TERMS OF REFERENCE FOR RISK CONSULTANT
Purpose of assignment
The purpose of this assignment is to understand the risks of sharing biometric data, which is categorised as “sensitive category data”, with our partners.
Simprints is a nonprofit technology4development company based out of Cambridge, UK. Our mission is to transform the way the world fights poverty. Simprints builds technology to radically increase transparency and effectiveness in global development, making sure that every vaccine, every dollar, every public good reaches the people who need them most. Over the past 4 years, we have worked with partners (our customers, in the traditional sense) like BRAC, Mercy Corps, and Concern Worldwide to implement our identification solution across projects in 12 countries. We are supported by funders like the Global Innovation Fund, Children’s Investment Fund Foundation, Gates Foundation, UKAID, DRK Foundation, ARM, and Autodesk. We are contracted to deliver accurate ID to 10m beneficiaries by 2022.
Simprints is deeply committed to upholding the highest privacy and data security standards. To date, our policy has been to act as “data controllers” for the biometric data we collect and there has been little need to share biometric data with our partners. As we scale, and as our work involves closer collaboration with governments, there is greater demand on Simprints to act as a “data processor.” We are intent on offering interoperability with other biometric systems to avoid vendor lock-in and to ensure long-term sustainability, and are looking for a consultant to help us evaluate the risks of sharing biometric data with our partners.
Scope of work
We are looking for an experienced consultant to conduct a social and political risk analysis of one or more countries where we may collect and share biometric data of their citizens with government agencies. Most likely, this analysis will be limited to one country, with the opportunity to take on additional assignments in the future. The due diligence analysis should focus on social and political risks that might lead to biometric data being breached and/or misused. The consultant will be reporting to the Director of Operations and supported by Simprints’ Executive Coordinator where needed.
- Gather information internally
- Speak with Simprints’ Director of Privacy and Data Security, Chief Technology Officer and/or Chief Product Officer, and Director of Operations to understand our data processing activities, data flows, and relationships with partners.
- Synthesize data on social and political stability in the country.
- Compile relevant policies, frameworks, and laws pertaining to privacy and data protection.
- Examine the current use of biometrics by the government and other key actors in the country.
- Document how personally identifiable information (PII) is currently used by and shared between government agencies.
- Note if any privacy or data breaches have occurred in the country, and the consequences of those breaches.
- Create a risk matrix describing the different risks along with the likelihood and severity of each risk.
- Design a risk management strategy to mitigate the identified risks, using insights from other countries and tech4dev / global development organisations.
The deliverables are (1) a detailed risk assessment report and (2) a presentation to the leadership team.
- ToR release: 21 Oct 2019
- Application deadline: 18 Nov
- Decision by: 20 Nov 2019
- Start date: late Nov (25-27th of November)
- Time frame: 15 working days
- End date: mid Dec (16-18th of December)
Place of work and expectations
The consultant can choose to work from our office in Cambridge, UK, or work remotely. The Executive Coordinator will organise calls/meetings with key internal stakeholders on the first few days to gather information and context. The consultant is required to have weekly check-ins with the Director of Operations to share updates throughout the assignment and to conduct a final presentation for the leadership team between 16-18 Dec 2019.
- Exceptional research, analysis, and problem-solving skills
- Minimum 5 years of experience in political risk, risk management, and/or risk consulting
- Thorough understanding of data ethics and GDPR
- Prior experience in global development a plus
- Ability to work collaboratively in a team environment with stakeholders at all levels of the team
- Ability to communicate complex ideas effectively, both verbally and in writing, in English
How to apply
Please upload your CV, daily rate, 2 references (employers or clients), and a one-page outline of your approach for taking on this role here.