Context aware file sharing protocol designed for mobile devices
INFORMATION SHARING AND DATA PROTECTION PROTOCOL …
Transcript of INFORMATION SHARING AND DATA PROTECTION PROTOCOL …
1
INFORMATION SHARING AND DATA PROTECTION
PROTOCOL FOR COMPREHENSIVE CASE MANAGEMENT
INCLUDING FAMILY TRACING AND REUNIFICATION (FTR)
Unaccompanied and Separated Children Working Group (UASC WG)
and Case Management Task Force (CMTF), South Sudan
June 2019
2
TABLE OF CONTENTS
Acronyms …………………………………………………………………………………………………………………………………………..3
1. Introductions and background information…………………………………………………………………………………..4
1.1 Information management principles and Standard definitions ………………………………………………………….5
2. Purpose…………………………………………………………………………………………………………………………………………6
3. Ground rules, confidentiality, access to information and data protection……………………………………..5
3.1 Ground rules……………………………………………………………………………………………………………………………………..5
3.2 Confidentiality of data and information management……………………………………………………………………...6
3.2.1 Information management…………………………………………………………………………………………………………7
3.2.2 Confidentiality Agreement………………………………………………………………………………………………………. 7
3.2.3 Child Participation……………………………………………………………..........................................................8
3.2.4 Best Interests of the Child ……………………………………………………………………………………………………….8
3.2.5 Access to information and data protection ………………………………………………………………………………8
3.2.5.1. Adherence to the protocol …………………………………………………………………………………………………..8
3.2.5.2 Passwords……………………………………………………………………………………………………………………………..8
3.2.5.3 Information management during FTR process……………………………………………………………………….8
3.2.5.4 Information Management by Handling Agency …………………………………………………………………….8
3.2.5.5 Information sharing with community members for FTR………………………………………………………..9
3.2.5.6 Information Management by Receiving Agency ……………………………………………………………………9
3.2.5.7 Information management during Case Management processes …………………………………………..9
3.2.5.8 Information Sharing with Authorities during Reunification………………………………………………… 10
4. Data security and protection ………………………………………………………………………………………………………..10
4.1. Storage of paper files……………………………..………………………………………………………………………………….…..10
4.2 Electronic files………………………………………………………………………………………………………….……………………..11
5. Systems administrator and authorised users for CPIMS/CPIMS+…………………….………………………..……12
6. Specific types of information shared by CP organisations………….……………………………………….………….12
7. Data Sets ………………………………………………………………………………………………………………………………………14
8. Time Limit …………………………………………………………………………………………………………………………………….19
9. Breaches of the Information Sharing and Data Protection Protocol ………………………………………………19
10. Emergency evacuation and relocation plan…………………………………………………………………………………20
11. Annexes………………………………………………………………………………………………………………………………………21
12. Signatories of the Information Sharing and Data Protection Protocol……………….…………………………21
3
ACRONYMS
UASC- Unaccompanied and Separated Children
CMTF- Case Management Task Force
CPIMS- Child Protection Information Management System
CPIMS+- Child Protection Information Management System + (Primero platform)
SOP- Standard Operating Procedures
CP- Child Protection
UN –United Nations
DPIA – Data Protection Impact Assessment
CCM- Comprehensive Case Management
UNCRC – United Nations Convention on the Rights of Children
UNHCR- United Nations High Commissioner for Refugees
IOM-International Organization for Migration
UNICEF- United Nations Children's Fund
ICRC - International Committee of the Red Cross
CPSC- Child Protection Sub cluster
CPWG- Child Protection Working Group
ISP- Information Sharing Protocol
CPMS- Child Protection Minimum Standards in Humanitarian in Action
IASC- Inter Agency Steering Committee
MGCSW- Ministry of Gender, Child and Social Welfare
FTR-Family Tracing and Reunification
RRF- Rapid Respond Funds (Funded through IOM)
UNFPA- The United Nations Population Fund
UNIMISS-United Nations Mission in South Sudan
WHO-World Health Organization
PSS-Psycho Social Support
PFA-Psychological First Aid
OHCHR- Office of the High Commissioner for Human Rights
4
1. INTRODUCTION AND BACKGROUND INFORMATION
The Unaccompanied and Separated Children Working Group (UASC WG) and the Case Management
Task Force (CMTF) under the Child Protection Sub-Cluster in South Sudan have been working towards
strengthening case management system in South Sudan. The Information Sharing and Data Protection
Protocol, which was last updated in March 2017, has now been revised to reflect current context in line
with developments in South Sudan. This includes the Comprehensive Case Management Standard
Operating Procedures (SOPs) launched in September 2018 that will help to expand the scope from UASC
and Family Tracing and Reunification (FTR) to comprehensive case management services supporting the
most vulnerable children1 facing child protection risks and the piloting and transition from Child
Protection Information Management System (CPIMS) system to CPIMS+ for the Child Protection
organisations. The revisions also provide guidance for all child protection actors on safeguarding
children and families’ information and data and on helping to establish data evacuation plans
considering external risks faced by organisations working in South Sudan. This will ensure that all Child
Protection organisations agree on Information Sharing and Data Protection Protocols to support safe
and ethical data storage, sharing, archiving, other processing, and destruction as a last resort.
1.1 Information management principles and standard definitions
Confidentiality: Ensuring that information disclosed by a child is not used without assent of the child
and consent from the parent or legal guardian. It should not be shared without the child’s
permission, except in exceptional circumstances (i.e. where necessary for the protection and safety
of the child in line with best interests or where service providers are required by law to report
abuse).
Informed Consent: It is the voluntary agreement of an individual who has the legal capacity to give
consent. To provide consent, the individual must have the capacity and maturity to know about and
understand the services being offered and be legally able to give his consent. Parents/ caregivers are
typically responsible for giving for their child to service services until the child reaches 18 years of
age. Children over 15 are able to provide informed consent themselves, however their parent or
caregiver should be included with the child’s permission2.
Informed assent: It is the expressed willingness to participate in services. For younger children who
are by definition too young to give informed consent, but old enough to understand and agree to
participate in services, the child’s “informed assent” is sought. Informed assent is the expressed
willingness of the child to participate in services
Mandatory Reporting: Laws or policies that require certain agencies and/or persons in helping
professions (teachers, social workers, health staff, etc.) to report actual or suspected child abuse
(e.g. physical, sexual, neglect, emotional and psychological abuse, and unlawful sexual intercourse.
In South Sudan, the Child Act (2008) section 34, states “it shall be the general duty of any member of
the community, who reasonable suspects that a child’s rights have been, or are being, or likely to be
1 subjects of case management include but are not limited to Internally Displaced Persons (IDP), refugees, host community children, Orphans and Vulnerable Children (OVC), Persons living with Disabilities (PLWD), Unaccompanied and Separated Children (UASC), Children Associated with Armed Forces and Groups (CAAFAG), and any other children affected by child protection concerns as detailed in Vulnerability and Risk Assessment Criteria in the SOPs. 2 Informed Consent/Assent section 4.3. Comprehensive Case Management SOPs, South Sudan, September 2018
5
infringed upon, to report the matter to a Chief or Social Worker, a Local Government Official, the
police, or the Public Attorney who shall promptly investigate the case and take appropriate action,
including submitting it to the Court for redress on behalf of the child.” The penalty in South Sudan for
not reporting can be a fine and/or up to 6 months in jail.
Need-to-know: The case-by-case disclosure of information only with those individuals for whom the
information will be used for the protection of the child.
Personal Data: Any data or related information about an individual who can be identified from that
data and other information. Personal data includes biographical data (bio-data) such as name, sex,
marital status, date and place of birth, country of origin, country of asylum, individual registration
number, occupation, religion and ethnicity, biometric data (such as a photograph, fingerprint, facial
or iris image), as well as any expression of opinion about the individual, such as assessments of the
status and/or specific needs.
Personal Data breach: A breach of data security leading to the accidental or unlawful/illegitimate
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transferred,
stored or otherwise processed.
A Handing Over Agency is the Child Protection organization which carries out one or more parts of
the process of identification, documentation, interim care (where necessary), tracing and
reunification of a child and then turns over the remaining processes or the case itself (i.e., the
physical transfer as well as electronic) to another agency.
A Receiving Agency is the Child Protection organization that takes over the case of a Vulnerable
child from another agency during any phase of the process for completion of remaining actions and
phases.
2. PURPOSE
This Information Sharing and Data Protection Protocol has been revised to be in line with the
Comprehensive Case management SOPs for South Sudan launched in September 2018 and
accommodates recent developments in South Sudan aiming at strengthening Case Management
systems. It has been revised by the UASC WG and CMTF partners implementing Child Protection
interventions and coordinating within the CPSC in South Sudan. It helps to ensure the highest possible
standards of information and Case Management principles, safety of children and caregivers, safe and
ethical data storage, sharing, archiving processing and destruction as a last resort. It will also ensure
coordinated flow of information, define type of agreed information and data sets to be shared with CP
actors, non-CP actors, Donors, Government, local authorities and UN agencies. Lastly, the Information
Sharing and Data Protection Protocol provides regulations and guidelines for all child protection
members which is also complementary and integral to the comprehensive case management SOPs and
complements the UASC SOPSs for South Sudan. It ensures that information is only accessed to those
authorised to do so in line with child’s best interests, confidentiality and ‘need to know’ principles. All
organisations signing this Protocol agree to comply with it insofar as it does not contradict their internal
data protection or other relevant policies.
6
3. GROUND RULES, CONFIDENTIALITY, ACCESS TO INFORMATION AND DATA PROTECTION
3.1 Ground rules
All Child Protection Sub-Cluster members have to ensure:
There is clarity on the need to share the information (see 1.1. ‘need to know’ principle)
The Handing Over Agency will only share with the Receiving Agency the personal data that is needed
for the Receiving Agency to be able to provide the assistance/services needed, and not
unnecessarily share more personal data.
All case workers and Child Protection staff are sensitised, understand and adhere to this Information
Sharing and Data Protection Protocol.
That the child/caregiver has given their assent/consent for information to be shared in line with
Comprehensive Case management SOPs.
The person with whom the information is to be shared with, belongs to an agency that has signed
this Inter-Agency Information Sharing and Data Protection Protocol.
Electronic documents containing personal data must be password protected using passwords stored
in a secure place. The means used to share such electronic documents and the means used to share
the password should be different such as sharing in different email communication.
Paper files with personal data are kept in a lockable cabinet by the agency in possession of them.
Case Information shared verbally should be transmitted in a confidential place.
Child Protection staff using work mobile phones for recording case data, voice recording, photos
have to seek consent/assent from children and caregivers and use it solely for Case management,
FTR or to facilitate Referrals and access to services in line with identified needs.
A reasonable level of security for supplied information, personal or non-personal, and process the
information accordingly and as established in the Data Protection Protocols.
Where serious safety concerns, mandatory reporting laws in South Sudan require social workers,
teachers and health workers to report cases of actual or suspected child abuse to local authorities.
Mandatory reporting laws should be explained to the child and parent/caregiver during the
informed consent process. Decisions regarding compliance with mandatory reporting laws should be
taken by the Management team for the protection of the workers.
An agreement or code of conduct outlining these obligations is signed by all staff with access to
personal data related to child protection case management and FTR.
3.2 Confidentiality of data and Information Management
This Information Sharing and Data Protection Protocol is based on confidentiality, information
management and do no harm principles. Keeping data confidential is critical to protecting children’s
safety and security to prevent the misuse of information for purposes beyond their control, including
their exploitation, stigmatization and abuse, either intentionally or unintentionally. Confidentiality is the
condition on which sensitive data is protected and disclosed only to authorised persons during
reporting, interview, tracing and record keeping. It can be a legal protection and assurance of the
beneficiary right to privacy. Information can be stored or transmitted verbally, on paper or
electronically. In all circumstances, confidentiality must be maintained and the child and/or
parent/caregiver’s choices/informed assent/consent sought and adhered to.
7
3.2.1 Information management
This protocol also adheres to the Child Protection Minimum Standards in Humanitarian in Action (CPMS) 3standard 5 in which up-to-date information necessary for effective child protection programming is
collected, used, stored and shared, with full respect for confidentiality, and in accordance with the ‘do
no harm’ principle and the best interests of children.
3.2.2 Confidentiality Agreement
Any child based on their evolving capacity can choose the level of detail in which they are willing for
their personal information to be shared. This also enables him or her to highlight any information that
they do not want any particular person or organization to know. E.g., they prefer to hold some personal
information from family members in order to communicate face-to-face.
3.2.3 Child Participation
Confidentiality is central to the principles of ‘Best interests’ and ‘Participation’ for children as per UNCRC
and South Sudan Child Act 2008.4 It is therefore important to ensure that the child actively participates
in decisions and issues that affect their well-being and recovery from distressful events. However, the
extent to which their opinions are taken into account will depend on age and maturity and what is in
their Best interests. It is recommended to look at the evolving capacity of the child to determine if a
child is capable of making decisions and taking action where they could understand the implications of
their participation. For UASC placed under temporary care, the case workers should ensure that the
child (based on evolving capacity) is given an opportunity to confidently share and express their own
wishes, including wishes to change their current care arrangements in case they are abused or exploited.
3.2.4 Best Interests of the Child
If a child’s safety or well-being is in severe danger or the child is at risk, case workers have a
responsibility to refer or pass information to humanitarian organisations or local authorities within the
referral pathway. When caseworkers work with a child who is old enough to understand this potential
exception to confidentiality, they should be informed about it from the beginning. The child may choose
not to tell anything to the case worker; however, the loss of trust that comes from sharing information
without the child’s knowledge will be very damaging and in most cases a careful explanation on the
limits of who would need to be informed and the reasons for this will reassure the child.5
If the child does not provide permission for sharing information (assent), it is important to consider the
child’s ability to understand the consequences of the decision. Determination has to be made that
sharing the information will be in the best interests of the child (i.e. If Child Protection organization
believe the consequences of failing to refer would be serious putting the child at more risk hence
sharing the information against his/her wishes and in line with his/her best interests; considering safety
3 Child Protection Minimum Standards for Child Protection in Humanitarian Action, 2012, Standard 5: 'Information Management' 4 These principles are outlined in the United Nations Convention on the Rights of the Child, and the Organisation of African Unity African Charter on the Rights and Welfare of the Child. 5 Comprehensive Case Management SOPs South Sudan. Consent section.
8
of the child and dignified support if the parent/caregiver refuse permission to share information, then
the same considerations of acting in the best interests of the child will apply.
3.2.5 Access to information and data protection
3.2.5.1. Adherence to the protocol
The protocol constitutes a strict set of rules that all organisations participating in Child Protection, Case
Management and Family Tracing and Reunification interventions in South Sudan must adhere to. All
organisations participating in such interventions must have their staff oriented and complying with it
and their Head of Organisation will sign this Information Sharing and Data Protection Protocol. All
organisations must therefore commit to share this ISP and Data Protection protocol to all Child
Protection staff, ensure that they are well trained and adhere to the Protocol. Any breach of the
Information Sharing and Data Protection Protocol will be dealt with in accordance to the policies and
procedures set by each organisation, discussed at the CMTF and presented to the CPSC for any further
actions.
3.2.5.2 Passwords
All Child Protection organisation staff computers must have a strong password (i.e. containing at least 8
characters including numbers, capital letters and special characters and avoiding words that could be
easily guess such as Child2019). Computers must be programmed to automatically lock if the user is
away from the machine. Electronic Case Files or Excel Sheets, including Excel Sheets and Files exported
from the database, must be password protected using the passwords provided by the sender that is
confidentially shared using different means.
3.2.5.3 Information management during FTR process
Family Tracing and Reunification can only be functional if information is shared promptly and efficiently
to enhance tracing and reunification. Data of UASC should be shared for family tracing purposes as soon
as it is available (daily, weekly) and as necessary for the purposes of tracing and reunification.
The CPIMS/CPIMS+ is the main data management tool for FTR in South Sudan. All Child Protection
organisations should therefore ensure that any data on unaccompanied, separated and missing children
is included in the CPIMS/CPIMS+ at field and national level. All organisations implementing FTR must
have CPIMS installed and encrypted data should be transferred to national level database that is
managed by Save the Children International System Administrator through the CPIMS export/import
function on a weekly basis. The database keep data of children who are separated, unaccompanied,
missing and other at risk children. It facilitates instant matching of records, allowing for rapid
identification of possible 'lost' or relocated children6.
3.2.5.4 Information Management by Handling Agency
FTR data should be collected using the Case Management and FTR toolkit (forms) including informed
assent/consent of the child. All FTR focal points in each organisation are responsible for ensuring
information of children is collected appropriately, well stored and managed. Within a specific
6 IA CP IMS factsheet
9
organisation, the information should only be shared with staff working directly on FTR for the purposes
of follow up monitoring, child verification and reintegration follow up. Only statistical or anonymised
information (e.g. number of separated/unaccompanied children documented, number of monitoring
visits or number of children reunified) should be shared with others not working directly with children.
3.2.5.5 Information sharing with community members for FTR
Child’s information should only be shared with parties that will facilitate FTR. During tracing and
verification, community mechanisms can be very helpful to facilitate identification of families. When
using mass tracing method (e.g. public sharing of lists or photographs), or door to door tracing, it is
important to only share essential information that will guide the case worker for tracing. All other
information about the child should be cross-referenced from the records by the case worker and not
with the entire community to verify the information. During follow up monitoring, the case worker
should provide updates to the child on the outcome of tracing, as well as gather any information that
can further assist.
3.2.5.6 Information Management by Receiving Agency
During the FTR process, information about cases may be shared with the Receiving Agency7; either to
verify the details of the adult for reunification to occur or case transfer in case the child or the adult to
be traced has moved location. For adult verification, information about the adult, location, local leaders
and name of the child is sufficient for sharing with Receiving Agency for the purpose of tracing the adult
and verifying if they are the parents/caregivers of the child. These should be cross-referenced by the
handling agency, to see if the information matches and to proceed with reunification. In situations of
case transfer, the entire case file of the child shall be shared in order to continue FTR and Case
Management. In any case, informed assent/consent of the child should have been sought during
registration, to ensure that sharing of the data is ethical. During case transfer, this will need to be clearly
communicate to the child and the family and seek consent to continue receiving services. The data shall
be shared in soft copy through the CPIMS or CPIMS+. Data about cases may also be shared with a
receiving agency, in cases where an organisation stops its operations in a location and hands over to a
different organisation. This should be done with prior consultation and meeting with CMTF/UASC WG
and CPSC in which records of the minutes should be shared and archived. In this case, paper files
(physical files) are handed over to the Receiving Agency8.
3.2.5.7 Information management during Case Management process
In line with the Case Management SOPs, inter-agency vulnerability criteria must be used to identify
vulnerable children to receive Comprehensive Case Management services. The informed assent/consent
of the child should be sought before registration, during referrals to access other services, before
discussion in case conferences or before case transfer. Complex cases will be discussed with only
members concerned with the case and in line with the case conferences guidelines as stated in the Case
Management SOPs, complex cases will be flagged for support and advocacy to the CMTF. All partners
7 Comprehensive Case Management SOPs, South Sudan. Case transfer section. 8 Handover guidelines within the Case Management and UASC SOPs, South Sudan.
10
must strive not to discuss cases with children’s details over emails and identifiable information must not
be shared.
During Referrals, the Referring Agency must only share the bio-data of the child needed to provide the
service (e.g. name, age and address). This can only be done if the child and the family has agreed to this
referral being made on their behalf considering of their participation. At all times, the handling agency
should take the responsibility to ensure all ethical procedures are followed.9
3.2.5.8 Information Sharing with Authorities during Reunification
Close coordination should be maintained between authorities at airports/transit points and FTR
organisation. This coordination will be led by Save the Children and UNICEF and individual organisations
will ensure safe and smooth movement of children during reunification and prior communication to
Authorities related to FTR processes. In cases where organisations perceive that sharing information of
children may put their families at risk or in fear, advance notice should be given to the National Security
at airport/transit port, with an explanation of what FTR organisations do, so that children are not
interviewed on arrival. Coordination support should be sought from the Ministry of Gender, Child, Social
Welfare, Ministry of Humanitarian Affairs and Department of Humanitarian Affairs. It is important to
note that what is required by National Security varies from State to State and may need to be
negotiated at State level, with the support of State level focal points from the Child Protection Working
Group or Child Protection Sub-Cluster.
4. DATA SECURITY AND DATA PROTECTION
4.1 Storage of paper files
All children undergoing comprehensive case management processes should be assigned a unique code
autogenerated by the system. The code should be used to refer to the child’s case either verbally, on
paper or electronically (including in word documents, emails, skype conversations, etc.) in place of any
identifiable information such as name or date of birth. The paper forms should be stored in lockable
cabinets. It is the responsibility of each partner to budget for and procure lockable cabinets. The forms
provide necessary details for case workers to do their work and where possible forms should be stored
in locations or sites where the case work is on-going. The information needed at the central level is for
the purpose of case monitoring, transfer of data between States, in support of international tracing and
for backup. In addition, each organisation has a responsibility to conduct regular security and risk
assessments to determine security of data and information and develop actions to mitigate those.
Therefore, it is not necessary to maintain original paper case files at headquarter offices.
Paper files should be stored as follows:
1. Each case should be stored in its individual case file clearly marked with the individual case code on
the cover of the file. It is imperative that the child’s name should not appear on the cover of the file.
9 Identification and registration form and Case Management SOPs on obtaining consent/assent.
11
2. Each case should be kept in a secure place and accessible only by assigned and responsible
personnel. This usually means that they are stored in a lockable filing cabinet and the keys kept with
the person responsible for the information.
3. Each case should be transferred by hand between people responsible for the information.
4. The original copies should be kept safely with the registering organisation at State level.
5. Printing, photocopying or scanning of data related to children should be in-house (within office
premise) and no files should be printed, photocopied, or scan in public printing places. Any extra
copies of forms should be fully destroyed.
6. Original documents (such as school certificates, birth certificates etc.) useful during case
management processes should be scanned and then returned to the child/family.
7. Paper files and/or filing cabinets should be marked with a color-coding system according to
sensitivity of data they contain and inform the order of priority in which they should be
removed/destroyed in the event of an emergency evacuation or relocation. The colour coding will
be determined by the CMTF.
8. The CPIMS/CPIMS+ should be considered to transfer data between Child Protection organisations
together with paper files for continuity of comprehensive case management services. Ensure case
handover meetings are held in line with Case Management SOPs.
9. Storage rooms or offices containing paper or electronic information should be secured and locked
when not in use.
4.2 Electronic files
1. All laptops, phones, tablets used for Comprehensive Case Management should be installed with up-
to-date anti-virus software for prevention of loss of information, useful data and only accessed by
assigned authorised users.
2. Staff are not allowed to save case management and FTR information on their personal electronic
devices. Only work-assigned devices can be used for managing information related to child
protection case management and FTR.
3. They should also be encrypted using strong password to prevent unauthorised access. It is
recommended that the password should contain at least 8 characters including numbers, capital
letters, special characters that cannot be easily guessed. In addition, any default shared network
drives should be disabled and the password must be changed on a regular basis.
4. The authorised personnel should ensure the laptops, tablets or phones are locked when not in use
and stored in a safe place. When authorised personnel leave the organisation, the organisation
should ensure proper handover of all information and data as well as to erase any identifiable
information before handover. Their access should also be immediately disabled or revoked in the
CPIMS or CPIMS+.
5. All electronic information of children should be password protected and the password should
change on a regular basis or when some authorised personnel leaves the organization.
6. Information should be transferred online by encrypted or password protected files ensuring e-mails
are only sent to the intended recipient.
12
7. Memory sticks (USBs) should be passed by hand between people responsible for the information
and be password protected and the file erased immediately after transfer. Ensure that the file is also
permanently erased from the recycle bin files.
5. SYSTEM ADMINISTRATOR AND AUTHORISED USERS FOR CPIMS/CPIMS+
1. When a user of the CPIMS/CPIMS+ ceases to be an authorised user or System Administrator, their
access to the system should be immediately revoked and a new administrator or authorised user
assigned. The System Administrator has the responsibility to ensure only authorised users access
the CPIMS/CPIMS+
2. Hosting data on the cloud service must be in line with South Sudan national legislation. Minimum
standards of data security should be met by any cloud services provider, for example ISO 27000.
Cloud services should also include automatic data backups, failover features, and full encryption.
3. It may be necessary for organisations to share data with the CPIMS/CPIMS+ Help desk for technical
support. Whenever possible, this data should be limited to anonymised data. In the event that the
identification of a specific record is required in order address a problem, partners should always
refer to this record using the unique identifier. Help Desk technical support teams should be
required to sign confidentiality waivers.
4. Closed files are archived accordingly in the CPIMS+ and it is not possible to delete case files. Once
they are closed they no longer show up as active case in the case worker case list.
6. SPECIFIC TYPES OF INFORMATION SHARED BY CHILD PROTECTION ORGANISATIONS
Recipients of
information
When Why To whom What How
Government
and local
authorities
supporting
FTR or Case
Management
services
When there is
conflict or
displacement and
there is need to
determine the
best interest of
the child and
advocate for
access to services
Access to services
for child and family
For accountability
Safety of the child
and case worker
Government social
workers
Police,
Security officers
Ministry of
Humanitarian Affairs
and disaster
management
Local authorities staff
(Child Protection
officers from
Department of Social
Welfare)
South Sudan Relief,
Bio data,
referring and
receiving
agencies
Electronically, physical
documents, phone
calls and emails when
applicable
13
Rehabilitation and
Reintegration
Commission (RRC)
Donors At proposal and
design stage for
fundraising and
for quality
reporting to show
progress and
impact
Resource
mobilization,
Advocacy,
Fundraising,
Accountability,
Compliance
Donor focal person Statistics, trends
and Success
stories
Reports, Emails and
meetings
ICRC, UN
agencies and
CPSC
As required
during crisis
situation (armed
conflict, flood,
epidemic,
intercommunal
conflict etc.)
Advocacy purpose
Fundraising
Immediate
response
Focal points within IOM;
UNICEF; UNHCR; UNFPA
IOM; CPSC;UNIMISS;
ICRC
Statistics,
Aggregared
data, Sitreps,
Assessments,
Reports
Emails,
Direct contacts,
physical documents,
Coordination
meetings,
Dissemination through
humanitarian
dissemination
platforms,
Relief webs,
Newspapers and briefs
Other service
providers
When cases that
cannot be solely
supported by the
CP organisation
and needs to
refer to additional
services within
case
management
after seeking
assent/consent
Referrals for other
services including
specialised services
and included in the
existing referral
pathways for
service provision
agreed by CPWGs
To CP and non CP actors
within the referral
pathway including
Health, Nutrition,
Education, legal
services; among others.
Includes CMTF and
UASC WG leads.
Inter-agency
referral form,
case plans
Email, paper copies
and meetings
14
Other Child
Protection
organisation
When handover
to another CP
organisations is
needed as per
handover
guidelines
Funding constrains,
Change of child or
adult location,
When partners are
moving out of a
locality or due to
end of funding
cycle. CPSC to
come up with
measures to ensure
longer term
projects are funded
to prevent causing
harm to children.
New CP organisation
taking up the cases
Physical forms,
backend and
CPIMS system,
Hard and soft
copies
Physical case files and
Electronic after
completing the assent
and consent
7. DATA SETS
The purpose of the table below is to provide information on the different data sets that will be required
for Child Protection organisations to beshared with different agencies using the ‘need to know’
principle.
UN Agencies /ICRC Dataset/Information Reason for sharing
UNICEF Bio-data
Dates of referral
Case Summary
Sending and receiving
organisation
Physical address of child home
Case History i.e services
provided /referrals etc.
Introduction letter (to be used
for flight bookings and
immigration clearance).
Sharing Personal Data is only allowed for the purpose of
flight booking or when referring for direct services to
UNICEF FTR Specialist and focal point. UNICEF supports
information sharing with WFP and UNHAS related to flights
booking to support family tracing and reunifications
As last resort UNICEF provides direct services to children
and their families in some locations where there is no any
other Child Protection partner.
IOM Bio-data (smuggled and
trafficked children only).
Parents/caregivers name.
Summary of the case (i.e.
smuggled or trafficked
children)
Referring agency
Date of referral
IOM provides technical and practical support to migrant
children ensuring that they are able to access a wide range
of protection and assistance services including assisted
voluntary return and reintegration (AVRR) in order to
support children’s sustainable recovery from a situation of
vulnerability, exploitation, and abuse. Protection and
assistance services also include providing migrant children
with access to solutions, such as return and reintegration
to the country of origin, local integration, alternative care
15
options and resettlement to a third country as per their
best interests. IOM should be notified of any cases of
smuggled or trafficked children. IOM does not require
sharing of case ID but need different data sets for
information.
ICRC Bio-data
Circumstances of separation
Current location
Date of separation
Name of parents/primary
caregiver
Last known address,
Details of current caregivers,
tribe/sub tribe (etc.)
ICRC has a specific mandate under the Geneva Convention
to ensure humanitarian protection and assistance for
survivors of armed conflict and emergencies. ICRC plays a
key role in FTR cross-border, reunification of adults and
restoring family links. They locate people, exchange
messages, reunite families and clarify the fate of missing
persons. ICRC will evaluate on case by case basis and will
give feedback to the referring agency. Information of
children needing cross border tracing will be shared with
the ICRC focal point.
UNHCR Bio-data
Parents/Caregiver’s name
Summary of the case
Referring agency
Date of referral
Introduction letters (to be
signed by the Representative)
As the protection agency mandated to protect refugee, returnee and displaced populations, UNHCR’s core activity is protection of refugee children and asylum seekers. UNHCR works directly and through partners, with national authorities, other international and local organisations to assist and protect refugee children, ensure that those who are unaccompanied or separated are cared for and have access to family tracing and reunification services (FTR), that children are registered at birth and children with disabilities are supported. Depending on their needs UNHCR conducts case management on a child’s individual case including but not limited to best interest assessments (BIAs) and best interest determinations (BID) to plan future interventions and find the most viable durable solution in line with its Policy on the Protection of Personal Data of Persons of Concern. UNHCR also supports repatriation in both involuntarily or
spontaneous repatriation. Cross border case management
between South Sudan and other countries will be carried
out by the ICRC in collaboration with UNHCR and other
appropriate designated CP agencies. UNHCR doesn’t
require sharing of case ID but need different data sets for
information.
WHO
Aggregated data with
situational reports
Protection issues
WHO requires situational reports/overview of the situation
16
Affected population
Type of support required
Affected age group
Gender
Location
Dates
CPSC at National level Case Summary
Aggregated data
Dates
Sending and receiving agencies
Affected population
Location
The Child Protection Sub-Cluster is the primary forum for
coordinating Child Protection activities in South Sudan
during the current emergency. It is co-led by the
Government of South Sudan Ministry of Gender, Child and
Social Welfare (MOGCSW) and UNICEF on behalf of the
humanitarian response. It supports a coordinated,
comprehensive and predictable response for children
affected by the conflict and other emergencies across
South Sudan. All organisations providing child protection
services, including case management, should be working as
part of the CPSC to ensure effective coordination and
positive results for children.
National-level coordination entails: Mapping of key
partners at different levels & capacity assessment;
Coordination with key partners at the national level
Supporting State level Child Protection coordination
structures; Planning and strategy development, Policies &
standards setting and tools development, capacity
building, and quality assurance, and National Coordination
and thematic review
CPWGs at state level Case Summary
Aggregated data
Dates
Sending and receiving agencies
Affected population
Location
Field level CPSC focal points are present in all States and
some deep field sites. These focal points are responsible
for coordinating state level implementation of Child
Protection activities. All organisations providing child
protection activities at State or Community level should be
represented at the CPSC coordination meetings to ensure
positive results for children.
State level coordination structure is under the leadership
of the focal point of the Child Protection Sub-Cluster and
oversee implementation of the provisions of SOPs.
They also provide regular update to the Juba national level
coordination structure on progress, problems and
constraints, including a request for any possible support
17
while ensuring diversification and participation of other
actors
Donors/External
requests
Situational reports- based on
numbers, location, time,
protection concerns and scope
of the problem
Success stories- with consent or
assent of the caregiver and
child, information given will be
guided by the do no harm
principles and best interests of
the child
Statistical reports containing
age, gender and services
provided
Type of services
provided/action taken
Further support required
Provide funding and required resources to implement Child
Protection interventions.
Organisations are required to only share aggregated and
anonymous data with donors. Sharing Personal Data with
external actors is not allowed because it is not necessary or
appropriate and violates the principles of confidentiality,
need-to-know information sharing, the best interests of
the child, and potentially the do-no-harm principle.
CMTF Case Summaries
Age
Date
Sending and receiving agencies
Physical address of child home
Consent /Assents
Case History i.e services
provide /referrals etc
Support required from CMTF
In 2017, the Child Protection Sub-Cluster recognised a
need to standardise Case Management for Child Protection
and provide appropriate services beyond Family Tracing
and Reunification. This led to the formation of the Case
Management Task Force (CMTF), a focused a group of case
management actors who collaborate to develop shared
tools, strengthen case management practices and monitor
the referral system.
CP and non CP actors
within the referral
pathway
Summary of the case
Name of the child
Age of the child
Name of referring person
(indicate name referring and
for feedback
Name of referring organization/
agency
Date of referral for follow up
and respond in line with
established timeframes
Receiving
No need to share case ID to other non CP actors for access
of services
Recommendations
Use email for communication, phone or thuraya for
organisations working in remote locations where there
is no access to internet
There is need for follow up with the receiving agencies
How data should be shared
From CPIMS+ user to CPIMS+ user – To share
information and referrals through the systems
18
party/agency/organization
Date of receipt of the referral
Consent for referral/take new
consent and where possible,
accompany the beneficiary to
access services
Address and how beneficiary
can be contacted
Type of services to be provided
(for the receiving organization
to know what type of action to
be undertaken)
CPIMS+ User to non CPIMS+ user – referrals can still be
done through attachments, email or physically taking or
linking children and their families to receiving agencies
Recommendations for feedback mechanisms
Organisations to follow up to confirm whether service
have been provided and to see if the Protection
concerns have been addressed or whether a child has
been reunified
Any other follow up with the referring agencies to be
done
Consent or assent to be sought before referring cases
Government/Local
Authorities
The following information can be
shared with local Authorities
Bio data- Name, age, photo,
gender (only during
reunification and safety at the
transit/transit point
Name of the caregivers for
verification purposes
For Referals that require access
for legal services – report to
special unit (Ministry of
Gender) which includes name,
age and offence
Organisations working in different locations to
coordinate and collaborate with local authorities to
provide support to vulnerable children
Data sets during case
transfer
All relevant information to be
shared with the receiving agency
for continuity of care and support
Key consideration:
Safety of the child
Consent or assent is sought
Receiving agency to have
signed the ISP
Receiving organization to have
CPIMS/CPIMS+ installed and in
use
To share open and active cases
Social workers from receiving
All organisations to follow case transfer SOPs and
CMTF to develop additional guidance note for case
transfers
How data to be shared
CPIMS+ to CPIMS+ can share referrals and case
transfers
CPIMS+ to non CPIMS+ to share referrals through
offline forms using the interagency referrals form
From non CPIMS+ to CPIMS- Not to share unless they
have signed ISP
19
8. TIME LIMIT
The commitment to uphold confidentiality and adhere to the Information Sharing and Data Protection
Protocol is not time bound. It will take effect on June 2019 and Child Protection organisations will use
and adhere to the protocol as members of the UASC WG, CMTF and CPSC in South Sudan. In June 2020,
after one year of trial of the Information Sharing and Data Protection Protocol, the CPSC with support
from UASC WG and CMTF will review the effectiveness, use of and adherence to the protocol. After that,
the ISP will then be revised on an annual basis if the change in context requires a review.
9. BREACHES OF THE INFORMATION SHARING AND DATA PROTECTION PROTOCOL
A breach means accidental or unlawful/illegitimate destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transferred, stored or otherwise processed.
Organisations affected by data breaches will notify the CMTF an immediate action will be taken if
the breach is likely to harm the child or family.
During monthly meetings, CMTF should look into data breaches and present findings and
recommendations to CPSC and SAG member for further actions i.e. written warning, suspension,
dismissal as a CPSC member.
and transferring agency to hold
meeting with the child and
caregiver and possibly conduct
introduction
Consent to be sought before
case transfer
To hold case load transfer
meeting in presence of the
third party
To include soft copies and
physical files
Data sets and
information sharing for
Anonymized data
Bio data, protection concerns,
type of service provided,
number of cases closed,
number of open cases,
Sex/gender of the child to be
included
Regular aggregated data to be
generated and discussed during
weekly and monthly
coordination meetings
Who to be shared with
CMTF lead and co-lead
Members of CMTF
CPSC
Other sectors, Government and donors
Recommendations
Using summarized data and report for advocacy on Child
Protection work in South Sudan
20
In the event the breaching partner is a member of Steering Advisory Group, the member will not sit
in the meeting where the specific data breach will be discussed and will be informed of the process,
provided that the specific member was able to provide comments on the breach in advance.
CMTF in collaboration with the CPSC will conduct awareness and capacity building on the ISP and
Data Protection protocol.
The CP organisations reserve the right to refuse sharing of information about all reported cases to
any external actor unless mutual understanding is made considering the measures to prevent any
potential harm to the child.
10. EMERGENCY EVACUATION AND RELOCATION PLAN
In the event of an evacuation and relocation, the management of the organisation must ensure that the
laptop(s) where the database is setup, its back up systems and paper files are moved to a safe location.
When moving database assets and paper files is not possible, management should ensure assets are
destroyed and papers burnt as a last resort after approval by the Child Protection Manager or equivalent
position. Information saved in the backup system will then become the only source of information of
cases. It should be noted that in some circumstances, it may not be necessary to destroy files and
therefore is more important to ensure they are properly secured and protected during the period of
evacuation and relocation. This is a judgment call that will need to be made by the management
depending on security assessment.
A clear evacuation and relocation plan should be developed with a ‘scheme of delegation’ dictating who
has responsibility for making decisions regarding removing or destroying data (for both paper and
electronic data). The plan should include various scenarios, taking into account the risks of violent
attacks, natural disasters, and heavy rains. This plan should be incorporated into the standard
evacuation and relocation plan for the whole organisation by Security Managers and Management Staff
and the sensitive nature of children’s data must be highlighted to all involved staff.
Heads of Child Protection organisations, Security Managers, Logistic Managers, Information Technology
Managers, Management team and Child Protection staff should know their individual responsibilities
detailed in the evacuation and relocation plan and be aware of the sensitive nature of data being
collected. Briefing on the evacuation plan should be part of the standard induction checklist for relevant
staff. Evacuation and relocation drills should be carried out periodically to ensure each individual knows
their responsibilities and is able to act quickly in an emergency evacuation and relocation. In the event
of a deteriorating security situation, evacuation and relocation plans should be reviewed and if
necessary, re-evaluated by Senior Management and Security personnel or equivalent depending on each
organisation.
21
11. ANNEXES
South Sudan Case management SOPs
UASC SOPs for South Sudan
FTR and CM forms
South Sudan Handbook for Case Workers
South Sudan FTR Handbook
Child Protection Minimum Standards in Humanitarian Action
12. SIGNATORIES OF THE INFORMATION SHARING AND DATA PROTECTION PROTOCOL
This section is for declaration of acceptance to comply, provided that there is no contradiction to the
organisation’s internal data protection or other relevant policies, and indicates the name of each
organisation, positions of representatives, sign and date.
With the signature below I declare that the authority or agency represented will comply fully with this
child protection case management Data Protection and Information Sharing Protocol.
AGREED ON BEHALF OF UNICEF
Name: Mohamed Ayoya
Title: Country Representative
Date:
Signature:
AGREED ON BEHALF OF SAVE THE CHILDREN INTERNATIONAL
Name: Rama Hansraj
Title: Country Director
Date:
Signature:
AGREED ON BEHALF OF MTT
Name:
Title:
Date:
Signature:
22
AGREED ON BEHALF OF CRO
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF INTERSOS
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF UNIDOR
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF HOLD THE CHILD
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
23
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
24
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
25
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
26
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
27
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
28
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
29
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
30
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature:
AGREED ON BEHALF OF
Name:
Title:
Date:
Signature: