Audit Exposes UN Food Agency Poor Data-Handling


Vulnerable people in the world’s troublespots could be at risk because of sloppy handling of sensitive data by a UN agency, according to an internal audit. In response, the World Food Programme told IRIN it was “working to get ahead of the curve” on data-handling, would address weaknesses, and spend more on systems.

The internal audit of WFP beneficiary management, dated November 2017, found a litany of data protection failings across the UN agency’s digital and paper-based systems. WFP handles huge amounts of personal data without proper safeguards, according to the review. The audit says “major improvement” is needed to reduce risks in systems that powered aid for over 82 million people in 2016.

Despite the criticisms, WFP vowed to press on with its initiative to build a large centralised system. The agency told IRIN in a written response that its goal was to have a platform that could power more than just food-related aid. It should be “holding data for WFP’s entire caseload of some 80+ million people and providing a platform to deliver assistance for all the needs of a household, beyond food,” the response said.

WFP said its flagship SCOPE management platform, which the audit found to be seriously flawed, “will significantly improve beneficiary information and identity management”, insisting, “the audit findings back this up”. The agency told IRIN it would be “working through the challenges of bringing the new system up to speed”.

The damning audit emerged as aid agencies worldwide adjust to sweeping new EU legislation that governs personal data and enters into force in May, the General Data Protection Regulation. IRIN interviews suggest the GDPR will lead to an overhaul of best practice in the humanitarian sector.

‘Accident waiting to happen’?

According to the audit, WFP fails to follow rules it has set itself, which are aligned with international best practice and the GDPR. “Policies have been designed to protect the data and privacy of beneficiaries and comply with local requirements, but have not yet been effectively implemented,” the audit said. In its response to IRIN, WFP said the agency was “closely following developments, standards and best practice in this field”.

This set of findings screams ‘accident waiting to happen’, as well as a lack of understanding by senior [WFP] management of WTF is going on with their data at country level,” said one.

The audit appears tough, but data protection officials in other aid agencies said WFP’s issues were not unique: the findings could apply to many in the sector and some applauded the transparency. One said, after reviewing the report: “I’m sure that other entities both in and out of the UN who are delivering digital forms of aid, including identity management, would fail a similar audit.” Sean McDonald, CEO of messaging platform FrontlineSMS, told IRIN: “these problems are big and difficult everywhere.” WFP’s response said the findings were “challenges that should be expected.”

Among the many issues, grouped under five high-risk and five medium-risk headings, the audit found that extraneous information was being gathered. In more than one case, WFP and its partner organisations collected more personal information than was needed, “without a specified and legitimate purpose”, and again, contrary to policy.

In a particularly charged example, a WFP “cooperating partner” recorded people’s religion. The agency did not clarify the details, and the report does not say where it happened, but the audit team only visited Malawi, Sudan, and Myanmar. Of the three, only Myanmar has any significant diversity of religious adherence, and religion is a key factor in its recent violence. (The audit also made desk reviews of operations in Bolivia, Guinea Bissau and the Occupied Palestinian Territories).

The report also said beneficiaries did not give their informed consent to the use of personal data, and data was routinely copied without encryption or password protection. Both findings go against WFP’s data protection policy.

The SCOPE of the problem

WFP has made numerous public announcements about the innovative impact and potential of its central web-based application SCOPE, which now holds records on 26 million people, 5.8 million of which include fingerprints or photos. The system went live in 2014 and should manage both cash or in-kind programmes. According to WFP, it is designed for “beneficiary registrations, intervention setups, distribution planning, transfers and distribution reporting.”

The audit found it unreliable and unable to meet the needs of many country offices. As a result, SCOPE handles less than 10 percent of the WFP’s caseload. Another audit, of WFP’s Bangladesh operation, repeats a finding that the SCOPE system cannot reliably edit and update records.

Most of WFP’s operations were so far unable to use SCOPE. Among the problems were the following:

❌ Data uploaded into SCOPE was “incomplete and/or inaccurate”

❌ Many of the 61 offices in which it had been installed had problems uploading and downloading data

❌ The system did not reliably allow operators to correct errors and update beneficiary data

❌ It does not allow for sufficient “beneficiary conditionality”, customised reporting, data analytics, and reconciliations

❌ User support and help-desks could not meet demand

McDonald, of FrontlineSMS, told IRIN: “They went out too early, with something they didn’t fully understand, and are now having to solve the difficult, basic problems that would have been a lot easier 61 countries ago.”


Sign up for Updates

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of new posts by email.