Consultancy – Data Protection Consultant, DAT Team (CDO), DAPM NYHQ (remote-based)

UNICEF has issued a Policy for Personal Data Protection in 2020 (the “Policy”) which applies to any personal data processing by or on behalf of UNICEF. This involves the data of the children who UNICEF serves, its staff, its individual donors, and others. The goal of the policy is to ensure that UNICEF uses personal data in line with individual’s rights and freedoms and without exposing them to inappropriate risks.

Consultancy Title: Data Protection Consultant

VA Category: Research, Planning Monitoring and Evaluation

Section/Division/Duty Station: CDO/Data Governance Section/ DAPM NYHQ (remote-based)

Duration:  11 months (15 May 2024 – 15 April 2025)

BACKGROUND

UNICEF has issued a Policy for Personal Data Protection in 2020 (the “Policy”) which applies to any personal data processing by or on behalf of UNICEF. This involves the data of the children who UNICEF serves, its staff, its individual donors, and others. The goal of the policy is to ensure that UNICEF uses personal data in line with individual’s rights and freedoms and without exposing them to inappropriate risks.

Purpose of Activity/Assignment:

The Chief Data Office (CDO) is tasked to support offices and divisions with the implementation of the Policy. For that purpose, it is centrally developing a data protection programme, a set of tools, guidance, central records and training/awareness measures, to enable the organization to process personal data in compliance with the Policy and in respect of individuals’ rights to privacy. In addition, it is committed to promoting the responsible use of other sensitive data for children in line with the “Responsible Data for Children” principles and toolkit.

Scope of Work:

The Information Security team is responsible for establishing, maintaining, and continually improving UNICEFs cybersecurity program, to ensure the confidentiality, integrity, and availability of UNICEF’s digital assets. In order to fully design and support the roll-out of the UNICEF data protection programme, including responsible standards for the handling of sensitive non-personal data, and address the related elements of UNICEFs cybersecurity program, UNICEF CDO and UNICEF Information Security need to hire a data protection and privacy technology expert with strong experience on the intersection of data protection, information security and technology.

Terms of Reference / Deliverables

The consultant is expected to support the implementation of the Policy worldwide, with specific focus on the development of the tools, systems and guidance developed as part of the data protection programme by UNICEF CDO in collaboration with ICTD Information Security. To carry out this work, the Chief Data Office is seeking out the support of a consultant with the following objectives:

1. Facilitate the implementation of data protection impact assessments by divisions and offices.
2. Enable offices and divisions to conduct a data mapping in line with the policy and maintain a record of processing activities to track compliance and manage high risks.
3. Increase the transparency of UNICEF’s exposure to risks and the implementation status of the data protection programme.
4. In collaboration with ICTD Information Security, develop guidance and tools to improve UNICEF’s and partners’ technology and processes for the secure and privacy compliant collection, use, transfer and deletion of sensitive data.
5. In collaboration with ICTD Information Security, align the UNICEF personal data breach procedure with the ICTD security incident procedure.
6. Development of a UNICEF position on data harvesting technologies

Note:  While the deliverables include an estimated number of days, these numbers are a rough estimate, the payments will be made based on the satisfactory completion of each deliverable in their entirety, and receipt of invoice, and will not be based on the number of days worked.

Deliverable 1: Enabling UNICEF to conduct Data Protection Impact Assessments (DPIAs)

In collaboration with ICTD,

1. Develop technical wording to establish an LTA with a vendor to conduct data protection impact assessments (DPIA) with offices and divisions, advise on quotes, strength and weaknesses of vendors, and manage the set-up of two such LTAs UNICEF internally.
2. Assess at least three DPIA tools of privacy platform service providers. Tool should allow, inter alia, for initial screening of necessity of DPIA (checklist), UNICEF local and central use, integrated data flow chart tool, central access to DPIA database.  The platform should be easily adaptable to UNICEF DPIA procedure, templates and methodology. It should furthermore be configurable to include AI risk assessments, and RD4C assessments. Consult on integration with UNICEF infrastructure. Develop technical wording to establish such a contract and manage the set-up of the contract UNICEF internally in collaboration with ICTD.
3. Identify to what extent vendors (can) include privacy threat modelling into the DPIA service, whether separate tools exist and recommend approach on privacy threat modelling for UNICEF.
4. Based on the LTA and the DPIA platform, support one data protection impact assessment for a digitally enabled intervention of a CO based on a UNICEF corporate platform as per selection of the CDO/ICTD, analyse the outcomes from the process, incl. the cooperation with the vendor, and lessons learned for the CDO to improve the DPIA process and the existing DPIA guidance and risk mitigation measures.
5. Create a framework how the conclusions and recommendations from the platform DPIA can in turn guide risks assessments for local deployments of such a solution in each country.
6. Develop TORs for an LTA with vendors to provide for privacy enhancing technology based on the different UNICEF stakeholder needs (such as D&A and other stakeholders to be identified), such as generative adversarial networks, homomorphic encryption, differential privacy, etc.

Deliverables/Outputs:

a. Provide:

• Terms of reference for the LTA
• Overview over the steps of the contracting process, and preparation of all deliverables from CDO side.
• Written analysis of the quotes of at least three vendors, strengths and weaknesses and recommendation for selection.

Deliverable deadline: 15 June 2024

b. Provide:

• Terms of reference
• If data flow diagram technology is not available in the respective privacy platform, source other easily usable privacy compliant digital tools for data flow diagrams and develop simple guidance how to use it in the context of the DPIA.
• Written analysis of vendors’ quotes, strengths and weaknesses, incl. on configurability in line with the first column, UNICEF system infrastructure integration and recommendation for selection
• If data flow diagram technology is not available in the respective privacy platform, source other easily usable privacy compliant digital tools for data flow diagrams and develop simple guidance how to use it in the context of the DPIA.

Deliverable deadline: 30 June 2024

3. Written recommendation how to integrate privacy threat modelling into UNICEF DPIA process, and/or into UNICEF information security threat modelling, and with which tool, if any.

Deliverable deadline: 30 June 2024

4. Provide:
   • One complete DPIA report with the draft recommendations from the CDO.
   • Written mark-up of DPIA template, process, guidance with suggestions for the improvement of these documents, including the current list of risks and risk mitigation measures

Deliverable deadline: 31 December 2024 (depends on when LTA/contract is in place)

5. Develop a framework/checklist how COs can assess country-specific risks for the roll-out of the

Deliverable deadline: 31 December 2024 (depends on when LTA/contract is in place)

6. Develop TORs for an LTA with vendors to provide privacy enhancing technologies in line with identified needs of UNICEF.

Deliverable deadline: 31 August 2024

Deliverable 2: Central registries

1. ROPA

Please quote separately for these two alternative items:

Alternative 1)

Design an approach for UNICEF offices to maintain a registry of processing activities (ROPA), including guiding their use of such registries; Note: this activity applies to both new processing activities (for which a go-forward approach is required) as well as existing processing activities (for which a retroactive approach is required).

1. Apply the implemented approach in HQ division, one regional office, and one country office to validate its function and generate recommendations for further refinement. Based on the recommendations, facilitate refinement of the approach and implementation.

Alternative 2)

Jointly with a UNICEF vendor contracted for the ROPA based data mapping and in consultation with relevant UNICEF stakeholders, develop a risk-based plan (risk focus, sequence of offices).Accompany the UNICEF vendor conducting the personal data mapping and populating the ROPA based on the vendor’s tool with a CO and an HQ division and develop a guide for offices and divisions on the ROPA, its purpose and use and how to maintain it going forward when the backward looking ROPA has been completed.

Analyse the data, and its gaps, from a risk perspective with a goal to advise UNICEF on its exposure to harm data subjects.

1. In collaboration with ICTD, elicit how a digital system could be implemented to record and report policy implementation measures in line with Section 45.1 of the policy. Such a system should be integrated with and pull information from any other systems that exist or are envisages (e.g., the ROPA, the DPIA database, and others).  Support the Data Protection Officer and the Information Governance function in the ongoing data mapping from a personal data processing perspective in line with the Policy.
2. In collaboration with ICTD and in line with task 3, develop a central registry for recording personal data breaches confidentially and in an automated manner in line with the UNICEF Procedure on Personal Data Breaches, which should be interoperable with the ICTD registry for data breaches.
3. In collaboration with ICTD, visualize data analytics (in real time) relating to the implementation of the data protection programme (progress on work areas of the programme, data breaches, number of requests for support, number of mandatory DPIAs, number of completed DPIAs)

Deliverables/Outputs:

1. ROPA

Please quote separately for these two alternative items:

Alternative 1):

• • Written approach how to conduct the data mapping based on the ROPA,
  • Written plan for the sequence of the offices and divisions to be supported by the consultant.
  • Short, practical and precise guidance to offices and divisions about the ROPA, its purpose/uses and how to maintain it, tying in with the UNICEF data protection handbook.

Deliverable deadline: 15 June 2024

Alternative 2)

• Written plan for the sequence of the data mapping conducted by the vendor (delivery date: 15 June 2024)
• Short, practical and precise guidance to offices and divisions about the ROPA, its purpose/uses and how to maintain it, and tying in with the UNICEF data protection handbook.
• Written analysis of the personal data results from the data mapping, and a presentation of the key findings for management

Deliverable deadline: 31 October 2024

1. Provide a written recommendation how to operationalize a digital system to record and report policy implementation measures which takes into consideration the input from ICTD and CDO.

Deliverable deadline: 30 September 2024

2. Provide written guidance on operationalizing a digital system for recording personal data breaches which takes into consideration the input from ICTD and CDO.

Deliverable deadline: 30 January 2025

3. Technically implementable written plan how metrics relating to the implementation status of the data protection programme can be displayed (ideally in real time) on the data protection SharePoint site.

Deliverable deadline: 30 January 2025

Deliverable 3: Review and align the currently being revised personal data breach procedure with the security incident procedure

Deliverables/Outputs: Based on consultations with ICTD, legal office and CDO, provide written mark-up how to amend the personal data breach procedure and/or the security incident procedure; and provide a final draft following consultation and comments with ICTD and CDO.

Delivery deadline: 31 December 2024

Deliverable 4: – Data harvesting technology – Support the coordination by CDO of the cross-functional process to come up with a UNICEF position on data harvesting technologies for UNICEF programmes and administration including a list of measures to address the issue.

Deliverables/Outputs: Based on input from relevant UNICEF stakeholders provide a first draft of the following documents, as well as, after input of ICTD and CDO, a final draft considering such input

1. Work plan to come up with formal UNICEF position, incl. consultation with relevant UNICEF stakeholders.
2. Draft position paper (based on existing draft) considering risks, opportunities, and impact on UNICEF operations, based on input from relevant offices/divisions.
3. Guidance note explaining what this new position means for UNICEF programmes, as well as list of steps to be taken to update any relevant documentation, such as procurement processes.

Delivery deadline: 31 January 2025

Deliverable 5: Contracts

In collaboration with ICTD and the legal office, review the UNICEF standard security measures to be added to contracts with NGOs in high-risk / low-capacity contexts and private sector partners.

Deliverables/Outputs: Provide written standard security measures to be added to contracts and/or agreements based on the type of partners, e.g., NGOs in high-risk / low-capacity contexts, private sector partners, government partners etc. The written security measures shall include input from the legal office and ICTD. A final draft shall be provided following consultation with legal office, ICTD and CDO.

Delivery deadline: 28 February 2025

Deliverable 6: Standards and guidelines

Develop internal standards and guidance notes, in close collaboration with ICTD and other CDO team members, cross-referencing the UNICEF digital resilience model.

Deliverables/Outputs: Develop and submit for review internal standards and guidance notes, on each of the following topics based on the input of ICTD and CDO; provide a final draft following comments/consultation of the initial draft:

1. the responsible use of artificial intelligence from the privacy perspective with the goal to integrate this into related principles, checklists, guidance, risk assessments, and procedures which are being developed.
2. secure transfer of sensitive data between UNICEF and partners and internally
3. the secure anonymization of data – this work will involve, together with the DAPM MICS team, the identification of a risk level where re-identification is acceptable to the organization.
4. privacy by design and default for technologies to be acquired or built/configured in UNICEF.
5. encryption and pseudonymization, and guidance
6. the secure data destruction (physical and digital), and
7. data protection and privacy for business owners presenting their projects to the ICTD PPM (including a checklist).

Delivery deadline:15 April 2025

For all deliverables, even if not expressly mentioned in the above, the consultant shall provide a first draft and, following written comments and/or an oral consultation, a final version of all deliverables.

No travel is envisaged for this consultancy.

Qualifications

Education

• Masters degree in Data protection and privacy law, data science, computer science or other related field

Work experience

At least 7 (seven) years of working experience in privacy technology or personal data protection and privacy with a strong expertise in information security and technology in practice and training

• Good understanding of national and international data protection laws, such as GDPR, and their technical implementation
• Experience in conducting and guiding non-technical staff on data protection impact assessments.
• Good understanding of the challenges of artificial intelligence, big data and data protection and privacy and trends in reconciling them
• Experience in developing easily understandable guidance notes or contractual language on complex technical matters.

Competencies

• Prior experience working with a multilateral or UN organization is desirable.
• Good understanding of privacy enhancing technology
• Competent in advanced Excel, Word, data analytics and data visualization, including digital data flow.
• Native or near-native proficiency in English (oral and written) is required. Knowledge of another UN language is an asset.
• Demonstrated strong writing and presentation skills. strong analytical and interpersonal communication skills, attention to detail.
• Ability to translate business needs into technical requirements and translate complex concepts in a simple manner for a non-technical audience is highly desirable.
• Project management skills including task prioritization, workflow coordination, and results-driven strategies is desirable.
• Excellent organizational skills and ability to prioritize and manage multiple tasks.
• Strong writing and interpersonal communication skills.

Requirements: 

• Completed profile in UNICEF’s e-Recruitment system
• Upload copy of academic credentials
• Financial proposal that will include:
• the costs per each deliverable and the total all-inclusive (lump-sum) fees for the whole assignment (in US$) to undertake the terms of reference.
  • travel costs and daily subsistence allowance, if internationally recruited or travel is required as per TOR.
  • Any other estimated costs: visa, health insurance, as applicable.
  • Indicate your availability
• Any emergent / unforeseen duty travel and related expenses will be covered by UNICEF.
• At the time the contract is awarded, the selected candidate must have in place current health insurance coverage.
• Payment of professional fees will be based on submission of agreed satisfactory deliverables. UNICEF reserves the right to withhold payment in case the deliverables submitted are not up to the required standard or in case of delays in submitting the deliverables on the part of the consultant.

Health Insurance:The Consultant is fully responsible for arranging at their own expense, such as life, health, and other forms of insurance covering the term of the Contract as he or she considers appropriate.  The Consultant is not eligible to participate in the life or health insurance schemes available to UNICEF and United Nations staff members.

For every Child, you demonstrate… 

UNICEF’s values of Care, Respect, Integrity, Trust, Accountability, and Sustainability (CRITAS). 

To view our competency framework, please visit  here. 

UNICEF is here to serve the world’s most disadvantaged children and our global workforce must reflect the diversity of those children. The UNICEF family is committed to include everyone, irrespective of their race/ethnicity, age, disability, gender identity, sexual orientation, religion, nationality, socio-economic background, or any other personal characteristic.

UNICEF offers reasonable accommodation for consultants/individual contractors with disabilities. This may include, for example, accessible software, travel assistance for missions or personal attendants. We encourage you to disclose your disability during your application in case you need reasonable accommodation during the selection process and afterwards in your assignment. 

UNICEF has a zero-tolerance policy on conduct that is incompatible with the aims and objectives of the United Nations and UNICEF, including sexual exploitation and abuse, sexual harassment, abuse of authority and discrimination. UNICEF also adheres to strict child safeguarding principles. All selected candidates will be expected to adhere to these standards and principles and will therefore undergo rigorous reference and background checks. Background checks will include the verification of academic credential(s) and employment history. Selected candidates may be required to provide additional information to conduct a background check. 

Remarks:  Only shortlisted candidates will be contacted and advance to the next stage of the selection process.

Individuals engaged under a consultancy or individual contract will not be considered “staff members” under the Staff Regulations and Rules of the United Nations and UNICEF’s policies and procedures, and will not be entitled to benefits provided therein (such as leave entitlements and medical insurance coverage). Their conditions of service will be governed by their contract and the General Conditions of Contracts for the Services of Consultants and Individual Contractors. Consultants and individual contractors are responsible for determining their tax liabilities and for the payment of any taxes and/or duties, in accordance with local or other applicable laws. 

The selected candidate is solely responsible to ensure that the visa (applicable) and health insurance required to perform the duties of the contract are valid for the entire period of the contract. Selected candidates are subject to confirmation of fully-vaccinated status against SARS-CoV-2 (Covid-19) with a World Health Organization (WHO)-endorsed vaccine, which must be met prior to taking up the assignment. It does not apply to consultants who will work remotely and are not expected to work on or visit UNICEF premises, programme delivery locations or directly interact with communities UNICEF works with, nor to travel to perform functions for UNICEF for the duration of their consultancy contracts.