Protection Information Management

Protection information management governs how organisations collect, store, process, share, and dispose of data generated through protection programming. This discipline addresses data types that carry exceptional risk: gender-based violence case records, child protection assessments, trafficking survivor information, and related sensitive categories where disclosure or mishandling can result in physical harm, social ostracism, legal jeopardy, or death. The information management requirements for protection data exceed standard data protection obligations because the consequences of failure are measured in human safety rather than regulatory penalties or reputational damage.

Protection programming generates data across multiple activity types: case management for individual survivors, aggregate reporting for coordination and advocacy, research for programme design, and monitoring for accountability. Each activity type produces distinct data categories with different sensitivity levels, retention requirements, and sharing constraints. A GBV case file contains identifying information, incident details, and service records that require maximum protection. An aggregate report on protection trends contains no individual identifiers but reveals patterns that could identify communities or inform targeting. Managing these different data types requires classification frameworks, technical controls, and operational procedures calibrated to actual risk rather than uniform policies applied without differentiation.

Protection data
Information generated through protection programming that relates to individuals who have experienced or are at risk of violence, abuse, exploitation, or neglect. Includes case records, assessments, referrals, and service documentation.
Gender-based violence data
Information relating to violence directed at individuals based on gender, including intimate partner violence, sexual violence, harmful practices, and exploitation. Subject to specific handling requirements due to stigma, safety risks, and legal implications in many jurisdictions.
Child protection data
Information relating to children who have experienced or are at risk of abuse, neglect, exploitation, or violence. Includes family assessments, best interest determinations, and case management records. Subject to additional safeguards reflecting children’s particular vulnerability and evolving capacity.
Counter-trafficking data
Information relating to victims and survivors of human trafficking, including identification records, case documentation, and reintegration support records. Subject to heightened security requirements due to organised criminal involvement and transnational dimensions.
Aggregate data
Statistical summaries derived from individual records that do not contain personal identifiers. Used for reporting, coordination, and advocacy while protecting individual privacy.
Minimum data set
The smallest collection of data elements required to achieve a specified purpose. Protection programming applies data minimisation through defined minimum data sets for each activity type.

Data Categories in Protection Programming

Protection programmes generate data across a spectrum from highly sensitive individual records to anonymised aggregate statistics. Understanding these categories and their distinct handling requirements forms the foundation for appropriate information management.

Individual case data comprises records created through direct service provision to protection survivors and persons at risk. This category includes intake forms, assessment tools, case notes, service plans, referral records, and outcome documentation. Individual case data contains both direct identifiers (names, identification numbers, contact details) and indirect identifiers (location, demographic characteristics, incident details) that can enable re-identification even when direct identifiers are removed. The combination of incident type, location, date, and demographic characteristics in a GBV case record frequently constitutes a unique fingerprint in small populations. A case record describing sexual violence against a 16-year-old girl in a specific village on a particular date identifies the survivor to anyone with local knowledge regardless of whether her name appears in the record.

Programme operational data encompasses information required to manage protection activities without constituting individual case records. This includes beneficiary lists for distribution activities, attendance records for awareness sessions, community mapping information, and service provider directories. Operational data presents lower individual risk than case data but can reveal protection programme locations, participant identities, and service patterns that create aggregate risk. A list of women attending a GBV awareness session identifies community members engaged with protection services, potentially exposing them to stigma or retaliation even without recording any incident information.

Aggregate and statistical data comprises summaries, counts, and statistical analyses derived from individual records. Aggregate data supports coordination mechanisms, advocacy efforts, donor reporting, and programme monitoring. The transition from individual to aggregate data requires deliberate anonymisation processes because simple removal of names does not prevent re-identification. A report stating “3 cases of intimate partner violence among refugees in Camp X during March” may identify survivors if Camp X has a small population and community members have visibility into who accesses services.

Research and assessment data includes information collected through surveys, focus groups, key informant interviews, and other research methodologies to inform programme design and policy advocacy. Research data requires specific ethical protocols including informed consent, data access agreements, and defined retention periods. Even anonymised research data can enable re-identification when combined with other information sources or published alongside detailed methodology descriptions.

PROTECTION DATA CATEGORIES (highest to lowest sensitivity)

INDIVIDUAL CASE DATA (highest sensitivity)
  - Intake and registration forms
  - Assessment tools (safety, risk, needs)
  - Case notes and session records
  - Service and action plans
  - Referral documentation
  - Outcome and closure records
  - Consent and release forms
        |
        v
PROGRAMME OPERATIONAL DATA (medium sensitivity)
  - Beneficiary lists (non-case)
  - Activity attendance records
  - Service provider directories
  - Community mapping data
  - Outreach and awareness records
        |
        v
AGGREGATE AND STATISTICAL DATA (lower sensitivity)
  - Caseload summaries and trends
  - Service utilisation statistics
  - Demographic breakdowns
  - Geographic distribution reports
  - Outcome and impact indicators
        |
        v
RESEARCH AND ASSESSMENT DATA (variable sensitivity)
  - Survey responses
  - Focus group transcripts
  - Key informant interview notes
  - Secondary data analysis

Figure 1: Protection data categories with relative sensitivity levels

Gender-Based Violence Data Management

GBV data carries risks beyond standard personal data because disclosure can trigger secondary victimisation, family and community retaliation, legal consequences where survivors face prosecution, and psychological harm from loss of control over personal information. Information management for GBV programmes must address these risks through technical controls, access restrictions, and operational procedures that exceed baseline data protection requirements.

The GBV Information Management System (GBVIMS) establishes sector standards for GBV data handling. GBVIMS defines a standardised incident classification taxonomy, intake and consent forms, case management tools, and aggregate reporting formats. Organisations operating within coordination frameworks use GBVIMS to enable interagency data sharing while protecting individual confidentiality. The system separates individual case data, which remains with service providers, from aggregate statistical data compiled for coordination purposes.

GBVIMS operates through three tiers. The first tier comprises intake and consent documentation that establishes the survivor’s informed agreement to data collection and any data sharing. The second tier contains the incident recorder, a standardised tool capturing incident details using closed classification fields that enable statistical aggregation. The third tier generates aggregate reports stripped of individual identifiers for sharing with coordination mechanisms. No individual-level data flows beyond the service provider without explicit survivor consent for specific purposes.

GBVIMS DATA FLOW

SERVICE PROVIDER LEVEL
  Intake and Consent (Tier 1) ---> Incident Recorder (Tier 2)
                                           |
                                           | individual data stays at the provider
                                           v
                                    Case Management File

        |
        | aggregate only; no individual identifiers
        v

COORDINATION LEVEL
  Aggregate Compiler (Tier 3) ---> Coordination Reports (Tier 3)
    - Incident counts by type
    - Demographic breakdowns
    - Service utilisation trends
    - Geographic patterns (aggregated)

Figure 2: GBVIMS three-tier data flow maintaining individual confidentiality

GBV case data retention requires balancing survivor access to their own information against risks of prolonged data storage. Survivors returning to services after initial contact need access to historical case information to avoid re-traumatising repetition of their account. Legal proceedings, which can span years, require evidence preservation. These legitimate retention needs create extended exposure windows during which data theft, system compromise, or organisational failure could result in disclosure.

Retention periods for GBV data derive from the intersection of survivor need, legal requirement, and risk assessment. A baseline retention period of 7 years from case closure accommodates most legal proceedings while limiting long-term exposure. Organisations extend retention where specific legal obligations require longer periods or where survivors request continued access. Secure destruction occurs through methods that prevent reconstruction: physical destruction for paper records, cryptographic erasure for digital records. Standard file deletion does not constitute secure destruction because deleted data remains recoverable until overwritten.

Survivor-controlled disclosure places decisions about information sharing in the survivor’s hands rather than organisational discretion. Beyond mandatory reporting requirements (which vary by jurisdiction and context), no GBV case information transfers to any party without explicit survivor consent for that specific disclosure. This principle applies regardless of perceived benefit to the survivor: a caseworker’s professional judgment that referral would help does not override the survivor’s right to control her own information. The consent process explains who will receive information, what information will be shared, for what purpose, and what risks may result from disclosure.

Child Protection Data Management

Child protection data encompasses information relating to children who have experienced or are at risk of abuse, neglect, exploitation, or violence. This includes family assessments conducted during case identification, best interest assessments and determinations for decision-making, case management records documenting interventions, and records of alternative care placements. Child protection data management incorporates all protections applicable to protection data generally while addressing additional considerations arising from children’s particular vulnerability and evolving capacity.

Best interest determination records present specific sensitivity because they document decisions affecting children’s lives, including family separation, alternative care placement, and return or reunification. These records contain assessments of parental capacity, family dynamics, and risk factors that could cause harm if disclosed to subjects or accessed by hostile parties. A BID record assessing a parent as unable to provide adequate care could trigger violence against the child or caseworker if accessed by that parent. Storage, access, and transmission of BID records require heightened controls exceeding those for general case management records.

Child identity protection requires managing information about children across their developmental trajectory. Information recorded about a young child will persist into their adolescence and adulthood. A child protection case file created when a child is 3 years old remains sensitive when that person is 18 and seeking employment, education, or relationships. Retention and eventual destruction of child protection records must account for this extended timeline while enabling access for purposes that benefit the subject, such as understanding personal history or accessing records needed for legal purposes.

The Inter-Agency Child Protection Information Management System (CPIMS+) provides a standardised platform for child protection case management. CPIMS+ implements role-based access controls, audit logging, and encryption appropriate for child protection data. The system supports offline functionality for field deployment in low-connectivity environments while maintaining data protection standards through local encryption and synchronisation protocols that protect data in transit.

CHILD PROTECTION DATA LIFECYCLE

IDENTIFICATION AND REGISTRATION
  Initial contact: referral source, safety screening, immediate needs
  Registration:    child bio data, family context, case opening
  Consent:         informed, documented, witnessed
        |
        v
ASSESSMENT AND PLANNING
  Comprehensive assessment: risk factors, protective factors, child views
  Best interest assessment: options analysis, recommendations, decision record
  Case plan:                goals, actions, timeline
        |
        v
IMPLEMENTATION AND MONITORING
  Service delivery: direct services, referrals made, outcomes tracked
  Follow-up:        home visits, school contact, health checks
  Review:           progress, plan revision
        |
        v
CASE CLOSURE AND TRANSITION
  Closure assessment: outcomes achieved, risks resolved, child stable
  Transition:         handover if any, exit interview, follow-up plan
  Archiving:          retention period, secure
        |
        v
SECURE DESTRUCTION (after retention period)
  Physical records: cross-cut shredding, witnessed
  Digital records:  cryptographic erasure, verified
  Backup media:     identified and destroyed

Figure 3: Child protection data lifecycle from identification through destruction

Unaccompanied and separated children present particular information management challenges. UASC registration collects information to enable family tracing while protecting children from trafficking risks and fraudulent family claims. Tracing requests require verification procedures to confirm claimed relationships before any information disclosure. A person claiming to be a child’s parent must provide corroborating evidence before receiving any information about the child’s location or status. The Inter-agency Guiding Principles on Unaccompanied and Separated Children establish verification standards including photographic evidence, detailed family knowledge tests, and reference contacts.

Data sharing for family tracing operates through the International Committee of the Red Cross (ICRC) and national Red Cross/Red Crescent societies through the Restoring Family Links network. This network implements specific protocols for transmitting tracing queries and responses that protect both seekers and sought individuals from misuse. Information flows through defined channels with verification at multiple points rather than direct transmission between parties.

Counter-Trafficking Data Management

Counter-trafficking programmes generate data subject to the highest security requirements within protection information management. Trafficking involves organised criminal networks with resources, motivation, and demonstrated willingness to harm victims who cooperate with service providers or authorities. Traffickers have infiltrated organisations, compromised staff members, and exploited inadequate information security to locate and re-traffic survivors. Information management for counter-trafficking must assume hostile actors are actively attempting to access data and design controls accordingly.

Trafficking survivor identification data requires protection from the moment of first contact. Initial screening and formal identification generate records establishing an individual’s status as a trafficking victim. These records support access to services and legal protections but also create documentation that traffickers seek to destroy or use for retaliation. Physical storage of identification records requires secured facilities with access logging. Digital storage requires encryption with access limited to specifically authorised personnel through individually assigned credentials rather than shared accounts.

Transnational dimensions introduce jurisdictional complexity into counter-trafficking data management. Trafficking cases frequently span multiple countries with different legal frameworks, law enforcement capabilities, and corruption risks. A survivor trafficked from Country A through Country B to Country C may have service providers, law enforcement contacts, and legal proceedings in multiple jurisdictions. Sharing information across borders creates exposure at each transmission point and within each receiving entity’s systems. Cross-border information sharing occurs only through established protocols with verified recipients, encrypted transmission channels, and explicit survivor consent for international disclosure.

Reintegration and long-term support data documents services provided during a survivor’s recovery and return to community life. This data category extends over years as survivors rebuild their lives and may periodically re-engage with services. Retention of reintegration records enables continuity of support but creates prolonged exposure windows. Survivors who have successfully reintegrated face particular harm from disclosure that resurfaces their trafficking history. Reintegration data receives the same protection as acute-phase case data throughout its retention period.

COUNTER-TRAFFICKING DATA SECURITY MODEL

THREAT ACTORS
  - Traffickers
  - Criminal networks
  - Corrupt officials
  - Hostile states
        |
        v
SECURITY PERIMETER
  Physical controls:    secured facility, access logging, clean desk, visitor management, document control
  Technical controls:   encryption (at rest and in transit), MFA required, audit logging, segmentation
  Personnel controls:   background check, security training, need-to-know, confidentiality, supervision
  Operational controls: classification, access review, incident response
        |
        v
PROTECTED DATA
  Identification records | Case management records | Reintegration records

Figure 4: Counter-trafficking data security model with layered controls

Data Sharing Frameworks

Protection data sharing operates within a framework that defaults to restriction rather than openness. Unlike general organisational data where sharing supports collaboration and efficiency, protection data sharing creates risk with each transmission. The decision to share protection data requires affirmative justification for why sharing is necessary and appropriate rather than why restriction is warranted.

Internal sharing within an organisation requires role-based access controls that limit data visibility to personnel with operational need. A GBV caseworker requires access to her own cases but not to cases managed by colleagues. A supervisor requires access to cases under her supervision but not to all cases in the programme. A monitoring officer requires access to aggregate data but not to individual case records. These distinctions map to access control configurations in case management systems through role definitions, case assignment, and data classification.

Interagency sharing supports service coordination when a survivor requires services from multiple providers. A GBV survivor may need medical care, legal assistance, psychosocial support, and safe accommodation from different organisations. Coordinating these services without data sharing requires the survivor to repeat her account to each provider, causing re-traumatisation and creating inconsistencies. Interagency sharing through referral mechanisms transmits minimum necessary information with explicit survivor consent for each receiving organisation.

DATA SHARING DECISION FRAMEWORK

1. Is sharing legally required?
   Yes -> Share per legal requirements; document the basis.
   No  -> Go to step 2.

2. Does the survivor consent to sharing?
   Yes -> Go to step 3.
   No  -> Do not share; document the decision.

3. Is the receiving party appropriate?
   Yes -> Go to step 4.
   No  -> Do not share; identify an alternative receiving party.

4. Is a minimum data set defined?
   Yes -> Share the minimum data set; log the transmission; confirm receipt.
   No  -> Define the minimum data set before proceeding.

Figure 5: Data sharing decision framework for protection information

Aggregate data sharing supports coordination mechanisms, advocacy efforts, and accountability requirements without transmitting individual records. However, aggregate data can enable re-identification when combined with other information or when population sizes are small. Before sharing aggregate data, organisations assess re-identification risk through consideration of population size, data granularity, and potential for combination with other data sources.

A GBV coordination report stating “5 cases of intimate partner violence in Location X during Week 23” presents low re-identification risk in a large urban area but significant risk in a small camp or village where community members can identify who accessed services. Suppression rules prevent disclosure of aggregate cells below minimum thresholds. A common threshold requires suppression of any cell containing fewer than 5 individuals, though appropriate thresholds depend on context and should increase for smaller populations or higher-risk data types.

External reporting to donors, coordination bodies, and regulatory authorities requires defined data sets, transmission channels, and access controls at receiving entities. Programme agreements should specify what data donors and coordination mechanisms will receive, in what format, through what channels, and how recipients will protect received data. Organisations retain responsibility for survivor safety regardless of donor pressure for additional data access.

Aggregation and Anonymisation Techniques

Transforming individual protection data into aggregate or anonymised forms enables analysis, reporting, and sharing while reducing individual risk. These transformations require deliberate methodology because naive approaches create false confidence in data protection. Removing names from a data set does not anonymise it when remaining variables enable re-identification.

Aggregation computes summary statistics from individual records: counts, percentages, means, and distributions. Aggregation destroys individual records in the output while preserving patterns useful for analysis. The aggregation process itself requires access to individual data, concentrating risk at the point of computation. Organisations designate specific personnel authorised to perform aggregation operations, implement technical controls limiting data extraction from case management systems, and audit aggregation activities.

Effective aggregation for protection data applies suppression rules, geographic generalisation, and temporal smoothing to prevent re-identification. Suppression rules replace or remove cells below minimum thresholds. When a district reports 3 trafficking cases, the exact count is suppressed and reported as “<5” or combined with adjacent time periods or geographic units to achieve minimum thresholds. Geographic generalisation aggregates to larger administrative units when lower-level units have insufficient population to protect anonymity. A village-level report becomes a district-level report. Temporal smoothing aggregates across longer time periods, converting weekly data to monthly or quarterly reports.

AGGREGATION EXAMPLE: GBV INCIDENT DATA

Original data (individual records, not shareable):
+--------+-----+----------+----------+------------+
| Case   | Age | Incident | Location | Date       |
+--------+-----+----------+----------+------------+
| GBV001 | 24  | IPV      | Camp A   | 2024-03-05 |
| GBV002 | 31  | Sexual   | Camp A   | 2024-03-08 |
| GBV003 | 19  | IPV      | Camp B   | 2024-03-12 |
| GBV004 | 27  | IPV      | Camp A   | 2024-03-15 |
| GBV005 | 22  | Sexual   | Camp B   | 2024-03-18 |
+--------+-----+----------+----------+------------+

Naive aggregation (re-identification risk):
+----------+--------+-------+
| Location | Type   | Count |
+----------+--------+-------+
| Camp A   | IPV    | 2     | <- below threshold
| Camp A   | Sexual | 1     | <- below threshold
| Camp B   | IPV    | 1     | <- below threshold
| Camp B   | Sexual | 1     | <- below threshold
+----------+--------+-------+

Protected aggregation (suppression + generalisation):
+----------+-----------+-------+
| Location | Type      | Count |
+----------+-----------+-------+
| District | IPV       | 3     |
| District | Sexual    | 2     |
+----------+-----------+-------+
| Total    | All types | 5     |
+----------+-----------+-------+

Geographic unit elevated from camp to district. All cells now meet the minimum threshold of 5 at district level or are presented as totals without sub-categories.

Anonymisation attempts to transform data such that individuals cannot be re-identified while preserving analytical utility. True anonymisation is difficult to achieve for protection data because the richness of case information provides multiple re-identification vectors. A case record describing the circumstances, location, timing, and demographic characteristics of a protection incident contains sufficient detail to identify the individual even without names or identification numbers. Anonymisation techniques include generalisation (replacing specific values with ranges), suppression (removing identifying variables), perturbation (adding noise to data), and data swapping (exchanging values between records).

k-anonymity provides a formal measure of anonymisation: a data set satisfies k-anonymity if each combination of quasi-identifying variables (those that could contribute to re-identification) appears in at least k records. Protection data rarely achieves meaningful k-anonymity because the combination of incident type, location, date, age, and other variables frequently creates unique or near-unique combinations. Organisations should not claim data is anonymised when it merely has direct identifiers removed.
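The suppression and generalisation steps from the aggregation example above, together with the k-anonymity measure described in this paragraph, as an added illustration written for this page (not GBVIMS code or any tool the page names). It assumes the page's five sample records, a hypothetical camp-to-district mapping, and applies the threshold of 5 strictly to every by-type cell, so on this data only the district total can be released; a second constructed record set shows why a total must also be withheld when exactly one cell in its group is suppressed.

```python
from collections import Counter
from datetime import date

# Constructed sample case records mirroring the page's aggregation example.
# Case ids, ages, incident types, camps and dates are illustrative only.
RECORDS = [
    {"case": "GBV001", "age": 24, "incident": "IPV", "location": "Camp A", "date": date(2024, 3, 5)},
    {"case": "GBV002", "age": 31, "incident": "Sexual", "location": "Camp A", "date": date(2024, 3, 8)},
    {"case": "GBV003", "age": 19, "incident": "IPV", "location": "Camp B", "date": date(2024, 3, 12)},
    {"case": "GBV004", "age": 27, "incident": "IPV", "location": "Camp A", "date": date(2024, 3, 15)},
    {"case": "GBV005", "age": 22, "incident": "Sexual", "location": "Camp B", "date": date(2024, 3, 18)},
]
# Second constructed set with a skewed incident mix, used to show complementary suppression.
SKEWED = RECORDS + [
    {"case": f"GBV00{i}", "age": 30, "incident": "IPV", "location": "Camp A", "date": date(2024, 3, 20)}
    for i in range(6, 10)
]
# Hypothetical mapping of camps to the administrative unit above them.
DISTRICT_OF = {"Camp A": "District 1", "Camp B": "District 1"}
MIN_CELL = 5  # minimum cell size used on the page


def generalise(r, age_band=10):
    """Coarsen one record's quasi-identifiers: age to a band, camp to district,
    exact date to month. Incident type is kept because reports break down by it."""
    lo = (r["age"] // age_band) * age_band
    return {
        "age": f"{lo}-{lo + age_band - 1}",
        "incident": r["incident"],
        "location": DISTRICT_OF[r["location"]],
        "date": r["date"].strftime("%Y-%m"),
    }


def k_anonymity(records, quasi_identifiers):
    """k = size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one record is unique on those columns."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


# Generalisation ladder, finest first: (name, location key, period key).
LEVELS = [
    ("camp / ISO week", lambda r: r["location"], lambda r: f"W{r['date'].isocalendar()[1]:02d}"),
    ("camp / month", lambda r: r["location"], lambda r: r["date"].strftime("%Y-%m")),
    ("district / month", lambda r: DISTRICT_OF[r["location"]], lambda r: r["date"].strftime("%Y-%m")),
]


def aggregate(records, loc, per):
    """Count records per (location, period, incident type) cell."""
    return Counter((loc(r), per(r), r["incident"]) for r in records)


def release(records, threshold=MIN_CELL):
    """Build a shareable table. Climb the ladder until every cell meets the threshold
    (or the ladder is exhausted), apply primary suppression to small cells, then
    complementary suppression to any group total that would let a reader recover a
    suppressed cell by subtracting the published cells."""
    for level, loc, per in LEVELS:
        cells = aggregate(records, loc, per)
        if all(n >= threshold for n in cells.values()):
            break  # coarsest acceptable level found
    marker = f"<{threshold}"
    table = {cell: (n if n >= threshold else marker) for cell, n in cells.items()}
    totals = {}
    for (location, period, _), n in cells.items():
        totals[(location, period)] = totals.get((location, period), 0) + n
    for group, n in list(totals.items()):
        hidden = sum(1 for cell, v in table.items() if cell[:2] == group and v == marker)
        if n < threshold:
            totals[group] = marker
        elif hidden == 1:
            # Exactly one hidden cell: total minus the published cells would reveal it.
            totals[group] = "suppressed"
    return {"level": level, "cells": table, "totals": totals}


if __name__ == "__main__":
    qi = ["age", "incident", "location", "date"]
    coarse = [generalise(r) for r in RECORDS]
    print("k on raw quasi-identifiers:", k_anonymity(RECORDS, qi))
    print("k after generalisation:", k_anonymity(coarse, qi))
    print("k after also dropping age:", k_anonymity(coarse, qi[1:]))
    for name, data in (("page example", RECORDS), ("skewed set", SKEWED)):
        out = release(data)
        print(name, "released at", out["level"], out["cells"], out["totals"])
```

Even after banding ages and collapsing camps and dates, the sample still has k = 1, which is the point the paragraph makes about protection data.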

Pseudonymisation replaces direct identifiers with codes while retaining the ability to re-identify through a separate key. Pseudonymised data remains personal data under GDPR and equivalent regulations because re-identification is possible. Pseudonymisation has utility for internal processes requiring linkage across data sets while reducing casual exposure risk, but does not enable data sharing as if anonymous.

Retention and Secure Disposal

Protection data retention balances legitimate needs for historical access against cumulative risk from prolonged storage. Each day that protection data exists creates another day of potential exposure through system compromise, insider threat, legal compulsion, or organisational failure. Retention policies define how long different data categories persist before mandatory destruction.

Retention period determination considers survivor access needs, legal requirements, programmatic utility, and risk exposure. GBV survivors may return to services years after initial contact, requiring historical case access to avoid repetition of their account. Legal proceedings operate on court schedules extending years beyond incident dates. Research and programme evaluation require historical data for longitudinal analysis. These legitimate needs support retention periods extending beyond immediate programme delivery.

A structured approach to retention establishes baseline periods by data category with extensions for specific circumstances:

+-----------------------------+--------------------------------------------+---------------------------------------------------------+
| Data category               | Baseline retention                         | Extension triggers                                      |
+-----------------------------+--------------------------------------------+---------------------------------------------------------+
| GBV case records            | 7 years from closure                       | Active legal proceedings, survivor request              |
| Child protection records    | Until child reaches 25 years old           | Active legal proceedings, subject request               |
| Counter-trafficking records | 10 years from closure                      | Active criminal proceedings, survivor at continued risk |
| Aggregate reports           | Indefinite (no individual data)            | N/A                                                     |
| Research data               | Per ethics approval (typically 5-10 years) | Published research requiring data availability          |
+-----------------------------+--------------------------------------------+---------------------------------------------------------+
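The schedule above is straightforward to encode, and doing so turns retention review from a periodic manual trawl into a query. The following is an added example, not code from the original page: the Record structure, field names and sample records are assumptions, while the baseline periods and extension triggers follow the table. Its output is a manifest of candidates for the witnessed disposal process, not an automatic delete.

```python
"""Retention review: which protection records are due for destruction.

Added example, not part of the original page. Record structure, field names
and sample records are assumptions; baseline periods and extension triggers
follow the schedule in the text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Record:
    record_id: str
    category: str                          # gbv_case, child_protection, counter_trafficking, research, aggregate_report
    closed_on: Optional[date] = None       # case closure date; None while the case is open
    date_of_birth: Optional[date] = None   # child protection only
    ethics_years: Optional[int] = None     # research only: period fixed by the ethics approval
    legal_hold: bool = False               # active legal or criminal proceedings
    subject_request: bool = False          # survivor / data subject asked for the record to be kept
    continued_risk: bool = False           # counter-trafficking: survivor still at risk
    published_dependency: bool = False     # research: published work still depends on the data


YEARS_FROM_CLOSURE = {"gbv_case": 7, "counter_trafficking": 10}
REVIEW_DATE = date(2025, 6, 1)   # constructed review run date


def add_years(d, years):
    """Calendar arithmetic that survives a 29 February start date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=2, day=28)


def baseline_expiry(r):
    """End of the baseline retention period, or None for indefinite retention."""
    if r.category in YEARS_FROM_CLOSURE:
        return add_years(r.closed_on, YEARS_FROM_CLOSURE[r.category])
    if r.category == "child_protection":
        return add_years(r.date_of_birth, 25)
    if r.category == "research":
        return add_years(r.closed_on, r.ethics_years if r.ethics_years else 10)
    if r.category == "aggregate_report":
        return None
    raise ValueError(f"unknown data category {r.category!r}")


def extension_reasons(r):
    """Extension triggers from the schedule that currently apply to this record."""
    reasons = []
    if r.legal_hold:
        reasons.append("active legal proceedings")
    if r.subject_request and r.category in ("gbv_case", "child_protection"):
        reasons.append("subject request")
    if r.continued_risk and r.category == "counter_trafficking":
        reasons.append("survivor at continued risk")
    if r.published_dependency and r.category == "research":
        reasons.append("published research requires data")
    return reasons


def review(records, today):
    """Map record_id -> (decision, detail); decisions are retain, hold or destroy."""
    decisions = {}
    for r in records:
        needs_closure = r.category in YEARS_FROM_CLOSURE or r.category == "research"
        if needs_closure and r.closed_on is None:
            decisions[r.record_id] = ("retain", "case still open")
            continue
        expiry = baseline_expiry(r)
        if expiry is None:
            decisions[r.record_id] = ("retain", "no individual data; kept indefinitely")
        elif today < expiry:
            decisions[r.record_id] = ("retain", f"baseline period runs to {expiry.isoformat()}")
        elif extension_reasons(r):
            decisions[r.record_id] = ("hold", "; ".join(extension_reasons(r)))
        else:
            decisions[r.record_id] = ("destroy", f"baseline expired {expiry.isoformat()}; add to destruction manifest")
    return decisions


# Constructed sample records.
SAMPLE = [
    Record("GBV-2017-014", "gbv_case", closed_on=date(2017, 5, 1)),
    Record("GBV-2017-015", "gbv_case", closed_on=date(2017, 5, 1), legal_hold=True),
    Record("CP-2009-003", "child_protection", date_of_birth=date(2001, 2, 28)),
    Record("CP-2008-021", "child_protection", date_of_birth=date(1999, 6, 1)),
    Record("CT-2013-007", "counter_trafficking", closed_on=date(2014, 1, 15), continued_risk=True),
    Record("AGG-2019-Q4", "aggregate_report"),
    Record("RES-2018-02", "research", closed_on=date(2018, 3, 1), ethics_years=5),
    Record("GBV-2024-108", "gbv_case"),
]

if __name__ == "__main__":
    for rid, (decision, detail) in review(SAMPLE, REVIEW_DATE).items():
        print(f"{rid:14} {decision:8} {detail}")
```

Holds are evaluated only after the baseline has expired, so a legal hold never shortens retention, and a record whose hold lapses is picked up at the next run without anyone having to remember it.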

Secure disposal destroys data such that reconstruction is not possible through any practical technical means. For physical records, secure disposal requires cross-cut shredding to DIN 66399 level P-4 at minimum (particles no larger than 160 mm² and no wider than 6 mm; a 15 mm x 4 mm cut comfortably meets this, and P-5 is the next level up for the most sensitive files), witnessed by a second staff member, with a destruction certificate retained. Incineration provides an alternative where available. For digital records, secure disposal requires cryptographic erasure or physical destruction of the storage media. Cryptographic erasure destroys the encryption keys so that the stored ciphertext becomes unreadable; it only works if the records were encrypted under those keys for their whole life and every copy of the key, including key-management backups and escrowed copies, is destroyed as well. Standard deletion and quick formatting do not constitute secure disposal because they remove only the file system's references to the data, which recovery tools can reconstruct. Overwriting is an accepted clearing method for magnetic disks but is unreliable on flash storage (SSDs, phones, USB sticks), where wear levelling leaves copies in blocks the operating system cannot address; for such media, cryptographic erasure or physical destruction is required.

+------------------------------------------------------------------+
| SECURE DISPOSAL PROCESS |
+------------------------------------------------------------------+
| |
| PHYSICAL RECORDS |
| +----------------------------------------------------------+ |
| | 1. Identify records due for destruction | |
| | - Review retention schedule | |
| | - Verify no legal holds | |
| | - Confirm no active proceedings | |
| | | |
| | 2. Prepare destruction manifest | |
| | - List all items by category | |
| | - Record date range and volume | |
| | - Assign witness | |
| | | |
| | 3. Execute destruction | |
| | - Cross-cut shred to P-4 standard minimum | |
| | - Witness present throughout | |
| | - Dispose of shredded material securely | |
| | | |
| | 4. Document completion | |
| | - Both parties sign destruction certificate | |
| | - Retain certificate per records schedule | |
| +----------------------------------------------------------+ |
| |
| DIGITAL RECORDS |
| +----------------------------------------------------------+ |
| | 1. Identify data due for destruction | |
| | - Query retention dates in case management system | |
| | - Verify no legal holds | |
| | - Export destruction manifest | |
| | | |
| | 2. Execute cryptographic erasure | |
| | - Destroy encryption keys for identified records | |
| | - Verify key destruction in key management system | |
| | - Mark records as destroyed in system | |
| | | |
| | 3. Address backup media | |
| | - Identify backup media containing records | |
| | - Apply retention to backup rotation | |
| | - Physical destruction for decommissioned media | |
| | | |
| | 4. Document completion | |
| | - Generate system destruction log | |
| | - IT and programme sign-off | |
| | - Retain log per records schedule | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+

Figure 6: Secure disposal process for physical and digital protection records

Backup media retention extends the effective life of data beyond production system retention. If production records are destroyed after 7 years but backup tapes containing those records persist for 10 years, the data remains exposed for the backup retention period. Protection data backup strategies must align backup retention with data retention requirements, destroying backup media containing expired protection data even when other data on the same media remains within retention. Per-record or per-period encryption keys make this practical: once the keys for expired records are destroyed, every backup copy of those records becomes unreadable without recalling or rewriting the media, which is why the digital disposal process above destroys keys rather than rows.
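The following is an added example, not code from the original page, of the digital steps in Figure 6 and the backup point above: each record is encrypted under its own data encryption key held in a key store that stands in for the key management system, and disposal destroys and verifies the key rather than touching the rows, so a backup taken earlier becomes unreadable at the same moment. The record contents are constructed. The cipher is an HMAC-SHA256 counter-mode keystream (unauthenticated) so that the example runs with the standard library alone; a production system should use AES-GCM (for instance the AESGCM class in the cryptography package) and a real KMS whose own backups are covered by the key destruction.

```python
"""Cryptographic erasure with per-record data encryption keys (DEKs).

Added example, not part of the original page. KeyStore and CaseStore are
simplified stand-ins for a KMS and a case management database; the
HMAC-SHA256 keystream stands in for AES-GCM. Record contents are constructed.
"""
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class KeyStore:
    """One DEK per record; models the key management system."""

    def __init__(self):
        self._keys = {}
        self.destroyed = set()
        self.audit = []   # (event, record_id) pairs for the destruction log

    def create(self, record_id):
        key = secrets.token_bytes(32)
        self._keys[record_id] = key
        return key

    def get(self, record_id):
        if record_id in self.destroyed:
            raise KeyError(f"DEK for {record_id} has been destroyed")
        return self._keys[record_id]

    def destroy(self, record_id):
        del self._keys[record_id]
        self.destroyed.add(record_id)
        self.audit.append(("dek_destroyed", record_id))

    def is_destroyed(self, record_id):
        """Verification step: the key is gone and the tombstone is recorded."""
        return record_id in self.destroyed and record_id not in self._keys


class CaseStore:
    """Holds ciphertext only; a backup of it is useless without the key store."""

    def __init__(self, keys):
        self.keys = keys
        self.rows = {}          # record_id -> (nonce, ciphertext)
        self.tombstones = set()

    def put(self, record_id, plaintext):
        nonce = secrets.token_bytes(16)
        key = self.keys.create(record_id)
        self.rows[record_id] = (nonce, keystream_xor(key, nonce, plaintext))

    def read(self, record_id, rows=None):
        """Decrypt from the live table or from a backup snapshot of it."""
        rows = self.rows if rows is None else rows
        nonce, ciphertext = rows[record_id]
        return keystream_xor(self.keys.get(record_id), nonce, ciphertext)

    def backup(self):
        return dict(self.rows)   # what ends up on the tape: ciphertext, no keys


def crypto_erase(store, record_id):
    """Figure 6, digital step 2: destroy the DEK, verify destruction, mark the record."""
    store.keys.destroy(record_id)
    if not store.keys.is_destroyed(record_id):
        raise RuntimeError(f"key destruction for {record_id} could not be verified")
    store.tombstones.add(record_id)
    return True


def can_read(store, record_id, rows=None):
    try:
        store.read(record_id, rows)
        return True
    except KeyError:
        return False


def demo():
    keys = KeyStore()
    store = CaseStore(keys)
    store.put("GBV-0001", b"constructed case narrative, not real data")
    store.put("GBV-0002", b"second constructed record")
    tape = store.backup()                # backup taken before the retention period ends
    before = store.read("GBV-0001")
    crypto_erase(store, "GBV-0001")
    return {
        "plaintext_before": before,
        "live_readable_after": can_read(store, "GBV-0001"),
        "backup_readable_after": can_read(store, "GBV-0001", tape),
        "other_record_unaffected": can_read(store, "GBV-0002", tape),
        "audit": keys.audit,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The property to notice is that the backup snapshot was never touched: the ciphertext is still on the tape, but with the key verified gone it is noise, and the audit entry from the key store is the system destruction log that step 4 of the process asks IT and programme staff to sign off.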

Implementation Considerations

Protection information management implementation varies with organisational resources, operating context, and programme portfolio. Organisations operating multiple protection programmes across different contexts require more sophisticated information management infrastructure than those delivering a single programme type in a stable environment.

For organisations with limited IT capacity

Single-person IT functions or organisations without dedicated IT staff can implement protection information management through selection of appropriate tools, clear procedures, and staff training rather than complex technical infrastructure.

Tool selection prioritises platforms with built-in protection data features rather than general-purpose systems requiring extensive configuration. Primero (CPIMS+) provides purpose-built child protection case management with appropriate access controls, audit logging, and offline capability. The GBV Information Management System tools provide standardised GBV data management. These sector-specific tools implement protection data requirements by design, reducing configuration burden.

Procedural controls compensate for limited technical controls. Written procedures for data handling, sharing decisions, and retention review provide protection when sophisticated technical enforcement is unavailable. Staff training on protection data handling creates human controls where technical controls are limited. A small organisation with well-trained staff following clear procedures can achieve adequate protection data management without complex systems.

Encrypted storage for protection data uses readily available tools. VeraCrypt provides free, open-source encryption in the form of encrypted containers (a file that mounts as a drive) and partition or full-disk encryption; it does not encrypt individual files in place. Cloud storage services offer encryption, but the provider normally holds the keys, so provider staff, a compromised provider account, or a legal demand in the hosting jurisdiction can expose the data; encrypting protection data locally before upload keeps the keys with the organisation. The minimum viable approach stores protection data in encrypted containers on encrypted devices, protected by strong passphrases, with an encrypted backup held separately.

For organisations with established IT functions

Organisations with dedicated IT staff and existing infrastructure can implement more sophisticated protection information management through system integration, automation, and centralised governance.

Integrated case management connects protection data systems with organisational identity management for consistent access control, with security monitoring for threat detection, and with data governance systems for retention management. Integration enables automated enforcement of access policies, detection of anomalous data access patterns, and systematic retention review rather than manual processes.

Classification automation applies metadata tags and handling rules through system configuration rather than relying on user judgment for each record. Case management systems classify records based on programme type, data fields completed, and case status. Automated classification ensures consistent protection application across all records rather than variable handling based on individual staff decisions.

Audit and monitoring capabilities detect inappropriate access attempts, unusual data export activity, and policy violations. Security information and event management (SIEM) integration enables correlation of protection data system events with broader security monitoring. Automated alerting notifies security and programme staff of suspicious activity requiring investigation.
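The following is an added example, not code from the original page, of the kind of detection logic this paragraph describes, run over constructed audit events from a case management system: a view of a case outside the user's assigned caseload, an unusual number of distinct cases opened in a short window, an export outside working hours, and an export larger than a row threshold. The event format, field names, caseload assignments, thresholds and sample events are all assumptions; a real deployment reads the platform's own audit export or forwards it to the SIEM.

```python
"""Detection rules over case management audit events.

Added example, not part of the original page. Event format, field names,
caseloads, thresholds and the sample log are constructed assumptions.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Which cases each user is assigned (assumption: exported from the case management system).
CASELOADS = {
    "amina": {"GBV-0101", "GBV-0102"},
    "joseph": {"CP-0550", "CP-0551"},
    "fatima": {f"GBV-02{n:02d}" for n in range(1, 16)},
}
BULK_VIEW_THRESHOLD = 10                  # distinct cases opened by one user ...
BULK_VIEW_WINDOW = timedelta(minutes=30)  # ... within this window
EXPORT_ROW_THRESHOLD = 100                # rows in a single export
WORKING_HOURS = range(7, 19)              # 07:00-18:59; timestamps and office both UTC (assumption)

# Constructed audit lines (one JSON object per line). fatima opens twelve of her own
# cases in twelve minutes; joseph reads a GBV case he is not assigned and exports at night.
AUDIT_LOG = "\n".join([
    '{"ts": "2025-03-03T09:12:04Z", "user": "amina", "action": "view", "case_id": "GBV-0101"}',
    '{"ts": "2025-03-03T09:15:30Z", "user": "amina", "action": "view", "case_id": "GBV-0102"}',
    '{"ts": "2025-03-03T09:40:11Z", "user": "joseph", "action": "view", "case_id": "GBV-0101"}',
    '{"ts": "2025-03-03T10:01:00Z", "user": "joseph", "action": "view", "case_id": "CP-0550"}',
    '{"ts": "2025-03-03T22:14:52Z", "user": "joseph", "action": "export", "rows": 340}',
] + [
    json.dumps({"ts": f"2025-03-03T11:{2 + n:02d}:00Z", "user": "fatima",
                "action": "view", "case_id": f"GBV-02{n:02d}"})
    for n in range(1, 13)
])


def parse_events(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Run the four rules and return a list of alert dicts."""
    alerts = []
    views = defaultdict(list)   # user -> [(ts, case_id)] in time order
    for e in events:
        if e["action"] == "view":
            if e["case_id"] not in CASELOADS.get(e["user"], set()):
                alerts.append({"rule": "out_of_caseload", "user": e["user"], "detail": e["case_id"]})
            views[e["user"]].append((e["ts"], e["case_id"]))
        elif e["action"] == "export":
            if e["ts"].hour not in WORKING_HOURS:
                alerts.append({"rule": "export_out_of_hours", "user": e["user"],
                               "detail": e["ts"].isoformat()})
            if e.get("rows", 0) > EXPORT_ROW_THRESHOLD:
                alerts.append({"rule": "bulk_export", "user": e["user"], "detail": f"{e['rows']} rows"})
    for user, items in views.items():
        # Sliding window: distinct cases opened within BULK_VIEW_WINDOW of each starting view.
        for i, (start, _) in enumerate(items):
            distinct = {case for ts, case in items[i:] if ts - start <= BULK_VIEW_WINDOW}
            if len(distinct) >= BULK_VIEW_THRESHOLD:
                alerts.append({"rule": "bulk_view", "user": user,
                               "detail": f"{len(distinct)} cases within {BULK_VIEW_WINDOW}"})
                break   # one alert per user per run
    return alerts


def summarise(alerts):
    """Alert count per rule."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in detect(parse_events(AUDIT_LOG)):
        print(alert)
```

The caseload rule depends on an authoritative assignment list, so it is only as good as the export that feeds it; the bulk-view rule will fire on legitimate supervision work unless supervisors are given their own threshold, which is the tuning a SIEM deployment has to do with programme staff rather than IT alone.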

For organisations operating in high-risk contexts

Organisations delivering protection programmes in conflict zones, under authoritarian governments, or in areas with active trafficking networks require additional security measures reflecting elevated threat levels.

Threat modelling identifies specific adversaries, their capabilities, and likely attack vectors against protection data. Generic security measures may prove inadequate against sophisticated threat actors. A trafficking network with resources to bribe officials, compromise staff, or conduct technical attacks requires different defences than general cybercriminal threats.

Compartmentalisation limits the damage from any single compromise. Different protection programmes maintain separate data systems without cross-access. Staff access is limited to their specific caseload rather than programme-wide data. Network segmentation isolates protection data systems from general organisational infrastructure. These measures ensure that compromise of one component does not expose all protection data.

Operational security extends information management beyond technical systems to encompass physical security, communication security, and personnel security. Protection of case management systems accomplishes little if staff discuss cases on compromised phones, store case notes on personal devices, or work in unsecured locations where screens are visible to passersby.

Technology Options

Protection information management relies on case management platforms, encryption tools, and supporting infrastructure. Selection considers functionality, security, data sovereignty, and sustainability.

Case management platforms

Primero (CPIMS+ for child protection, GBVIMS+ for GBV) provides the sector-standard platform for protection case management. Open source and supported by UNICEF, Primero implements protection data requirements including role-based access, audit logging, and offline functionality. Self-hosting options provide data sovereignty. Cloud hosting through Primero.org reduces operational burden but requires acceptance of hosting jurisdiction.

CommCare offers flexible case management with protection data handling capabilities. CommCare HQ is hosted by Dimagi (US-based), and self-hosting is also possible. Strong offline functionality suits field deployment. It requires more configuration for protection data handling than purpose-built platforms.

Custom implementations using general-purpose platforms (Salesforce, Microsoft Dynamics) can meet protection data requirements but require significant security configuration and ongoing maintenance. These approaches suit organisations with substantial technical capacity and specific requirements not met by sector platforms.

Encryption and security

Device encryption uses operating system capabilities (BitLocker for Windows, FileVault for macOS, LUKS for Linux) or dedicated tools (VeraCrypt). Full-disk encryption protects data at rest on a lost or stolen endpoint, but only while the device is powered off or locked; an unlocked, logged-in laptop exposes everything on it, so short screen-lock timeouts and shutting down (rather than sleeping) before travel or checkpoints are part of the control.

File and container encryption protects specific data collections. VeraCrypt creates encrypted containers for protection data. 7-Zip provides AES-256 encrypted archives for data transfer; enable header encryption as well (the -mhe=on switch, or "Encrypt file names" in the GUI), since otherwise the file names inside the archive remain readable without the password, and send the passphrase over a different channel from the archive.

Secure communication for protection data transmission uses end-to-end encrypted channels. Signal provides secure messaging, with disappearing messages to limit what persists on devices. ProtonMail (now Proton Mail) or Tutanota (now Tuta) provide encrypted email, but end-to-end only between users of the same service or via password-protected messages; mail to ordinary addresses is not end-to-end encrypted unless PGP is set up. Standard email with PGP/GPG encryption provides an alternative where the correspondent can use it, bearing in mind that PGP encrypts the body and attachments but not the subject line or the sender and recipient addresses.

See also