UNICEF, the United Nations children’s agency, has said it may have caused a data breach that revealed the private information of thousands of online learners through the Agora platform.

The Agora website gives UNICEF staff and members of the public access to free training courses on children’s rights, humanitarian action, research and data.

An email containing the private data of 8,253 users enrolled in courses on immunisation went out to around 20,000 Agora users in late August of this year.

When asked about the leak, UNICEF’s media chief, Najwa Mekki, told the Devex website:

“This was an inadvertent data leak caused by an error when an internal user ran a report … The personal information accidentally leaked may include the names, email addresses, duty stations, gender, organization, name of supervisor and contract type of individuals who had enrolled in one of these courses, to the extent that these details were included in their Agora user’s profile.”

“Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring,” Mekki continued.

This week, Agora members were sent a message explaining that they may have been sent an email on August 26th containing “a spreadsheet that included the basic personal information of some of our users.”

The users were asked to “permanently delete the email and all copies of the file from your mailing system and download folder, as well as from [their] recycle bin.”

The message also included an apology from UNICEF and an explanation that it had launched “an internal assessment and review…as soon as the issue was reported.”

“The problem was quickly addressed to ensure that it does not happen again,” the email continued.

Managing director of CyberSMART, Clare Sullivan, explained to Devex that UN agencies are probably exempt from the EU’s General Data Protection Regulation (GDPR), a reality that is yet to be tested in a lawsuit. If a UNICEF data breach were to fall under the GDPR, the organisation would have to notify the relevant data protection authorities within 72 hours of the leak having been discovered.

The case was not reported to any further authorities, Mekki explained, stating: “UN entities are not subject to GDPR.”

Evelyne Kemunto, lawyer at Privacy Culture Ltd, said:

“Although not a subject of GDPR, the UN is a subject of international law as was determined by the Advisory Opinion of the International Court of Justice (ICJ) in the Reparations for Injuries Suffered Case (1949). The fact that it is a subject of international law means that it possesses international legal personality which grants it international rights and obligations. It also means that the UN has the capacity to take certain types of actions as well as be held accountable at the international level. Although the GDPR cannot be said to directly apply to the UN, this institution has an obligation to respect the right to privacy which is entrenched in Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR), both of which form part of the international bill of human rights. The data breach committed by UNICEF is a violation of the right to privacy of the data subjects involved.

“Being an intergovernmental organisation, the UN is created by states through its constituent document which is the UN Charter. This enables it to exercise functions that states attribute to it. The UN enjoys rights that enable it to exercise those functions including immunity from domestic prosecutions. The UN enjoys immunity from every form of judicial process as is enjoyed by foreign governments. However, the Secretary-General of the UN has the right and the duty to waive the immunity of any official in any case where, in his opinion, the immunity would impede the course of justice and can be waived without prejudice to the interests of the United Nations. Which begs the question, should the breach of privacy by a UN agency necessitate an immunity waiver? What is the ideal forum for holding the UN accountable for privacy breaches?

“With the wake of the GDPR standards of privacy, there is no doubt that there is a glaring need to have an internationally acceptable accountability mechanism that incorporates GDPR standards of respecting privacy and protecting personal information for subjects under international law.”