[ March 2021]
The Humanitarian Data Exchange (HDX) is an open data platform managed by the United Nations Office for the Coordination of Humanitarian Affairs (OCHA) through its Centre for Humanitarian Data (the Centre). These Terms of Service (hereafter ‘Terms’ or ‘these Terms’) describe how HDX is managed and how the platform should be used. OCHA will update these Terms as needed, and will post notice of significant updates on HDX and through the HDX mailing list.
HDX organizations and users are bound by these Terms. If you do not agree with the Terms, you should discontinue use of HDX. If you have any questions or comments about these Terms or HDX, please visit our Frequently Asked Questions or send an email to firstname.lastname@example.org
- User account. HDX is an open platform and anyone can use it without creating a user account. Signing up with HDX gives users access to additional features such as the ability to receive notifications about data; joining an organization as a member, editor or admin; and requesting access to datasets shared via HDX Connect, among other benefits.
- Organization account. Data can only be shared on HDX by approved organizations. Organizations can represent a formal legal entity such as a non-governmental organization, or an informal collective such as an Information Management Working Group. OCHA reviews requests to create an organization account to: (1) verify the identity of the requester and (2) determine whether the data that will be shared meets the requirements set out in the DATA SCOPE AND CRITERIA section below.
- You may delete your user or organization account at any time. When you delete your account, OCHA will delete any personal data we collected in order to create the account. When an organization account is deleted, the data shared by the organization is also deleted from HDX.
- There are three categories of humanitarian data which may be shared on HDX:
a. Data about the context in which a humanitarian crisis is occurring (e.g. administrative boundaries, locations of schools, health facilities and other physical infrastructure, and baseline socio-economic indicators).
b. Data about the people affected by the crisis and their needs (e.g. needs assessment data, movement data and locations of affected people).
c. Data about the response by organizations seeking to help those who need assistance (e.g. who-is-doing-what-where, community perception surveys, and funding levels).
- All data shared on HDX must meet the following criteria:
a. Public and private datasets may not contain any personal data. Aid worker contact details may be shared within a private dataset, if those aid workers have provided consent. Personal data is information, in any form, that relates to an identified or identifiable natural person.
b. Public and private datasets may not contain any sensitive non-personal data. This includes information which, while not relating to an identified or identifiable natural person, may, by reason of its sensitive context, put certain individuals or groups of individuals at risk of harm.
c. Data must have been collected in a fair and legitimate manner with a defined purpose and in line with principles of necessity and proportionality.
d. Data must be shared in a supported data format. HDX supports all common data formats and offers built-in preview support for CSV, TXT, XLS, and JSON formats. Map previews are possible from geographic data in zipped shapefile, KML and GeoJSON formats.
- Organizations should keep their data on HDX up-to-date in order to present the latest available information.
- There are three ways to share data on HDX:
a. Public: Data is accessible to anyone who visits HDX, whether or not they are a registered user.
b. Private: Data is accessible only to registered users who are members of the organization that uploaded the data on HDX.
c. HDX Connect: The metadata of a dataset is available and the contributing organization can decide whether or not to grant access to the full dataset when requested by a registered user.
- Organizations must specify an appropriate license for all data they share publicly. Organizations are free to choose the license for their data. We have suggested some options here.
- Organizations may use HDX to share data from other sources if the applicable license allows for onward sharing.
- After downloading a public dataset, users must follow the applicable license when using and sharing the data.
- Organizations may use the HDX Connect feature to direct users to data hosted outside of HDX. In such cases, organizations should link directly to the specific dataset described on HDX and not to a more general landing page of an external platform.
- When an organization grants access to data requested via HDX Connect, the data does not pass through the HDX infrastructure.
- In order to ensure data quality and to prevent any sensitive data from being exposed through HDX, OCHA reviews all datasets that are shared publicly or privately on the platform. This review consists of:
a. An automated scan for sensitive data using Google’s Data Loss Prevention (DLP) tool, to flag and prioritize data for manual review by OCHA.
b. A manual review based on a quality assurance checklist that includes the completeness of metadata, the relevance of the data to humanitarian action, the integrity of the data resources, and the absence of any sensitive data, among other criteria.
- If the manual review under 13(b) shows that a dataset contains personal or sensitive data, the dataset is placed ‘under review’. While data is under review, users will only be able to consult the metadata.
- For microdata such as household survey results, OCHA runs a disclosure risk assessment to assess the risk of a person or group being re-identified. All datasets labeled as ‘microdata’ by the contributing organization at the point of upload are automatically placed under review. The dataset will remain under review until OCHA is able to determine that the risk of re-identification is below the risk threshold and that any sensitive data has been removed from the dataset by the organization. More information about this process is available here.
- If a user notices personal or sensitive data shared through the HDX platform they should contact email@example.com immediately to request that the data be removed.
- HDX is built using CKAN, an open-source data management system.
- Data that is uploaded to HDX is stored by OCHA on servers provided by Amazon Web Services. Data is encrypted in transit and at rest. The servers are located in Virginia, the United States of America.
- All data uploaded to HDX is sent via Google’s DLP API for automated scanning for sensitive data using the DLP algorithm. Data is encrypted in transit and scanned through DLP’s content method on servers located in the European Union. Data is not retained by Google in this process.
- OCHA will never alter the values within datasets shared through HDX without prior permission from the contributing organization.
- Data shared privately through the HDX platform will never be shared further by OCHA without prior permission from the contributing organization.
- OCHA will make a dataset private if it is found to violate these Terms and will contact the contributing organization to discuss next steps.
- Deleted datasets cannot be retrieved by users, but will continue to exist in backups of the HDX database which are maintained for 30 days.
- Organizations are responsible for the data they share on HDX. OCHA assumes no liability whatsoever for data shared on HDX. While OCHA upholds a high standard for the quality and timeliness of the data shared on HDX, we cannot verify data accuracy. Sharing data through HDX does not imply the transfer of any rights over this data to OCHA. OCHA disclaims all warranties, whether express or implied.
- Data and information on HDX do not imply the expression or endorsement of any opinion on the part of OCHA or the United Nations. This includes opinions concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries.
- User contact details are only shared with the administrator of an HDX organization if the user requests access to an HDX Connect dataset.
- OCHA upholds the highest standard of data protection for the personal data of HDX users and organization administrators. In case such personal data is exposed, OCHA will notify all affected individuals and remedy the incident.
- If you would like to disable the tracking described above under clause 28, you can install the Google Analytics Opt-out Browser Add-on to disable Google Analytics tracking. Mixpanel respects “Do Not Track” settings in web browsers. Follow the instructions in this guide to prevent your browser from sending data to Mixpanel. The data collected by these tracking systems will be retained indefinitely in order to understand how user behavior is changing over time.
- Emails sent by OCHA to registered HDX users may contain web beacons, which allow OCHA to track information about how many people have viewed its email campaigns. OCHA will never share personal data from this tracking with third parties other than with MailChimp, our mailing list provider, which has access by default. The data collected by this tracking system will be retained indefinitely in order to understand how readership of the emails is changing over time.
- OCHA is mandated by United Nations General Assembly Resolution 46/182 and guided by the Humanitarian Principles. OCHA is governed by the applicable guidance and policies established by the United Nations General Assembly and the United Nations Secretariat. Notably, personal data is processed according to the 1990 Guidelines for the Regulation of Computerized Data Files and in line with the UN Principles on Personal Data Protection and Privacy.