MIGA Personal Data Review & Redress Mechanism
Introduction
This statement outlines how the Multilateral Investment Guarantee Agency (“MIGA”, “our”, “us” or “we”) allows individuals (“you” or “your”) to make requests with respect to personal data held by MIGA in accordance with principle seven of the World Bank Group Personal Data Privacy Policy (the “Privacy Policy”). The process described below applies to personal data collected by MIGA on or after February 1, 2021.
How to Submit a Request
Current staff may submit requests using the webform available here.
If you are not a current staff member of MIGA or another World Bank Group institution, you may submit a request using the webform available here.
How We Validate Requests
Upon receipt, requests are first evaluated by the MIGA Data Privacy Office (MIGA DPO). Our validation criteria provide that requests may be rejected in certain circumstances, including where:
(i) the identity of the requester cannot be authenticated;
(ii) the requester fails to provide sufficient information to allow MIGA to reasonably respond to the request;
(iii) the request is overly broad or excessive when balanced with the resource and cost implications of responding to the request;
(iv) the request is repetitive of a previous request submitted by, or behalf of, the same requester; or
(v) the request is clearly intended to circumvent reasonable document production restrictions under legal, administrative or similar proceedings.
If your request is rejected during the validation process, you will be given reasons and have the opportunity to request reconsideration by the MIGA DPO. If the MIGA DPO confirms a rejection decision, you will also have an opportunity to appeal. These opportunities are discussed in further detail below.
How We Process Requests – Search & Review
Once a request is validated, a search for your personal data will be conducted using the identifying information you provided when you submitted your request. We may ask for additional information to assist us in conducting the search (e.g., relevant date ranges, information about how you have engaged with MIGA, or other details that may assist to scope out our search).
Once a personal data search has been performed, the MIGA DPO will make available to you your personal data held by MIGA or, if none is found in the relevant systems or databases, will inform you accordingly. At this time, you may also request additional information about the processing of your personal data by MIGA. For clarity, you will not be entitled to the documents or files containing the personal data.
How We Process Requests – Option to Request Reconsideration
When the MIGA DPO has provided what it reasonably believes to be a full response to your request, it will inform you of your options to:
i. Request reevaluation, if you reasonably believe MIGA holds additional personal data about you; or
ii. Indicate that you believe your personal data has not been processed in accordance with the Privacy Policy.
In either of these cases, the MIGA DPO will reevaluate the search and/or review the processing against the requirements of the Privacy Policy and respond accordingly.
How We Process Requests – Option to Appeal
When the MIGA DPO has provided what it reasonably believes to be a full response to your reconsideration request, it will inform you of your option to appeal the MIGA DPO’s decision should you feel that your request has not been handled appropriately. If you are staff or former staff under the applicable WBG Staff Rule 4.01, you may appeal to the World Bank Administrative Tribunal pursuant to the provisions of the Statute of the World Bank Administrative Tribunal. More information regarding the World Bank Administrative Tribunal, including filing instructions and FAQs, can be found here.
If you are an external requester, you may appeal to the MIGA Privacy Review Panel, as further described below. The MIGA Privacy Review Panel consists of senior MIGA staff members who are independent of the MIGA DPO team and who have not been involved in validating, assessing or responding to your request. The MIGA Privacy Review Panel will conduct an independent review of any matter brought before it for appeal.
Upon completion of its appeal review, the MIGA Privacy Review Panel will require the MIGA DPO to make available (i) any additional information it determines is appropriate and consistent with the Privacy Policy or (ii) its decision on what actions, if any, should be taken by MIGA. Decisions of the MIGA Privacy Review Panel are final.
Reasonable Limitations and Conditions
As provided for in the Privacy Policy, MIGA may place reasonable limitations and conditions on its obligation to respond to requests received through the above procedure, including the following:
Validation Requirement
As described above, MIGA may reject requests that do not meet our validation requirements.
In addition, if the MIGA DPO determines a request submitted to MIGA will better be addressed through a procedure operated by another WBG Institution or mechanism, it may re-direct the request to the appropriate mechanism and notify the requester accordingly.
Scope of Search
Personal data searches will be conducted in the systems, or portions of systems, designated by the MIGA DPO based on a comprehensive personal data inventory conducted by MIGA’s technology team that is focused on personal data in structured formats at that point in time. The list of designated systems will be updated as MIGA’s technical search capacity expands.
Exceptions to Disclosure
Notwithstanding any of the foregoing, MIGA may withhold or redact personal data from a response when it falls into one of the following categories:
- the personal data may be sought through a separate mechanism available to the requester;
- the personal data is processed by MIGA pursuant to confidential internal or deliberative processes;
- the personal data is sought for purposes that are clearly unfounded;
- providing the personal data or information would:
- compromise the security and safety of another individual;
- disclose information about another individual who can be identified that you are not deemed authorized to receive;
- disclose information subject to third-party confidentiality obligations;
- disclose commercially sensitive information; or o breach a regulatory obligation applicable to a third-party who provided such personal data to MIGA.
- the personal data is processed in the context of communication or a transaction between MIGA and a company, institution, government agency or other legal entity where the requester is acting on behalf of such legal entity;
- the personal data is subject to attorney-client privilege or similar professional confidentiality regimes, and/or other applicable legal privileges or immunities, or processed in relation to legal, administrative or similar proceedings or preparation in reasonable anticipation of legal, administrative or similar proceedings;
- providing the personal data is reasonably likely to render impossible or seriously impair the achievement of an archival, research or statistical purpose.
MIGA will apply the above exceptions as necessary and proportionate to balance the legitimate interest of MIGA and its ability to fulfill the mission, mandate and purpose entrusted to it by its member countries, and MIGA's legal rights and obligations, with the legitimate interest of the requester.
Other Limitations
The above procedure is available to individual natural persons making requests regarding their own personal data. Requests related to personal data of an individual other than the requester will be rejected, unless the requester has (i) an applicable power of attorney or (ii) proof of legal guardianship of a minor and is making the request on such minor’s behalf. Requests from legal entities other than natural persons will be rejected.
MIGA may place reasonable timelines on a requester’s ability to ask for reconsideration or appeal under this procedure, as well as the amount of time responsive data is made available to requesters in MIGA’s relevant data portal. Requesters will be given notice of these timelines when they submit a request and as they move through the process.
Requests and all related communications must be in writing and, to the extent practicable, be in English, and all responses of the MIGA DPO will be given in English.
Privacy Questions
Questions related to MIGA’s personal data review & redress mechanism can be directed to MIGA’s Data Privacy Office at dpo@worldbank.org.
Changes to This Statement
This statement was last updated on the date listed above. If we change it, we will post the new version to this website.