Consultant - Privacy Impact Assessment for MEL Tech Suite - Remote

Monitoring & Evaluation Anywhere, United States



Mercy Corps is a leading global organization powered by the belief that a better world is possible. In disaster, in hardship, in more than 40 countries around the world, we partner to put bold solutions into action — helping people triumph over adversity and build stronger communities from within.

Mercy Corps has developed the MEL Tech Suite, a group of technologies chosen to ensure that programs can most effectively collect, store, analyze, visualize and use data for adaptive management. Technologies in the MEL Tech Suite have been vetted in terms of their reliability, interoperability, and security. In view of that, Mercy Corps needs a Privacy Impact Assessment (PIA) to go with each technology to ensure all technologies comply with all privacy standards and regulations. The selected technologies are Ona, R, STATA, MaxQDA, Atlas.ti, and QGIS.

Purpose / Project Description:

Mercy Corps will be collecting, storing, analyzing, and visualizing data that has Personally Identifiable and/or Sensitive Information (PII) using the aforementioned technologies. To ensure data integrity and protection, mitigate privacy risks, and comply with all data regulations, Mercy Corps requires a Privacy Impact Assessment to achieve the following objectives:

Consultant Objectives:

Conduct a Privacy Impact Assessment for each technology (Ona, R, STATA, MaxQDA, Atlas.ti, Tola, and QGIS) with the following focus:

  • Identify and assess all privacy risks associated with each technology, applying Mercy Corps’ PIA tools and guidance.
  • Assess risks associated with the collection, maintenance, and protection of Personally Identifiable Information for each technology.
  • Identify and evaluate the potential risks of a data breach for each technology.
  • Assess the potential effect of a data breach on Mercy Corps and programme participants for each technology.
  • Recommend appropriate privacy and security measures to mitigate unacceptable protection risks to data for each technology.
  • Review Mercy Corps processes, policies and procedures to ensure each technology complies with all data protection, security and safeguarding standards and relevant regulations (such as GDPR). To ensure understanding, a brief review of existing contracts or data sharing agreements may be necessary.
  • Conduct a data flow analysis for each technology.

Consultant Deliverables:

The Consultant will deliver the following:

  • Output: Comprehensive mapping of all privacy risks for each technology.
  • Output: Comprehensive impact analysis of a data breach for each technology.
  • Output: Actionable recommendations on mitigating privacy risks and ensuring regulatory compliance for each technology.
  • Output: Data flow report for each technology.
  • Output: A Privacy Impact Assessment report for each technology. It should comprehensively cover the following for each technology:
    • Technology Overview
    • Data Types, Sources and Use
    • Data Access and Sharing
    • Notice and Consent
    • Data Retention and Disposal
    • Data Security

Timeframe / Schedule: 

  • Become familiar with Mercy Corps PIA requirements, tools, and guidelines – (1 day)
  • Conduct PIA assessment for Ona, R, Stata, MAXQDA, Atlas.ti, QGIS, TolaData – (approximately 7 days)
  • Produce first draft of deliverables for review by Mercy Corps – (4 days)

The Consultant will report to:

Program Specialist  

The Consultant will work closely with:
The HQ, IT, MEL and Data Protection and Privacy teams

Required Experience & Skills:

  • Minimum of 5 years of experience with:
    • Data protection, privacy or responsible data activities, including experience with privacy impact assessment, data privacy/risk impact assessments, data sharing or processing agreements, data processing inventories, incident response, and creating operational guidance
    • Project management and business analysis
    • Large, diverse, geographically dispersed organizations. Experience with international development or humanitarian settings is strongly preferred.
  • Proven communication, presentation, and training skills, with experience conveying complex, nuanced information in a concise manner, for both in person and remote team members.
  • Strong working knowledge of international, regional, and national data protection, privacy and breach notification laws.
  • High-level familiarity with a broad range of data protection, privacy and compliance risk areas and mitigation strategies.
  • Experience using some of the technologies mentioned in the scope of work.
  • CIPP or similar certification is preferred.
  • Proficiency in English (required), French and Spanish (preferred).

Diversity, Equity & Inclusion
Achieving our mission begins with how we build our team and work together. Through our commitment to enriching our organization with people of different origins, beliefs, backgrounds, and ways of thinking, we are better able to leverage the collective power of our teams and solve the world’s most complex challenges. We strive for a culture of trust and respect, where everyone contributes their perspectives and authentic selves, reaches their potential as individuals and teams, and collaborates to do the best work of their lives. 

We recognize that diversity and inclusion is a journey, and we are committed to learning, listening and evolving to become more diverse, equitable and inclusive than we are today.

Equal Employment Opportunity
We are committed to providing an environment of respect and psychological safety where equal employment opportunities are available to all. We do not engage in or tolerate discrimination on the basis of race, color, gender identity, gender expression, religion, age, sexual orientation, national or ethnic origin, disability (including HIV/AIDS status), marital status, military veteran status or any other protected group in the locations where we work.

Safeguarding & Ethics
Mercy Corps team members are expected to support all efforts toward accountability, specifically to our stakeholders and to international standards guiding international relief and development work, while actively engaging communities as equal partners in the design, monitoring and evaluation of our field projects. Team members are expected to conduct themselves in a professional manner and respect local laws, customs and MC's policies, procedures, and values at all times and in all in-country venues.