Policy Statement
The policy applies to the use and sharing of data collected by WHO in, and/or provided to WHO by, Member States (see Annex), outside the context of public health emergencies. The policy allows, but places no obligation on, WHO or Member States to collect, anonymize, analyse or share other health data than those already being collected, anonymized, analysed and shared.
- Terms applicable to the provision of data to WHO by Member States (see Annex)
The text in the Annex hereto should be included in all data collection forms in all data collection tools (paper-based, electronic or other) used by WHO to collect data from Member States. By providing data to WHO pursuant to these terms, Member States confirm that the data (including but not limited to the types listed in Table 1) have been collected in accordance with applicable national laws, including data protection laws to protect the confidentiality of identifiable persons.
- Terms applicable to the use of the data by WHO (see Annex)
By providing data to WHO pursuant to the terms contained in the Annex hereto, Member States agree that WHO shall be entitled, subject always to measures to ensure the ethical and secure use of the data, and subject always to an appropriate acknowledgement of the country:
- to use and publish the data, stripped of any personal identifiers (such data without personal identifiers being hereinafter referred to as “the Data”) and make the Data available to any interested party on request on terms that allow non-commercial, not-for-profit use of the Data for public health purposes (provided always that publication of the Data shall remain under the control of WHO);
- to use, compile, aggregate and analyse the anonymized data and publish the results in conjunction with WHO’s work and in accordance with WHO’s policies and practices.
- Measures to ensure the ethical and secure use of data
Such measures are required to protect privacy and confidentiality and avoid stigmatization or exclusion of people or communities as a result of data collection. In cases where the compilation, analysis and sharing of aggregated data raise ethical concerns or present risks with regard to confidentiality, WHO will:
- use anonymization and other tools, as appropriate;
- comply with informed consent agreements where such consent is needed and respect assurances about ways in which the data (anonymized or otherwise) would be used, shared, stored or protected; and
- adopt appropriate security measures to foster public trust.
In addition, any platforms established to share data should have an explicit ethical framework governing data collection and use.
- Security of data at WHO
Information security at WHO is based on the ISO 27001 standard. WHO has formal and comprehensive information security policies with respective implementation guidelines. Policies cover information security, access to information and systems, cloud computing, application security, information classification and related security standards. As international civil servants, all WHO staff are required to adhere to confidentiality as detailed in Staff Regulation 1.6.
- Additional safeguards
As an additional safeguard to WHO, to Member States and to individuals, an independent data review committee will be established at WHO to consider, on a case-by-case basis and in consultation with relevant departments in WHO, any instances where the current policy provides inadequate guidance on data-sharing.
Practical Information
The policy was introduced on 1 January 2018 and will be monitored and evaluated over a 12-month transition period (at least one data collection cycle for technical programmes in WHO). Subsequent modifications may be made taking into account the views of technical departments at WHO (compiling and analysing data), Member States (providing data) or third parties (receiving data). The policy will not be applied retrospectively to data already provided by Member States to WHO, and/or which have already been shared by WHO with third parties.
The policy:
- covers the use and sharing of data only, not biological samples;
- excludes data shared in the context of public health emergencies, including officially declared public health emergencies of international concern (PHEICs) under the International Health Regulations (2005);
- excludes data and reports from clinical trials (1).
(1) WHO’s existing position is that:
(i) all clinical trials are to be prospectively registered in a clinical trial registry meeting international standards (http://www.who.int/ictrp); and
(ii) at a minimum, a summary of results from the clinical trial is to be made publicly available within 12 months of study completion (http://www.who.int/ictrp/results/reporting/en).