Technical Competency
Confidentiality and Information Protection
Deep Dive
The following table includes a list of required elements for demonstrating Confidentiality and Information Protection and examples of statements or behaviours which suggest a need for further development in this competency. This deep dive addresses separately each element of knowledge, demonstrated skills and attitudes/approaches which together make up this competency.
Knowledge, recommending what someone should understand and be able to explain and examples of statements or behaviours which indicate a need for further development.
Demonstrated skills, recommending skills expected for everyone, those specific to programming roles and those specific to roles involving survivor interaction. Examples of behaviours which indicate the need for further development are included as well.
Attitudes or approaches (linked to Core Values), which help identify associated values and attitudes, as well as examples of attitudes or approaches which indicate the need for further development.
Key Murad Code Provisions for this Technical Competency
Principles 9 (Take the Time, Create the Space) and 10 (Ensure Respectful and Safe Interactions)
2.3 Survivor control over their information
4.9 Information-sharing
7.8 Build confidentiality protections
9.4 Ensure privacy
Closely associated with technical competencies Informed Consent, Risk Recognition and Responsible Use of Information
KNOWLEDGE: understands and can explain…
Elements expected for all roles
The central importance of confidentiality and information protection to security and safety, trust, privacy, integrity of work and many other aspects of survivor-centred, trauma-informed approaches
What types of information are sensitive and require confidentiality and information protection measures
Main/common threats to information protection and confidentiality (internal/external) in relevant contexts during collection, transit, holding and sharing/use, including the risks of communication through digital and other formats including cloud-based storage, analysis and translation software and programs, AI tools, etc. [MC 5.3, 7.8]
Main types of risk mitigation and information protection measures for each of the main threats/risks [MC 5.3, 7.8]
The principle of data minimisation and basic common principles of other relevant data protection laws which apply in all relevant contexts (where collected, where in transit, where held – physical and electronically on server, where used and shared) [MC 4.10, 6.7]
National laws relating to access to or handling of information including police and judicial powers, mandatory reporting, handling of different types of information and personal data (including images depicting sexual violence or child abuse), which apply in all relevant contexts (where collected, where in transit, where held – physical and electronically on server, where used and shared) [MC 4.10, 6.7]
Examples of statements or behaviours which indicate the need for further development
Telling family and friends about their work experiences including survivor interactions
Talking about work on public transport, airports or in taxis
Conducting interviews or work on confidential material in public places
Not distinguishing between different types of information
Logging on to public Wi-Fi in airports, hotels, etc. with devices holding work or confidential information
DEMONSTRATED SKILLS: can demonstrate how to…
Expected for all roles
Specific to programming (designing and delivering SCRSV programming)
Specific to survivor interaction roles (direct interaction with survivor to gather information)
Handle confidential information safely and confidentially
Deidentify/redact written information or statements (including understanding ‘mosaic’ or cumulative information identification), including the use of codes, pseudonyms and other identity protection measures in all files, notes, storage and use
Communicate confidentially in that context
Ensure clear, accurate and updated record and tracking of informed consent related to information
Assess information risks (including evaluating contextual factors) and determine appropriate risk mitigation and protection measures to adequately address those risks in all relevant contexts
Define, designate and communicate which types of programme information are to be treated as confidential
Develop protocols to inform approach to national laws which limit confidentiality or may allow access to information and when not to collect information if it cannot be handled confidentially
Design and implement methodology which protects, removes, minimises or separates confidential information from work records.
Design, resource, implement, regularly review and monitor effective information management and protection protocols for all aspects of activities which ensures information can be collected, transported/transferred, held, used or shared confidentially in all relevant contexts for programming (with expert advice when needed)
Create a restricted access and monitoring system for confidential information
Designate clear responsibilities and tasks for team in terms of information management and protection
Test systems and monitor implementation of protocols and measures
Create an effective reporting and response system for confidentiality and privacy breaches
Vet partners or potential receivers of information for information protection and ability to uphold confidentiality
Contact and communicate with survivors remotely or in person to uphold confidentiality, privacy and discretion
Discuss privacy and confidentiality, information protection with survivors, including honestly describing any limitations or risks
Implement measures effectively to protect survivor information, privacy and safety
Maximise privacy and confidential protections before, during and after information collection [MC 7.8, 9.4]
Accurately record informed consent to ensure all future handling and use is based on that consent
Examples of behaviour which indicate a need for further development
Conducting interviews in IDP camps in tents, rooms or other locations where they can be overheard
Not taking measures to prevent colleagues or others walking into the interview/meeting room
Taking photos of survivors on mobile phone cameras or recording or saving statements on their personal phone
Not separating personal from work content on their personal devices
Sending confidential information in unprotected email attachments
Collecting information without or before protection protocols and systems are in place
Breaching confidentiality and privacy of a survivor
Attitude and Approach
Associated Values
Core Values: Commitment and Responsibility
Other Values: Integrity, Honesty
Approach:
Takes confidentiality and privacy extremely seriously and takes care to comply with and implement information protection, confidentiality and privacy protocols and measures
Forgoes the intended collection, sharing or use of information, if risks are too high, and adequate mechanisms are lacking to manage the information safely and confidentially (paraphrased from the ICRC Protection Framework)
Examples of attitudes or approaches which indicate need for further development
Complacency about information management and communication protocols.
Sharing confidential information without considering informed consent.
Taking no action on suspected breach of protection measures/system or leak of confidential information

