1.7 Ethics, Risk, and Responsibility in IM
Information management activities in humanitarian and development contexts must be grounded in ethical principles that prioritize the dignity, rights, and safety of individuals and communities. It's important to remember you're not just dealing with numbers or systems, you're handling information about real people, often in vulnerable situations. The ethics of IM are not just about compliance but about fostering trust, ensuring accountability, and actively preventing harm. As such, all programme data processesβfrom design to collection, use, sharing, and disposalβmust be approached with an awareness of their potential impact on peopleβs lives.
1.7.1 Responsible Data Management
Responsible data management means using data in ways that respect people's rights and support better outcomes, without causing harm. You'll need to think about these core areas:
Data Privacy and Protection
Data collected must be handled in accordance with privacy laws (e.g., GDPR where applicable) and protection frameworks. Humanitarian actors have a duty to protect individuals from harm resulting from data exposureβintentional or accidental. Protect people's data as if it were your own. This includes:
Only storing sensitive data in secure, password-protected systems
Limiting access to those who really need it
Avoiding collecting personal data unless you absolutely need it
Thinking about how data could be misused if it got into the wrong hands
Data Quality and Integrity
Bad data leads to bad decisions. Risks arise from:
Inaccurate, incomplete, or biased data collection; ensure data is accurate and up to date
Inconsistent methodologies across sectors or locations; collect data in a consistent way across your project
Lack of metadata or documentation for secondary use; document data clearly so others can understand it and use it later
Ethics and Consent
People have a right to know what you're collecting about them and why. Informed and voluntary consent should be prioritized wherever feasible, especially for data that could expose individuals to protection risks. This includes:
Explaining the purpose, use, and storage of data in locally appropriate formats
Providing opt-out mechanisms; respect people's right to say no or change their minds
Recognizing power dynamics that may limit true consent; make sure consent is voluntary, not forced
Transparency
Be upfront with communities, partners and your own team. Data subjects and partners should know:
What data is being collected
Why it is being collected
Who has access to it
How long it will be retained and under what safeguards
Accountability
You're accountable for the data you manage and organizations must be answerable for how they manage data. This means:
Following your organisation's data policies
Keeping records of key decisions about data
Raising red flags if something doesn't feel right
Data Minimization
Don't collect more than you need. Only collect the data that is necessary, proportionate, and relevant. Avoid βjust-in-caseβ data collection, which increases risk and often lacks operational value. If you can do your work without collecting a certain data point, don't ask for it. Every piece of data adds risk.
1.7.2 Ethical Considerations Across the IM Lifecycle
You'll face ethical choices at every step of the data process. Risk-awareness and mitigation measures must be embedded from the start.
Collection
Coerced or uninformed consent; exclusion of vulnerable populations; overcollection. Are people being pressured to share info? Are you asking too much?
Storage
Data breaches; insecure cloud storage; lack of access controls. Is the data secure? Who has access?
Usage
Ensure that data is used in a way that directly supports quality and equitable service delivery. Avoid misuse or overreach beyond the original purpose. Use must remain aligned with what participants were informed about and consented to. Monitor for unintended consequences and ensure data use does not reinforce exclusion or create harm.
Analysis
Biased interpretation; profiling; decontextualized conclusions. Could your findings reinforce bias or stigma? Are you drawing fair conclusions?
Sharing
Unverified third-party use; donor pressures; lack of community feedback mechanisms. Are you clear on who will receive the data? Could sharing put people at risk?
Retention/Deletion
Retaining sensitive data without purpose; unclear data exit strategies. Do you have a plan for when and how to delete data securely?
Remember: just because you can collect or share data, it doesn't mean you should.
1.7.3 Key IM Risks
Managing data comes with risks, especially in complex environments. You need to stay alert to the following:
Data Privacy and Protection Risks
Unauthorized access or leaks of sensitive information (e.g., GBV cases, refugee data)
Cross-border data storage with unclear jurisdiction
Inadequate anonymization processes
Data Misuse Risks
Political manipulation or surveillance
Use of registration data for social control
Donor or government misuse of data for non-humanitarian ends
Data Quality Concerns
Use of outdated or inconsistent indicators
Survey fatigue affecting accuracy
Misaligned datasets between partners
Think about how these risks could affect the people you're working with, and plan how to reduce them.
1.7.4 Sustainable Information Management Practices
Sustainable IM isn't just about getting through this month's reporting cycle, it's about building practices that will still make sense, and do no harm, years from now. This involves:
Building local partner and community capacity in data literacy
Reducing dependency on proprietary platforms with high exit costs, choose tools that work even in low-connectivity or low-resource settings
Ensuring interoperable and reusable data systems, document your processes so others can build on what you've done
Planning how data will be handed over or retired when the programme ends
1.7.5 Data Responsibility
Data responsibility refers to the collective duty of humanitarian actors to manage data safely, ethically, and effectively throughout its lifecycle. Being 'data responsible' is about asking yourself:
Are we respecting people's rights and dignity?
Are we doing what we said we'd do with the data?
Are we ready to explain our decisions if someone asks?
To support this you should consider:
Institutional policies and SOPs
Dedicated focal points or data governance structures
Contingency planning for data incidents (e.g., breaches, loss)
Sectoral coordination (e.g., with Clusters, OCHA, REACH)
It's not about being perfect - it's about being thoughtful, transparent and proactive.
1.7.6 Field Assessment Checklist for Ethical IM
Use this quick checklist during programme design, M&E planning, or field data activities:
β
Question
β
Have you defined the specific purpose and necessity of each data element collected?
β
Have affected populations been informed about how their data will be used?
β
Is there a plan for secure storage, access controls, and regular audits?
β
Are you minimizing the collection of sensitive and personally identifiable data?
β
Is the data collection inclusive of marginalized or hard-to-reach groups?
β
Are third parties (e.g., donors, partners) informed of their data protection responsibilities?
β
Are there clear data retention and deletion protocols?
β
Have potential ethical or protection risks been documented and mitigated?
β
Are the tools used compliant with relevant laws and sectoral guidance?
β
Are you able to explain and justify your IM approach to affected people if asked?
If you're answering 'no' to any of these, it's worth pausing and making a plan to fix it.
REFERENCES & FURTHER READINGS:
ALNAP: Ethics in Evidence
Last updated