Software Data Protection and Security Assessment At Handicap International – Humanity & Inclusion

1. Introduction and Background Information

1.1. Humanity and Inclusion

Humanity and Inclusion (HI) – previously known as Handicap International – is an independent and impartial aid organisation working in situations of poverty and exclusion, conflict and disaster. We work alongside people with disabilities and vulnerable populations, taking action and bearing witness in order to respond to their essential needs, improve their living conditions and promote respect for their dignity and fundamental rights. HI works in more than 60 countries around the world.

1.2. Physical and functional rehabilitation

For 40 years, HI has been providing rehabilitation services to help people with disabilities, injuries, trauma or other health conditions reach and maintain a maximum level of functioning. Our rehabilitation experts implement and promote an inclusive and comprehensive approach, ensuring the entire rehabilitation process is adapted to each person’s needs and specific context. Our activities take into account the personal and contextual resources and barriers to accessing and benefiting from rehabilitation and related services, paying specific attention to the role of caregivers and communities in the rehabilitation process. Since 2016, HI has been researching and testing the use of emerging technologies in ortho-prosthetic fitting, remote service provision and online training, particularly for low- and middle-income countries and complex situations. Based on our findings, we are working on improving access to rehabilitation services through an innovative service delivery model that combines the existing delivery setup in a given context with the use of digital technologies and 3D printing. In underserved areas, the provision of services can be supported by HI remotely and implemented by local partners. As a result, HI has developed an open source, multidisciplinary telerehabilitation software.

1.3. Telerehabilitation

Telerehabilitation can be defined as the use of information and communication technologies (ICT) to provide rehabilitation or assistive technology services to people remotely in their home or other environments. Recent evidence suggests that telerehabilitation can be as effective as face-to-face therapy in treating specific pathologies. Telerehabilitation can improve access to rehabilitation services, reduce health care costs and facilitate continuity of care. Telerehabilitation complements traditional approaches to rehabilitation service provision. The optimal use and deployment of telerehabilitation faces human, technological and organizational barriers. HI is running several telerehabilitation projects involving the use of software and the associated exchange, storage, use and acquisition of patients’ personal data with and between service providers.

1.4. OpenTeleRehab

OpenTeleRehab connects rehabilitation professionals with service users to improve access to rehabilitation services and contribute to universal health coverage by facilitating discharge, transition of care and follow-up. The software allows its users to access tailor-made rehabilitation treatment plans adapted to a variety of conditions. It enables rehabilitation professionals to provide continued support and follow-up via chat or video communication, including plan adherence and goal achievement tracking.

OpenTeleRehab is made of 4 different platforms:
– Admin web portal: to manage content, system settings and decentralized user management.
– Therapist web portal: to manage patient accounts, design treatment plans, set up appointments, and exchange with patients.
– Patient mobile app: to access treatment plans on- and off-line, provide feedback, request appointments and exchange with the therapist via chat, audio or video communication.
– Open access library web portal: allowing the rehabilitation community and peers to access and contribute to a global telerehabilitation clinical library.

1.5. Security and Privacy

Following the Principles for Digital Development, addressing privacy and security in digital development involves careful consideration of which data are collected and how data are acquired, used, stored and shared. Organizations must take measures to minimize collection and to protect confidential information and identities of individuals represented in data sets from unauthorized access and manipulation by third parties. Responsible practices for organizations collecting and using individual data include considering the sensitivities around the data they have collected, being transparent about how data will be collected and used, minimizing the amount of personally identifiable and sensitive information collected, creating and implementing security policies that protect data and uphold individuals’ privacy and dignity, and creating an end-of-life policy for post-project data management.

HI seeks to run an external data protection and security assessment of the system and processes, and to achieve strict compliance with the General Data Protection Regulation.

2. Assignment

2.1. Assignment Objectives

The consultant(s) will be in charge of running an in-depth security and data protection assessment of OpenTeleRehab and the associated exchange, storage, use and acquisition of patients’ personal data. The consultant will be responsible for providing cost-effective, practical recommendations aligned with local and international standards and contexts and data protection principles.

2.2. Modalities

The consultant(s) will:

– Conduct a Data Protection Compliance Assessment, including a practical roadmap to comply with local and international (GDPR) rules and regulations about data protection. The assessment should include a practical roadmap to comply with relevant regulations and the consequences of noncompliance (e.g., fines or sanctions).

– Conduct a Data Protection Impact Assessment to make a connection between the data protection principles and the data processing carried out, and identify data protection and security related risks to facilitate the implementation of effective technical measures to protect personal data.

– Develop a Risk Management Plan outlining the countermeasures needed to address high-priority threats from the Data Protection Impact Assessment. This plan should describe the mechanisms that will be put in place to ensure data protection through the data management cycle and to comply with the data protection principles. The Risk Management Plan should include a practical roadmap to mitigate identified risks and prioritize the threats or vulnerabilities, considering damage potential, number of affected users, exploitability and reputational risk.

– Run a security assessment of the software following international standards. For each system vulnerability identified, provide a practical roadmap to increase security at the software level under a cost-effective, open source model.

2.3. Deliverables

– Data Protection Compliance Assessment and roadmap
– Data Protection Impact Assessment
– Risk Management Plan
– Security assessment and roadmap for OpenTeleRehab

2.4. Consultant and HI’s Responsibilities

The consultant (group):
– Identifies and proposes methodologies to provide aforementioned deliverables
– Provides aforementioned deliverables and presents them to HI technical team

HI:
– Validates deliverables
– Provides necessary documents or information

2.5. Additional information

– Expected duration: flexible duration with deliverables to be submitted no later than 1st October 2022.
– Expected budget: flexible budget based on methodology and quality of proposal.
– Details of consultancy to be discussed and refined with consultant(s).

How to apply

Proposals should be submitted to Martin JACOBS (m.jacobs@hi.org) before 19th June 2022.

Email subject: “Consultancy #01062022 [Name]”

Proposals should include:
– Methodology
– Budget, including daily rate
– Timeline
– Consultant(s) CV(s)
