
Technical Competency

 Confidentiality and Information Protection

 

Assessing

How to assess or score: for non-subject matter experts

Whatever your question (whether you choose or adapt a question from the Anchoring section or create your own), the Deep Dive table can help you identify positive and negative aspects – green or red flags – in a candidate’s answers.

For a simple scoring or assessment scheme, you can assign +1 to positive or green flag content and -1 to red flag answers.

For a scoring system of, say, 0-3 for each question, we recommend using the following matrix in combination with the Deep Dive table for each value or competency. We recommend printing copies of the Deep Dive tables, as well as the full Murad Code, so that these can be easily consulted when assessing a candidate.

Scoring / grading – Values
0 – Misaligned (harmful, unsafe, or dismissive answers) with red flags - No elements demonstrated or more than 1 limiting behaviour shown.
1 – Weak alignment (superficial, misses core principles) with 1 or 2 red flags - Only 1 or 2 elements demonstrated, with more than 1 limiting behaviour also shown.
2 – Partial alignment (mentions some key elements but incomplete) with 1 or no red flags - A good number of elements demonstrated but also 1 red flag or concern raised.
3 – Strong alignment (clear survivor-centred reasoning, practical actions, responsibility) with no red flags - Multiple elements demonstrated and no red flags or limiting behaviours raised.

Below, there is also an assessment guide to the sample questions provided in the Anchoring section.

Sample written test EXAMPLES

Hypothetical (can be based on relevant context and job requirements):

1. One of your team returns from an in-country visit and has brought with them SCRSV survivor medical health and psycho-social counselling records from community-based humanitarian services. There is no record of survivor-consent to share this information with your organisation. What is your response?

Main elements of a good answer: immediate recognition that this may be a serious breach of confidentiality; emphasis on survivor privacy and agency [and MC8.5 potential to undermine trust in and therefore access to humanitarian services]; secure/seal the records pending investigation – no access, no use, highest levels of confidentiality; establish facts through open questions and inquiry with team on visit – source, consent, how transported/stored/accessed/used so far; if no consent and consent records cannot be provided, determine whether the records need to be destroyed or returned; address breaches with “never event” style team reflection to identify systemic issues and changes required, address any individual issues with training/professional development plan or disciplinary steps if needed; report internally as per safeguarding and data protection procedures; consider if grant reporting required; consider visit to return records and report breach to community-based service provider.

Red flags: willingness to keep or use since have it with consent of organisation (not survivors); minimising or failing to recognise seriousness; no reference to survivor consent or privacy; focus on getting into system and protecting its confidentiality as part of their normal records management.

2. You have been asked to lead a documentation exercise in an area where there is government violence against civilians, including CRSV. What measures do you design and implement in relation to secure communication and confidentiality around the work?

Main elements of a good answer: risk assessment as a key measure of preparation [MC 5.3] – including risks to privacy to survivor, staff and information; ensure contextual understanding of the risks to comms and privacy/confidentiality including cyber hacking, surveillance, check points; for comms – secure encrypted comms channels with an understanding of level of sophistication of local threat, separation of work and personal comms, emergency comms if internet/mobile service goes down, training and resourcing to ensure personnel have own MiFi, VPNs, protocols and practice around secure comms; clear sets of information management protocols which consider whether electronic data on encrypted, passworded small drives is safer than handwritten notes, use of anonymity-pseudonyms-case codes, approach at check-points or high risk areas; consideration of safe spaces and comms with survivors – low profile/camouflaged access and contact points; ensuring privacy and not being overheard with clear protocols for potential interruption; informed consent process with clear records to ensure storage and use in accordance with survivor autonomy and control; contingency planning and response for any breach or confiscation or loss of data/information. Focus on survivor safety and privacy.

Red flags: vague answer with little detail or measures which identify or mitigate privacy and confidentiality threats. Ignores risk of government surveillance, hacking or confiscation. 

Technical:

1. Application Exercise: Share a copy of Principle 7.8 of the Murad Code and ask the candidate to reflect on how they would operationalise it in a practical situation (e.g. team training, field protocols, handling a breach).

See Q2 above. Expectation of contextual knowledge, risk assessments and series of protocols (SOPs and work tools which reinforce) and training with simulated exercises; drills and checks/supervision, breach response mechanisms. Element of survivor control-consent-privacy in answer so not just protection of organisational work product.

Red flags: vague or undetailed, focused on reminders to staff – no protocols, no practice, no monitoring and no response/reaction system in event of issue.

2. What are the central elements of a discussion with a survivor about confidentiality and privacy?

Main elements of a good answer: plain language which is understood by the survivor; foundation of survivor rights – emphasis on their control and autonomy in terms of their information - that they can say no, limit and withdraw consent, what is possible on withdrawal of consent and any limitations on that; discussion of confidentiality measures in place and the limitations of confidentiality that apply in that context; discussion of what the survivor wants in terms of preservation and use – not just your own intended purpose and wishes about sharing and use of the information provided; a clear informed consent process to identify consented categories of use and users (who the information can be shared with and what they can use it for); risks of providing, storing, sharing and using information explained clearly and honestly; survivor given time to make decisions or get advice; discussion of how survivors are an actor in the confidentiality system – that they can choose to keep this private too; should include a two-way conversation about any concerns or questions of the survivor.

Red flags: use of jargon/technical language not attuned to survivor; no mention of survivor rights; no mention of limitations – overpromising or guaranteeing total confidentiality; no mention of survivors as part of the confidentiality measures. 

3. Identify and explain how to manage three potential risks of poor handling of information when working with survivors.

Main elements of a good answer: safety risks – if privacy/confidentiality lost, major potential repercussions for survivor (retaliation, stigma, retraumatisation, revictimisation, in some settings criminalisation; negative disclosure experiences are associated with poor health and well-being outcomes); as well as safety of personnel/team/organisation in the field (retaliation, associated stigma); further safety of information and operations; trust/credibility risks – survivors lose trust in you/your organisation but also others providing vital life-saving services, deters further disclosures and access to services – part of the association between negative disclosure experiences and poor MHPSS and broader health outcomes; also lose trust of partners, donors and reputation; legal risks – see above in terms of potential criminalisation of survivors in certain settings; as an organisation may face legal liability or breach of duty of care.

Red flags: focuses only on harm to operations and organisation, missing major potential risks to survivors and affected communities, minimises or fails to understand potential impact.

Sample interview questions

1. Can you give an example of when you demonstrated responsibility when managing and protecting sensitive survivor-related information?

Main elements of a good answer: describes concrete detailed example, recognises seriousness and importance with a focus on survivor safety and autonomy, includes measures mentioned in answers to questions above (hypothetical Q2, technical Q1).

Red flags: vague undetailed response, focuses on organisational compliance/reputation and not survivor safety, no concrete measures described.

2. Give me an example of when you had to decide whether to share a survivor’s information. What steps did you take to make sure consent was informed and specific? OR describe a situation where someone asked you for information you were not permitted to share. How did you handle it?

Main elements of a good answer: clear process of checking, reviewing/renewing if changes of circumstances or time lapsed, specific express informed consent from survivor; describes process of renew or approach to discuss informed consent and potential use (recognising imbalance in powers and taking steps to reduce pressure to accept); if no clarity on consent, refuses to share – survivor autonomy, control and safety foregrounded in answer.

Red flags: little resistance to authority, no reference to existing consent or checking consent records, no recognition that a renewed informed consent may be needed – no reference to survivor participation/consent in the decisions being taken. No reflection on learning and changed approach if insufficient resistance to sharing without consent.

3. Describe a situation where you had to balance organisational reporting requirements with protecting survivor confidentiality. What was your approach?

Main elements expected in answer: focus on prioritising survivor consent and safety; includes discussion of measures like consent checks and renewal, risk assessments, coding/pseudonyms, use of deidentified statistics/aggregated data, restricted access/redactions; discussing with management/donors if reporting requirements compromise survivor safety, ethics, Murad Code, etc. [MC 4.7]

Red flags: prioritising donor/management reporting over survivor confidentiality, a casual approach to this, no recognition of ethical and safety issues arising.
