The Legal Department
The Legal Department is responsible for managing the day-to-day legal affairs of Mercy Corps and its various functions. This includes overseeing provision of legal services to Mercy Corps and its affiliates and, supporting field and global operations and programs and providing document review and guidance for various agreements. The Legal Department maintains a variety of templates for internal use such as contracts for services, MoUs, and data privacy agreements.
The Data Protection & Privacy Team (DPP)
The Mission of the Data Protection and Privacy team (DPP) is to build capacity for implementing responsible data practices regarding personal data throughout Mercy Corps while safeguarding, protecting, and “doing no harm.” DPP supports stakeholders with a range of data protection best practices and regulations worldwide.
Purpose / Project Description:
Mercy Corps’ programs collect and share a wide range of data, including personally identifiable and demographically identifiable information. Programs have a range of measures in place for data management and protection that adhere to industry best practice, donor and Mercy Corps requirements. However, standard data sharing agreement templates and clauses are needed to operationalize the agency’s Responsible Data Policy to enable quick, standard and efficient deployment among programs and partners.
Mercy Corps regularly enters into data processing agreements with vendors and contractors and data sharing agreements with sub-grantees, consortia groups, and other partners. Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved in sharing to be clear about their roles and responsibilities. They provide a coordination mechanism to support data-sharing between agencies, ministries, universities, non-governmental organizations (NGOs), private interests, and other stakeholders, and ensure that appropriate data-sharing protocols and security are in place.
The consultant will develop global data sharing and data processing agreement templates and clauses, as well as accompanying guidance for use by different Mercy Corps programs, business units and in a variety of circumstances and countries (e.g. controller processor, joint controllers, etc.). Such agreement templates and clauses are expected to be tailored to common scenarios. When Mercy Corps templates cannot be used, detailed guidance for review of third party data sharing and processing agreements and clauses needs to be provided to Mercy Corps team members.
Consultant Deliverables:
-
Conduct a data sharing and data processing agreement assessment. The consultant will review the library of existing relevant materials, speak with stakeholders, use comparative and peer data, and other resources as appropriate to assess Mercy Corps needs and priorities and define Mercy Corps priorities for data sharing agreements and clauses templates.
-
Draft data sharing and data processing agreement templates for use in priority areas. Specific types of templates will be fleshed out in the needs assessment, but should include, without limitation (1) joint controller agreement for use in consortia; (2) data processing agreement; (3) data sharing agreement; and others as appropriate.
-
Review select existing data sharing agreements and consult on any needed adjustments.
-
Develop a catalogue of data sharing clauses for incorporation in other agreements and memoranda of understanding, where standalone data sharing agreements are not used.
-
Develop guidelines to be used by Mercy Corps staff when reviewing third-party data sharing and data processing agreements and clauses.
-
Develop guidance and/or standard procedures for use of the templates for agreements and clauses.
-
Drawing upon the above, the consultant will summarize methodology, findings, recommendations deliverables that were produced, and gaps that remain to be addressed in a final presentation to stakeholders.
The Consultant will report to:
General Counsel and Associate General Counsel
The Consultant will work closely with:
Primarily the DPP jurist, as well as other staff of both the Legal Department and DPP team. Will liaise with the Data Protection Officer for European offices.
Timeframe / Schedule:
3 months
Required Experience & Skills:
Minimum of 7 years of experience with:
-
Data protection, privacy or responsible data activities, including experience with data privacy/risk impact assessments, data sharing and data processing agreements, data processing inventories, and creating operational guidance in a global organization;
-
Strong working knowledge of, and experience with, international, regional, and national relevant data protection legislation, including GDPR, privacy, and breach notification laws, and interaction of multiple jurisdictional requirements;
-
Project management and business analysis skills;
-
Experience with large, diverse, geographically dispersed organizations. Demonstratable experience working with the non-profit/charity sector is required; preference for prior experience with humanitarian organizations or international non-governmental organizations.
-
Proven communication, presentation, and training skills, with experience conveying complex, nuanced information in a concise manner, for both in person and remote team members.
-
High-level familiarity with a broad range of data protection, privacy and compliance risk areas and mitigation strategies
-
Excellent drafting skills, and fluency in English. A writing sample may be requested.
Success Factors
The ideal candidate will have a nuanced understanding of interconnected issues of policy and data protection regulations as well as a demonstrated experience drafting, negotiating and managing data sharing and data processing agreements particularly in a multi-jurisdictional setting. The candidate will have significant experience drafting templates and translating complex legal concepts into easy-to-understand guidance. The candidate must be familiar with the technical aspects of data transfers and must be able to effectively provide technical expertise to advance project objectives.
Diversity, Equity & Inclusion
Achieving our mission begins with how we build our team and work together. Through our commitment to enriching our organization with people of different origins, beliefs, backgrounds, and ways of thinking, we are better able to leverage the collective power of our teams and solve the world’s most complex challenges. We strive for a culture of trust and respect, where everyone contributes their perspectives and authentic selves, reaches their potential as individuals and teams, and collaborates to do the best work of their lives.
We recognize that diversity and inclusion is a journey, and we are committed to learning, listening and evolving to become more diverse, equitable and inclusive than we are today.
Equal Employment Opportunity
We are committed to providing an environment of respect and psychological safety where equal employment opportunities are available to all. We do not engage in or tolerate discrimination on the basis of race, color, gender identity, gender expression, religion, age, sexual orientation, national or ethnic origin, disability (including HIV/AIDS status), marital status, military veteran status or any other protected group in the locations where we work.
Safeguarding & Ethics
Mercy Corps team members are expected to support all efforts toward accountability, specifically to our stakeholders and to international standards guiding international relief and development work, while actively engaging communities as equal partners in the design, monitoring and evaluation of our field projects. Team members are expected to conduct themselves in a professional manner and respect local laws, customs and MC’s policies, procedures, and values at all times and in all in-country venues.