Privacy in peril: safeguarding digital data in humanitarian blockchain initiatives

Digital dignity is a human right, widely overlooked across blockchain-based humanitarian aid initiatives. Aid organisations are rushing to integrate digital technologies for the purpose of enhanced efficiency, accountability, immutability, and near real-time recording of transactions for transparency. However, as dozens of health and cash distribution pilot programmes have demonstrated, an essential human right is often disregarded: the right to digital privacy. This oversight exposes programme participants to potentially life-threatening situations, and risks undermining trust in non-governmental organisations and in the humanitarian system as a whole.

Addressing privacy considerations as an afterthought is an approach that must change. Digital privacy rights must be prioritised and embedded into the design of any systems at the earliest stages and carried through implementation, monitoring and post-pilot evaluation. Technologies that handle personally identifiable data, including financial and behavioural, must be subject to the same standards of human rights compliance as any other intervention – particularly in high-risk humanitarian contexts.

Digital right to privacy contextualised by aid instruments

International human rights instruments recognise privacy as a fundamental right. Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights affirm an individual’s right to be protected against arbitrary interference with their privacy, family, home or correspondence. The UN Human Rights Council and General Assembly have explicitly affirmed that the rights to privacy under these articles fully apply to the digital space, asserting that the same protections against arbitrary interference with privacy extend to digital environments.

These rights are as relevant in digital humanitarian contexts as in any other setting. Crisis-affected people do not forfeit their rights to digital privacy or data protection simply because they receive health or cash aid assistance through a digital framework. Published guidance – including the Principles on Personal Data Protection and Privacy in Humanitarian Action developed by the International Committee of the Red Cross and the United Nations Office for the Coordination of Humanitarian Affairs (OCHA), and the Sphere Handbook – underscore this point. These principles emphasise the need for data minimisation, informed consent and security safeguards.

Risks introduced by blockchain systems

While blockchain systems can enhance transparency and traceability, these features are at odds with the humanitarian needs of discretion and confidentiality. Traditional public blockchains, like Bitcoin and Ethereum, store all transactions in transparent, publicly accessible ledgers. Once information is entered into an immutable ledger, it cannot be deleted or amended, raising questions about data protection rights such as erasure or rectification under frameworks like the EU General Data Protection Regulation (GDPR). Even when identifiers are pseudonymous, transaction metadata such as timing, amount and patterns of behaviour can be correlated with known identities – especially in the context of a humanitarian pilot or a similar use case for vulnerable populations with a concentrated pool of users. Some humanitarian blockchain pilots have attempted to introduce data-protection features, such as off-chain storage of personal data or use of biometric authentication. Yet these solutions often introduce their own risks, such as centralisation of sensitive data or long-term data exposure over time due to poor access controls.

Case studies where privacy fell short

The World Food Programme’s Building Blocks project

The World Food Programme’s Building Blocks project, piloted to deliver aid to Syrian refugees in a Jordanian refugee camp, aimed to streamline cash transfers using a blockchain ledger. However, the integration of biometric identifiers like iris scanners and the lack of transparency about data governance arrangements ‘in terms of how the system operates, what data is recorded, where it is stored, who has permission to access the data, and for what purposes’, raises concerns about potential inferences of sensitive behavioural patterns based on transaction history; strong anonymisation techniques or zero-knowledge protections were not used in the gathering and storage of this data.

UNHCR Iris Scan Biometric Database and digital identity pilots

Initiatives like the UNHCR Iris Scan Biometric Database, which has been in use since 2012, have deployed blockchain-enabled digital identity systems in a variety of humanitarian contexts. The use cases include managing transactions for food, cash and shelter. While systems like these are intended to be self-sovereign, coupling private keys tied to biometric data, such as iris scans, could open pathways for re-identification and exclusion, especially when deployed without robust privacy frameworks. On the closed networks of permissioned ledgers there are risks, as Nabben corroborates within the context of the World Food Programme: ‘digital identities are being created that are permanently linked to biometric indicators which could then be hacked and traced back to family members or used as leverage to direct behaviours’. These design frameworks underscore the need for stringent Privacy Impact Assessments and adherence to human rights standards before scaling such interventions.

Start-up-fuelled pilots

Multiple start-up-led pilots have embraced blockchain technology to improve aid traceability, but they often neglect digital privacy safeguards. A concrete example comes from a study conducted in Jordan, where a refugee-aid organisation partnered with private developers to deploy a blockchain-based cash-for-work system. These pilots functioned more as ‘spectacles’ for donors, maximising visibility rather than protecting participant data. In addition the ‘data is secure and visible to a “decentralised network” of coordinated organisations’, implying that pseudonymous records were being shared across participating organisations. However, even a decentralised network can expose sensitive metadata of programme participants if correlated with off-chain information. This form of pilot design neglects confidentiality and privacy norms, potentially exposing individuals to profiling or discrimination. Cheesman argues that such projects ‘conjure’ blockchain solutions to draw funding and attention, often ignoring the real risks to aid workers and refugees.

Paths forward: designing for privacy

To align with human rights standards, and to provide base-level dignity and autonomy for crisis-affected people, blockchain-based humanitarian systems must be privacy-preserving by default. This requires more than access restrictions; systems must be designed to minimise data exposure and respect individual autonomy from the outset.

Blockchain-based systems will continue to proliferate and it is the responsibility of aid organisations to practice due diligence. They can do so through four overarching steps.

Design and risk assessment

• Conducting Privacy Impact Assessments, utilising the guidance of blockchain privacy experts, and revisiting them regularly.
• Engaging blockchain privacy experts throughout the project lifecycle.
• Assessing and limiting re-identification risk, particularly when using pseudonymised or biometric data.

Participatory and rights-based approaches

• Include meaningful consultations with crisis-affected people during system design and evaluation, not merely post-deployment feedback.
• Honour informed consent and opt-out mechanisms.
• Provide accessible feedback mechanisms for crisis-affected people and avenues for redress if harm occurs.
• Include training for all stakeholders and crisis-affected people, to ensure a base level of understanding for the technologies employed, their associated risks, rights and processes related to consent, and opt-out mechanisms.

Data governance and minimisation

• Collect only the minimum data necessary for service delivery and auditability.
• Define and enforce clear data-retention policies, with secure deletion protocols.
• Encrypt sensitive data using privacy-preserving methods like zero-knowledge proofs – widely used across technology, security and privacy domains – to enable one party to prove to another that a statement is true without revealing any other information.

Accountability and oversight

• Mandate open-source transparency by requiring that core components of blockchain-based humanitarian systems be publicly auditable, with source code made available for independent review and community oversight.
• Establish multi-stakeholder oversight, including crisis-affected people, donors, blockchain privacy subject matter experts, and compliance professionals.
• Align funding with privacy standards; this should be the remit of donors and international agencies. Procurement and evaluation criteria should reward privacy-preserving system design, not just scale or visibility. Only through such systemic alignment can the humanitarian sector achieve ethical, impactful innovation.

Conclusion

The promise of blockchain and other digital technologies in humanitarian response is real, but so are the risks. Privacy is not merely a technical concern, it is a human right. Failing to protect the data and identities of crisis-affected people can have real-world consequences of exclusion, exploitation, or violence.

Privacy considerations must be integrated into every stage of pilot and programme implementation. The humanitarian sector must treat privacy as central, not peripheral, to innovation. Blockchain pilots must demonstrate that privacy is respected not just in theory, but in architecture, policy and practice.

Alex Bornstein, Interim Executive Director and Chief Operating Officer, Zcash Foundation

Elise Hamdon, Ph.D., Chief Communications Officer, Zcash Foundation