1.2 IM & Data Responsibility Principles

Humanitarian Information Management is fundamentally about ensuring that the right information is available to the right people, at the right time, to inform operations, advocacy, and decision-making, which points towards a few key principles of information management:

• Relevance – focusing only on data that meets operational and decision-making needs

• Accuracy – ensuring data is accurate, reliable and suitable for its purpose

• Timeliness – ensuring information is up to date and delivered when it matters

• Accessibility – making information easy to access, understand and use

• Interoperability – enabling data to be shared and combined across actors

• Good Governance – clarifying roles, responsibilities, and accountability for data use

While few people would argue with these basic principles, there is currently no universally established framework of IM principles for the humanitarian sector. However, there is useful guidance on responsible data management, notably form Inter-Agency Standing Committee (IASC), which overlaps but is not completely identical with the principles outlined above.

This chapter, will outline the data responsibility principles defined by IASC and apply them to the context of IM, illustrating how they help ensure that information serves humanitarian action ethically and effectively.

1.2.1 Data Responsibility Principles

IASC has defined 12 Data Responsibility Principles. These principles are not just abstract ideals but they serve as the ethical, operational, and legal backbone for managing programme data throughout its lifecycle. In this section, you will find a clear definition of each principle as well as examples for putting these principles into practice. The indicated "good practices" highlight some of the main things to consider in relation to each principles but do not aim to be exhaustive.

Before diving into each principle, here is a quick overview:

Principle	What to Ask	Practical Tools
Defined Purpose, Necessity & Proportionality	What is the exact purpose of collecting this data? Is it necessary and proportionate?	Data Workflow Mapping
Fairness & Legitimacy	Is the data collection fair and respectful to affected populations?	Ethical Review Checklist
Human Rights-Based Approach	Does this data activity uphold the rights to privacy, participation, and non-discrimination?
People-Centred & Inclusive	Is data collection representative, paying attention to marginalized groups?	Disaggregation Framework
Personal Data Protection	Are we applying appropriate safeguards for personal or sensitive data?	Data Protection Guide (HI)
Data Quality	Is the data accurate, timely, and fit for its intended use?	Data Quality Guidelines
Accountability	Can affected people access and challenge how their data is used?	Accountability SOP
Confidentiality	Who has access to this data? Is the 'need-to-know' principle respected?	Access Control Matrix, Encryption SOP
Coordination & Collaboration	Is data shared with other actors to facilitate coordination and avoid over-assessment?	Data Sharing Agreement Template (IASC), Information Sharing Protocol (IASC), Data Sharing Checklist, Data Sharing Situations
Transparency	Do participants understand how their data will be used and shared?
Data Security	Are systems and platforms secure, and is access controlled?	Data Incidence Management SOP (IASC), Security Protocols, Access Control Matrix
Retention & Destruction	Do we have a plan for how long data will be retained and when and how it will be destroyed?	Data Management Registry (IASC)

1. Defined Purpose, Necessity & Proportionality

Data collection, and IM more broadly, should be purpose-driven. That is, every data point collected or managed must support a clear operational or strategic objective. In other words, data should only be collected when it is clearly needed, not "just in case". In addition to that, the level of detail must be proportionate to that purpose.

Good practice:

• Define data use cases before designing tools and collecting data

• Verify whether the data already exists (internally or externally)

• Avoid speculative or duplicative data collection

• Conduct a Data Needs Assessment

2. Fairness and Legitimacy

Information Management processes must be fair — treating people with dignity and ensuring they are not harmed or exploited — and legitimate, meaning they are based on a clear humanitarian mandate, lawful processing, and respect for affected populations’ agency.

Good practice:

• Ensure affected communities understand and are consulted on data collection

• Validate tools with local partners or field staff to remove bias

• Avoid collecting or using data in ways that reinforce exclusion or unequal access

• Respect community dynamics and sensitivities when designing IM systems

3. Human Rights-Based Approach

All IM practices must uphold international human rights, including the rights to privacy, non-discrimination, and participation. This principle ensures that data is never used in ways that harm or stigmatise vulnerable populations.

Good practice:

• Identify groups that may be at increased risk due to data misuse (e.g., survivors of violence, minorities, displaced persons)

• Provide options to opt-out or decline participation in data collection without penalty

• Monitor for unintended consequences of how data is shared or visualised

4. People-Centred and Inclusive

IM systems must be inclusive and reflective of the diversity within affected communities. That means not only collecting disaggregated data, but also enabling different groups to participate in and benefit from information processes.

Good practice:

• Where relevant and justified, disaggregate data by gender, age, disability, and displacement status (based on information needs and potential programmatic use)

• Identify who may be underrepresented in data collection and analysis, and explore why gaps exist

• Design questions and indicators with input from diverse groups to ensure cultural appropriateness and inclusivity

• Ensure accessibility of tools and formats for people with different abilities, languages, and literacy levels

5. Personal Data Protection

When handling personal data — any data that can identify an individual directly or indirectly — humanitarians must apply robust safeguards to ensure confidentiality, lawful processing, and ethical use.

Good practice:

• Secure informed and meaningful consent, tailored to the context and literacy levels

• Anonymise or pseudonymise datasets where possible

• Store data securely, with access restricted to authorised personnel

The General Data Protection Regulation (GDPR) is widely regarded as one of the most comprehensive data protection frameworks, and many organisations — especially those based in the EU — align their practices with it.

In humanitarian contexts, however, applying GDPR-aligned safeguards is just the starting point. Ethical data management requires not only legal compliance but also a commitment to contextual, meaningful, and people-centred data practices. Some questions to consider in practice:

• Is consent genuinely informed, contextual, and ongoing — or is it a one-time formality?

• Can individuals still access services if they choose not to share personal data?

• Are we able to provide people with access to the data we hold on them — or delete it if they request?

• Do staff understand how to uphold data rights on the ground?

6. Data Quality

Poor quality data leads to poor decisions, inefficiencies, and risks to accountability. Hence, data should be relevant, accurate, timely, complete, standardized, interoperable, well-documented, up-to-date and interpretable.

Good practice:

• Apply validation checks during and after data collection

• Document sources, limitations, and update frequency for all datasets

• Conduct regular Data Quality Assessments

7. Accountability

IM must enable affected people and communities to understand and influence how their data is used. This includes being able to provide feedback, access their data, or request corrections.

Good practice:

• Inform communities on how their data will be used and with whom it may be shared

• Ensure there are processes for complaints, corrections, and questions

• Reflect back findings in an accessible format

8. Confidentiality

Sensitive data — whether personal, contextual, or community-level — must be protected from unauthorised access, accidental sharing, or re-identification. This is particularly relevant for humanitarian organisations, since they are sometimes exempt from national data privacy laws. This elevates the ethical responsibility to safeguard data beyond legal compliance.

Good practice:

• Label sensitive datasets and apply appropriate storage and encryption measures

• Limit access to data on a strict “need-to-know” basis

• Use unique identifiers instead of names or direct attributes

• Avoid displaying granular or location-specific data that could lead to targeting

9. Coordination and Collaboration

IM systems work best when they support collective action. Data should be harmonised and shared across agencies and stakeholders, such as national and local authorities, where relevant and appropriate.

Good practice:

• Participate in IMWGs and share 5W or needs data through clusters

• Align indicators with sector and inter-agency standards

• Use open data tags (e.g., HXL) and interoperable formats

• Co-develop analysis with other organisations where relevant

10. Transparency

Communities and partners have a right to know how data about them is collected, used, shared, and protected. Transparency builds trust and supports informed participation.

Good practice:

• Provide simple, visual information on data use (e.g., posters, info sheets)

• Clearly communicate who will access the data and how it may influence programming

• Share key findings and limitations in plain language

11. Data Security

Information systems must protect data against loss, misuse, unauthorised access, or corruption — through both digital and physical safeguards.

Good practice:

• Encrypt files and secure user access through two-factor authentication

• Back up key data regularly and store it in approved systems

• Apply device-level protection (e.g., locked laptops, password access)

12. Retention and Destruction

Data must not be held longer than necessary. Once the purpose for which it was collected has been fulfilled, it should be securely deleted or archived following policy and donor rules.

Good practice:

• Define retention periods at the start of the project

• Include data archiving and deletion in exit strategies

• Securely destroy physical records (e.g., shredding) and digital files (e.g., wiping)

---

REFERENCES & FURTHER READINGS:

• OCHA (2025). Data Responsibility Guidelines.

• IASC (2023). Operational Guidance on Data Responsibility in Humanitarian Action.

  • Data Responsibility Diagnostic Template

  • Data Management Registry

  • Data Impact Assessment Template

  • Designing for Data Responsibility

  • Standard Operating Procedure for Data Management Activity

  • Information Sharing Protocol Template (including a Data Sensitivity Classification)

  • Data Sharing Agreement Template

  • Standard Operating Procedure for Data Incident Management

• CHS Alliance (2014). Core Humanitarian Standard on Quality and Accountability.

• ICRC (2020). Handbook on Data Protection in Humanitarian Action (2nd edition)

• HI (2022). Operational Information Management at HI: Policy Paper.

• IFRC (2022). IM Technical Competency Framework.