WaterAid is an international non-governmental organization founded in 1981 and focused on improving poor people’s access to safe water, hygiene and sanitation in developing countries. WaterAid Rwanda is one of the many Country Programmes of WaterAid around the world and it was officially registered and started operating in Rwanda in 2010. We work with various partners including the Ministry of Infrastructure for overall coordination and performance of the WATSAN sector including policy work.

Website: https://www.wateraid.org

Terms of References (ToRs) for Data Protection Assessment in WaterAid Rwanda

  1. Background

WaterAid Rwanda is committed to ensuring the protection of personal and sensitive data in line with the Rwanda Data Protection and Privacy Law No. 058/2021, donor requirements, and internal policies. As part of strengthening our information governance framework, a Data Protection Assessment will be conducted to evaluate current data handling practices across programmatic and operational functions, identify risks, and recommend practical measures to enhance compliance and safeguard the rights of individuals whose data the organization processes.

  1. Purpose of the Assignment

The purpose of this assessment is to:

  1. Review the organization’s current data collection, storage, processing, sharing, and disposal practices.
  2. Assess compliance with national data protection regulations, and international best practices.
  3. Identify gaps, risks, and vulnerabilities in data management systems.
  4. Recommend practical and cost-effective measures for improvement.

3. Objectives

The overall objective of this assessment is to evaluate the organization’s data protection framework and practices, and to recommend actionable measures to ensure full compliance with applicable data protection regulations and internal policies.

The specific objectives are to:

  1. Assess current data handling, storage, sharing and disposal practices.
  2. Review existing policies, procedures, and data security measures.
  3. Evaluate risks related to data breaches, unauthorized access, and misuse.
  4. Review data protection practices among third-party service providers and implementing partners.
  5. Provide an actionable improvement plan with clear timelines and responsibilities.

4. Scope of Work

The consultant/assessment team will:

  1. Review existing policies, systems, procedures, contracts, consent forms, and other relevant documents.
  2. Assess programmatic, HR, and administrative data management systems.
  3. Conduct interviews and consultations with key staff and departments.
  4. Identify potential data protection risks and vulnerabilities.
  5. Develop a report highlighting gaps, risks, and prioritized recommendations.
  6. Present findings and proposed action plan to management.

5. Methodology

The assessment will combine:

  • Desk review of documentation.
  • Review of data systems and access controls.
  • . Benchmarking against Rwanda’s Data Protection and Privacy Law
  1. Expected Deliverables

The consultant/assessment team will provide:

  1. Inception report – outlining methodology, work plan, and data collection tools
  2. Data Protection Assessment Report – including findings, risk analysis, and recommendations.
  3. Action Plan – with prioritized steps, responsible persons, and timelines.
  4. Presentation of Findings to the management team.

7.Duration & Timeline

The assignment is expected to take approximately 4 weeks including review and report submission.

  1. Qualifications of the Consultant/Team
  • Proven expertise in data protection and privacy regulations, including the Rwanda Data Protection and Privacy Law.
  • Experience in conducting organizational assessments.
  • Knowledge of NGO operations and donor requirements.
  • Strong analytical, report-writing, and communication skills.
  • Experience working with NGOs or development organizations is an asset
  1. Reporting and Coordination

The consultant will report to Head of Finance and ICT and work closely with the Head of People as well as the ICT, PMEAL, and Program teams.
Deliverables will be reviewed and approved by the management team of WaterAid Rwanda.

  1. Budget

The total consultancy fee will be agreed based on the scope and duration of the assignment. Interested consultants or firms are required to submit a financial proposal along with their technical proposal, clearly indicating the proposed professional fees and any related costs (including taxes).

  1. Confidentiality

All data and information accessed during this assignment will be treated as strictly confidential and used solely for the purpose of this assessment.

  1. How to Apply

All applications to be sent in a PDF format in one scanned document via email: WARwanda@wateraid.org

  • Application dates are from 12 to 19 November 2025 at 3:00pm
  • Contact Name: WaterAid Rwanda
  • Contact phone: +250788318824

Disclaimer:

WaterAid Rwanda reserves the right to contact only those institutions or agencies who are shortlisted for further evaluation.

 

Attachment

 

attachment_file_488cdc0cb285b7029926