Every day, humanitarian organisations ask people to trust them with deeply personal information.

Names. Phone numbers. Locations. Family composition. Health conditions. Financial details. Stories of loss, displacement and survival.

We collect this information because it helps us deliver assistance, improve programmes and strengthen accountability. But as humanitarian action becomes increasingly digital, one question deserves far more attention than it receives: Are we doing enough to protect the people behind the data?

For many people, providing this information is not simply an administrative process.

It is an act of trust.

Communities trust that humanitarian organisations will use their information responsibly, protect it from harm, and ensure it is never used against them.

That trust has become increasingly fragile.

This is not an isolated incident

The recent reports of data linked to hundreds of thousands of households registered for humanitarian assistance in Gaza being exposed following a cyber attack have brought renewed attention to an uncomfortable reality.

This is not an isolated incident.

It is part of a growing pattern affecting humanitarian organisations worldwide.

In 2022, the International Committee of the Red Cross (ICRC) announced that a sophisticated cyber attack had compromised the personal data of more than 515,000 people receiving services through its Restoring Family Links programme. The breach affected highly vulnerable individuals, including separated families, migrants, detainees, and missing persons.

In 2023, the International Organization for Migration (IOM) confirmed that beneficiary data had been compromised following a cyber incident involving third-party infrastructure, exposing information relating to migrants and displaced populations.

More recently, reports linked to humanitarian operations in Gaza have once again highlighted how beneficiary information itself can become a target during conflict.

These incidents remind us that cyber attacks against humanitarian organisations are no longer simply an IT concern.

They are humanitarian protection concerns.

As humanitarian action becomes increasingly digital, the information we collect can become a target—and, in the wrong hands, a weapon.

Digital Transformation has changed humanitarian action

Over the last decade, humanitarian organisations have embraced digital technologies to improve the way assistance is delivered.

Registration systems have become digital.

Cash assistance increasingly relies on electronic payment platforms.

Feedback and complaints mechanisms are managed through call centres, messaging applications, online portals and databases.

Remote assessments, AI-assisted analysis, digital identity systems and predictive analytics are becoming part of everyday humanitarian programming.

These innovations have brought enormous benefits. We can reach more people, analyse information more quickly, adapt programmes faster and make evidence-informed decisions at a scale that was unimaginable only a decade ago.

But every technological advancement creates new responsibilities.

The more information we collect, the greater our obligation to protect it.

Digital transformation has often progressed faster than our governance systems, data protection practices and organisational culture.

Technology has evolved rapidly.

Our understanding of its humanitarian risks is still catching up.

When a data breach becomes a protection issue

In many industries, a cyber attack primarily results in financial losses or operational disruption.

Humanitarian contexts are different.

The information we hold often relates to people experiencing conflict, displacement, persecution, poverty or social exclusion.

A seemingly ordinary beneficiary database may reveal where displaced families are located.

A phone number may identify a community volunteer.

Household records can expose vulnerabilities that armed actors, criminal networks or political groups could exploit.

Data that appears administrative quickly becomes protection-sensitive information.  This changes the conversation entirely. Protecting beneficiary data is no longer only about privacy or regulatory compliance.

It is about reducing the risk of harm. And reducing harm is one of the fundamental responsibilities of humanitarian action.

Accountability is also about protecting information

Within Community Engagement and Accountability (CEA) and Accountability to Affected Populations (AAP), much of our attention focuses on participation, communication, feedback systems and complaints mechanisms.

These are essential. Communities have the right to be heard. They have the right to influence decisions that affect their lives. They have the right to understand how organisations respond to their concerns.

But accountability does not end once feedback has been collected. It also requires organisations to protect the information that communities entrust to them.

People expect us to explain why information is collected, who will have access to it, how long it will be stored and how it will be protected. When those expectations are not met, trust can be damaged—not only in one organisation, but in humanitarian action more broadly.

Protecting information should therefore be understood as a core component of accountability, not simply a technical function delegated to cybersecurity specialists.

Are we collecting more data than we need?

Perhaps the most important lesson from recent cyber incidents has little to do with encryption, firewalls or sophisticated technology.

It begins with a much simpler question.

Do we actually need all the information we are collecting?

Across the humanitarian sector, forms have a tendency to grow. Additional indicators are added. New demographic variables appear. Extra questions remain because they might become useful one day.

Over time, organisations accumulate vast amounts of information without always asking whether each piece of data serves a clear operational purpose.

Yet every additional field creates additional responsibility.

Before adding another question to a registration form, assessment, survey or feedback mechanism, practitioners should ask:

  • What decision will this information support?
  • Who genuinely needs access to it?
  • How long will it be retained?
  • What harm could occur if it were exposed?
  • Could the same objective be achieved with less sensitive information?

Data minimisation is not simply a compliance principle.

It is one of the most effective protection measures available.

Practical steps for Programme Teams

Although cybersecurity specialists manage technical systems, many important safeguards begin long before information reaches a database.

Programme teams can make a significant difference by adopting a few practical habits.

Know where sensitive information is stored.

Many organisations maintain multiple registration databases, survey platforms, complaint systems, spreadsheets and messaging applications across departments. You cannot protect information that you cannot locate.

Include data risks in programme risk assessments.

Alongside operational and protection risks, teams should ask who could misuse the information they collect and what consequences that could have for different groups.

Strengthen transparency with communities.

People deserve to understand not only why information is collected, but also how it will be used, who can access it, how long it will be stored and what options they have if they wish to raise concerns.

Prepare for breaches before they occur.

Cyber incidents should be treated like any other operational risk. Organisations need clear procedures for responding to breaches, communicating transparently with affected communities and reducing potential harm.

What does this mean for Community Engagement and Accountability Practitioners?

For many CEA practitioners, data protection can feel like a technical issue that sits outside their role. In reality, some of the most sensitive information collected by humanitarian organisations passes through accountability systems every day.

Feedback mechanisms, complaints channels, community meetings, call centres, WhatsApp lines, chatbots and digital surveys are designed to create dialogue with communities.

They also collect deeply personal information.

People report protection concerns, discrimination, allegations of misconduct, financial hardship, health conditions and personal experiences. Sometimes they disclose information they have never shared with anyone else because they believe the organisation can help.

That information deserves the same level of protection as any beneficiary registration database.

Meaningful accountability requires listening. Listening often requires collecting information. Yet every additional piece of information also creates potential risk. The challenge is therefore not whether organisations should collect feedback.

The challenge is how to do so responsibly.

Before designing or expanding a feedback mechanism, practitioners should ask:

  • What information is genuinely necessary?
  • Can anonymous reporting be offered?
  • Who will have access to the information?
  • How will sensitive cases be managed?
  • What happens if devices or databases are compromised?
  • Have communities been clearly informed about how their information will be used?

As organisations increasingly rely on digital engagement channels, accountability must include protecting the people behind the data—not only collecting better information.

Beyond data protection: towards data responsibility

The humanitarian sector often speaks about data protection. Increasingly, we should also be talking about data responsibility. Data protection focuses on securing information. Data responsibility goes further.

It asks whether organisations should collect certain information in the first place, whether communities fully understand how it will be used, whether the benefits outweigh the risks and whether governance systems are strong enough to ensure technology serves people rather than exposing them to harm.

It recognises that every stage of the data lifecycle—from collection and storage to analysis, sharing, retention and deletion—has ethical implications.

This is closely aligned with humanitarian principles. We routinely ask whether an intervention could unintentionally create harm.

We should ask exactly the same question about the information we collect.

Five questions every programme team should ask

Before launching a survey, registration exercise or feedback mechanism, pause and ask:

  1. Do we really need this information?
  2. What harm could occur if this data were exposed?
  3. Have communities understood and agreed to how their information will be used?
  4. Who actually needs access to this information?
  5. How will we safely dispose of this data when it is no longer needed?

These are not simply technical questions. They are accountability questions.

Trust is our most valuable asset

Humanitarian organisations rely on trust. Communities trust us to listen. They trust us to respond. They trust us to act in their best interests.

And increasingly, they trust us with information that can reveal some of the most vulnerable aspects of their lives.

That trust should never be assumed. It must be earned, maintained and protected.

As humanitarian action becomes more digital, our responsibility extends beyond delivering assistance and collecting feedback. It includes understanding the risks that technology creates and taking every reasonable step to reduce them.

Accountability is not only about providing answers.

It is about exercising responsible stewardship over the information, expectations and trust that communities place in us.

Because at its core, humanitarian action is built on a simple promise: that our presence will reduce harm, not create new forms of it.

In a digital world, protecting people means protecting their data too.


Further Reading

If this topic interests you, the following resources provide practical guidance and thought leadership on responsible data practices in humanitarian action:

Leave a comment