As data becomes more important to fulfill the World Bank Group’s Twin Goals of alleviating extreme poverty and promoting shared prosperity, so does the importance of responsibly collecting, using, and sharing data–including personal data. Recognizing this, the World Bank Group issued a Policy on Personal Data Privacy (the “Privacy Policy”) that governs the use of personal data by the World Bank Group institutions: the International Bank for Reconstruction and Development and the International Development Association (together the “World Bank”), the International Finance Corporation, the Multilateral Investment Guarantee Agency, and the International Centre for Settlement of Investment Disputes. The Privacy Policy signals to the world the World Bank Group’s leadership on the responsible use of personal data by international organizations.
Please click here to review the Privacy Policy.
Individuals have the ability, subject to limitations and conditions, to request information about their personal data and to seek redress if they reasonably believe their personal data has been used by the Bank in violation of the Privacy Policy.
Please access the Request and Review tab for more information.
The World Bank Data Privacy Office oversees the World Bank’s compliance with the Privacy Policy. The Data Privacy Office’s vision is to embed data privacy by design into the fabric of the Bank’s work around the world.
Section III (7) (b) of the World Bank Group Policy on Personal Data Privacy (the “Privacy Policy”) requires the Bank to “adopt mechanism(s) to . . . provide individuals with a method, subject to reasonable limitations and conditions, to: i. request information regarding the individual’s Personal Data Processed by [the Bank] ; and ii. seek redress if the individual reasonably believes that the individual’s Personal Data has been Processed in violation of this Policy”.
The Privacy Policy expressly addresses two options for living individuals, whose personal data is processed by the World Bank:
(1) to receive information about their personal data processed by the Bank (“Request”, “Request for Information” or “Request Mechanism”); and
(2) to seek redress in case of a reasonable suspicion that their personal data is or has been processed in violation of the Privacy Policy (“Review” or “Review Mechanism”).
The Request Mechanism and Review Mechanism are established through the Bank Directive Personal Data Privacy Request and Review Mechanisms. The Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures set out requirements to conduct these proceedings.
Individuals may submit a request to the World Bank to receive information about their personal data processed by the Bank.
Scope and limitations of the Request for Information process are set out in the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
To submit a Request for Information, please click here.
The World Bank’s Review Mechanism allows individuals to seek redress if they reasonably believe that their personal data has been processed by the World Bank in violation of the World Bank Group Policy on Personal Data Privacy. It is regulated by the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
The Review Mechanism consists of two tiers:
(1) A first internal administrative review is conducted by the Chief Data Privacy Officer who acts as the First Tier Reviewer.
To submit a Call for Review to the First Tier Reviewer, please click here click here.
(2) The second-tier review is conducted:
(a) By the World Bank Administrative Tribunal according to its Statute, for individuals who have standing before it.
(b) By an external, independent panel, the External Expert Reviewer, for all other individuals.
Bank Directive Personal Data Privacy Request and Review Mechanisms.
Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures
The World Bank’s External Expert Reviewer (EER), a panel composed of three members, is an independent second-tier reviewer for complaints brought by individuals who do not have standing before the World Bank Administrative Tribunal and who suspect a violation of the World Bank Group Privacy Policy by the World Bank in relation to their personal data. The EER considers such cases de novo after an internal administrative first tier review by the World Bank’s Chief Data Privacy Officer. For that purpose, it conducts written proceedings and may hold oral proceedings if necessary. The EER is assisted by a secretariat.
The External Expert Reviewer was established by the World Bank Directive Personal Data Privacy Request and Review Mechanisms. Its activities are regulated by the Bank Directive Personal Data Privacy: External Expert Reviewer which also includes a code of conduct for its members. EER meets in session twice a year for a period of up to one week to deliberate and make determinations on the Calls for Review before it.
Members of the EER are appointed by the World Bank Group President for a three-year term which may be renewed once for an additional three years.
The EER is chaired by an expert on privacy and data protection in a public sector entity and has two additional members who are familiar with the World Bank, one of them through first-hand experience.
Ryan Calo, a US national, has been appointed as Chair of the three-member External Expert Reviewer panel. Mr. Calo is an internationally recognized privacy law scholar and has been a professor of law and adjunct professor of computer and information science at the University of Washington since 2012. He was previously a director of privacy research for a Stanford University center and a privacy attorney at a Washington, DC based law firm. Mr. Calo advises various privacy organizations, including the Future of Privacy Forum, and has testified before different legislatures on privacy and other aspects of emerging technologies.
Dr. Nathalie Moreno, a Franco-British national, has been appointed as Member of the External Expert Reviewer. Ms. Moreno is a highly regarded international data protection & cybersecurity lawyer with a broad-based international practice and sectoral knowledge. Ms. Moreno has been a Partner for Data Protection & Cybersecurity at Addleshaw Goddard, LLP, in London since 2020. Ms. Moreno previously was partner in different Washington DC, Paris and London based international law firms and also served as a legal consultant at the European Commission in Brussels and at the World Bank in Washington DC, in the first part of her legal career.
Ximena Puente de la Mora, a Mexican national, has been appointed as Member of the External Expert Reviewer. Ms. Puente de la Mora is an expert in privacy, transparency, information technologies and human rights. Ms. Puente de la Mora is inter alia a former federal deputy of the 64th legislature of Mexico and was the first Commissioner President of the National Institute of Transparency, Access to Information and Personal Data Protection of Mexico from 2014 to 2017. She also served as the President of the Ibero-American Data Protection Network and as the President of the Mexican National Transparency System. The field of data protection and privacy issues has become one of her main areas of expertise ever since writing her PhD dissertation 18 years ago. Ms. Puente de la Mora’s familiarity with the World Bank includes her role as Member of the Board of Directors of the World Bank’s Global Partnership for Social Accountability 2017 – 2018.
Bank Directive Personal Data Privacy: External Expert Reviewer