Consultancy Title: Data Protection Consultant

Division/Duty Station: Chief Data Office in the division of Data, Analytics,  Planning, and Monitoring, NYHQ USA

Duration: 14 April 2025 – 15 October 2025

Home/ Office Based: Remote

 

About UNICEF

If you are a committed, creative professional and are passionate about making a lasting difference for children, the world's leading children's rights organization would like to hear from you. For 70 years, UNICEF has been working on the ground in 190 countries and territories to promote children's survival, protection and development. The world's largest provider of vaccines for developing countries, UNICEF supports child health and nutrition, good water and sanitation, quality basic education for all boys and girls, and the protection of children from violence, exploitation, and AIDS. UNICEF is funded entirely by the voluntary contributions of individuals, businesses, foundations and governments. UNICEF has over 12,000 staff in more than 145 countries.

 

BACKGROUND

Purpose of Activity/ Assignment:

UNICEF has issued a Policy for Personal Data Protection in 2020 (the “Policy”) which applies to any personal data processing by or on behalf of UNICEF. This involves the data of the children who UNICEF serves, its staff, its individual donors, and others. The goal of the policy is to ensure that UNICEF uses personal data in line with individual’s rights and freedoms and without exposing them to inappropriate risks. The Chief Data Office (CDO) is tasked to support offices and divisions with the implementation of the Policy. For that purpose, it is centrally developing a data protection programme, a set tools, guidance, central records and training/awareness measures, to enable the organization to process personal data in compliance with the Policy and in respect of individuals’ rights to privacy. In addition, it is committed to promoting the responsible use of other sensitive data for children in line with the “Responsible Data for Children” principles and toolkit. The Data Governance and Strategy unit (DGSU) in the CDO creates and supports implementation of safeguards to minimize risks and potential harms to children, UNICEF staff, beneficiaries, and donors associated with data and digital technology, ensuring a responsible and safe digital and data transformation. The DGSU implements robust governance of all forms of data at UNICEF, enabling the organization to leverage relevant data for better decision-making and outcomes for children. The DGSU supports country offices working with national partners in advancing data governance in national dialogue and policy making. In order to fully design and support the roll-out of the UNICEF data protection programme, including responsible standards for the handling of sensitive non-personal data, establishment of data retention guidance as well as elements of awareness, training, and data protection education, UNICEF CDO needs to hire a data protection and privacy expert with strong experience on the intersection of data protection, information security, and technology to support the DGSU team. the Data Protection and Privacy Specialist (Country Office Support) will supervise the consultancy assignment. 

Scope of Work:

This assignment will contribute to the following outcomes:  1. Facilitate the implementation of data protection impact assessments by divisions and offices.  2. Enable offices and divisions to conduct a data mapping in line with the policy and maintain a record of processing activities to track compliance and manage high risks. 3. Increase the transparency of UNICEF’s exposure to risks and the implementation status of the data protection programme.  4. In collaboration with Divisions, develop guidance and tools to improve UNICEF’s processes for privacy compliant collection, use, transfer and deletion of personal data. 5. In consultation with ICTD Information Security, develop guidance on data breach response. 6.  In collaboration with selected Divisions and Offices provide support to the implementation of ROPAs, completion of DPIAs and development of guidance and other documents related to the implementation of UNICEF Policy on Personal Data Protection

The consultant is expected to support the implementation of the Policy globally, with specific focus on the development of the tools, systems and guidance developed as part of the data protection programme by UNICEF CDO Data Governance and Strategy unit in consultation with ICTD Information Security and other Divisions and Offices as needed

Terms of Reference / Key Deliverables:

Work Assignment Overview/Deliverables and Outputs/Delivery deadline

Task 1 – Support the implementation of the Record of Processing Activities Work with Division of Global Communication and Advocacy, Partnerships and Fundraising, Division of People and Culture/GSSC and Data Analytics Planning and Monitoring to support them in the completion of their respective ROPAs

- Mapping out personal data processing activities in cooperation with DGCA, PFP, DPC/GSSC, and DAPM completion of respective ROPA based on the template developed by the DGSU team. - Review and provide feedback on the ROPAs developed by DGCA, PFP, DPC/GSSC and DPAM divisions to ensure accuracy and compliance with data protection standards

30 April 2025

Task 2 – Mapping of Standard Personal Data Processing Activities and development of ROPA Taxonomy Work with DGCA, PFP, DPC/GSSC and DAPM to identify standard personal data processing activities which are applicable to different units and divisions, including to Regional and Country Offices - Conduct a structured review in collaboration with DGCA, PFP, DPC/GSSC, and DAPM to identify standard personal data processing activities applicable across headquarters, regional, and country offices. - Develop a ROPA taxonomy that categorizes these activities based on key attributes (e.g., data subject type, processing purpose, legal basis, data retention).

- Pre-populate the ROPA template with the identified standard activities to streamline its completion across different offices and divisions. - Deliver a draft ROPA taxonomy document within ensuring it aligns with organizational data governance policies and regulatory requirements. - Conduct at least one review session with key stakeholders to validate and refine the taxonomy before finalization

15 May 2025

Task 3 – Develop a Strategy for Global Training and Awareness Campaign on Data Protection for UNICEF Personnel Work with Comms to develop a Strategy for Global Training and Awareness for Personnel 

- Draft a concept note in collaboration with Comms, outlining a Global Training Strategy and Awareness Campaign on data protection for all personnel.

- Include general data protection principles, sector-specific training (programmes, fundraising, advocacy),and targeted training for country office management. - Design an awareness campaign framework to ensure continuous staff engagement.

- Propose a phased implementation plan with key milestones and delivery methods.

- Submit a draft concept note for stakeholder review

15 June 2025 

Task 4 – Support Units and Divisions on the completion of DPIAs

- Facilitate the completion of Data Protection Impact Assessments (DPIAs) for three divisions/offices through an external vendor, covering: 1. A global complaint and feedback mechanism for UNICEF beneficiaries. 2. A communications, advocacy, and survey tool for children and youth. 3. A global multimedia platform for storing and managing content related to children.

- Review and provide feedback on DPIAs prepared by the external vendor, ensuring alignment with UNICEF’s data protection standards.

- Deliver consolidated comments and recommendations for each DPIA after submission by the vendor

15 July 2025

Task 5 – Design and implementation of DSARs in specific corporate divisions Work with DGCA, PFP, DPC and DAPM in the design and implementation of their internal processes to respond to data subjects’ requests

- Draft a workflow for the internal processes for handling data subject requests in collaboration with DGCA, PFP, DPC/GSSC, and DAPM.

- Develop global guidance aligned with the UNICEF data protection audit, including an exemplary process for managing data subject rights.

- Draft a guidance document for the establishment of data subject request mechanisms and logging systems within each division.

- Draft a guidance document regarding the integration of division-level logsinto a centralized log managed by DAPM/CDO

15 August 2025

Task 6 – Revise the UNICEF data retention procedure to include personal data retention

- Revised UNICEF Data Retention Procedure incorporating personal data, in collaboration with CDO, ICTD, and DFAM.

- Develop global guidance on determining retention periods for different personal data processing activities and data subjects.

- Deliver a marked-up revised version of the Data Retention Procedure and a draft global guidance document for review

30 August 2025

Task 7 – Support establishment of retention schedules for a few corporate units Work with DGCA, PFP, DPC/GSSC and DAPM in the definition of their retention schedules

- Determine retention periods for activities in cooperation with DGCA, PFP, DPC/GSSC, DAPM, and the beneficiary data team

- Develop a draft proposal for retention periods specifically for beneficiary data, aligned with the guidance from Task 6.

- Deliver the draft proposal for review, ensuring alignment with global data retention policies

30 September 2025

Task 8 – Draft the Privacy Notice for UNICEF Staff Work with DPC/GSSC on the development of their privacy notice

- Draft privacy notice for the processing of personal data of UNICEF staff in consultation with DPC/GSSC, covering various activities carried out by DPC/GSSC in compliance with data protection regulations

- Deliver the draft privacy notice for review, ensuring clarity and transparency on data processing practices.

15 October 2025

Qualifications

Education: 

• Masters degree in Data protection and privacy law, data science, computer science or other related field

Knowledge/Expertise/Skills required *:

• At least 7 years of working experience in privacy technology or personal data protection and privacy with a strong expertise in information security and technology in practice and training
•  Good understanding of national and international data protection laws, such as GDPR, and their technical implementation 
• Good understanding of privacy enhancing technology  
• Experience in conducting and guiding nontechnical staff on data protection impact assessments. 
• Good understanding of the challenges of artificial intelligence, big data and data protection and privacy and trends in reconciling them
• Experience in developing easily understandable guidance notes or contractual language on complex technical matters.
• Prior experience working with a multilateral or UN organization is desirable.
• Competent in advanced Excel, Word, data analytics and data visualization, including digital data flow.
• Native or near-native proficiency in English (oral and written) is required. Knowledge of another UN language is an asset.  
• Demonstrated strong writing and presentation skills. Strong analytical and interpersonal communication skills, attention to detail. 
• Ability to translate business needs into technical requirements and translate complex concepts in a simple manner for a non-technical audience is highly desirable. 
• Project management skills including task prioritization, workflow coordination, and resultsdriven strategies is desirable
• Excellent organizational skills and ability to prioritize and manage multiple tasks. 
• Strong writing and interpersonal communication skills

Requirements:

Completed profile in UNICEF's e-Recruitment system and

- Upload copy of academic credentials

- Financial proposal that will include/ reflect :

• • the costs per each deliverable and the total lump-sum for the whole assignment (in US$) to undertake the terms of reference.
  • travel costs and daily subsistence allowance, if internationally recruited or travel is required as per TOR.
  • Any other estimated costs: visa, health insurance, and living costs as applicable.
  • Indicate your availability

- Any emergent / unforeseen duty travel and related expenses will be covered by UNICEF.

- At the time the contract is awarded, the selected candidate must have in place current health insurance coverage.

- Payment of professional fees will be based on submission of agreed satisfactory deliverables. UNICEF reserves the right to withhold payment in case the deliverables submitted are not up to the required standard or in case of delays in submitting the deliverables on the part of the consultant.

U.S. Visa information:

With the exception of the US Citizens, G4 Visa and Green Card holders, should the selected candidate and his/her household members reside in the United States under a different visa, the consultant and his/her household members are required to change their visa status to G4, and the consultant’s household members (spouse) will require an Employment Authorization Card (EAD) to be able to work, even if he/she was authorized to work under the visa held prior to switching to G4.  

Only shortlisted candidates will be contacted and advance to the next stage of the selection process

For every Child, you demonstrate…

UNICEF’s core values of Commitment, Diversity and Integrity and core competencies in Communication, Working with People and Drive for Results. View our competency framework at: Here

UNICEF offers reasonable accommodation for consultants/individual contractors with disabilities. This may include, for example, accessible software, travel assistance for missions or personal attendants. We encourage you to disclose your disability during your application in case you need reasonable accommodation during the selection process and afterwards in your assignment. 

UNICEF has a zero-tolerance policy on conduct that is incompatible with the aims and objectives of the United Nations and UNICEF, including sexual exploitation and abuse, sexual harassment, abuse of authority and discrimination. UNICEF also adheres to strict child safeguarding principles. All selected candidates will be expected to adhere to these standards and principles and will therefore undergo rigorous reference and background checks. Background checks will include the verification of academic credential(s) and employment history. Selected candidates may be required to provide additional information to conduct a background check. 

Remarks:  

Individuals engaged under a consultancy will not be considered “staff members” under the Staff Regulations and Rules of the United Nations and UNICEF’s policies and procedures and will not be entitled to benefits provided therein (such as leave entitlements and medical insurance coverage). Their conditions of service will be governed by their contract and the General Conditions of Contracts for the Services of Consultants. Consultants are responsible for determining their tax liabilities and for the payment of any taxes and/or duties, in accordance with local or other applicable laws. 

The selected candidate is solely responsible to ensure that the visa (applicable) and health insurance required to perform the duties of the contract are valid for the entire period of the contract. Selected candidates are subject to confirmation of fully-vaccinated status against SARS-CoV-2 (Covid-19) with a World Health Organization (WHO)-endorsed vaccine, which must be met prior to taking up the assignment. It does not apply to consultants who will work remotely and are not expected to work on or visit UNICEF premises, programme delivery locations or directly interact with communities UNICEF works with, nor to travel to perform functions for UNICEF for the duration of their consultancy contracts.