As data becomes more important to fulfill the World Bank Group’s Twin Goals of alleviating extreme poverty and promoting shared prosperity, so does the importance of responsibly collecting, using, and sharing data–including personal data. Recognizing this, the World Bank Group issued a Policy on Personal Data Privacy (the “Privacy Policy”) that governs the use of personal data by the World Bank Group institutions: the International Bank for Reconstruction and Development and the International Development Association (together the “World Bank”), the International Finance Corporation, the Multilateral Investment Guarantee Agency, and the International Centre for Settlement of Investment Disputes. The Privacy Policy signals to the world the World Bank Group’s leadership on the responsible use of personal data by international organizations.
Please click here to review the .
Individuals have the ability, subject to limitations and conditions, to request information about their personal data and to seek redress if they reasonably believe their personal data has been used by the Bank in violation of the Privacy Policy.
Please access the Request and Review tab for more information.
ŷbƬ Data Privacy Office oversees the World Bank’s compliance with the Privacy Policy. The Data Privacy Office’s vision is to embed data privacy by design into the fabric of the Bank’s work around the world.
Section III (7) (b) of the World Bank Group Policy on Personal Data Privacy (the “Privacy Policy”) requires the Bank to “adopt mechanism(s) to . . . provide individuals with a method, subject to reasonable limitations and conditions, to: i. request information regarding the individual’s Personal Data Processed by [the Bank] ; and ii. seek redress if the individual reasonably believes that the individual’s Personal Data has been Processed in violation of this Policy”.
The Privacy Policy expressly addresses two options for living individuals, whose personal data is processed by the World Bank:
(1) to receive information about their personal data processed by the Bank (“Request”, “Request for Information” or “Request Mechanism”); and
(2) to seek redress in case of a reasonable suspicion that their personal data is or has been processed in violation of the Privacy Policy (“Review” or “Review Mechanism”).
The Request Mechanism and Review Mechanism are established through the Bank Directive Personal Data Privacy Request and Review Mechanisms. The Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures set out requirements to conduct these proceedings.
Individuals may submit a request to the World Bank to receive information about their personal data processed by the Bank.
Scope and limitations of the Request for Information process are set out in the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
To submit a Request for Information, please .
ŷbƬ’s Review Mechanism allows individuals to seek redress if they reasonably believe that their personal data has been processed by the World Bank in violation of the World Bank Group Policy on Personal Data Privacy. It is regulated by the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
The Review Mechanism consists of two tiers:
(1) A first internal administrative review is conducted by the Chief Data Privacy Officer who acts as the First Tier Reviewer.
To submit a Call for Review to the First Tier Reviewer, please click here .
(2) The second-tier review is conducted:
(a) By the according to its Statute, for individuals who have standing before it.
(b) By an external, independent panel, the External Expert Reviewer, for all other individuals.
.
ŷbƬ’s External Expert Reviewer (EER), a panel composed of three members, is an independent second-tier reviewer for complaints brought by individuals who do not have standing before the World Bank Administrative Tribunal and who suspect a violation of the World Bank Group Privacy Policy by the World Bank in relation to their personal data. The EER considers such cases de novo after an internal administrative first tier review by the World Bank’s Chief Data Privacy Officer. For that purpose, it conducts written proceedings and may hold oral proceedings if necessary. The EER is assisted by a secretariat.
The External Expert Reviewer was established by the World Bank Directive Personal Data Privacy Request and Review Mechanisms. Its activities are regulated by the Bank Directive Personal Data Privacy: External Expert Reviewer which also includes a code of conduct for its members. EER meets in session twice a year for a period of up to one week to deliberate and make determinations on the Calls for Review before it.
Members of the EER are appointed by the World Bank Group President for a three-year term which may be renewed once for an additional three years.
The EER is chaired by an expert on privacy and data protection in a public sector entity and has two additional members who are familiar with the World Bank, one of them through first-hand experience.