10 The WHO personal data protection policy sets out the rules and principles relating to the processing by and within WHO of personal data of individuals (see section XXII.3.1, paragraphs 40–60). The policy should be read in conjunction with the WHO policies on use and sharing of routinely collected data (see section XXII.6.1), use and sharing of data collected in emergencies (see section XXII.6.2), information disclosure, information technology (see section XIV) and information security (see section XIV.2), as well as the WHO Staff Regulations and Staff Rules and the WHO Code of Ethics.
20 The policy applies to all personal data of living individuals held by WHO, contained in any form and processed in any manner. The processing of other (non-personal) data, including anonymized data, as defined in the policy, does not fall within the scope of the policy.
30 Processing of personal data may only be carried out on a legitimate basis and in a fair and transparent matter. WHO may only process personal data based on one or more of the following legitimate bases: consent, performance of a contract, vital interests (for the benefit of the data subject or of another person), public interest and/or legitimate interests (of WHO or of a third party, including reputational or accountability). Additional security measures should be put in place for such data, such as a dual factor authentication.
Data Protection and Privacy Officer
40 The Data Protection and Privacy Officer is responsible for overseeing Implementation of the personal data protection policy.