraints.

4.5.2. Planning

42. In acting as a controller and determining the means of processing personal data (including when creating databases), UNDP will incorporate “data privacy by design and by default” into planning, development, and decision making, and implement appropriate technical and organizational measures, such as data minimization and pseudonymization.

43. When UNDP acts as a controller and the processing of personal data is likely to involve high risks to the rights and freedoms of the data subjects, in particular where new technologies are involved, a data protection impact assessment (DPIA) may be conducted prior to the processing to identify the risks, any corresponding mitigating measures, and inform whether the processing will proceed.

4.5.3. Monitoring

44. UNDP will take practical measures to monitor compliance with this Policy, including the development and maintenance of centralized registers of:

44.1 Key measures taken by offices to implement this Policy;

44.2 UNDP filing and storage systems that include personal data, which register will contain i) the name and contact details of the information asset owner; ii) the purposes of the processing; iii) categories of the data subjects and data sources; (iv) types of personal data concerned; v) categories of recipients to whom the personal data have been or can be disclosed or otherwise transferred;vi) default retention periods; and vii) where possible, a general description of the technical and organizational security measures pursuant to 23.

44.3 personal data breaches, and the nature of any data subject notifications made because of those breaches.

4.5.4 Personal data breach

45. A personal data breach regulation will be established, addressing, among other things, appropriate reporting channels, review or investigations of incidents, technical responsive measures, and notifications to data subjects and others.

4.6. Accountability

46. Roles and responsibilities for implementing this Policy appear in Annex 3. A failure to comply with the Policy may amount to misconduct (if the result of gross negligence, recklessness, or deliberate conduct).

47. UNDP will define other requirements of an implementing structure, Procedures, Standards, and Guidance to operationalize and monitor implementation of this Policy. UNDP will adopt an appropriate oversight structure to interpret the Policy, in particular, if handling data subjects’ requests.

4.7. Special considerations in Emergency Contexts

48. In designated emergencies, or when OAI (or other duly authorized investigative bodies within the UN system) requesting data that is otherwise protected, derogation from data protection regulations may exceptionally be provided by the Chief Data Officer, after consultation with the Chief Information Security Officer, Chief Information Officer, Data Governance Group, and the UNDP Country Representative, and in line with other applicable policies in UNDP. Derogations may address: the selection of legitimate bases for processing; assessment of necessity and proportionality in processing; accuracy, security, and retention measures; the timing, format, and method of notice to data subjects regarding the processing of their data; assessment of the adequacy of safeguards on transfers; the form of data protection impact assessments; and the timing of responses to data subject requests and central registration of filing systems.

49. The preceding is without prejudice to the needs of authorized UNDP offices acting pursuant to their official functions, and such offices may act in accordance with the needs of their mandate. In addition, the preceding cannot supersede UN-wide mandated protections.

4.8. Transitional Measures

50. This Policy will be progressively implemented. There will be a 12 months transitional period from the effective date noted above for full adherence to the policy document. During this time, a comprehensive implementation plan will be rolled out. Successful completion of the implementation plan will require full cooperation at the Bureau, Region and Country levels regarding key implementation activities such as the compilation of personal data inventories; performance of data risk assessments; the drafting of guidance and notice documents and data protection training (e.g., train the trainer activities, etc.). Requests for implementation delay such as exemptions from specific provisions of this Policy, for specific time periods and filing systems, may be granted by the Chief Data Officer after consultation with Chief Information Security Officer, following a request made by a Bureau or Regional Director, following a risk assessment. Such exemptions will be noted in any relevant information notice.

 

5. ANNEX 1: DEFINITIONS

 

5.1 Archives are, as the context requires, either physical or electronic recorded information that has been deemed of sufficient administrative, fiscal, legal, historical or informational value as to warrant permanent retention under the relevant UNDP regulation, or a designated facility containing such information objects.

5.2 Anonymous or anonymized information means information about a person whose identity cannot be determined.

5.3 Consent means, in light of the information provided to the individual data subject, any freely given, specific and informed agreement of a data subject or the representative of a vulnerable data subject to the processing of their personal data. In the case of vulnerable data subjects, such consent will be provided by their representative, with due consideration of the best interest of the data subject. Consent as defined and used in this Policy is intended to provide the data subject with agency as to the collection and further processing of their data. The consent is often supported by other legitimate bases for data processing such as UNDP’s legitimate interest, beneficiary interest, vital interest or contract. Data subject’s or representative’s requests for withdrawal or alteration of consent will be reviewed and acted on with due consideration to the best interest of the data subject and the legitimate bases relied on for the collection and processing of the personal data.

5.4 Controller means the entity or individual, including a public authority, agency or other body, who, alone or jointly with others, determines the purposes and means of the processing of personal data.

5.5 Data Protection Impact Assessment (DPIA) means a standardized assessment building on the HLCM Principles and other recognized international data protection principles that assesses the impact of the envisaged processing activities on the protection of personal data and on the rights and freedoms of the data subjects. A DPIA aims to identify mitigating measures, if any, in order to avoid or minimize such impact.

5.6 Data subject means an individual whose personal data is subject to processing under this Policy, regardless of who provided the personal data or how it was found. For the purpose of the Policy, the term data subject includes, but it is not limited to past, potential or current beneficiaries, individual donors, supporters, suppliers, individuals in other UNDP associate organizations and personnel.

5.7 Particularly Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union/staff association membership, genetic data and biometric data capable of uniquely identifying a natural person, data concerning health, or data concerning an individual’s sex life or sexual orientation.

5.8 Personal data means any information relating to an identified or identifiable individual (‘data subject’). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, phone number, audiovisual materials, location data, an online identifier, ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual or iii) assessments of the status and/or specific needs, such as in the context of assistance programmes. The definition of what constitutes personal data is contextual and expanding particularly due to enhancements in technology and methods for identifying individuals.

5.9 Personal data breach means a breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure, access, or unplanned loss of availability of personal data that is unencrypted or can be decrypted. A breach does not exist where access is the result of disclosure or access consistent with official functions.

5.10 Personal data transfer means any action that makes personal data accessible or otherwise available to another party, other than the data subject, regardless of the media and format (electronically or physically). Movement of data or provision of access to data to other individuals within UNDP is not a personal data transfer. Personal data transfer includes transfers within a country as well as data transfers from the country where the data was originally collected to another country or countries.

5.11 Process or processing means any operation or set of operations performed on personal data, whether by automated means or manually, such as collecting, recording, structuring, consulting, retrieving, using, transferring, disclosing, sharing or otherwise making available, or deleting.

5.12 Processor means an individual or entity, including a public authority, agency or other body, which processes personal data on behalf of the controller.

5.13 Pseudonymization means any technical process under which personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable individual.

5.14 UNDP associate means one of the following kinds of entities with which UNDP has a contractual relationship or collaboration arrangement: a civil society partner, bilateral or multilateral partner, National Committee, supplier or vendor, corporate partner, or a sub-contractor of any of these entities. It does not include governments.

5.15 UNDP filing and/or storage system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. This includes databases and other repositories of personal data, as well as archives, administered by or on behalf of UNDP.

5.16 UNDP personnel means UNDP staff, individual consultants and contractors, UNVs, interns, volunteers, gratis personnel, UNDP goodwill ambassadors, individuals serving on loan or deployed under Stand-by Personnel arrangements to UNDP, and persons working for UNDP through an employment agency or similar arrangement.

5.17 Vulnerable data subject refers to data subject who are reasonably not able to provide informed consent. Vulnerability comes in many forms specially when there are inadequate protections. Someone can be vulnerable to data abuse based on their gender, sexual orientation, age, medical history, an abusive intimate relationship, social marginalization or involuntary displacement, etc. The degree of vulnerability also varies based on intersecting inequalities, conditions and situations.

 

6. ANNEX 2: REQUESTS OF IDENTIFIED DATA SUBJECTS TO INTERACT WITH THEIR PERSONAL DATA

 

6.1. Provision of information about the processing of a data subject’s personal data

6.1.1. Pursuant to paragraph 25 and 26, the following information will be provided to the data subject, in writing or orally:

1. the purposes for which their personal data will be processed;
2. whether personal data about the data subject will be collected from other sources, and the categories of such sources (which could include other UN agencies, government sources, UNDP associate sources, publicly available information);
3. the anticipated retention period;
4. whether their personal data will be transferred to third parties, the categories of third parties to which their personal data will be transferred, and whether they may be outside the country in which the data subject is located;
5. the importance that data subjects provide accurate and complete personal data as well as changes to their personal situation pursuant to paragraph 21 of the Policy;
6. how to request access to their personal data, or correction or deletion of it; to object to or to restrict the processing of their personal data; and any further recourse that might be available.

6.1.2. Such information will be provided in a clear and plain language as well as in a format adapted to the age, maturity and vulnerability of the data subjects.

6.2. How data subjects can make requests for access, correction, deletion, objection to a restriction of processing, or objections to automated decision-making

6.2.1 UNDP will consider a request made orally or in writing by a data subject.

6.3. UNDP responses to requests for access, correction, deletion, objection to a restriction of processing, or objections to automated decision-making

6.3.1. In assessing or responding to the request, the person responding:

1. May ask for further detail, if the request does not contain sufficient detail to enable UNDP to identify and locate the record with reasonable efforts;
2. Will respond to the request within a reasonable time, orally or in writing, and pursuant to paragraph 17 and paragraph 48 and 49;
3. Will generally limit requests to structured personal data, unless overriding reasons demand otherwise. Such overriding reasons could include upholding the best interest of the data subject or essential rights and freedoms of individuals;
4. Will not reveal personal data about the data subject, unless there is sufficient proof that the person asking for the information is the data subject;
5. May deny the request if there are grounds for believing that the request is manifestly abusive, fraudulent, or obstructive to the purpose of processing;
6. Will provide reasons if the request is denied, other than if it is denied on grounds that it is manifestly abusive, fraudulent, or obstructive to the purpose of processing;
7. Will provide access in a form (oral, in print, digitally, or through online access) that is reasonably practical to UNDP and the person requesting, if access is granted;
8. Will provide information about any available recourse or review mechanism that has been established and could be used by the data subject or vulnerable data subject’s representative.

7. ANNEX 3: ROLES AND RESPONSIBILITIES

Chief Data Officer	Delegated overall responsibility for operationalization of the data protection framework within UNDP	41-45
	Designating implementing and oversight structures to support the operationalization and interpretation of the policy	46
	Overall responsibility for making decisions associated with personal data breaches	45
Data Governance Group	Providing technical advice to the Chief Data Officer in operationalizing the data protection programme within UNDP	41-45
	Where another implementing structure has not been designated by the Chief Data Officer, providing technical assistance to offices in: effecting data privacy by default and design, reviewing safeguards with associates, conducting Data Protection Impact Assessments, and addressing data subject requests	4, 13, 27-40
	Receiving, evaluating and presenting annual reports on the implementation of the policy.	44.1
	Advising on personal data protection aspects of personal data breaches	44.3
Regional Directors	Monitoring implementation of the policy in their respective regions, and through their Regional Directors, inform the Chief Data Officer of data protection risks, and issues that impair the effectiveness of the policy or the data protection programme in general	14
Heads of Office (Regional Directors in Regions, Bureau Directors in Bureaus, Representatives in country/area offices)	Responsible for ensuring the implementation of the policy in their offices	41-45
	Determining which and how special considerations apply to the processing of personal data during a declared emergency, across all information assets in their offices	48, 49
	Responsible for making sure non-archival retention of records is substantiated and documented as follows:: i) how long the personal data is needed for the intended purpose(s), ii) after which period of time the data will become stale or no longer useful for the intended purpose(s), iii) the appropriate retention period for the personal data based on assessment of retention needs, iv) how to safely and appropriately destroy or archive the personal data at the end of the determined retention period. Note: retention periods exceeding 10 years require additional substantiation.	24
	Approving and signing specific agreements with associates that contain safeguards for data protection, and maintaining oversight over the implementation of the safeguards	13, 39-40
	Maintaining and keeping current a register of UNDP filing systems that contain personal data in their respective offices	44.2
	Reporting, through the relevant Regional Directors, on the office’s implementation of the policy, and designate Focal Points to assist in such reporting and coordination	44.1
	Monitoring training undertaken by the office’s personnel	41
Bureau Directors	Responsible for prescribing appropriate general safeguards to be employed by associates whose relationship they manage, in consultation with, as appropriate, the Office of Legal Services?, the Chief Data Officer and the Chief Information Officer and his delegates	13, 39-40
	Within existing or designated regulatory authority, and as necessary, identifying, or establishing a procedure for identifying, specific data, persons or entities and activities that fall within the policy-prescribed definitions of “personal data”, “particularly sensitive personal data”, “controller”, “processor”, “processing” and “data subject”	Annex 1
	Within existing or designated regulatory authority, and as necessary, identifying, or establishing a procedure for identifying, any legal basis specified in the Policy for personal data collection and transfer, the purpose of data collection and transfer, and any exceptions based on fundamental rights and freedoms in an emergency context	Annex 1
	Within existing or designated regulatory authority, and as necessary, establishing standards and procedures for securing informed consent, and procedures to respond to requests of data subjects to interact with their personal data.	Annex 1
	Within existing or designated regulatory authority, and as necessary, establishing retention periods shorter than 10 years	24
Comptroller	Responsible for deciding whether to grant requests to retain non-archival records longer than stipulated in applicable data retention standard. And, if such request is granted, responsible for making sure exception from the applicable retention standard is substantiated and documented. Note: the granting of records retention requests where no retention standard has been promulgated, should be of temporary duration only, and contingent on prompt implementation of such retention standard.	24
Chief Information Officer and his delegates	Responsible for administration of the Information Security Programme	23
	Creating a register of personal data breaches	45
	Notifying to Information Asset Owner and/or Head of Office of a personal data breach, as part of a personal data breach response	45
Data Management Owner (DMO) (person or group designated pursuant to UNDP STANDARD ON INFORMATION SECURITY: ASSET MANAGEMENT)	Responsible to the Head of Office in implementing and monitoring implementation of this policy in connection with a designated information asset within the UNDP filing system	41-45
	Under the supervision of the Head of Office, and in consultation with, as appropriate, the Data Protection/Privacy Specialist (OED) and the Chief Information Officer and his delegates, determining new means of processing personal to implement ‘data protection by design and by default’, including by determining whether the information asset is expected to contain records of personal data	42
	Under the supervision of the Head of Office, and in consultation with, as appropriate, the Data Protection/Privacy Specialist (OED), conducting a Data Protection Impact Assessment	42
	Defining the role of UNDP as controller or processor in connection with the designated information asset	11
	Under the supervision of the Head of Office, and in consultation with, as appropriate, the Data Protection/Privacy Specialist (OED) and the Chief Information Officer and his delegates, implementing appropriate organizational and technical safeguards in connection with the processing of particularly sensitive personal data	11
	Under the supervision of the Head of Office, determining a legitimate basis for processing data to be recorded for the designated information asset	15
	Unless otherwise prescribed by regulation, under the supervision of the Head of Office, determining how and in what circumstances consent will be pursued	16
	Specifying the purpose for personal data processing, and the personal data categories and items necessary to fulfill this purpose, based on the principle of personal data minimization.	18
	Approving further processing for purposes beyond those specified at the time of collection	19
	Documenting personal data protection measures in connection with the designated information asset	44, 50
	Periodically reassessing the accuracy of personal data. Frequency of accuracy review will depend on factors such as the relative time sensitivity of the personal data. Determination of reassessment frequency will be substantiated and documented, and reassessment frequency should in all circumstances be less than every 5 years	21
	Reviewing appropriateness of retention period and process stipulated in Retention Standard document every 5 years. Continuously ensuring that retention period and retention and destruction process stipulated in Retention Standard document are complied with.	24.2
	Under the supervision of the Head of Office, and with the advice of the Data Protection/Privacy Specialist (as appropriate) or implementing structure designated by the Senior Management, receiving and deciding upon requests for access, correction, deletion, objection to and restriction of processing, or objection to automated decision-making	27-38
	Notifying affected data subjects affected by personal data breaches, as authorized under the personal data breach procedure	45
Data Steward	Assigned by the Data Management Owner (DMO) to data management related responsibilities and day to day operations	10-14, 27-40, 44-49
	Knowing, understanding and applying this policy	10-26
All UNDP personnel	Completing prescribed courses for data protection	41
	If not already so prescribed or designated, determines whether data that they are processing constitutes personal data and communicates same to the information asset owner	4
	Determining the age of a data subject where required during personal data processing or data interaction requests, and taking particular care in the processing of personal data of vulnerable categories of data subjects	11
	Providing information about personal data processing at the time that they collect it	25-26