Consultant - Beneficiary Data Retention Advisor

Background of the project 

IRC’s Measurement Unit is investing significantly to improve the use of technology in M&E within its programs in international Crisis Response, Recovery and Development (CRRD). This includes a transition to digital data collection tools with increasing volume of data stored in cloud servers. With increasing volume of data, including sensitive and personally identifiable information being collected, IRC requires a data retention policy for data about our beneficiaries to accompany existing policies and guidance on data protection and storage.

The consultant will review existing IRC policies and practices, as well as those of our donor and peer agencies, and synthesize them into a set of recommendations to form the basis of a new policy and guidance materials. Following the successful completion of this synthesis, the assignment may be extended to include the drafting of that new policy.

For the purpose of this assignment, beneficiary data is defined as data about the individuals to whom IRC provides services through its Crisis Response, Recovery and Development division, the services provided to them and the results of that service.

Scope of Work:

• Review current IRC data retention and security policies and document all elements of them which govern the retention of beneficiary data.
• Conduct a desk review of the data retention legislation relevant to IRC’s retention of beneficiary data such as the EU’s GDPR.
• Conduct a desk review of the data retention policies of IRC’s key donors (including but not limited to PRM, BHA, FCDO, ECHO, GiZ, GFFO, SIDA) to identify and document key donor compliance requirements related to beneficiary data retention.
• Develop interview questions for Key Informant Interviews to assess current practice, to be agreed by Director of Data and Monitoring.
• Conduct key informant interviews with approx. 10 relevant staff including the Director of Data and Monitoring, Sr Advisor for M&E Technology, Chief Information and Security Officer, Director of Data Insights, Architecture and Systems, Chief IT Security Officer, Sr Director of Donor Compliance, Sr M&E Advisor for Violence Prevention and Response and representatives from regional and in-country MEAL teams. Record notes from KIIs and synthesize findings in to 2-3 page written summary of current state.

Deliverables:

1. Notes from Key Informant Interviews, including examples of existing good practice identified through KIIs.
2. Synthesis report summarizing current state
3. Recommendations report of 10-20 pages (inclusive of references, annexes and footnotes) detailing:

•  Legal standards which must be reflected in future policy/guidelines;
• Donor compliance standards which must be included in the policy/guidelines;
• Sections of existing IRC policies with which a new beneficiary data retention policy should be consistent;
• A recommended maximum and minimum timeframe for retention of different forms of beneficiary data.