1

INFORMATION SHARING AND DATA PROTECTION

PROTOCOL FOR COMPREHENSIVE CASE MANAGEMENT

INCLUDING FAMILY TRACING AND REUNIFICATION (FTR)

Unaccompanied and Separated Children Working Group (UASC WG)

and Case Management Task Force (CMTF), South Sudan

June 2019

2

TABLE OF CONTENTS

Acronyms …………………………………………………………………………………………………………………………………………..3

1. Introductions and background information…………………………………………………………………………………..4

1.1 Information management principles and Standard definitions ………………………………………………………….5

2. Purpose…………………………………………………………………………………………………………………………………………6

3. Ground rules, confidentiality, access to information and data protection……………………………………..5

3.1 Ground rules……………………………………………………………………………………………………………………………………..5

3.2 Confidentiality of data and information management……………………………………………………………………...6

3.2.1 Information management…………………………………………………………………………………………………………7

3.2.2 Confidentiality Agreement………………………………………………………………………………………………………. 7

3.2.3 Child Participation……………………………………………………………..........................................................8

3.2.4 Best Interests of the Child ……………………………………………………………………………………………………….8

3.2.5 Access to information and data protection ………………………………………………………………………………8

3.2.5.1. Adherence to the protocol …………………………………………………………………………………………………..8

3.2.5.2 Passwords……………………………………………………………………………………………………………………………..8

3.2.5.3 Information management during FTR process……………………………………………………………………….8

3.2.5.4 Information Management by Handling Agency …………………………………………………………………….8

3.2.5.5 Information sharing with community members for FTR………………………………………………………..9

3.2.5.6 Information Management by Receiving Agency ……………………………………………………………………9

3.2.5.7 Information management during Case Management processes …………………………………………..9

3.2.5.8 Information Sharing with Authorities during Reunification………………………………………………… 10

4. Data security and protection ………………………………………………………………………………………………………..10

4.1. Storage of paper files……………………………..………………………………………………………………………………….…..10

4.2 Electronic files………………………………………………………………………………………………………….……………………..11

5. Systems administrator and authorised users for CPIMS/CPIMS+…………………….………………………..……12

6. Specific types of information shared by CP organisations………….……………………………………….………….12

7. Data Sets ………………………………………………………………………………………………………………………………………14

8. Time Limit …………………………………………………………………………………………………………………………………….19

9. Breaches of the Information Sharing and Data Protection Protocol ………………………………………………19

10. Emergency evacuation and relocation plan…………………………………………………………………………………20

11. Annexes………………………………………………………………………………………………………………………………………21

12. Signatories of the Information Sharing and Data Protection Protocol……………….…………………………21

3

ACRONYMS

UASC- Unaccompanied and Separated Children

CMTF- Case Management Task Force

CPIMS- Child Protection Information Management System

CPIMS+- Child Protection Information Management System + (Primero platform)

SOP- Standard Operating Procedures

CP- Child Protection

UN –United Nations

DPIA – Data Protection Impact Assessment

CCM- Comprehensive Case Management

UNCRC – United Nations Convention on the Rights of Children

UNHCR- United Nations High Commissioner for Refugees

IOM-International Organization for Migration

UNICEF- United Nations Children's Fund

ICRC - International Committee of the Red Cross

CPSC- Child Protection Sub cluster

CPWG- Child Protection Working Group

ISP- Information Sharing Protocol

CPMS- Child Protection Minimum Standards in Humanitarian in Action

IASC- Inter Agency Steering Committee

MGCSW- Ministry of Gender, Child and Social Welfare

FTR-Family Tracing and Reunification

RRF- Rapid Respond Funds (Funded through IOM)

UNFPA- The United Nations Population Fund

UNIMISS-United Nations Mission in South Sudan

WHO-World Health Organization

PSS-Psycho Social Support

PFA-Psychological First Aid

OHCHR- Office of the High Commissioner for Human Rights

4

1. INTRODUCTION AND BACKGROUND INFORMATION

The Unaccompanied and Separated Children Working Group (UASC WG) and the Case Management

Task Force (CMTF) under the Child Protection Sub-Cluster in South Sudan have been working towards

strengthening case management system in South Sudan. The Information Sharing and Data Protection

Protocol, which was last updated in March 2017, has now been revised to reflect current context in line

with developments in South Sudan. This includes the Comprehensive Case Management Standard

Operating Procedures (SOPs) launched in September 2018 that will help to expand the scope from UASC

and Family Tracing and Reunification (FTR) to comprehensive case management services supporting the

most vulnerable children1 facing child protection risks and the piloting and transition from Child

Protection Information Management System (CPIMS) system to CPIMS+ for the Child Protection

organisations. The revisions also provide guidance for all child protection actors on safeguarding

children and families’ information and data and on helping to establish data evacuation plans

considering external risks faced by organisations working in South Sudan. This will ensure that all Child

Protection organisations agree on Information Sharing and Data Protection Protocols to support safe

and ethical data storage, sharing, archiving, other processing, and destruction as a last resort.

1.1 Information management principles and standard definitions

Confidentiality: Ensuring that information disclosed by a child is not used without assent of the child

and consent from the parent or legal guardian. It should not be shared without the child’s

permission, except in exceptional circumstances (i.e. where necessary for the protection and safety

of the child in line with best interests or where service providers are required by law to report

abuse).

Informed Consent: It is the voluntary agreement of an individual who has the legal capacity to give

consent. To provide consent, the individual must have the capacity and maturity to know about and

understand the services being offered and be legally able to give his consent. Parents/ caregivers are

typically responsible for giving for their child to service services until the child reaches 18 years of

age. Children over 15 are able to provide informed consent themselves, however their parent or

caregiver should be included with the child’s permission2.

Informed assent: It is the expressed willingness to participate in services. For younger children who

are by definition too young to give informed consent, but old enough to understand and agree to

participate in services, the child’s “informed assent” is sought. Informed assent is the expressed

willingness of the child to participate in services

Mandatory Reporting: Laws or policies that require certain agencies and/or persons in helping

professions (teachers, social workers, health staff, etc.) to report actual or suspected child abuse

(e.g. physical, sexual, neglect, emotional and psychological abuse, and unlawful sexual intercourse.

In South Sudan, the Child Act (2008) section 34, states “it shall be the general duty of any member of

the community, who reasonable suspects that a child’s rights have been, or are being, or likely to be

1 subjects of case management include but are not limited to Internally Displaced Persons (IDP), refugees, host community children, Orphans and Vulnerable Children (OVC), Persons living with Disabilities (PLWD), Unaccompanied and Separated Children (UASC), Children Associated with Armed Forces and Groups (CAAFAG), and any other children affected by child protection concerns as detailed in Vulnerability and Risk Assessment Criteria in the SOPs. 2 Informed Consent/Assent section 4.3. Comprehensive Case Management SOPs, South Sudan, September 2018

5

infringed upon, to report the matter to a Chief or Social Worker, a Local Government Official, the

police, or the Public Attorney who shall promptly investigate the case and take appropriate action,

including submitting it to the Court for redress on behalf of the child.” The penalty in South Sudan for

not reporting can be a fine and/or up to 6 months in jail.

Need-to-know: The case-by-case disclosure of information only with those individuals for whom the

information will be used for the protection of the child.

Personal Data: Any data or related information about an individual who can be identified from that

data and other information. Personal data includes biographical data (bio-data) such as name, sex,

marital status, date and place of birth, country of origin, country of asylum, individual registration

number, occupation, religion and ethnicity, biometric data (such as a photograph, fingerprint, facial

or iris image), as well as any expression of opinion about the individual, such as assessments of the

status and/or specific needs.

Personal Data breach: A breach of data security leading to the accidental or unlawful/illegitimate

destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transferred,

stored or otherwise processed.

A Handing Over Agency is the Child Protection organization which carries out one or more parts of

the process of identification, documentation, interim care (where necessary), tracing and

reunification of a child and then turns over the remaining processes or the case itself (i.e., the

physical transfer as well as electronic) to another agency.

A Receiving Agency is the Child Protection organization that takes over the case of a Vulnerable

child from another agency during any phase of the process for completion of remaining actions and

phases.

2. PURPOSE

This Information Sharing and Data Protection Protocol has been revised to be in line with the

Comprehensive Case management SOPs for South Sudan launched in September 2018 and

accommodates recent developments in South Sudan aiming at strengthening Case Management

systems. It has been revised by the UASC WG and CMTF partners implementing Child Protection

interventions and coordinating within the CPSC in South Sudan. It helps to ensure the highest possible

standards of information and Case Management principles, safety of children and caregivers, safe and

ethical data storage, sharing, archiving processing and destruction as a last resort. It will also ensure

coordinated flow of information, define type of agreed information and data sets to be shared with CP

actors, non-CP actors, Donors, Government, local authorities and UN agencies. Lastly, the Information

Sharing and Data Protection Protocol provides regulations and guidelines for all child protection

members which is also complementary and integral to the comprehensive case management SOPs and

complements the UASC SOPSs for South Sudan. It ensures that information is only accessed to those

authorised to do so in line with child’s best interests, confidentiality and ‘need to know’ principles. All

organisations signing this Protocol agree to comply with it insofar as it does not contradict their internal

data protection or other relevant policies.

6

3. GROUND RULES, CONFIDENTIALITY, ACCESS TO INFORMATION AND DATA PROTECTION

3.1 Ground rules

All Child Protection Sub-Cluster members have to ensure:

There is clarity on the need to share the information (see 1.1. ‘need to know’ principle)

The Handing Over Agency will only share with the Receiving Agency the personal data that is needed

for the Receiving Agency to be able to provide the assistance/services needed, and not

unnecessarily share more personal data.

All case workers and Child Protection staff are sensitised, understand and adhere to this Information

Sharing and Data Protection Protocol.

That the child/caregiver has given their assent/consent for information to be shared in line with

Comprehensive Case management SOPs.

The person with whom the information is to be shared with, belongs to an agency that has signed

this Inter-Agency Information Sharing and Data Protection Protocol.

Electronic documents containing personal data must be password protected using passwords stored

in a secure place. The means used to share such electronic documents and the means used to share

the password should be different such as sharing in different email communication.

Paper files with personal data are kept in a lockable cabinet by the agency in possession of them.

Case Information shared verbally should be transmitted in a confidential place.

Child Protection staff using work mobile phones for recording case data, voice recording, photos

have to seek consent/assent from children and caregivers and use it solely for Case management,

FTR or to facilitate Referrals and access to services in line with identified needs.

A reasonable level of security for supplied information, personal or non-personal, and process the

information accordingly and as established in the Data Protection Protocols.

Where serious safety concerns, mandatory reporting laws in South Sudan require social workers,

teachers and health workers to report cases of actual or suspected child abuse to local authorities.

Mandatory reporting laws should be explained to the child and parent/caregiver during the

informed consent process. Decisions regarding compliance with mandatory reporting laws should be

taken by the Management team for the protection of the workers.

An agreement or code of conduct outlining these obligations is signed by all staff with access to

personal data related to child protection case management and FTR.

3.2 Confidentiality of data and Information Management

This Information Sharing and Data Protection Protocol is based on confidentiality, information

management and do no harm principles. Keeping data confidential is critical to protecting children’s

safety and security to prevent the misuse of information for purposes beyond their control, including

their exploitation, stigmatization and abuse, either intentionally or unintentionally. Confidentiality is the

condition on which sensitive data is protected and disclosed only to authorised persons during

reporting, interview, tracing and record keeping. It can be a legal protection and assurance of the

beneficiary right to privacy. Information can be stored or transmitted verbally, on paper or

electronically. In all circumstances, confidentiality must be maintained and the child and/or

parent/caregiver’s choices/informed assent/consent sought and adhered to.

7

3.2.1 Information management

This protocol also adheres to the Child Protection Minimum Standards in Humanitarian in Action (CPMS) 3standard 5 in which up-to-date information necessary for effective child protection programming is

collected, used, stored and shared, with full respect for confidentiality, and in accordance with the ‘do

no harm’ principle and the best interests of children.

3.2.2 Confidentiality Agreement

Any child based on their evolving capacity can choose the level of detail in which they are willing for

their personal information to be shared. This also enables him or her to highlight any information that

they do not want any particular person or organization to know. E.g., they prefer to hold some personal

information from family members in order to communicate face-to-face.

3.2.3 Child Participation

Confidentiality is central to the principles of ‘Best interests’ and ‘Participation’ for children as per UNCRC

and South Sudan Child Act 2008.4 It is therefore important to ensure that the child actively participates

in decisions and issues that affect their well-being and recovery from distressful events. However, the

extent to which their opinions are taken into account will depend on age and maturity and what is in

their Best interests. It is recommended to look at the evolving capacity of the child to determine if a

child is capable of making decisions and taking action where they could understand the implications of

their participation. For UASC placed under temporary care, the case workers should ensure that the

child (based on evolving capacity) is given an opportunity to confidently share and express their own

wishes, including wishes to change their current care arrangements in case they are abused or exploited.

3.2.4 Best Interests of the Child

If a child’s safety or well-being is in severe danger or the child is at risk, case workers have a

responsibility to refer or pass information to humanitarian organisations or local authorities within the

referral pathway. When caseworkers work with a child who is old enough to understand this potential

exception to confidentiality, they should be informed about it from the beginning. The child may choose

not to tell anything to the case worker; however, the loss of trust that comes from sharing information

without the child’s knowledge will be very damaging and in most cases a careful explanation on the

limits of who would need to be informed and the reasons for this will reassure the child.5

If the child does not provide permission for sharing information (assent), it is important to consider the

child’s ability to understand the consequences of the decision. Determination has to be made that

sharing the information will be in the best interests of the child (i.e. If Child Protection organization

believe the consequences of failing to refer would be serious putting the child at more risk hence

sharing the information against his/her wishes and in line with his/her best interests; considering safety

3 Child Protection Minimum Standards for Child Protection in Humanitarian Action, 2012, Standard 5: 'Information Management' 4 These principles are outlined in the United Nations Convention on the Rights of the Child, and the Organisation of African Unity African Charter on the Rights and Welfare of the Child. 5 Comprehensive Case Management SOPs South Sudan. Consent section.

8

of the child and dignified support if the parent/caregiver refuse permission to share information, then

the same considerations of acting in the best interests of the child will apply.

3.2.5 Access to information and data protection

3.2.5.1. Adherence to the protocol

The protocol constitutes a strict set of rules that all organisations participating in Child Protection, Case

Management and Family Tracing and Reunification interventions in South Sudan must adhere to. All

organisations participating in such interventions must have their staff oriented and complying with it

and their Head of Organisation will sign this Information Sharing and Data Protection Protocol. All

organisations must therefore commit to share this ISP and Data Protection protocol to all Child

Protection staff, ensure that they are well trained and adhere to the Protocol. Any breach of the

Information Sharing and Data Protection Protocol will be dealt with in accordance to the policies and

procedures set by each organisation, discussed at the CMTF and presented to the CPSC for any further

actions.

3.2.5.2 Passwords

All Child Protection organisation staff computers must have a strong password (i.e. containing at least 8

characters including numbers, capital letters and special characters and avoiding words that could be

easily guess such as Child2019). Computers must be programmed to automatically lock if the user is

away from the machine. Electronic Case Files or Excel Sheets, including Excel Sheets and Files exported

from the database, must be password protected using the passwords provided by the sender that is

confidentially shared using different means.

3.2.5.3 Information management during FTR process

Family Tracing and Reunification can only be functional if information is shared promptly and efficiently

to enhance tracing and reunification. Data of UASC should be shared for family tracing purposes as soon

as it is available (daily, weekly) and as necessary for the purposes of tracing and reunification.

The CPIMS/CPIMS+ is the main data management tool for FTR in South Sudan. All Child Protection

organisations should therefore ensure that any data on unaccompanied, separated and missing children

is included in the CPIMS/CPIMS+ at field and national level. All organisations implementing FTR must

have CPIMS installed and encrypted data should be transferred to national level database that is

managed by Save the Children International System Administrator through the CPIMS export/import

function on a weekly basis. The database keep data of children who are separated, unaccompanied,

missing and other at risk children. It facilitates instant matching of records, allowing for rapid

identification of possible 'lost' or relocated children6.

3.2.5.4 Information Management by Handling Agency

FTR data should be collected using the Case Management and FTR toolkit (forms) including informed

assent/consent of the child. All FTR focal points in each organisation are responsible for ensuring

information of children is collected appropriately, well stored and managed. Within a specific

6 IA CP IMS factsheet

9

organisation, the information should only be shared with staff working directly on FTR for the purposes

of follow up monitoring, child verification and reintegration follow up. Only statistical or anonymised

information (e.g. number of separated/unaccompanied children documented, number of monitoring

visits or number of children reunified) should be shared with others not working directly with children.

3.2.5.5 Information sharing with community members for FTR

Child’s information should only be shared with parties that will facilitate FTR. During tracing and

verification, community mechanisms can be very helpful to facilitate identification of families. When

using mass tracing method (e.g. public sharing of lists or photographs), or door to door tracing, it is

important to only share essential information that will guide the case worker for tracing. All other

information about the child should be cross-referenced from the records by the case worker and not

with the entire community to verify the information. During follow up monitoring, the case worker

should provide updates to the child on the outcome of tracing, as well as gather any information that

can further assist.

3.2.5.6 Information Management by Receiving Agency

During the FTR process, information about cases may be shared with the Receiving Agency7; either to

verify the details of the adult for reunification to occur or case transfer in case the child or the adult to

be traced has moved location. For adult verification, information about the adult, location, local leaders

and name of the child is sufficient for sharing with Receiving Agency for the purpose of tracing the adult

and verifying if they are the parents/caregivers of the child. These should be cross-referenced by the

handling agency, to see if the information matches and to proceed with reunification. In situations of

case transfer, the entire case file of the child shall be shared in order to continue FTR and Case

Management. In any case, informed assent/consent of the child should have been sought during

registration, to ensure that sharing of the data is ethical. During case transfer, this will need to be clearly

communicate to the child and the family and seek consent to continue receiving services. The data shall

be shared in soft copy through the CPIMS or CPIMS+. Data about cases may also be shared with a

receiving agency, in cases where an organisation stops its operations in a location and hands over to a

different organisation. This should be done with prior consultation and meeting with CMTF/UASC WG

and CPSC in which records of the minutes should be shared and archived. In this case, paper files

(physical files) are handed over to the Receiving Agency8.

3.2.5.7 Information management during Case Management process

In line with the Case Management SOPs, inter-agency vulnerability criteria must be used to identify

vulnerable children to receive Comprehensive Case Management services. The informed assent/consent

of the child should be sought before registration, during referrals to access other services, before

discussion in case conferences or before case transfer. Complex cases will be discussed with only

members concerned with the case and in line with the case conferences guidelines as stated in the Case

Management SOPs, complex cases will be flagged for support and advocacy to the CMTF. All partners

7 Comprehensive Case Management SOPs, South Sudan. Case transfer section. 8 Handover guidelines within the Case Management and UASC SOPs, South Sudan.

10

must strive not to discuss cases with children’s details over emails and identifiable information must not

be shared.

During Referrals, the Referring Agency must only share the bio-data of the child needed to provide the

service (e.g. name, age and address). This can only be done if the child and the family has agreed to this

referral being made on their behalf considering of their participation. At all times, the handling agency

should take the responsibility to ensure all ethical procedures are followed.9

3.2.5.8 Information Sharing with Authorities during Reunification

Close coordination should be maintained between authorities at airports/transit points and FTR

organisation. This coordination will be led by Save the Children and UNICEF and individual organisations

will ensure safe and smooth movement of children during reunification and prior communication to

Authorities related to FTR processes. In cases where organisations perceive that sharing information of

children may put their families at risk or in fear, advance notice should be given to the National Security

at airport/transit port, with an explanation of what FTR organisations do, so that children are not

interviewed on arrival. Coordination support should be sought from the Ministry of Gender, Child, Social

Welfare, Ministry of Humanitarian Affairs and Department of Humanitarian Affairs. It is important to

note that what is required by National Security varies from State to State and may need to be

negotiated at State level, with the support of State level focal points from the Child Protection Working

Group or Child Protection Sub-Cluster.

4. DATA SECURITY AND DATA PROTECTION

4.1 Storage of paper files

All children undergoing comprehensive case management processes should be assigned a unique code

autogenerated by the system. The code should be used to refer to the child’s case either verbally, on

paper or electronically (including in word documents, emails, skype conversations, etc.) in place of any

identifiable information such as name or date of birth. The paper forms should be stored in lockable

cabinets. It is the responsibility of each partner to budget for and procure lockable cabinets. The forms

provide necessary details for case workers to do their work and where possible forms should be stored

in locations or sites where the case work is on-going. The information needed at the central level is for

the purpose of case monitoring, transfer of data between States, in support of international tracing and

for backup. In addition, each organisation has a responsibility to conduct regular security and risk

assessments to determine security of data and information and develop actions to mitigate those.

Therefore, it is not necessary to maintain original paper case files at headquarter offices.

Paper files should be stored as follows:

1. Each case should be stored in its individual case file clearly marked with the individual case code on

the cover of the file. It is imperative that the child’s name should not appear on the cover of the file.

9 Identification and registration form and Case Management SOPs on obtaining consent/assent.

11

2. Each case should be kept in a secure place and accessible only by assigned and responsible

personnel. This usually means that they are stored in a lockable filing cabinet and the keys kept with

the person responsible for the information.

3. Each case should be transferred by hand between people responsible for the information.

4. The original copies should be kept safely with the registering organisation at State level.

5. Printing, photocopying or scanning of data related to children should be in-house (within office

premise) and no files should be printed, photocopied, or scan in public printing places. Any extra

copies of forms should be fully destroyed.

6. Original documents (such as school certificates, birth certificates etc.) useful during case

management processes should be scanned and then returned to the child/family.

7. Paper files and/or filing cabinets should be marked with a color-coding system according to

sensitivity of data they contain and inform the order of priority in which they should be

removed/destroyed in the event of an emergency evacuation or relocation. The colour coding will

be determined by the CMTF.

8. The CPIMS/CPIMS+ should be considered to transfer data between Child Protection organisations

together with paper files for continuity of comprehensive case management services. Ensure case

handover meetings are held in line with Case Management SOPs.

9. Storage rooms or offices containing paper or electronic information should be secured and locked

when not in use.

4.2 Electronic files

1. All laptops, phones, tablets used for Comprehensive Case Management should be installed with up-

to-date anti-virus software for prevention of loss of information, useful data and only accessed by

assigned authorised users.

2. Staff are not allowed to save case management and FTR information on their personal electronic

devices. Only work-assigned devices can be used for managing information related to child

protection case management and FTR.

3. They should also be encrypted using strong password to prevent unauthorised access. It is

recommended that the password should contain at least 8 characters including numbers, capital

letters, special characters that cannot be easily guessed. In addition, any default shared network

drives should be disabled and the password must be changed on a regular basis.

4. The authorised personnel should ensure the laptops, tablets or phones are locked when not in use

and stored in a safe place. When authorised personnel leave the organisation, the organisation

should ensure proper handover of all information and data as well as to erase any identifiable

information before handover. Their access should also be immediately disabled or revoked in the

CPIMS or CPIMS+.

5. All electronic information of children should be password protected and the password should

change on a regular basis or when some authorised personnel leaves the organization.

6. Information should be transferred online by encrypted or password protected files ensuring e-mails

are only sent to the intended recipient.

12

7. Memory sticks (USBs) should be passed by hand between people responsible for the information

and be password protected and the file erased immediately after transfer. Ensure that the file is also

permanently erased from the recycle bin files.

5. SYSTEM ADMINISTRATOR AND AUTHORISED USERS FOR CPIMS/CPIMS+

1. When a user of the CPIMS/CPIMS+ ceases to be an authorised user or System Administrator, their

access to the system should be immediately revoked and a new administrator or authorised user

assigned. The System Administrator has the responsibility to ensure only authorised users access

the CPIMS/CPIMS+

2. Hosting data on the cloud service must be in line with South Sudan national legislation. Minimum

standards of data security should be met by any cloud services provider, for example ISO 27000.

Cloud services should also include automatic data backups, failover features, and full encryption.

3. It may be necessary for organisations to share data with the CPIMS/CPIMS+ Help desk for technical

support. Whenever possible, this data should be limited to anonymised data. In the event that the

identification of a specific record is required in order address a problem, partners should always

refer to this record using the unique identifier. Help Desk technical support teams should be

required to sign confidentiality waivers.

4. Closed files are archived accordingly in the CPIMS+ and it is not possible to delete case files. Once

they are closed they no longer show up as active case in the case worker case list.

6. SPECIFIC TYPES OF INFORMATION SHARED BY CHILD PROTECTION ORGANISATIONS

Recipients of

information

When Why To whom What How

Government

and local

authorities

supporting

FTR or Case

Management

services

When there is

conflict or

displacement and

there is need to

determine the

best interest of

the child and

advocate for

access to services

Access to services

for child and family

For accountability

Safety of the child

and case worker

Government social

workers

Police,

Security officers

Ministry of

Humanitarian Affairs

and disaster

management

Local authorities staff

(Child Protection

officers from

Department of Social

Welfare)

South Sudan Relief,

Bio data,

referring and

receiving

agencies

Electronically, physical

documents, phone

calls and emails when

applicable

13

Rehabilitation and

Reintegration

Commission (RRC)

Donors At proposal and

design stage for

fundraising and

for quality

reporting to show

progress and

impact

Resource

mobilization,

Advocacy,

Fundraising,

Accountability,

Compliance

Donor focal person Statistics, trends

and Success

stories

Reports, Emails and

meetings

ICRC, UN

agencies and

CPSC

As required

during crisis

situation (armed

conflict, flood,

epidemic,

intercommunal

conflict etc.)

Advocacy purpose

Fundraising

Immediate

response

Focal points within IOM;

UNICEF; UNHCR; UNFPA

IOM; CPSC;UNIMISS;

ICRC

Statistics,

Aggregared

data, Sitreps,

Assessments,

Reports

Emails,

Direct contacts,

physical documents,

Coordination

meetings,

Dissemination through

humanitarian

dissemination

platforms,

Relief webs,

Newspapers and briefs

Other service

providers

When cases that

cannot be solely

supported by the

CP organisation

and needs to

refer to additional

services within

case

management

after seeking

assent/consent

Referrals for other

services including

specialised services

and included in the

existing referral

pathways for

service provision

agreed by CPWGs

To CP and non CP actors

within the referral

pathway including

Health, Nutrition,

Education, legal

services; among others.

Includes CMTF and

UASC WG leads.

Inter-agency

referral form,

case plans

Email, paper copies

and meetings

14

Other Child

Protection

organisation

When handover

to another CP

organisations is

needed as per

handover

guidelines

Funding constrains,

Change of child or

adult location,

When partners are

moving out of a

locality or due to

end of funding

cycle. CPSC to

come up with

measures to ensure

longer term

projects are funded

to prevent causing

harm to children.

New CP organisation

taking up the cases

Physical forms,

backend and

CPIMS system,

Hard and soft

copies

Physical case files and

Electronic after

completing the assent

and consent

7. DATA SETS

The purpose of the table below is to provide information on the different data sets that will be required

for Child Protection organisations to beshared with different agencies using the ‘need to know’

principle.

UN Agencies /ICRC Dataset/Information Reason for sharing

UNICEF Bio-data

Dates of referral

Case Summary

Sending and receiving

organisation

Physical address of child home

Case History i.e services

provided /referrals etc.

Introduction letter (to be used

for flight bookings and

immigration clearance).

Sharing Personal Data is only allowed for the purpose of

flight booking or when referring for direct services to

UNICEF FTR Specialist and focal point. UNICEF supports

information sharing with WFP and UNHAS related to flights

booking to support family tracing and reunifications

As last resort UNICEF provides direct services to children

and their families in some locations where there is no any

other Child Protection partner.

IOM Bio-data (smuggled and

trafficked children only).

Parents/caregivers name.

Summary of the case (i.e.

smuggled or trafficked

children)

Referring agency

Date of referral

IOM provides technical and practical support to migrant

children ensuring that they are able to access a wide range

of protection and assistance services including assisted

voluntary return and reintegration (AVRR) in order to

support children’s sustainable recovery from a situation of

vulnerability, exploitation, and abuse. Protection and

assistance services also include providing migrant children

with access to solutions, such as return and reintegration

to the country of origin, local integration, alternative care

15

options and resettlement to a third country as per their

best interests. IOM should be notified of any cases of

smuggled or trafficked children. IOM does not require

sharing of case ID but need different data sets for

information.

ICRC Bio-data

Circumstances of separation

Current location

Date of separation

Name of parents/primary

caregiver

Last known address,

Details of current caregivers,

tribe/sub tribe (etc.)

ICRC has a specific mandate under the Geneva Convention

to ensure humanitarian protection and assistance for

survivors of armed conflict and emergencies. ICRC plays a

key role in FTR cross-border, reunification of adults and

restoring family links. They locate people, exchange

messages, reunite families and clarify the fate of missing

persons. ICRC will evaluate on case by case basis and will

give feedback to the referring agency. Information of

children needing cross border tracing will be shared with

the ICRC focal point.

UNHCR Bio-data

Parents/Caregiver’s name

Summary of the case

Referring agency

Date of referral

Introduction letters (to be

signed by the Representative)

As the protection agency mandated to protect refugee, returnee and displaced populations, UNHCR’s core activity is protection of refugee children and asylum seekers. UNHCR works directly and through partners, with national authorities, other international and local organisations to assist and protect refugee children, ensure that those who are unaccompanied or separated are cared for and have access to family tracing and reunification services (FTR), that children are registered at birth and children with disabilities are supported. Depending on their needs UNHCR conducts case management on a child’s individual case including but not limited to best interest assessments (BIAs) and best interest determinations (BID) to plan future interventions and find the most viable durable solution in line with its Policy on the Protection of Personal Data of Persons of Concern. UNHCR also supports repatriation in both involuntarily or

spontaneous repatriation. Cross border case management

between South Sudan and other countries will be carried

out by the ICRC in collaboration with UNHCR and other

appropriate designated CP agencies. UNHCR doesn’t

require sharing of case ID but need different data sets for

information.

WHO

Aggregated data with

situational reports

Protection issues

WHO requires situational reports/overview of the situation

16

Affected population

Type of support required

Affected age group

Gender

Location

Dates

CPSC at National level Case Summary

Aggregated data

Dates

Sending and receiving agencies

Affected population

Location

The Child Protection Sub-Cluster is the primary forum for

coordinating Child Protection activities in South Sudan

during the current emergency. It is co-led by the

Government of South Sudan Ministry of Gender, Child and

Social Welfare (MOGCSW) and UNICEF on behalf of the

humanitarian response. It supports a coordinated,

comprehensive and predictable response for children

affected by the conflict and other emergencies across

South Sudan. All organisations providing child protection

services, including case management, should be working as

part of the CPSC to ensure effective coordination and

positive results for children.

National-level coordination entails: Mapping of key

partners at different levels & capacity assessment;

Coordination with key partners at the national level

Supporting State level Child Protection coordination

structures; Planning and strategy development, Policies &

standards setting and tools development, capacity

building, and quality assurance, and National Coordination

and thematic review

CPWGs at state level Case Summary

Aggregated data

Dates

Sending and receiving agencies

Affected population

Location

Field level CPSC focal points are present in all States and

some deep field sites. These focal points are responsible

for coordinating state level implementation of Child

Protection activities. All organisations providing child

protection activities at State or Community level should be

represented at the CPSC coordination meetings to ensure

positive results for children.

State level coordination structure is under the leadership

of the focal point of the Child Protection Sub-Cluster and

oversee implementation of the provisions of SOPs.

They also provide regular update to the Juba national level

coordination structure on progress, problems and

constraints, including a request for any possible support

17

while ensuring diversification and participation of other

actors

Donors/External

requests

Situational reports- based on

numbers, location, time,

protection concerns and scope

of the problem

Success stories- with consent or

assent of the caregiver and

child, information given will be

guided by the do no harm

principles and best interests of

the child

Statistical reports containing

age, gender and services

provided

Type of services

provided/action taken

Further support required

Provide funding and required resources to implement Child

Protection interventions.

Organisations are required to only share aggregated and

anonymous data with donors. Sharing Personal Data with

external actors is not allowed because it is not necessary or

appropriate and violates the principles of confidentiality,

need-to-know information sharing, the best interests of

the child, and potentially the do-no-harm principle.

CMTF Case Summaries

Age

Date

Sending and receiving agencies

Physical address of child home

Consent /Assents

Case History i.e services

provide /referrals etc

Support required from CMTF

In 2017, the Child Protection Sub-Cluster recognised a

need to standardise Case Management for Child Protection

and provide appropriate services beyond Family Tracing

and Reunification. This led to the formation of the Case

Management Task Force (CMTF), a focused a group of case

management actors who collaborate to develop shared

tools, strengthen case management practices and monitor

the referral system.

CP and non CP actors

within the referral

pathway

Summary of the case

Name of the child

Age of the child

Name of referring person

(indicate name referring and

for feedback

Name of referring organization/

agency

Date of referral for follow up

and respond in line with

established timeframes

Receiving

No need to share case ID to other non CP actors for access

of services

Recommendations

Use email for communication, phone or thuraya for

organisations working in remote locations where there

is no access to internet

There is need for follow up with the receiving agencies

How data should be shared

From CPIMS+ user to CPIMS+ user – To share

information and referrals through the systems

18

party/agency/organization

Date of receipt of the referral

Consent for referral/take new

consent and where possible,

accompany the beneficiary to

access services

Address and how beneficiary

can be contacted

Type of services to be provided

(for the receiving organization

to know what type of action to

be undertaken)

CPIMS+ User to non CPIMS+ user – referrals can still be

done through attachments, email or physically taking or

linking children and their families to receiving agencies

Recommendations for feedback mechanisms

Organisations to follow up to confirm whether service

have been provided and to see if the Protection

concerns have been addressed or whether a child has

been reunified

Any other follow up with the referring agencies to be

done

Consent or assent to be sought before referring cases

Government/Local

Authorities

The following information can be

shared with local Authorities

Bio data- Name, age, photo,

gender (only during

reunification and safety at the

transit/transit point

Name of the caregivers for

verification purposes

For Referals that require access

for legal services – report to

special unit (Ministry of

Gender) which includes name,

age and offence

Organisations working in different locations to

coordinate and collaborate with local authorities to

provide support to vulnerable children

Data sets during case

transfer

All relevant information to be

shared with the receiving agency

for continuity of care and support

Key consideration:

Safety of the child

Consent or assent is sought

Receiving agency to have

signed the ISP

Receiving organization to have

CPIMS/CPIMS+ installed and in

use

To share open and active cases

Social workers from receiving

All organisations to follow case transfer SOPs and

CMTF to develop additional guidance note for case

transfers

How data to be shared

CPIMS+ to CPIMS+ can share referrals and case

transfers

CPIMS+ to non CPIMS+ to share referrals through

offline forms using the interagency referrals form

From non CPIMS+ to CPIMS- Not to share unless they

have signed ISP

19

8. TIME LIMIT

The commitment to uphold confidentiality and adhere to the Information Sharing and Data Protection

Protocol is not time bound. It will take effect on June 2019 and Child Protection organisations will use

and adhere to the protocol as members of the UASC WG, CMTF and CPSC in South Sudan. In June 2020,

after one year of trial of the Information Sharing and Data Protection Protocol, the CPSC with support

from UASC WG and CMTF will review the effectiveness, use of and adherence to the protocol. After that,

the ISP will then be revised on an annual basis if the change in context requires a review.

9. BREACHES OF THE INFORMATION SHARING AND DATA PROTECTION PROTOCOL

A breach means accidental or unlawful/illegitimate destruction, loss, alteration, unauthorised

disclosure of, or access to, personal data transferred, stored or otherwise processed.

Organisations affected by data breaches will notify the CMTF an immediate action will be taken if

the breach is likely to harm the child or family.

During monthly meetings, CMTF should look into data breaches and present findings and

recommendations to CPSC and SAG member for further actions i.e. written warning, suspension,

dismissal as a CPSC member.

and transferring agency to hold

meeting with the child and

caregiver and possibly conduct

introduction

Consent to be sought before

case transfer

To hold case load transfer

meeting in presence of the

third party

To include soft copies and

physical files

Data sets and

information sharing for

Anonymized data

Bio data, protection concerns,

type of service provided,

number of cases closed,

number of open cases,

Sex/gender of the child to be

included

Regular aggregated data to be

generated and discussed during

weekly and monthly

coordination meetings

Who to be shared with

CMTF lead and co-lead

Members of CMTF

CPSC

Other sectors, Government and donors

Recommendations

Using summarized data and report for advocacy on Child

Protection work in South Sudan

20

In the event the breaching partner is a member of Steering Advisory Group, the member will not sit

in the meeting where the specific data breach will be discussed and will be informed of the process,

provided that the specific member was able to provide comments on the breach in advance.

CMTF in collaboration with the CPSC will conduct awareness and capacity building on the ISP and

Data Protection protocol.

The CP organisations reserve the right to refuse sharing of information about all reported cases to

any external actor unless mutual understanding is made considering the measures to prevent any

potential harm to the child.

10. EMERGENCY EVACUATION AND RELOCATION PLAN

In the event of an evacuation and relocation, the management of the organisation must ensure that the

laptop(s) where the database is setup, its back up systems and paper files are moved to a safe location.

When moving database assets and paper files is not possible, management should ensure assets are

destroyed and papers burnt as a last resort after approval by the Child Protection Manager or equivalent

position. Information saved in the backup system will then become the only source of information of

cases. It should be noted that in some circumstances, it may not be necessary to destroy files and

therefore is more important to ensure they are properly secured and protected during the period of

evacuation and relocation. This is a judgment call that will need to be made by the management

depending on security assessment.

A clear evacuation and relocation plan should be developed with a ‘scheme of delegation’ dictating who

has responsibility for making decisions regarding removing or destroying data (for both paper and

electronic data). The plan should include various scenarios, taking into account the risks of violent

attacks, natural disasters, and heavy rains. This plan should be incorporated into the standard

evacuation and relocation plan for the whole organisation by Security Managers and Management Staff

and the sensitive nature of children’s data must be highlighted to all involved staff.

Heads of Child Protection organisations, Security Managers, Logistic Managers, Information Technology

Managers, Management team and Child Protection staff should know their individual responsibilities

detailed in the evacuation and relocation plan and be aware of the sensitive nature of data being

collected. Briefing on the evacuation plan should be part of the standard induction checklist for relevant

staff. Evacuation and relocation drills should be carried out periodically to ensure each individual knows

their responsibilities and is able to act quickly in an emergency evacuation and relocation. In the event

of a deteriorating security situation, evacuation and relocation plans should be reviewed and if

necessary, re-evaluated by Senior Management and Security personnel or equivalent depending on each

organisation.

21

11. ANNEXES

South Sudan Case management SOPs

UASC SOPs for South Sudan

FTR and CM forms

South Sudan Handbook for Case Workers

South Sudan FTR Handbook

Child Protection Minimum Standards in Humanitarian Action

12. SIGNATORIES OF THE INFORMATION SHARING AND DATA PROTECTION PROTOCOL

This section is for declaration of acceptance to comply, provided that there is no contradiction to the

organisation’s internal data protection or other relevant policies, and indicates the name of each

organisation, positions of representatives, sign and date.

With the signature below I declare that the authority or agency represented will comply fully with this

child protection case management Data Protection and Information Sharing Protocol.

AGREED ON BEHALF OF UNICEF

Name: Mohamed Ayoya

Title: Country Representative

Date:

Signature:

AGREED ON BEHALF OF SAVE THE CHILDREN INTERNATIONAL

Name: Rama Hansraj

Title: Country Director

Date:

Signature:

AGREED ON BEHALF OF MTT

Name:

Title:

Date:

Signature:

22

AGREED ON BEHALF OF CRO

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF INTERSOS

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF UNIDOR

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF HOLD THE CHILD

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

23

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

24

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

25

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

26

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

27

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

28

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

29

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

30

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature:

AGREED ON BEHALF OF

Name:

Title:

Date:

Signature: