Terms of reference – Consultancy services
Integration of the Data Protection principles in CartONG's approaches
Founded in 2006, CartONG is a French non-governmental organization specialized in mapping and information management support for humanitarian and development organizations. Our core expertise is geographic information, but we have extended it over the years to other technologies (mobile data collection, information management, remote sensing, drones, participatory mapping, etc.)
We support international aid organizations, NGOs and public authorities by providing tools, services & trainings that allow them to better plan, implement and evaluate their programs, therefore improving the impact of humanitarian aid in favor of the most vulnerable. We focus on training local staff and collaborating with local communities, in order to provide projects that are sustainable and tailored to the needs and priorities of the people we are seeking to assist.
We work with local, national and international organizations, in particular NGOs specialized in disaster response and development as well as UN agencies (MSF, UNHCR, AFD, Terre des Hommes, ACF, etc. The complete list may be found here: http://www.cartong.org/our-partners). CartONG is a fast growing & dynamic organization, gathering 25+ international staffs and 50+ active volunteers.
A list of examples of projects is available here: http://cartong.org/sites/cartong/files/CartONG%20-%20Portfolio%202016.pdf
Like any NGO, CartONG is subject to compliance with the principles of data protection, and more specifically to compliance with the European General Data Protection Regulation (GDPR), which came into force in May 2018.
Given its field of activity, CartONG is particularly affected by this issue and wishes to upgrade on this subject both internally (tools, sharing of roles, procedures...) and in its relations with its partners (contractual terms, sharing of roles and responsibilities...) in order to remain a recognized stakeholder in the use of new technologies dedicated to humanitarian and development field. CartONG is moreover increasingly asked (by its partners) to manipulate sensitive personal data (medical/epidemiological data, household locations, distribution lists, etc.) or sometimes very sensitive data (location of non-state armed groups in civil war contexts, medical data with a high stigmatization risk such as HIV, etc.).
On the legal side, CartONG is facing different interpretations of the GDPR by the various legal departments of its partner NGOs. Furthermore, given its position as an organization providing services to other relief and development organizations (positioned as "Humanitarian to Humanitarian organization" https://www.h2hworks.org/), CartONG's legal status is complex (since it is similar to both a "data processor" and a "data controller" but also because of its work in partnership with a diversity of actors subject to various regulations: European but also Swiss, American organizations, UN agencies not subject to the GDPR, local country governments with their own regulations etc.).
The data protection area is also strongly affecting the organizational model of CartONG: it requires in particular a review of the roles and responsibilities of each team member and the appointment of a Data Protection Officer - DPO (and the definition of the corresponding functions).
Given the urgency of legal compliance with the GDPR, an internal data protection “working group” was set up within CartONG at the beginning of 2018. This working group made it possible to define a first internal action plan and to implement the most urgent activities. This working group also identified the need to get external support (considering the limited internal availability of specialized skills, mainly in terms of legal and data protection organizational impact) in order to implement directly some activities or review the ones drafted by the CartONG team.
Like the majority of NGOs, and despite its core expertise (data management), CartONG is currently facing challenges to be in full compliance with the GDPR. Despite the fact that good practices and reflexes exist within the team, a review of internal procedures, processes and policies, as well as the organization's relations with partners, is therefore necessary.
This consultancy aims at supporting CartONG:
More precisely the following results are expected at the end of the consultancy mission:
This consultancy mission will ONLY focus on operational data handled on behalf of partners. Administrative, HR and volunteer data that CartONG handles are out of scope of this consultancy mission and their data protection aspect will be managed directly by the CartONG team (CartONG does not have any specific needs on this point considering the similarity with all other French associations).
The change management component (training, etc.) won’t be the responsibility of the consultant(s) but of the internal CartONG team. The consultant(s) are only expected to implement the below mentioned activities and deliverables (chapter V).
The following activities are expected (the description below is a suggestion – the candidate might propose different or additional activities and will have in any case to detail its methodology in the technical offer):
All deliverables are expected to be produced in English (potential French translation will be the responsibility of CartONG):
1 – Assessment report of data protection situation within CartONG and list of detailed recommendations – max. 30 pages without annexes
2a* – Brief synthesis explaining the legal position of CartONG regarding its partners (on the data protection topic) – max. 5 pages without annexes
2b* – Detailed process and related tools or template (check list, list of conditions…) to follow when CartONG is requested to handle personal or sensitive information from its partners
2c* – Customized templates or proposed amendments in the documents used to contractualize the relations with partners (article to include or review in MoU / contracts, template of data sharing agreements…)
3a* – Brief proposition of integration of data protection responsibilities within the CartONG organizational chart (including detailed tasks and scope of a DPO for CartONG) – max. 5 pages without annexes
3b* – Customized templates or proposed amendments in the HR documents (code of conduct, IT charter, template of article to include in individual or consultants’ contracts…)
4 – Optional: 1 to 3 days of remote support
5 – Optional: Audit simulation report
6 – Conclusion report with remaining recommendations and debriefing
* The deliverables for (2) and (3) might be updated based on the conclusions of the assessment. Priorities will be agreed upon between CartONG and the consultant(s).
The consultant’s responsibilities will be to provide technical expertise, particularly on the legal and organizational aspects.
The "data protection" working group will be to in charge to ensure the overall follow-up of the consultancy by meeting at least twice a month during the consultancy period. It will be in charge of validating all the deliverables of the consultant(s) and to implement them during / at the end of the consultancy. The working group is composed of information management specialists, product owners, mapping/GIS technicians, developers and database administrators.
The complete management team (technical director & project managers) as well as the board of CartONG will also be involved throughout the project (especially at the debriefing) and can be interviewed by the consultant(s).
The working group lead and co-lead will however be the two main interlocutors of the consultants: Edmond Wach and Maeve de France, both of them being Information Management Project Managers and part of the CartONG management team.
The consultancy mission is expected to start around February 2019 (negotiable).
A presence in our HQ* is expected at least at the 3 following moments: introduction of CartONG and beginning of the assessment phase; restitution of the assessment and prioritization of deliverables 2 and 3; audit simulation and debriefing.
All other activities can be carried out remotely by the consultant(s) and it should be noted that CartONG already works very frequently in "remote" mode (between field deployments and the fact that a number of staff work remotely on a permanent basis).
* Our headquarters are based in Chambéry - a short train or bus ride away from Geneva and Lyon and their international airports.
The planned budget for this consultancy is roughly between 20 000 and 30 000 €.
This project is co-funded by the FRIO mechanism (Fonds de renforcement institutionnel et organisationnel) which is coordinated by Coordination Sud. For more information: https://www.coordinationsud.org/nos-appuis-aux-ong/dispositif-frio-renforcement-ong/
For this reason, a tripartite evaluation meeting (between the FRIO secretariat, CartONG and consultant) will have be planned at the end of the mission.
For this reason too and in accordance with its mandate CartONG commits to sharing with the humanitarian community the tools and other products co-developed with the consultant(s) that may be useful to other NGOs. The dissemination of the selected deliverables will be done at least through the CartONG blog, through a session at the next Francophone Information Management NGO community of practice and through the H2H platform.
Licenses for sharing the deliverables, the exact selection of the deliverables being publicly shared, as well as the associated potential visibility for the consultant team will have to be agreed upon before the beginning of the consultancy.
NB: For private companies applying to this consultancy service and if interested (this criteria won’t be part of the selection criteria) CartONG is open to partial or additional services as pro-bono (eventually under “mécénat de compétence” framework for French companies). Services offered as pro-bono will have to be clearly specified in the financial offer.
Individual consultants or organizations are expected to have:
If one consultant is not in a position to cover all expected areas, the offer can eventually be split into batches of deliverables. Considering the different areas that need to be covered, offers from organizations or companies able to mobilize more than one profile and/or grouping of individuals are however highly encouraged.
Interested individual, organization or company should submit:
Depending on the quality of the offers received, CartONG reserves itself the right to proceed to a pre-selection and to request additional information, as well as organizing Skype interviews with the pre-selected candidates.
Applications must be submitted by 10/01/2019 at 12pm (noon) GMT+1 by email at: email@example.com, with all requested documents attached as a zip.
For any question related to this consultancy, you can contact either Edmond Wach or Maeve de France at: firstname.lastname@example.org mentioning [Request for information - Data protection consultancy - Name] in your object.
Selection will be based on the quality of the methodology and understanding of the present ToRs, the experience of the candidate and the capacity to mobilize the required skills as well as price.
Feedback to all candidates will be provided at the latest on 10/02/2019.