In response to reports that iris scan technology supplied by UK-registered company, IrisGuard, is being used by the World Food Programme (WFP) and the United Nations High Commissioner for Refugees (UNHCR) in refugee camps and urban centers in Jordan, on 5 May, 2021, Access Now contacted the organizations to raise human rights concerns, and ask a series of questions.
“We recognize that new technologies can help humanitarian aid agencies scale up their operations and facilitate more efficient and effective aid distribution to affected communities. However, we are very alarmed by the mass-scale collection and use of refugees’ sensitive biometric data for identification and authentication purposes,” the letter stated.
Below is the response from the UNHCR.
Thank you for your interest in our work and the important questions raised.
Biometric collection in refugee contexts is undertaken as part of refugee registration and follows recommendations from UNHCR’s Executive Committee. In its 2001 Conclusion number 91 (LIII), on Registration of Refugees and Asylum-Seekers, the Executive Committee encouraged both States and UNHCR to introduce new techniques and tools to enhance the identification and documentation of refugees and asylum-seekers, including biometric features. UNHCR collects and processes biometric data primarily for the purpose of registration, identity management and documentation, which is a tool for refugee protection and lies at the heart of UNHCR’s protection mandate.
All registration data, including biometric data, is stored on servers with multiple protection layers which consider numerous risk factors, including physical and digital protection systems. The risks are regularly assessed, and the protection systems are updated and further enhanced, considering the sophistication of modern digital risks.
The processing of all personal data of Persons of Concern (POCs), including biometric data, is regulated by UNHCR’s Data Protection Policy (2015), which sets out four legitimate bases for processing, namely: (i) consent, (ii) vital and best interest of the POC, (iii) UNHCR mandate and (iv) security of the POC or third party. All personal data of POCs collected by UNHCR is treated as confidential and is not shared with partner organizations unless there is a specific purpose to do so, in which case the data transfer is assessed against all data protection principles and safeguards, including the identification of an appropriate legitimate basis permissible under the said policy.
A refusal to biometrically enrol does not impact an individual’s status with UNHCR and the use of iris technology for assistance delivery is not linked in any way to the eligibility criteria for assistance.
In Jordan, a Memorandum of Understanding was signed between the Hashemite Kingdom of Jordan and UNHCR in 1988 and amended in 2014. This MOU sets out the areas of activities of UNHCR and guarantees rights for refugees residing in Jordan. UNHCR’s sharing of personal data of POCs with the Government of Jordan (the Ministry of Interior) is limited to basic biodata, for the specific and legitimate purpose of protection of the POCs, including prevention of refoulement and is shared in line with UNHCR’s Data Protection Policy. The Government of Jordan does not have access to biometric data collected by UNHCR. UNHCR does not share biometric data with the Government of Jordan in line with the principle of necessity and proportionality as set out in UNHCR’s Data Protection Policy.