Data Evacuation
Data evacuation is the controlled extraction or destruction of sensitive information when an office must be abandoned due to security deterioration, natural disaster, conflict, or forced closure. The procedures in this playbook prioritise preventing data from falling into hostile hands while preserving information critical to ongoing operations and legal obligations. Unlike planned office closures where weeks of preparation are possible, evacuation scenarios compress data handling decisions into hours or days, requiring pre-planned prioritisation and rapid execution.
The core tension in data evacuation lies between competing imperatives: preserving organisational knowledge and evidence, protecting sensitive information from hostile access, complying with data retention obligations, and ensuring staff safety during departure. These procedures establish decision frameworks that balance these concerns under time pressure, recognising that perfect outcomes are impossible and acceptable outcomes require advance preparation.
Activation criteria
Invoke this playbook when any of the following conditions are met. Do not wait for official evacuation orders if security indicators suggest imminent risk.
| Indicator | Activation threshold |
|---|---|
| Security advisory | Evacuation ordered by security team or country director |
| Conflict escalation | Armed conflict within 50km and advancing toward location |
| Civil unrest | Sustained protests or violence within 5km of office |
| Natural disaster | Imminent threat (hurricane landfall within 48 hours, flood waters rising) |
| Infrastructure failure | Power or communications expected offline for more than 72 hours |
| Government action | Credible information of impending office seizure or staff detention |
| Staff safety | Any situation where remaining endangers personnel |
Staff safety priority
Data protection never takes precedence over staff safety. If evacuation timelines conflict with data handling procedures, abandon data procedures and evacuate immediately. Data can be remotely wiped or written off; staff cannot be replaced.
Roles
| Role | Responsibility | Typical assignee | Backup |
|---|---|---|---|
| Evacuation coordinator | Overall evacuation management, timeline decisions | Country director or delegate | Operations manager |
| Data lead | Data inventory, prioritisation decisions, destruction verification | IT manager or most senior IT staff | Programme data manager |
| Security lead | Physical security assessment, destruction witness | Security manager | External security advisor |
| Communications lead | HQ liaison, status updates, coordination | Communications officer | Country director |
In offices without dedicated IT staff, the evacuation coordinator assumes data lead responsibilities. The data lead role requires someone with system access credentials and knowledge of data locations; if no such person is present, contact HQ IT immediately for remote guidance.
Phase 1: Immediate assessment
Objective: Determine available time, connectivity, and resources for data handling
Timeframe: 30 minutes maximum
Establish communication with HQ IT and security teams. Use the most secure available channel: encrypted messaging (Signal, Wire) over mobile data if office internet is compromised. Confirm you can reach HQ before proceeding with data handling.
If communications are unavailable, proceed with pre-authorised evacuation procedures. Do not delay evacuation waiting for HQ confirmation.
Assess available evacuation time using security team guidance. Categorise the timeframe:
- Under 2 hours: Destruction-priority mode. Focus on destroying sensitive data; minimal extraction possible.
- 2-12 hours: Selective evacuation. Extract highest-priority data; destroy remainder.
- 12-48 hours: Comprehensive evacuation. Extract priority data, archive secondary data, destroy as needed.
- Over 48 hours: Use standard office closure procedures from the Office Closure IT Checklist.
Assess connectivity for data extraction. Test upload speeds to cloud storage and HQ systems. A 100 Mbps connection uploads approximately 45 GB per hour; a 10 Mbps connection uploads approximately 4.5 GB per hour; a 1 Mbps connection uploads approximately 450 MB per hour.
Calculate maximum extractable data volume:
Extractable volume = (Available hours - 1) × Upload rate × 0.7

The formula reserves one hour for other activities and applies a 0.7 efficiency factor for real-world upload conditions.
Inventory destruction resources. Confirm availability of:
- Degausser or physical destruction tools for hard drives
- Cross-cut shredder (P-4 or higher) for documents
- Burn containers if outdoor destruction is safe
- Hammers and drills for emergency drive destruction
Document the assessment. Record time available, connectivity speed, and destruction resources. This documentation supports post-evacuation review and insurance claims.
Decision point: If available time is under 30 minutes, skip to Phase 4 (Destruction) immediately. Destroy the pre-identified critical destruction list and evacuate.
Checkpoint: Assessment complete, HQ notified, time and resources documented.
Phase 2: Data prioritisation
Objective: Categorise all data for extraction, destruction, or abandonment
Timeframe: 1 hour maximum
Data prioritisation in evacuation contexts uses a matrix of sensitivity and replaceability. Sensitivity measures the harm caused if data reaches hostile parties. Replaceability measures whether the data exists elsewhere or can be reconstructed.
| Sensitivity | Replaceable (high replaceability) | Irreplaceable (low replaceability) |
|---|---|---|
| High | DESTROY FIRST: cached credentials, local password stores, session tokens | EXTRACT OR DESTROY: protection case files, beneficiary PII, staff HR files, financial records, legal documents |
| Low | ABANDON: published materials, software installers, reference docs | EXTRACT IF TIME: programme reports, photos and media, historical records |

Figure 1: Data prioritisation matrix for evacuation decisions
Identify data locations across all systems. In a typical field office, data resides in:
| Location | Typical contents | Access method |
|---|---|---|
| Cloud storage (SharePoint, Google Drive) | Documents, spreadsheets, presentations | Already backed up; verify sync status |
| Local workstation drives | Working files, cached data, downloads | Requires local access |
| Shared network drives | Team files, archives | Requires network access |
| Application databases | Case management, beneficiary data, M&E | Database export required |
| Email (local cache) | Communications, attachments | PST/OST files on workstations |
| Mobile devices | Field data, photos, messages | Device access required |
| Paper files | Signed documents, historical records | Physical handling |
| Removable media | Backup drives, USB devices | Physical collection |

Categorise each data location using the prioritisation matrix. For each location, assign:
- Priority A (Destroy First): High sensitivity, high replaceability. Destroy before evacuation regardless of time available.
- Priority B (Extract or Destroy): High sensitivity, low replaceability. Extract if connectivity and time allow; destroy if extraction impossible.
- Priority C (Extract if Time): Low sensitivity, low replaceability. Extract after Priority B complete; abandon if time insufficient.
- Priority D (Abandon): Low sensitivity, high replaceability. Do not spend evacuation time on these.
Create the extraction list. Document Priority B and C data with:
- Location (system, path)
- Approximate size
- Extraction method (cloud sync, manual copy, database export)
- Responsible person
- Estimated extraction time
Create the destruction list. Document Priority A and B data with:
- Location (system, device, physical location)
- Destruction method (remote wipe, degauss, shred, physical destruction)
- Verification method
- Responsible person
Verify cloud synchronisation status. Data already synchronised to cloud storage does not require local extraction. Check sync status for:
- OneDrive/SharePoint libraries: Look for green checkmarks on all files
- Google Drive: Confirm “Sync complete” status
- Other sync tools: Verify last sync timestamp within 24 hours
Decision point: If Priority B data volume exceeds extractable capacity, escalate to HQ for prioritisation guidance. If HQ unreachable, prioritise protection and safeguarding data, then financial records, then HR files.
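A small planner that applies the Phase 1 capacity formula and this Phase 2 decision point, added here as an example (not the playbook's own tooling): it fills the extractable volume with Priority B data in the HQ-unreachable fallback order, then Priority C, and flags any Priority B overflow for escalation. The inventory items, sizes and category names are constructed, and the mode labels are assumed names.

```python
"""Extraction planner for Phases 1 and 2 (added example, not the playbook's
own tooling). Item names, sizes and categories below are constructed."""
from dataclasses import dataclass

GB_PER_HOUR_PER_MBPS = 0.45   # page figure: 10 Mbps uploads ~4.5 GB per hour
EFFICIENCY = 0.7              # real-world upload efficiency factor
RESERVED_HOURS = 1            # one hour reserved for other activities

# Fallback order for Priority B data when HQ is unreachable:
# protection/safeguarding, then financial, then HR, then everything else.
FALLBACK_ORDER = {"protection": 0, "financial": 1, "hr": 2}


def evacuation_mode(available_hours: float) -> str:
    """Map the available time to the Phase 1 timeframe category."""
    if available_hours < 2:
        return "destruction-priority"
    if available_hours <= 12:
        return "selective"
    if available_hours <= 48:
        return "comprehensive"
    return "standard-closure"


def extractable_gb(available_hours: float, upload_mbps: float) -> float:
    """Extractable volume = (Available hours - 1) x Upload rate x 0.7."""
    usable_hours = max(available_hours - RESERVED_HOURS, 0)
    return round(usable_hours * upload_mbps * GB_PER_HOUR_PER_MBPS * EFFICIENCY, 2)


@dataclass
class DataItem:
    location: str
    priority: str            # "A", "B", "C" or "D" from the prioritisation matrix
    size_gb: float
    category: str = "other"  # "protection", "financial", "hr" or "other"


def plan_extraction(items, available_hours, upload_mbps):
    """Fill the extractable volume with Priority B first (fallback order),
    then Priority C smallest first so as many irreplaceable items as possible
    fit. Priority B that does not fit triggers the escalate-to-HQ decision."""
    remaining = extractable_gb(available_hours, upload_mbps)
    b_items = sorted((i for i in items if i.priority == "B"),
                     key=lambda i: FALLBACK_ORDER.get(i.category, 99))
    c_items = sorted((i for i in items if i.priority == "C"), key=lambda i: i.size_gb)
    plan = {"mode": evacuation_mode(available_hours),
            "capacity_gb": remaining,
            "destroy_first": [i.location for i in items if i.priority == "A"],
            "extract": [], "destroy_unextracted_b": [], "abandon_c": []}
    queue = [(i, "destroy_unextracted_b") for i in b_items] + [(i, "abandon_c") for i in c_items]
    for item, deferred_key in queue:
        if item.size_gb <= remaining:
            plan["extract"].append(item.location)
            remaining -= item.size_gb
        else:
            plan[deferred_key].append(item.location)   # B: destroy; C: abandon
    plan["escalate_to_hq"] = bool(plan["destroy_unextracted_b"])
    return plan


# Constructed field-office inventory: 5 hours available on a 10 Mbps link.
SAMPLE_ITEMS = [
    DataItem("browser credential cache", "A", 0.1),
    DataItem("case management DB export", "B", 8.0, "protection"),
    DataItem("finance ledger export", "B", 3.0, "financial"),
    DataItem("HR files share", "B", 4.0, "hr"),
    DataItem("programme reports", "C", 1.0),
    DataItem("photo archive", "C", 20.0),
]

if __name__ == "__main__":
    print(plan_extraction(SAMPLE_ITEMS, 5, 10))
```

With the constructed inventory the 12.6 GB capacity takes the protection and financial exports and the reports, leaves the HR share for destruction, and sets the escalation flag.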
Checkpoint: Prioritisation complete, extraction list created, destruction list created, HQ notified of volumes and timeline.
Phase 3: Secure transfer
Objective: Extract Priority B and C data to secure remote storage
Timeframe: Variable based on available time minus 2 hours (reserve for destruction and departure)
Establish secure upload channel. Use organisational cloud storage with encryption in transit. If standard channels are compromised or monitored, use pre-arranged alternative upload locations provided by HQ IT.
Do not upload sensitive data to personal cloud accounts, email attachments to external addresses, or file sharing services not approved for organisational use.
Export application databases. For each database system, generate exports in portable formats:
```bash
# PostgreSQL database export (custom format)
pg_dump -h localhost -U appuser -d casemgmt -F c -f casemgmt_backup.dump

# MySQL database export
mysqldump -u appuser -p casemgmt > casemgmt_backup.sql

# Compress before upload
gzip casemgmt_backup.dump
```

Encrypt database exports before upload:

```bash
# Encrypt with GPG using HQ public key
gpg --encrypt --recipient hq-recovery@example.org casemgmt_backup.dump.gz
```

Upload Priority B data first. Monitor upload progress and adjust if connectivity degrades. If uploads stall:
- Reduce concurrent upload streams
- Compress files if not already compressed
- Split large files into smaller chunks
- Switch to alternative connectivity (mobile data, satellite)
Document successful uploads. For each uploaded file or archive, record:
- Filename and path
- File size and hash (SHA-256)
- Upload destination
- Upload completion timestamp
- Verification status
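An added example (not the playbook's own tooling) of producing the upload record listed above and of the hash comparison HQ performs when confirming receipt; file names, contents and the destination label are constructed, and `demo()` simulates one intact, one truncated and one missing transfer.

```python
"""Upload manifest and receipt verification for Phase 3 (added example, not
the playbook's own tooling). File names and contents in demo() are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large encrypted exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_upload(path: Path, destination: str) -> dict:
    """One manifest entry: the fields the playbook requires per uploaded file."""
    return {
        "filename": path.name,
        "path": str(path.resolve()),
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),
        "destination": destination,
        "uploaded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "verification": "pending",  # becomes "confirmed" only after HQ confirms
    }


def verify_receipt(manifest: list, received_dir: Path) -> dict:
    """HQ side: recompute hashes over the files that actually arrived.
    Anything not 'confirmed' must be re-uploaded while connectivity lasts,
    or carried as an encrypted copy instead of being destroyed."""
    status = {}
    for entry in manifest:
        received = received_dir / entry["filename"]
        if not received.exists():
            status[entry["filename"]] = "missing"
        elif sha256_file(received) != entry["sha256"]:
            status[entry["filename"]] = "hash-mismatch"
        else:
            status[entry["filename"]] = "confirmed"
    return status


def demo() -> dict:
    """Constructed scenario: three encrypted exports uploaded; one arrives
    intact, one is truncated in transit, one never arrives."""
    with tempfile.TemporaryDirectory() as tmp:
        office, hq = Path(tmp, "office"), Path(tmp, "hq")
        office.mkdir()
        hq.mkdir()
        exports = {"casemgmt_backup.dump.gz.gpg": os.urandom(3 * 1024 * 1024),
                   "finance_2024.xlsx.gpg": os.urandom(64 * 1024),
                   "hr_files.tar.gpg": os.urandom(8 * 1024)}
        for name, data in exports.items():
            Path(office, name).write_bytes(data)
        manifest = [record_upload(Path(office, n), "hq-recovery/evac-office") for n in exports]
        Path(office, "upload_manifest.json").write_text(json.dumps(manifest, indent=2))
        # Simulate transit: first file intact, second truncated, third lost.
        Path(hq, "casemgmt_backup.dump.gz.gpg").write_bytes(exports["casemgmt_backup.dump.gz.gpg"])
        Path(hq, "finance_2024.xlsx.gpg").write_bytes(exports["finance_2024.xlsx.gpg"][:-100])
        return verify_receipt(manifest, hq)


if __name__ == "__main__":
    print(demo())
```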
Upload Priority C data if time remains. Stop uploads when 2 hours remain before departure to allow destruction and departure procedures.
Verify critical uploads with HQ. Contact HQ IT to confirm receipt of Priority B data. Do not proceed to destruction until HQ confirms successful receipt of irreplaceable sensitive data.
If HQ cannot confirm receipt and connectivity remains, attempt re-upload. If connectivity is lost, carry encrypted copies on devices per Phase 5 procedures.
Decision point: If upload verification fails for Priority B data, retain encrypted local copies for physical evacuation rather than destroying. Update destruction list to exclude unverified data.
Checkpoint: Priority B data uploaded and verified, Priority C data uploaded as time allowed, upload documentation complete.
Phase 4: Destruction
Objective: Destroy sensitive data that cannot be extracted or must not remain
Timeframe: 30-60 minutes depending on volume
Data destruction in evacuation must be verifiable and complete. Partial destruction that leaves data recoverable creates false confidence and potential liability.
Destruction verification flow:

- Data to destroy
  - Digital media
    - Remote wipe -> verify wipe status
    - Physical destroy -> verify physical damage
  - Paper documents
    - Cross-cut shred -> verify confetti
    - Burn -> verify ash dispersal
- Every path ends with: document in destruction log

Figure 2: Destruction verification flow for all media types
Execute remote wipes for all mobile devices and laptops with MDM capability. Initiate wipes through your MDM console:
- Microsoft Intune: Devices > Select device > Wipe > Confirm
- Jamf Pro: Computers/Devices > Select > Management > Wipe
- Google Workspace: Admin console > Devices > Select > Wipe device
Remote wipe commands queue on the server and execute when devices next connect to a network. For devices already offline, wipes execute upon next connection.
Destroy Priority A data on local systems. For workstations and servers that cannot be wiped remotely:
```bash
# Secure deletion on Linux (run as root)
# WARNING: This permanently destroys data
shred -vfz -n 3 /path/to/sensitive/file

# Secure deletion of directory
find /path/to/sensitive/directory -type f -exec shred -vfz -n 3 {} \;

# For full disk destruction (makes system unbootable)
dd if=/dev/urandom of=/dev/sda bs=4M status=progress
```

shred and dd rely on overwriting data in place; on SSDs and on journaled or copy-on-write filesystems the original blocks may survive the overwrite, so treat those devices under the physical destruction guidance below. For Windows systems without secure deletion tools, use physical destruction.
Physically destroy storage media that cannot be securely wiped. Order of effectiveness:
- Degaussing: Use an NSA-approved degausser for magnetic media. A single pass renders data unrecoverable.
- Shredding: An industrial shredder reduces drives to fragments under 2 mm.
- Drilling: Three holes through platters at different positions.
- Hammer destruction: Remove platters from case, hammer until warped and cracked.
For SSDs and flash storage, degaussing is ineffective. Use physical shredding or incineration. Drilling is minimally effective due to distributed data storage.
Destroy paper documents using a cross-cut shredder (DIN 66399 Level P-4 or higher). P-4 produces particles of maximum 160 mm² with a maximum width of 6 mm, sufficient for confidential documents. For highly sensitive protection data, use P-5 (30 mm² maximum) or burn.
If a shredder is unavailable or volume exceeds capacity:
- Burn documents in metal container outdoors
- Stir ash to ensure complete combustion
- Disperse ash after cooling
Document all destruction activities. For each destroyed item, record:
| Field | Content |
|---|---|
| Item description | Device type, serial number, or document description |
| Data classification | Sensitivity level of destroyed data |
| Destruction method | Remote wipe, physical destruction, shred, burn |
| Destruction time | ISO 8601 timestamp |
| Performed by | Name of person who performed destruction |
| Witnessed by | Name of witness (security lead or second staff member) |
| Verification | How destruction was verified |

Verify destruction before departure. For remote wipes, confirm wipe status in the MDM console (it may show “Wipe Pending” if the device is offline). For physical destruction, visually confirm media is unusable. For paper, confirm only ash or confetti remains.
Evidence preservation
If the evacuation relates to a security incident under investigation, consult with HQ before destroying any data. Evidence preservation requirements may override standard destruction procedures. See Evidence Collection for guidance.
Decision point: If destruction cannot be completed before departure, carry remaining Priority A items for destruction en route or at safe location. Do not leave Priority A data behind.
Checkpoint: All Priority A data destroyed and documented, all reachable devices wiped, destruction log complete with witness signatures.
Phase 5: Departure
Objective: Evacuate staff and any data being carried to safety
Timeframe: Departure at designated time regardless of procedure completion status
Prepare devices for travel. If carrying devices with data through potentially hostile checkpoints:
- Enable full-disk encryption and verify it is active
- Power off devices completely (not sleep/hibernate)
- Document device serial numbers for recovery
- Consider enabling travel mode if available (removes sensitive data, restores after safe arrival)
For high-risk border crossings, see Data Protection at Borders for additional procedures.
Secure removable media being transported. Encrypted USB drives and backup media:
- Verify encryption is active with strong passphrase
- Keep media on person, not in checked luggage
- Consider distributing copies across multiple staff members
- Document what each person is carrying
Clear personal devices of organisational data. Staff personal phones and tablets:
- Remove organisational email accounts
- Sign out of organisational apps
- Clear browser data for organisational sites
- Remove downloaded files
Staff can restore access after reaching safe location using their credentials.
Final sweep of physical location. Check for:
- Devices in drawers, cabinets, or charging stations
- USB drives in ports or desk drawers
- Paper documents in printers, copiers, or fax machines
- Whiteboards with sensitive information (photograph then erase)
- Sticky notes with passwords or access codes
Depart at scheduled time. If data procedures are incomplete:
- Notify HQ of incomplete items
- Carry Priority A items for later destruction
- Accept that some Priority C data may remain
- Document what was left and why
Staff safety is the absolute priority. Depart on schedule regardless of data procedure status.
Maintain communication during transit. Check in with HQ at pre-arranged intervals. If communications are compromised, use pre-established code words to indicate status:
- Safe and proceeding normally
- Under duress or surveillance
- Require assistance
Checkpoint: All staff departed safely, HQ notified of departure, carried items documented.
Phase 6: Post-evacuation
Objective: Verify data security, restore operations, and document the evacuation
Timeframe: 24-72 hours after reaching safe location
Verify remote wipe completion. Check MDM console for wipe confirmation on all devices:
- Wipe Successful: Device confirmed wiped
- Wipe Pending: Device has not connected; monitor for 72 hours
- Wipe Failed: Device may retain data; document for risk assessment
For devices showing “Wipe Pending” after 72 hours, treat as potentially compromised and assess data exposure risk.
Confirm data receipt at HQ. Verify with HQ IT that all uploaded data:
- Arrived intact (file hashes match)
- Is accessible to authorised staff
- Has been incorporated into backup systems
If data is missing or corrupted, restore from any carried copies.
Restore staff access to systems. Once staff reach safe locations:
- Re-provision organisational accounts on new or wiped devices
- Restore email and collaboration access
- Provide access to evacuated data
- Brief staff on any changed security procedures
Assess data exposure. For any data that could not be destroyed or extracted:
- Identify what data types remained
- Assess sensitivity and potential harm
- Determine notification requirements (data subjects, donors, regulators)
- Document risk assessment
If protection or beneficiary data was potentially exposed, activate Protection Data Breach Response procedures.
Complete evacuation documentation. Compile:
- Timeline of evacuation events
- Data extraction summary (what was saved, where)
- Destruction log (what was destroyed, how, witnesses)
- Exposure assessment (what could not be protected)
- Lessons learned and recommendations
Submit documentation to HQ within 7 days of evacuation completion.
Initiate insurance and asset claims if applicable. Document:
- Equipment left behind or destroyed (serial numbers, values)
- Data loss or exposure (for cyber insurance if applicable)
- Business interruption costs
Checkpoint: Remote wipes verified, data receipt confirmed, staff access restored, exposure assessed, documentation complete.
Communications
Communication schedule
| Stakeholder | Timing | Channel | Message owner | Content |
|---|---|---|---|---|
| HQ IT | Immediately on activation | Encrypted messaging | Data lead | Data volumes, timeline, connectivity status |
| HQ Security | Immediately on activation | Encrypted messaging | Evacuation coordinator | Security situation, evacuation timeline |
| HQ Leadership | Within 2 hours | Secure call | Evacuation coordinator | Situation summary, data handling plan |
| Regional office | Within 4 hours | Encrypted messaging | Communications lead | Status update, support needs |
| Staff families | Per security guidance | Personal channels | Individual staff | Safe departure confirmation only |
Communication templates
HQ IT notification (on activation):

```
EVACUATION ACTIVATED - [Office name]
Time: [Current time and timezone]
Available time: [Hours until departure]
Connectivity: [Speed in Mbps or "No connectivity"]
Priority B data volume: [Size in GB]
Priority C data volume: [Size in GB]
Destruction resources: [Available/Limited/None]
Requesting: [Specific support needed]
Next update: [Time]
Data lead contact: [Name, number, Signal handle]
```

HQ status update (during evacuation):

```
EVACUATION STATUS - [Office name]
Time: [Current time]
Phase: [Current phase]
Extraction progress: [X of Y GB uploaded]
Destruction progress: [Completed/In progress/Not started]
Issues: [Any problems encountered]
Departure on schedule: [Yes/No - if no, explain]
Next update: [Time]
```

Departure notification:

```
EVACUATION COMPLETE - [Office name]
Time: [Departure time]
All staff departed: [Yes/Confirm headcount]
Data extraction: [Summary - X GB extracted]
Data destruction: [Summary - all Priority A destroyed]
Data remaining: [Summary - what could not be handled]
Carried items: [What staff are transporting]
Next contact: [Expected time and channel]
```

Post-evacuation summary:

```
EVACUATION SUMMARY - [Office name]
Evacuation date: [Date]
Duration: [Hours from activation to departure]

Data handling:
- Extracted: [X GB to cloud storage, verified]
- Destroyed: [X devices, Y documents, all witnessed]
- Potentially exposed: [Description of any remaining data]

Staff status: [All safe at designated location]
Equipment status: [Summary of left/destroyed/carried]

Immediate needs: [Support required for recovery]
Full report: [Expected delivery date]
```

Evidence preservation
In evacuations triggered by security incidents, hostile actions, or events requiring investigation, preserve evidence of:
Physical evidence:
- Photographs of office condition before departure
- Photographs of any damage or tampering
- Access logs and visitor records
- Security camera footage (download if accessible)
Digital evidence:
- System logs from servers and network equipment
- Authentication logs showing any suspicious access
- Email headers if spoofing or compromise suspected
- Network traffic captures if attack ongoing
Documentation:
- Timeline of events leading to evacuation
- Communications received (threats, warnings, demands)
- Witness statements from staff
- Destruction logs and verification
Transfer evidence to HQ via secure channel. If physical evidence cannot be transported, photograph and document thoroughly before abandoning.
For detailed evidence handling procedures, see Evidence Collection.
Pre-evacuation preparation
Effective data evacuation depends on preparation completed before any emergency arises. Complete these preparations during normal operations:
Maintain current data inventory. Document all data locations, volumes, and classifications quarterly. Include cloud storage, local systems, application databases, and paper files. Update immediately when new systems are deployed or significant data is created.
Pre-classify data for evacuation priority. Assign Priority A, B, C, or D classifications to all data categories. Document classifications in a readily accessible location that staff can reference during evacuation. Review classifications annually or when data sensitivity changes.
Pre-stage destruction resources. Maintain degausser, cross-cut shredder, and physical destruction tools at each office. Test functionality quarterly. For offices without dedicated destruction tools, document nearest location with appropriate equipment.
Establish HQ upload procedures. Configure and test secure upload channels to HQ. Document upload procedures, credentials, and alternative channels. Test upload speeds quarterly and recalculate extractable volumes.
Conduct evacuation exercises. Run tabletop exercises annually simulating data evacuation scenarios with various time constraints. Test actual procedures (excluding real destruction) to identify gaps and train staff.
Maintain offline copies of this playbook. Store printed copies of evacuation procedures in multiple locations. Digital copies are inaccessible if systems are compromised or connectivity lost.