Skip to content
Big data, little ethics: confidentiality and consent

People who experience violence or exclusion often share their traumatic experiences with service providers while receiving care – care that is most effective when individuals can be open and honest and know that what they share will remain confidential. In recent years, however, the International Rescue Committee (IRC) has seen the safety and confidentiality of data relating to the protection of individuals of concern being increasingly diluted. This trend can be traced in part to a seemingly innocuous change in the way we track and measure programmes.

In the past decade there has been a shift towards the generation and use of ‘big data’ – large volumes of structured or unstructured data. However, a lack of accountability and little understanding of the unique risks associated with protection data have encouraged a movement among large donors to request more (and more specific) data, which could be potentially damaging to individuals.

These requests are not just for over-arching, aggregated data, which are widely valued and shared in standardised, useful formats through information-sharing protocols. Rather, some influential donors are making increased demands for individual survivors’ information – and have a misplaced confidence in how they might be able to use that information. Failing to protect privacy and confidentiality can result in stigma and retribution, and ultimately will erode help-seeking behaviour, threaten the reputations of service providers, and put staff and vulnerable people at risk.

Demand for data

At the core of work with displaced survivors of violence (including of gender-based violence) and in the protection of children and those with specific needs is their right to confidentiality. Trust between service providers and clients is essential to providing effective help, and typically depends on assurances of privacy. Service providers are ethically obligated to protect client privacy and to ensure they do no harm. These precepts date back to the earliest versions of the Hippocratic Oath and are reaffirmed in the normative frameworks of social work and international aid, including those governing how information is managed in humanitarian settings.

How data are gathered, stored and secured, and how and why they are shared with other actors, demands diligence. To that end, IRC and other service providers have invested in building inter-agency systems and processes to ensure data are managed in a safe and ethical manner. These include the Child Protection Information Management System,[1] the Gender-based Violence Information Management System[2] and the Protection Information Management Initiative.[3] Inherent within these systems is the recognition that sound data sharing and reporting by donors and at coordination level can lead to multiple benefits by revealing gaps in programming, strengthening coordination and identifying opportunities for advocacy to improve programming. Each system includes clear and comprehensive data-sharing protocols and practices.

Yet despite these systems (some of which have been in place for a decade or more), the erosion of confidentiality practices is increasing. In some locations, donors’ very broad interpretations of confidentiality and consent have diluted accepted standards, for example by arguing that once consent has been given to one organisation, that consent extends to the sharing of data with any other related party.

Donors are also making increased demands for sensitive, personally identifiable case management and incident information. This takes many forms, including: requests for proprietary access to data (whereby they own the data and make ultimate decisions about its use), the creation of unprotected paper libraries of case management files that can be accessed at will, and even insistence on participation in confidential case management sessions. Such demands are often exacerbated by donors harassing service providers, including by threatening to withdraw funding if the data are withheld. The demand for confidential data has reached a level that compromises programmes for vulnerable women and children and people with specific needs, threatens reporting, discourages people from seeking assistance, and undermines client safety.

Consequences for protection programming

Examples of these harmful practices abound globally, affecting frontline staff and the people we serve.[4] In East Africa, untrained staff from a donor agency adopted supervisor-like roles over specialised, trained service provider staff, forcing referrals to their own agency and conducting follow-up contact with survivors for which their consent had not been obtained.

In Asia, a donor agency drafted standard operating procedures that called for ‘responsibility meetings’ – essentially forced mediation sessions – to be an ‘option’ for survivors of intimate partner violence. Survivors declining to participate in this mediation with the perpetrator were referred to the refugee camp leadership for administrative or legal action. This fails to recognise the long-established evidence that, rather than resulting in the abuser choosing to stop using violence to control others, facilitated mediation (especially when applied by minimally trained staff) can introduce further threats to safety for survivors or staff.[5]

In another location in East Africa, caseworkers were working to relocate one female survivor to a safe location. Before the relocation could take place, staff from the donor agency funding the programme requested that the survivor be handed over to the male community leadership to be held indefinitely at a male community leader’s house, a request that staff presented as an attempt at mediation. Mediation should always be voluntary and is not a recommended intervention, especially if facilitated by untrained staff. In the process of making this request to move the survivor, the donor staff revealed her identity, and told the male leadership that the implementing agency’s caseworker was at fault for the survivor seeking help. Thankfully, the survivor ultimately got to safety with the help of the implementing organisation and other agencies but the violations of ethical principles and of the commitment to do no harm in this case of wrongful disclosure are clear.

Each of these examples is further complicated by questions of cultural bias and paternalism. If these activities were taking place in the Global North, no doubt there would be objections and reforms would be demanded. And yet these compromises to client safety in Southern contexts continue without attracting widespread outrage and without a push for reform to mitigate these risks and hold accountable those with power. International non-governmental organisations (NGOs) can at times push back against donor pressure and threats, but local NGOs are generally more at the mercy of funders’ demands and are often faced with the prospect of either giving in or being shut down. This is a fundamental and dangerous abuse of power that can no longer be ignored.

Although there has been some positive development, for example the introduction of the European Union’s General Data Protection Regulation (GDPR), which focuses on the need to protect individuals’ data, little has been done to hold the main humanitarian donors accountable or to standardise an ethical approach that applies globally and is not limited to certain locations. Instead, we now see open and active resistance to basic, internationally recognised ethical standards that should guide our work without question. Relationships between service providers and donor agencies should be based on partnership and mutual understanding, not coercion. Access to data should follow that same logic and must be based on shared and agreed standards.


These evolving, harmful practices force the need for a new humanitarian imperative that builds on existing data protection legislation such as the GDPR but establishes the mandatory ethical management of data regardless of geographic location, under which standards are clear and uniformly followed and accountability mechanisms established. Accordingly, humanitarian actors should:


  • ensure the safety and dignity of clients as the first priority, including by extensively regulating data-sharing protocols to ensure confidentiality, consent and related protections
  • follow agreed standards for safe and ethical data management as set forth in inter-agency efforts
  • recognise the value, and support the availability, of aggregated, anonymised data for analysis that leads to improvements in services, coordination and advocacy
  • restore and defend the definitions of consent and confidentiality, recognising that having a ‘mandate’ does not replace consent and cannot be used as a specific reason for sharing data
  • unite local and international organisations to jointly reject irresponsible and harmful data practices
  • create an international body to identify and hold accountable fund-managing agencies who engage in harmful data practices and violate established standards


While working hard to be of assistance, humanitarian actors often lose sight of the fact that clients’ files should be considered in exactly the same way as their own personal medical or mental health records. Policymakers and donors must remember that behind each number and statistic are the girls, women, boys and men who, despite the risks of doing so, sought services. We owe it to them to work together to ensure that their rights to confidentiality, dignity and safety are protected.

Nicole Behnam
Senior Technical Director

Kristy Crabtree
Information Management and Technology Advisor

Violence Prevention and Response Unit, International Rescue Committee





[4] These examples are factual but some identifying information has been removed. They are drawn from IRC’s work although many other organisations have also identified similar issues with large donors.

[5]The mediation process itself maintains and contributes to the male abuser’s ongoing power and control over women and adolescent girls. The process of mediation presumes that both parties can speak equally freely, confidently and safely.” IRC (2018) ‘Intimate Partner Violence and Mediation’, GBV Blended Curriculum

This site is registered on as a development site. Switch to a production site key to remove this banner.