📅 Annex 2: Privacy and Confidentiality practices for GBV survivors
Best Practices: Privacy & Confidentiality
🔮 Transparent Communication with Survivors
At the beginning of the session, inform clients whether the session is being recorded, and for what purpose. It is good to offer the survivor the option to decline to have specific or all information recorded. If the session is recorded, the survivor should also know how the information will be stored and recorded, and for how long.
Prior to sharing their information, survivors should be informed about the potential consequences, both positive and negative, as well as the limits on confidentiality. This includes situations where mandatory reporting requirements apply or when there are serious safety concerns. This transparency enables survivors to make informed decisions about what information to disclose.
In exceptional cases involving children, there may be situations where information shared by the child could be revealed against their wishes but in their best interest, particularly when the child is at risk of harm. In these circumstances, it is imperative to provide a clear explanation for sharing the disclosed data.
💂 Protecting Hard Copies of Confidential Information
Each survivor should have an individual file where all case-related forms and paperwork are stored, clearly labelled with a unique case code on the outside of the file. The survivor’s name should not appear on the outside of the file.
Paper files and folders should be kept in a secure place, accessible only to the caseworkers responsible for the information. This requires a lockable steel filing cabinet, with arrangements for the keys to be kept with the person with responsibility for the information.
Paper files should be transferred by hand between the people responsible for the information (e.g., for case review meetings).
Maintain records of files being checked out and returned.
During transit and transfer, files should be stored in a sealed box or sealed envelope.
Do not keep original documents such as identity cards, passports or medical reports. Original documents must either be photographed or scanned, then returned to survivors.
Printing, photocopying or scanning of data related to survivors should be done in-house to prevent third parties from viewing the information. This requires a copy machine.
Extra copies of documents should be fully destroyed using an electronic shredder so that they are illegible and disposed of confidentially.
☁️ Protecting Electronic Data
All staff members and decision-makers should carefully consider the applications and software used for electronic case management, documentation and communications.
Strong passwords that cannot be easily guessed should be used, i.e. containing at least 8 characters, including one number, one capital letter, one letter and one special character.
Default shared network drives should be disabled.
Data that contains sensitive information must be encrypted, password protected, or both.
Devices, such as smartphones, tablets, laptops, and desktops, must be password-protected, and each staff member should ensure that they do not share their passwords.
All electronic files, including those in formats like Microsoft Word and Excel, must be password-protected. When emailing documents containing sensitive case management data, the password should be sent separately.
Passwords for documents and computers must be changed at least every 6 months and whenever an authorized user leaves their position.
Adapted from: UNHCR Malaysia Partner Referral Network. Guiding Principles and Data Protection and Information Sharing Protocol. (2023)