As data becomes more important to fulfill the World Bank Group’s Twin Goals of alleviating extreme poverty and promoting shared prosperity, so does the importance of responsibly collecting, using, and sharing data–including personal data. Recognizing this, the World Bank Group issued a Policy on Personal Data Privacy (the “Privacy Policy”) that governs the use of personal data by the World Bank Group institutions: the International Bank for Reconstruction and Development and the International Development Association (together the “World Bank”), the International Finance Corporation, the Multilateral Investment Guarantee Agency, and the International Centre for Settlement of Investment Disputes. The Privacy Policy signals to the world the World Bank Group’s leadership on the responsible use of personal data by international organizations.
Please click here to review the .
Individuals have the ability, subject to limitations and conditions, to request information about their personal data and to seek redress if they reasonably believe their personal data has been used by the Bank in violation of the Privacy Policy.
Please access the Request and Review tab for more information.
ŷbƬ Data Privacy Office oversees the World Bank’s compliance with the Privacy Policy. The Data Privacy Office’s vision is to embed data privacy by design into the fabric of the Bank’s work around the world.
Section III (7) (b) of the World Bank Group Policy on Personal Data Privacy (the “Privacy Policy”) requires the Bank to “adopt mechanism(s) to . . . provide individuals with a method, subject to reasonable limitations and conditions, to: i. request information regarding the individual’s Personal Data Processed by [the Bank] ; and ii. seek redress if the individual reasonably believes that the individual’s Personal Data has been Processed in violation of this Policy”.
The Privacy Policy expressly addresses two options for living individuals, whose personal data is processed by the World Bank:
(1) to receive information about their personal data processed by the Bank (“Request”, “Request for Information” or “Request Mechanism”); and
(2) to seek redress in case of a reasonable suspicion that their personal data is or has been processed in violation of the Privacy Policy (“Review” or “Review Mechanism”).
The Request Mechanism and Review Mechanism are established through the Bank Directive Personal Data Privacy Request and Review Mechanisms. The Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures set out requirements to conduct these proceedings.
Individuals may submit a request to the World Bank to receive information about their personal data processed by the Bank.
Scope and limitations of the Request for Information process are set out in the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
To submit a Request for Information, please .
ŷbƬ’s Review Mechanism allows individuals to seek redress if they reasonably believe that their personal data has been processed by the World Bank in violation of the World Bank Group Policy on Personal Data Privacy. It is regulated by the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
The Review Mechanism consists of two tiers:
(1) A first internal administrative review is conducted by the Chief Data Privacy Officer who acts as the First Tier Reviewer.
To submit a Call for Review to the First Tier Reviewer, please click here .
(2) The second-tier review is conducted:
(a) By the according to its Statute, for individuals who have standing before it.
(b) By an external, independent panel, the External Privacy Review Panel, for all other individuals.
.
ŷbƬ’s External Privacy Review Panel (EPRP), a panel composed of three members, is an independent second-tier reviewer for complaints brought by individuals who do not have standing before the World Bank Administrative Tribunal and who suspect a violation of the World Bank Group Privacy Policy by the World Bank in relation to their personal data. The EPRP considers such cases de novo after an internal administrative first tier review by the World Bank’s Chief Data Privacy Officer. For that purpose, it conducts written proceedings and may hold oral proceedings if necessary. The EPRP is assisted by a secretariat.
The External Privacy Review Panel was established by the World Bank Directive Personal Data Privacy Request and Review Mechanisms. Its activities are regulated by the Bank Directive Personal Data Privacy: External Privacy Review Panel which also includes a code of conduct for its members. EPRP meets in session twice a year for a period of up to one week to deliberate and make determinations on the Calls for Review before it.
Members of the EPRP are appointed by the World Bank Group President for a three-year term which may be renewed once for an additional three years.
The EPRP is chaired by an expert on privacy and data protection in a public sector entity and has two additional members who are familiar with the World Bank, one of them through first-hand experience.
Ryan Calo, a US national, has been appointed as Chair of the three-member External Privacy Review Panel. Mr. Calo is an internationally recognized privacy law scholar and has been a professor of law and adjunct professor of computer and information science at the University of Washington since 2012. He was previously a director of privacy research for a Stanford University center and a privacy attorney at a Washington, DC based law firm. Mr. Calo advises various privacy organizations, including the Future of Privacy Forum, and has testified before different legislatures on privacy and other aspects of emerging technologies.
Dr. Nathalie Moreno, a Franco-British national, has been appointed as Member of the External Privacy Review Panel. Ms. Moreno is a highly regarded international data protection & cybersecurity lawyer with a broad-based international practice and sectoral knowledge. Ms. Moreno has been a Partner for Data Protection & Cybersecurity at Addleshaw Goddard, LLP, in London since 2020. Ms. Moreno previously was partner in different Washington DC, Paris and London based international law firms and also served as a legal consultant at the European Commission in Brussels and at the World Bank in Washington DC, in the first part of her legal career.
Ximena Puente de la Mora, a Mexican national, has been appointed as Member of the External Privacy Review Panel. Ms. Puente de la Mora is an expert in privacy, transparency, AI, information technologies and human rights. Ms. Puente de la Mora previously served as a federal deputy of Mexico's 64th legislature and was the first President Commissioner of the National Institute of Transparency, Access to Information and Personal Data Protection of Mexico from 2014 to 2017, an autonomous constitutional body. She also held roles as the President of the Ibero-American Data Protection Network and President of the Mexican National Transparency System. With over 20 years of expertise in data protection and privacy, dating back to her PhD dissertation, Ms. Puente de la Mora is connected to the World Bank through her involvement with the Global Partnership for Social Accountability. 