Yayasan Humanis dan Inovasi Sosial

(Team of) Consultant Data Management and Complience System of Yayasan Humanis dan Inovasi Sosial

Request for Expression of Interest

Yayasan Humanis dan Inovasi Sosial (Yayasan Hivos) is an Indonesian organization affiliated with Hivos, born out of an active collaboration between Netherlands based Hivos and several like-minded Indonesian academics and civil society leaders who subscribe to the values and mission of Hivos. The purpose is to promote humanist values in the social, health, and cultural fields which is defined in terms of the ability for each individual to assess and decide independently and responsibly, the right to freedom, dignity and a passion to create a just and tolerant society.

Yayasan seeks qualified candidates for the position of:

Title                      :  (Team of) Consultant Data Management and Complience System of Yayasan Humanis dan Inovasi Sosial

Duty Station       :  Jakarta, Indonesia

Report to             :  DMEL Coordinator & PO DDP

Duration              :  3 (three) months



As of May 2018, all organizations in the EU must comply with new the European privacy legislation, the Personal Data Protection Regulation (GDPR) (further specified for the Netherlands in the Dutch Algemene Verordening Gegevensbescherming: AVG). This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data and counts for the whole of Hivos. It set rules for instance on what personal data we can register, how to secure these data, what we can do with them, what clauses to include in contracts with third parties and what to do in case of a data leak. This GDPR will replace the current law for the protection of personal data (Wet bescherming persoonsgegevens – Wbp) in the Netherlands and will be applicable to data subjects residing in the EU.

In the Philippines, The Philippines’ Data Privacy Act of 2012, or Republic Act 10173 was formed by the National Privacy Commission and became enforceable on 8 September 2012. This lays forth a set of requirements designed to protect individual personal information in information and communications systems in both government and private organizations and create the National Privacy Commission (NPC). Established in early 2016, the NPC issued the Implementing Rules and Regulations of Republic Act No. 10173  (‘IRR’), which became enforceable on 9 September 2016. The IRR provides, in greater detail, the requirements that individuals and entities must comply with when processing personal data, as well as the sanctions for violations of the Act.

In Timor-Leste, the Constitution of the Democratic Republic of Timor-Leste enacted on 20 May 2002 became the constitutional safeguards regarding the protection of personal data and privacy as a general right applicable to citizens. It means, there is no general and comprehensive legislation on the protection of personal data i.e. no national general law on the protection of privacy and data, cybercrime, cybersecurity, and other privacy-adjacent legislation. In any event, there are some provisions on the processing of personal data and the protection of privacy included in different legislative instruments, aimed either at specific legal and regulatory obligations, or at the processing of information by public entities.

Indonesia has officially enacted its first-ever Personal Data Protection Law (“PDP Law”). After years of discussions and several postponements, on 20 September 2022, Indonesia’s House of Representatives officially passed the Personal Data Protection Bill. The PDP Law will apply to any person, foreign and domestic organization, both public and private, including an International Organization that processes the personal data of Indonesian citizens and other activities stipulated under the PDP Law. The PDP Law is closely based on the European Union General Data Protection Regulations (“EU GDPR”). It provides several critical changes to personal data protection regulations, such as Data Controller and Data Processor, Legal Basis to Process Personal Data, Obligations on Agreement(s) Related to Personal Data Processing, Data Protection Authority (“DPA”), Data Protection Officer (“DPO”), Data Processing Impact Assessment (“DPIA”), Cross-Border Personal Data Transfer, and Criminal Sanctions.

Aim of the assignment

Currently operating in the above countries (Indonesia, the Philippines and Timor-Leste), Yayasan Humanis dan Inovasi Sosial needs to comply with the legislation. Relevant colleagues (MT, HR, Finance, Communications, DMEL, PMs) should be aware of the privacy legislations and what this means for the processes of Yayasan Humanis dan Inovasi Sosial. Understanding the compliance will lead to the ability to communicate the process with partners/ grantees/ other relevant stakeholders.

The (Team of) Consultant will perform a detailed assessment of all personal data processing processes within the organization. Where, when, how, and why is personal data being processed and who is involved. Think of staff data, private, donors, prospects, complaints register, individuals that are contracted, but also of M&E and research that we initiate that involves the collection of personal data. The assessment will include a data processing impact assessment (DPIA) for projects or activities with high privacy risks which includes pre-assess the privacy risks of data processing processes and then taking measures to reduce the risks.

The (Team of) Consultant will create an awareness strategy about the concepts of privacy by design and privacy by default for all Yayasan Humanis dan Inovasi Sosial staff. Privacy by design means that processes for new products and services are designed as such that personal data are well protected. Privacy by default means that an organization must take technical and organizational measures to ensure that, by default, only personal information is processed that is necessary for the specific goal it wants to achieve.

The (Team of) Consultant will create a set of Standard Operational Procedure (SOP) including but not limited to templates for identification of personal data process, data collection, data management & processing, data storage, data transfer, data analysis, communication, data deletion etc. including agreements with the third partner who handle data on our request (protect these data, destroy it after a certain period and report back in case of a data leak).

The (Team of) Consultant will train staff on 1) identifying personal data processed in Yayasan Humanis dan Inovasi Sosial projects/programs’ activities including the formats and technology used; 2) communicating the policy including SOP and templates to partners, grantees, or other relevant stakeholders; and 3) responding a personal data leak or personal data breach including documenting all data leaks that happened in the organization.


  1. Concise Report on Data Protection Requirement in the 3 countries.
  2. Detailed Assessment Report including Data Processing Impact Assessment (DPIA)
  3. Recommendations for Yayasan HIVOS Strategy about Privacy By Design and By Default. The recommendation should cover two aspects: a) Yayasan Humanis and Inovasi Sosial Management including HR and Finance; and b) Program/Project-Related requirements including design, monitoring, evaluation and learning purposes, project reports, photos, and data sharing.
  4. Data Management or Data Privacy Protection Standard Operational Procedure (SOP) including but not limited to templates for data collection, data management & processing, data storage, data transfer etc. including agreements with the third partner who handles data on our request (protect these data, destroy it after a certain period and report back in case of a data leak).
  5. Privacy Policy and Privacy Protection Checklist for partners/grantees including: informed consent template, data usage for social media and photos, and responding data breaches.
  6. A training and socialization of the deliverables to all staff of Yayasan Humanis dan Inovasi Sosial


Consultant Qualifications

The following are the selection criteria for the team of consultant(s):

  • Solid experience and proven track record of carrying out compliance on data privacy in Indonesia, the Philippines, and Timor-Leste for at least 5 years
  • Demonstrable relevant academic and practical experience on the described assignment.
  • Excellent reporting and communication skills

Timeframe and Budget

The draft of final evaluation report should be presented no later than 12 weeks after the commencement of the contract. The maximum budget for the entire assignment is USD5,000 The budget offered will be subject to negotiation after selection of the (Team of) Consultant


Expression of Interest

The overall proposal will be judged based on scoring criteria below:

Technical Criteria Technical Sub-Criteria Maximum Points
Technical Approach (5 pgs) –         Description of the approach and method proposed for the requirements listed above 40
Personnel (2 pgs) –         Description of qualifications and unique skillset of each team member, as well as balance and complementary of skills within the team

–         Description of home-office and support personnel, as relevant

–         Provide a maximum of three-page CV of each candidate proposed (non-page count Annex)

Management Plan (2 pgs) –         Description of how the consultant/s will support assessment team before, during, and after fieldwork (e.g. preparation, validation workshop, stakeholders’ interviews, etc.)

–         Description of the consultant/s’ home office support throughout assessment activities, including how it intends to ensure technical quality of all deliverables, maintain regular client communication, and comply with all contractual requirements

Institutional Capacity and Past Performance (3pgs) –         Description of consultant/s experience conducting past similar assignment(s)

–         Sample of work (if possible)

Total: 12 pages Maximum points

(Minimum score for technical compliance: 70)

100 total


The expression of interest should also contain Financial Quotation. A financial quotation should be submitted in IDR with VAT. The financial quotation should be based on all estimated costs of the assignment including:

  • Consulting fees to be charged;

●             Projected logistical and other expenses to be incurred