WHO Personal Data Protection Policy

The World Health Organization’s Personal Data Protection Policy entered into force on 15th April 2024. It marks WHO’s commitment to protect Personal Data held by WHO to continue upholding the trust of Member States and collaborating partners. 

The collection, analysis, publication and dissemination of health-related data are core elements of WHO’s mandate, in line with WHO data principles. WHO must transfer and receive personal data to and from third parties in its daily operations in pursuit of this mandate.  

The policy outlines the rules and principles relating to the processing of Personal Data held by WHO. The rights of the data subjects are outlined in the policy with clear mechanisms to manage possible data breaches, underscoring the roles and responsibilities of WHO’s Data Protection and Privacy Officer.  

This Policy should be read in conjunction with other existing internal policies of WHO outlined in the data section of WHO’s eManual, notably: 

I)Policy on Use and Sharing of Data Collected in Member States by WHO Outside the Context of Public Health Emergencies,  

II) Policy statement on Data Sharing by WHO in the Context of Public Health Emergencies; 

III)Information Disclosure Policy  

IV) WHO’s policy on sharing and resuse of research data  

V) WHO Staff Regulations and Staff Rules and  

VI) WHO Code of Ethics and Professional Conduct.