Mercy Corps regularly enters into data processing agreements with vendors and contractors and data sharing agreements with sub-grantees, consortia groups, and other partners. Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved in sharing to be clear about their roles and responsibilities. They provide a coordination mechanism to support data-sharing between agencies, ministries, universities, non-governmental organizations (NGOs), private interests, and other stakeholders, and ensure that appropriate data-sharing protocols and security are in place.
The Consultant will develop global data sharing and data processing agreement templates and clauses, as well as accompanying guidance for use by different Mercy Corps programs, business units and in a variety of circumstances and countries (e.g. controller processor, joint controllers, etc.). Such agreement templates and clauses are expected to be tailored to common scenarios. When Mercy Corps templates cannot be used, detailed guidance for review of third-party data sharing and processing agreements and clauses needs to be provided to Mercy Corps team members.
Detailed Position Description:
Mercy Corps is a leading global organization powered by the belief that a better world is possible. In disaster, in hardship, in more than 40 countries around the world, we partner to put bold solutions into action — helping people triumph over adversity and build stronger communities from within.
The position's timeframe is 3 months, it will report to General Counsel and Associate General Counsel. The Consultant will work closely with Primarily the DPP jurist, as well as other staff of both the Legal Department and DPP team. Will liaise with the Data Protection Officer for European offices.
The Legal Department:
The Legal Department is responsible for managing the day-to-day legal affairs of Mercy Corps and its various functions. This includes overseeing provision of legal services to Mercy Corps and its affiliates and, supporting field and global operations and programs and providing document review and guidance for various agreements. The Legal Department maintains a variety of templates for internal use such as contracts for services, MoUs, and data privacy agreements.
The Data Protection & Privacy Team (DPP):
The Mission of the Data Protection and Privacy team (DPP) is to build capacity for implementing responsible data practices regarding personal data throughout Mercy Corps while safeguarding, protecting, and “doing no harm.” DPP supports stakeholders with a range of data protection best practices and regulations worldwide.
Purpose / Project Description:
Mercy Corps’ programs collect and share a wide range of data, including personally identifiable and demographically identifiable information. Programs have a range of measures in place for data management and protection that adhere to industry best practice, donor and Mercy Corps requirements. However, standard data sharing agreement templates and clauses are needed to operationalize the agency’s Responsible Data Policy to enable quick, standard and efficient deployment among programs and partners.
Mercy Corps regularly enters into data processing agreements with vendors and contractors and data sharing agreements with sub-grantees, consortia groups, and other partners. Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved in sharing to be clear about their roles and responsibilities. They provide a coordination mechanism to support data-sharing between agencies, ministries, universities, non-governmental organizations (NGOs), private interests, and other stakeholders, and ensure that appropriate data-sharing protocols and security are in place.
The Consultant will develop global data sharing and data processing agreement templates and clauses, as well as accompanying guidance for use by different Mercy Corps programs, business units and in a variety of circumstances and countries (e.g. controller processor, joint controllers, etc.). Such agreement templates and clauses are expected to be tailored to common scenarios. When Mercy Corps templates cannot be used, detailed guidance for review of third party data sharing and processing agreements and clauses needs to be provided to Mercy Corps team members.
Consultant Deliverables:
- Conduct a data sharing and data processing agreement assessment. The consultant will review the library of existing relevant materials, speak with stakeholders, use comparative and peer data, and other resources as appropriate to assess Mercy Corps needs and priorities and define Mercy Corps priorities for data sharing agreements and clauses templates.
- Draft data sharing and data processing agreement templates for use in priority areas. Specific types of templates will be fleshed out in the needs assessment, but should include, without limitation (1) joint controller agreement for use in consortia; (2) data processing agreement; (3) data sharing agreement; and others as appropriate.
- Review select existing data sharing agreements and consult on any needed adjustments.
- Develop a catalogue of data sharing clauses for incorporation in other agreements and memoranda of understanding, where standalone data sharing agreements are not used.
- Develop guidelines to be used by Mercy Corps staff when reviewing third-party data sharing and data processing agreements and clauses.
- Develop guidance and/or standard procedures for use of the templates for agreements and clauses.
- Drawing upon the above, the consultant will summarize methodology, findings, recommendations deliverables that were produced, and gaps that remain to be addressed in a final presentation to stakeholders.
Qualifications: Minimum of 7 years of experience with:
- Data protection, privacy, or responsible data activities, including experience with data privacy/risk impact assessments, data sharing and data processing agreements, data processing inventories, and creating operational guidance in a global organization.
- Strong working knowledge of, and experience with, international, regional, and national relevant data protection legislation, including GDPR, privacy, and breach notification laws, and interaction of multiple jurisdictional requirements.
- Project management and business analysis
- Experience with large, diverse, geographically dispersed organizations. Demonstratable experience working with the non-profit/charity sector is required, preference for prior experience with humanitarian organizations or international non-governmental organizations.
- Proven communication, presentation, and training skills, with experience conveying complex, nuanced information in a concise manner, for both in person and remote team members.
- High-level familiarity with a broad range of data protection, privacy and compliance risk areas and mitigation strategies
- Excellent drafting skills, and fluency in English. A writing sample may be requested.
Success Factors:
The ideal candidate will have a nuanced understanding of interconnected issues of policy and data protection regulations as well as a demonstrated experience drafting, negotiating, and managing data sharing and data processing agreements particularly in a multi-jurisdictional setting. The candidate will have significant experience drafting templates and translating complex legal concepts into easy-to-understand guidance. The candidate must be familiar with the technical aspects of data transfers and must be able to effectively provide technical expertise to advance project objectives.
Application Submission Information:
Please see the detailed Position description and apply here: https://jobs.jobvite.com/careers/mercycorps/job/oDl2sfwc?__jvst=Employee&__jvsd=sIWUDgwW&__jvsc=Url&bid=n3bmwcwN