Vulnerable people shouldn’t have to pay a steep price to receive assistance. But that’s what happens when people who need aid are asked to hand over their sensitive biometric data.
Over the past decade, representatives from major UN agencies helping refugees and migrants in Bangladesh, Iraq, Jordan, Kenya, and Yemen have told me that they need to collect biometric data – iris scans or fingerprints, for example – in order to provide assistance to vulnerable people who have fallen victim to violent conflict, disasters, or famine.
Biometric identities help them rule out fraud and increase efficiency, they say. An agency like the World Food Programme, for example, can use biometric data to ensure people are who they say they are, and whether they are entitled to receive a service like cash assistance.
The quest for efficiency and safeguards against fraud is important, but measures to achieve these goals are unacceptable if they put vulnerable people at greater risk. Collecting biometric data in humanitarian crises can do just that: It can be improperly shared or stored; it can fall into the wrong hands during a change in government; or it can be hacked and leaked.
The humanitarian response in Ukraine shows that there’s another path forward: Many agencies have dropped the requirement to collect biometric data while responding to a massive, cross-border crisis. It’s an important step.
Since February 2022, Russia’s full-scale invasion of Ukraine has prompted a humanitarian catastrophe that has been met with one of the largest emergency responses in recent history – in Ukraine and in its neighbouring countries.
I spoke with six humanitarians working on the Ukraine response who were intimately involved in initial discussions around humanitarian support. All said that at the outset, some humanitarian partners assumed that biometrics would be integrated into the response and would be used to prevent “double-dipping” – a central concern related to fraud.
But the pattern of humanitarian data collection did not play out as usual: Ukrainians didn’t want to pay the price of biometrics, and some humanitarian groups are also pushing back.
“Many agencies have dropped the requirement to collect biometric data while responding to a massive, cross-border crisis. It’s an important step.”
The government of Ukraine has a data protection law, which it enforces, and it took a firm position that it did not want international organisations collecting its residents’ biometric data. Digital literacy is high in Ukraine, and Ukrainian civil society groups expressed discomfort at the idea of aid groups collecting sensitive personal data.
A coalition of international NGOs banded together to tell UN agencies that they would not collect biometrics as part of their response. These organisations noted that in addition to the regulations in Ukraine, any data collection in neighbouring countries like Poland and Romania would be governed by the European Union’s data protection regulation (GDPR), which classifies biometrics as a special category known as “sensitive data” with higher protections. They also said that they wanted to keep the data they were collecting on their own systems, rather than feeding it to UN agencies to input into their systems, as has become the norm in most humanitarian responses.
The people I spoke to said that since they were not depending as much on UN agencies for funding compared to other crises, they were able to push back against biometrics.
Another significant factor was the momentum that discussions around data and data-sharing have gained in recent years. One aid group sent a data protection expert to Kyiv to the network that coordinates cash assistance. This expert has helped aid groups limit the data they collect, and to store and share it more safely.
As a result, UN agencies and other humanitarian partners registered people in other ways, such as by using their Ukrainian national tax identity numbers or their passport.
Aid agencies are using a recently developed blockchain-based system to share this data among themselves, encrypted and masked, so that organisations can verify identities and prevent “double-dipping”, without the need to store data in a central location.
This shift away from biometrics has happened in a mammoth cash assistance operation, where dozens of international organisations have transferred more than $1 billion, according to aid groups that specialise in cash.
There are unique elements that help make this shift possible – most Ukrainians have a tax identity number, for example. But humanitarian aid groups can still draw lessons from Ukraine to improve their data collection policies in other responses.
Even if an agency needs to collect biometric data – as the UN’s refugee agency, UNHCR, may for stateless people or people without identity documents – it could ensure that this is kept separate from other response activities. The sensitive personal data collected to register a person for an identity document, for example, would not be used as part of food or shelter distributions.
Experts point out that humanitarian aid groups can confirm people’s identities in safer ways without resorting to collecting sensitive biometric data. The International Committee of the Red Cross, which has a policy that limits its collection of biometric data, has been spearheading cutting-edge research with academics to develop alternative token-based methods to verify someone’s identity. Its position is that the risks of biometric data collection currently outweigh the benefits, at least for the most common use cases of beneficiary registration and management.
No aid worker I spoke to in Ukraine said the systems in place are perfect. Some were concerned by the Ukrainian government’s refusal in some cases to share even the most limited personal information of beneficiaries, which aid workers deem crucial in making decisions about where to prioritise their resources. And some humanitarian groups may well push to integrate biometrics further down the line.
Nevertheless, this shift away from biometrics is a significant step in the direction of protecting the rights of people who use aid.
If humanitarians care about the right to privacy and their responsibility to do no harm, then they should build on the creative and protective approach adopted in Ukraine.
Biometric data is extremely sensitive. It shouldn’t be the price vulnerable people must pay to get assistance.
