WHO Data Policy
Personal Data Protection Policy
The World Health Organization’s Personal Data Protection Policy entered into force on 15th April 2024. It marks WHO’s commitment to protect Personal Data held by WHO to continue upholding the trust of Member States and collaborating partners.
The collection, analysis, publication and dissemination of health-related data are core elements of WHO’s mandate, in line with WHO data principles. WHO must transfer and receive personal data to and from third parties in its daily operations in pursuit of this mandate.
The policy outlines the rules and principles relating to the processing of Personal Data held by WHO. The rights of the data subjects are outlined in the policy with clear mechanisms to manage possible data breaches, underscoring the roles and responsibilities of WHO’s Data Protection and Privacy Officer. The full text can be found here.
This Policy should be read in conjunction with other existing internal policies of WHO outlined in the data section of WHO’s eManual, notably:
WHO policy on the use and sharing of data collected by WHO in Member States outside the context of public health emergencies
Data are the basis for all sound public health actions and the benefits of data-sharing are widely recognized, including scientific and public health benefits. Whenever possible, WHO wishes to promote the sharing of health data, including but not restricted to surveillance and epidemiological data. The purpose of the policy is to clarify current policy and practice on use and sharing of data collected in Member States by WHO. This page summarizes the principles and requirements of the policy. The full text of the policy can be accessed here.
Policy Statement
The policy applies to the use and sharing of data collected by WHO in, and/or provided to WHO by, Member States (see Annex), outside the context of public health emergencies. The policy allows, but places no obligation on, WHO or Member States to collect, anonymize, analyse or share other health data than those already being collected, anonymized, analysed and shared.
- Terms applicable to the provision of data to WHO by Member States (see Annex)
The text in the Annex hereto should be included in all data collection forms in all data collection tools (paper-based, electronic or other) used by WHO to collect data from Member States. By providing data to WHO pursuant to these terms, Member States confirm that the data (including but not limited to the types listed in Table 1) have been collected in accordance with applicable national laws, including data protection laws to protect the confidentiality of identifiable persons.
- Terms applicable to the use of the data by WHO (see Annex)
By providing data to WHO pursuant to the terms contained in the Annex hereto, Member States agree that WHO shall be entitled, subject always to measures to ensure the ethical and secure use of the data, and subject always to an appropriate acknowledgement of the country:
- to use and publish the data, stripped of any personal identifiers (such data without personal identifiers being hereinafter referred to as “the Data”) and make the Data available to any interested party on request on terms that allow non-commercial, not-for-profit use of the Data for public health purposes (provided always that publication of the Data shall remain under the control of WHO);
- to use, compile, aggregate and analyse the anonymized data and publish the results in conjunction with WHO’s work and in accordance with WHO’s policies and practices.
- Measures to ensure the ethical and secure use of data
Such measures are required to protect privacy and confidentiality and avoid stigmatization or exclusion of people or communities as a result of data collection. In cases where the compilation, analysis and sharing of aggregated data raise ethical concerns or present risks with regard to confidentiality, WHO will:
- use anonymization and other tools, as appropriate;
- comply with informed consent agreements where such consent is needed and respect assurances about ways in which the data (anonymized or otherwise) would be used, shared, stored or protected; and
- adopt appropriate security measures to foster public trust.
- Security of data at WHO
Information security at WHO is based on the ISO 27001 standard. WHO has formal and comprehensive information security policies with respective implementation guidelines. Policies cover information security, access to information and systems, cloud computing, application security, information classification and related security standards. As international civil servants, all WHO staff are required to adhere to confidentiality as detailed in Staff Regulation 1.6.
- Additional safeguards
As an additional safeguard to WHO, to Member States and to individuals, an independent data review committee will be established at WHO to consider, on a case-by-case basis and in consultation with relevant departments in WHO, any instances where the current policy provides inadequate guidance on data-sharing.
In addition, any platforms established to share data should have an explicit ethical framework governing data collection and use.
Practical Information
The policy was introduced on 1 January 2018 and will be monitored and evaluated over a 12-month transition period (at least one data collection cycle for technical programmes in WHO). Subsequent modifications may be made taking into account the views of technical departments at WHO (compiling and analysing data), Member States (providing data) or third parties (receiving data). The policy will not be applied retrospectively to data already provided by Member States to WHO, and/or which have already been shared by WHO with third parties.
The policy:
- covers the use and sharing of data only, not biological samples;
- excludes data shared in the context of public health emergencies, including officially declared public health emergencies of international concern (PHEICs) under the International Health Regulations (2005);
- excludes data and reports from clinical trials (1)
(1) WHO’s existing position is that:
(i) all clinical trials are to be prospectively registered in a clinical trial registry meeting international standards (http://www.who.int/ictrp); and
(ii) at a minimum, a summary of results from the clinical trial is to be made publicly available within 12 months of study completion (http://www.who.int/ictrp/results/reporting/en).