Closing date: 10 Jan 2019
Summary
- The aim of the consultancy is to integrate the principles of Data Protection into CartONG's approaches, in a cross-cutting and holistic manner
- The full terms of reference in PDF may be downloaded here.
- Consultancy services open to individuals and organizations
- Application deadline is 10/01/2019 at 12pm (noon) GMT+1
- Obligation of availability in the first semester of 2019
I. Background
Founded in 2006, CartONG is a French non-governmental organization specialized in mapping and information management support for humanitarian and development organizations. Our core expertise is geographic information, but we have extended it over the years to other technologies (mobile data collection, information management, remote sensing, drones, participatory mapping, etc.)
We support international aid organizations, NGOs and public authorities by providing tools, services & trainings that allow them to better plan, implement and evaluate their programs, therefore improving the impact of humanitarian aid in favor of the most vulnerable. We focus on training local staff and collaborating with local communities, in order to provide projects that are sustainable and tailored to the needs and priorities of the people we are seeking to assist.
We work with local, national and international organizations, in particular NGOs specialized in disaster response and development as well as UN agencies (MSF, UNHCR, AFD, Terre des Hommes, ACF, etc. The complete list may be found here: http://www.cartong.org/our-partners). CartONG is a fast-growing & dynamic organization, gathering 25+ international staff and 50+ active volunteers.
A list of examples of projects is available here: http://cartong.org/sites/cartong/files/CartONG%20-%20Portfolio%202016.pdf
II. Context of the consultancy
Like any NGO, CartONG is subject to compliance with the principles of data protection, and more specifically to compliance with the European General Data Protection Regulation (GDPR), which came into force in May 2018.
Given its field of activity, CartONG is particularly affected by this issue and wishes to improve its practices on this subject both internally (tools, sharing of roles, procedures...) and in its relations with its partners (contractual terms, sharing of roles and responsibilities...) in order to remain a recognized stakeholder in the use of new technologies dedicated to the humanitarian and development field. Moreover, CartONG is increasingly asked by its partners to handle sensitive personal data (medical/epidemiological data, household locations, distribution lists, etc.) or sometimes very sensitive data (location of non-state armed groups in civil war contexts, medical data with a high stigmatization risk such as HIV, etc.).
On the legal side, CartONG is facing different interpretations of the GDPR by the various legal departments of its partner NGOs. Furthermore, given its position as an organization providing services to other relief and development organizations (positioned as "Humanitarian to Humanitarian organization" https://www.h2hworks.org/), CartONG's legal status is complex (since it is similar to both a "data processor" and a "data controller" but also because of its work in partnership with a diversity of actors subject to various regulations: European but also Swiss, American organizations, UN agencies not subject to the GDPR, local country governments with their own regulations etc.).
The data protection area is also strongly affecting the organizational model of CartONG: it requires in particular a review of the roles and responsibilities of each team member and the appointment of a Data Protection Officer - DPO (and the definition of the corresponding functions).
Given the urgency of legal compliance with the GDPR, an internal data protection “working group” was set up within CartONG at the beginning of 2018. This working group made it possible to define a first internal action plan and to implement the most urgent activities. This working group also identified the need to get external support (considering the limited internal availability of specialized skills, mainly in terms of legal and data protection organizational impact) in order to implement directly some activities or review the ones drafted by the CartONG team.
Like the majority of NGOs, and despite its core expertise (data management), CartONG is currently facing challenges to be in full compliance with the GDPR. Despite the fact that good practices and reflexes exist within the team, a review of internal procedures, processes and policies, as well as the organization's relations with partners, is therefore necessary.
III. Objectives of the consultancy
This consultancy aims at supporting CartONG:
- in the design of a structured and adapted action plan to integrate data protection principles across its entire activities and project portfolio
- in the implementation of some urgent actions (particularly in relation with its partners and in its internal organization)
More precisely the following results are expected at the end of the consultancy mission:
- a detailed action plan (over 1 to 2 years) reviewed and validated by an external expert to integrate the GDPR and data protection principles in its current activities
- tools, procedures and processes to integrate the GDPR and data protection principles (both for internal activities and within relationships with partners) are in place. In particular, risk-taking with regard to the handling of partners’ sensitive data is properly assessed when necessary (concerning legal responsibilities in particular)
- the internal organization (role and responsibilities of employees and members) is reviewed to integrate practical and legal responsibilities for data protection
This consultancy mission will ONLY focus on operational data handled on behalf of partners. Administrative, HR and volunteer data that CartONG handles are out of scope of this consultancy mission and their data protection aspect will be managed directly by the CartONG team (CartONG does not have any specific needs on this point considering the similarity with all other French associations).
The change management component (training, etc.) won’t be the responsibility of the consultant(s) but of the internal CartONG team. The consultant(s) are only expected to implement the below mentioned activities and deliverables (chapter V).
The following activities are expected (the description below is a suggestion – the candidate might propose different or additional activities and will have in any case to detail its methodology in the technical offer):
1- Assessment of the CartONG situation regarding data protection through: interviews, review of data protection documentation (action plan, data register, existing procedures…) and existing related documents (partnership agreements, sub-contracting contracts, code of conduct…) as well as (possibly) discussion with CartONG partners
2- Formulation of recommendations: on the basis of the assessment of weaknesses and inconsistencies identified, recommendations to overcome them should be suggested.
3- Proposition of partnership modalities related to data protection issues:
- CartONG's environment and legal status (as a subcontractor) in relation to the diversity of its international partners will have to be clarified
- A process allowing CartONG to handle sensitive data when partners request us to do so (under which conditions to refuse/accept, alert role of CartONG toward partners, interaction modalities with partner’s DPO, internal follow-up system to put in place, etc.)
- Amendments to the most important general documents used in partnership relations (articles to be included in partnership agreements, template of data sharing agreements, etc.)
4- Proposition of an internal organization adapted to data:
- Roles and responsibilities concerning data protection (definition of tasks and scope of a DPO, possible design of a specific data protection organizational chart also describing responsibilities, etc.)
- Amendment to the most important HR policies and documents (code of conduct, IT charter, any articles to be added to or modified concerning consultant and employee contracts and job offers, etc.)
5- Optional:
- Remote support to the working group when implementing the recommendations (change management component)
- Simulation of a data management audit: Following the change management process, the simulation of a final audit will aim to ensure that all the elements have been implemented and to formulate final recommendations, if necessary.
IV. Deliverables
All deliverables are expected to be produced in English (potential French translation will be the responsibility of CartONG):
1 – Assessment report of data protection situation within CartONG and list of detailed recommendations – max. 30 pages without annexes
2a – Brief synthesis explaining the legal position of CartONG regarding its partners (on the data protection topic) – max. 5 pages without annexes
2b – Detailed process and related tools or template (check list, list of conditions…) to follow when CartONG is requested to handle personal or sensitive information from its partners
2c – Customized templates or proposed amendments in the documents used to contractualize the relations with partners (article to include or review in MoU / contracts, template of data sharing agreements…)
3a – Brief proposition of integration of data protection responsibilities within the CartONG organizational chart (including detailed tasks and scope of a DPO for CartONG) – max. 5 pages without annexes
3b – Customized templates or proposed amendments in the HR documents (code of conduct, IT charter, template of article to include in individual or consultants’ contracts…)
4 – Optional: 1 to 3 days of remote support
5 – Optional: Audit simulation report
6 – Conclusion report with remaining recommendations and debriefing
The deliverables for (2) and (3) might be updated based on the conclusions of the assessment. Priorities will be agreed upon between CartONG and the consultant(s).
V. Intervention modalities
The consultant’s responsibilities will be to provide technical expertise, particularly on the legal and organizational aspects.
The "data protection" working group will be in charge of ensuring the overall follow-up of the consultancy by meeting at least twice a month during the consultancy period. It will be in charge of validating all the deliverables of the consultant(s) and of implementing them during / at the end of the consultancy. The working group is composed of information management specialists, product owners, mapping/GIS technicians, developers and database administrators.
The complete management team (technical director & project managers) as well as the board of CartONG will also be involved throughout the project (especially at the debriefing) and can be interviewed by the consultant(s).
The working group lead and co-lead will however be the two main interlocutors of the consultants: Edmond Wach and Maeve de France, both of them being Information Management Project Managers and part of the CartONG management team.
VI. Duration and work plan
The consultancy mission is expected to start around February 2019 (negotiable).
- Deliverable 1 (assessment report) is expected to be produced 1 to 1.5 months after the beginning of the consultancy
- Deliverables 2 and 3 are expected to be produced 2 to 3 months after the beginning of the consultancy
- Optional deliverable 4 (remote support) is expected to be available (on request) during two to three months
- Optional deliverable 5 (audit simulation) is expected to take place 6 months after the beginning of the consultancy
- Deliverable 6 is expected to be provided at the end of the consultancy
A presence in our HQ* is expected at least at the 3 following moments: introduction of CartONG and beginning of the assessment phase; restitution of the assessment and prioritization of deliverables 2 and 3; audit simulation and debriefing.
All other activities can be carried out remotely by the consultant(s) and it should be noted that CartONG already works very frequently in "remote" mode (between field deployments and the fact that a number of staff work remotely on a permanent basis).
* Our headquarters are based in Chambéry - a short train or bus ride away from Geneva and Lyon and their international airports.
VII. Budget
The planned budget for this consultancy is roughly between 20 000 and 30 000 €.
This project is co-funded by the FRIO mechanism (Fonds de renforcement institutionnel et organisationnel) which is coordinated by Coordination Sud. For more information: https://www.coordinationsud.org/nos-appuis-aux-ong/dispositif-frio-renforcement-ong/
For this reason, a tripartite evaluation meeting (between the FRIO secretariat, CartONG and consultant) will have to be planned at the end of the mission.
For this reason too and in accordance with its mandate CartONG commits to sharing with the humanitarian community the tools and other products co-developed with the consultant(s) that may be useful to other NGOs. The dissemination of the selected deliverables will be done at least through the CartONG blog, through a session at the next Francophone Information Management NGO community of practice and through the H2H platform.
Licenses for sharing the deliverables, the exact selection of the deliverables being publicly shared, as well as the associated potential visibility for the consultant team will have to be agreed upon before the beginning of the consultancy.
NB: For private companies applying to this consultancy service and if interested (this criterion won’t be part of the selection criteria), CartONG is open to partial or additional services as pro-bono (possibly under the “mécénat de compétence” framework for French companies). Services offered as pro-bono will have to be clearly specified in the financial offer.
VIII. Required qualifications
Individual consultants or organizations are expected to have:
- Significant experience within the different data protection areas (or capacity to mobilize different profiles with the following background):
  - legal (practical application of relevant legislation - including the GDPR)
  - IT (in terms of data storage, retrieval and security)
  - risk analysis
  - auditing of data management systems / compliance
- Significant (5-10 years) experience in the international data protection context and legislation (EU-GDPR but also French, Swiss, USA, Africa, Asia and Middle-East legislation), including drafting of data protection policies and procedures, technology provisions, outsourcing agreements etc.
- Previous experience working with international non-profit organizations is strongly recommended (but not mandatory), ideally in the humanitarian or international development sector
- Previous experience working with special categories of data such as medical data and/or data issued from conflict areas
- Previous experience working with organizations in sub-contractor position having several partners and projects and numerous cross-border data flows
- Previous experience working with small-size organizations (having limited resources to integrate a new topic such as data protection) integrating data protection principles (experience on organizational and HR impacts)
- Fluency in spoken and written English and French
- The possession of a certification by the International Association of Privacy Professionals (IAPP) is considered as an asset (i.e. Certified Information Privacy Association (CIPP) and Certified Information Privacy Professional/ Information Technology (CIPP/IT)).
If one consultant is not in a position to cover all expected areas, the offer can possibly be split into batches of deliverables. Considering the different areas that need to be covered, offers from organizations or companies able to mobilize more than one profile and/or groupings of individuals are however highly encouraged.
How to apply:
Interested individual, organization or company should submit:
- A technical offer (max. 20 pages) with detailed methodology
- A financial offer in Euros including all fees (consultancy fee rates per day, any transport costs and per diem), taxes, VAT and any other costs
- Curriculum Vitae(s) of involved specialists
- At least 3 references of similar work and if possible, documentation/report/sample of previous work carried out in this technical field
- Indication of availability during 1st semester of 2019
Depending on the quality of the offers received, CartONG reserves the right to carry out a pre-selection and to request additional information, as well as to organize Skype interviews with the pre-selected candidates.
Applications must be submitted by 10/01/2019 at 12pm (noon) GMT+1 by email at: info@cartong.org, with all requested documents attached as a zip.
Please make sure to include as the subject line: [Application - Data protection consultancy - Name]
Please make sure to include the following information in your email:
- Your name / Name of the organization
- Address
- Registration number
- Phone number
- Skype contact
For any question related to this consultancy, you can contact either Edmond Wach or Maeve de France at: info@cartong.org, mentioning [Request for information - Data protection consultancy - Name] in your subject line.
Selection will be based on the quality of the methodology and understanding of the present ToRs, the experience of the candidate and the capacity to mobilize the required skills as well as price.
Feedback to all candidates will be provided at the latest on 10/02/2019.