Migrant Data Management and Protection

Home » Toolkits » Humanitarian Service Points Toolkit » HSP Implementation: Getting Started » Migrant Data Management and Protection

Being aware of our responsibilities in terms of data management and protection is incredibly important.

HSPs can be particularly sensitive because migrants’ information may be particularly targeted by authorities, traffickers, and people from their past that may wish them harm. Even general data from an HSP can potentially be used by authorities to better target their initiatives to reduce the movement of migrants. It can also be used as, or in misinformation or in communications campaigns by anti-migrant groups. 

There is considerable information available within the Movement about collection, storage, management and protection of data. Below are three main areas to particularly consider when establishing and operating an HSP.

Screenshot 2021-06-04 123014

Ongoing collection and analysis of data, including sex, age and disability disaggregated data

Migration situations often evolve very quickly, and experience in different contexts has shown that the situation of people using services or their demographics can change very rapidly. 

This kind of demographic change can have an important impact on the type of services offered and how they are organised and delivered.

Conversely, changes in uptake of services may indicate a change in the kind of issues that migrants are facing, which may be important to understand in order to respond appropriately.

Ongoing collection and analysis of general data about service users – including gender, age, nationality, and disability – can help ensure the HSP remains relevant, continually adapting to the needs of the people using it. 

Screenshot 2021-06-04 122928

The collection of personal data, including sensitive data, should strictly adhere to IFRC policy

Building and maintaining trust and ensuring the safety of people using the HSP’s services means ensuring that their data is collected responsibly and in line with ethics and good practice. The following are some relevant principles – full guidance is provided in the IFRC Data Protection Policy. 

Fairness and legitimacy

Learn more.

Only process personal data where a legitimate basis exists. People should be provided with easily understandable information related to the collection and processing of their data and ideally asked to provide free and fully informed consent.


Learn more.

Information that provides the basis for informed consent includes why the data is being collected, what it will be used for, who will have access to it, how it will be stored and protected, and who to contact with concerns or complaints about data. 

Data quality and minimisation

Learn more.

Personal data collected should be adequate, relevant, accurate, and not excessive considering the specified purpose for which the data was collected. This means that data should only be collected if it is strictly needed for the delivery of the service.

Data retention and disposal

Learn more.

Personal data, whether stored on paper or electronically, should be kept no longer than necessary to fulfill the specified purpose for which the data are processed.

The collection of personal data, including sensitive data, should strictly adhere to IFRC policy

Any personal data, such as medical or legal records,  – must be adequately protected. This includes technical measures to protect data from hackers but also includes good data hygiene and discipline in the HSP itself. 

If data is collected on paper, documents should be encoded and names kept separately from any sensitive information

Paper files should not be left where anyone can see them, and any computers used to access personal or sensitive data should be password protected and in a location where they cannot easily be seen by people passing by.

Ensure that sensitive personal information is never shared through insecure or open systems.

Note that data related to separated and unaccompanied children should be dealt with in accordance with the principle of the best interest of the child.

Social media can be an invaluable tool for helping alert migrants to the existence of services, share information, and answer questions.

However, the use of social media comes with risks as well. The Movement, and other humanitarian service providers, have no control over the privacy policies of social media sites.

It can be difficult to control who accesses these sites, even when they appear to be private, notably on platforms like WhatsApp, and Zoom, for example. As the Facebook-Cambridge Analytica scandal highlighted, social media companies may track behaviour of users, including non-users of their services.

Meta data may also be extracted and shared from these sites that can be used to map migration routes and behaviour and risk vulnerable people being profiled for surveillance and may result in harm or exploitation for commercial purposes.

Key Steps in Data managment and protection


Think about data

as soon as you start setting up an HSP. What will/won’t you collect? How will you store it? Assess risk for both personal and general data.

Do no Harm

Consider carefully who might have an interest in using this data and for what purposes. Can it be used against individual migrants’ interest by authorities or as part of anti-migration campaigns? 


for tools, training, and ongoing data collection, management, analysis and protection. It all has a cost. 

Train staff and volunteers

in data protocols and policies and ensure they are reinforced. It is common, particularly when turnover is high, for people to get sloppy about how personal information is managed. 

Help migrants protect themselves

by understanding risk and taking care about what information they share and with whom, particularly on social media. 

Referral partners share the same policies and principles

Remember to check that referral partners share the same policies and principles with relation to data management and protection that you do. If you are referring people to other services, ensure that they are aware that their information may be treated differently by those partners, and that the RCRC cannot guarantee protection of any information that is provided to third parties. Do not transmit information to other organisations through insecure means. 

Data related to protection incidents, especially disclosure of SGBV, should not be kept.

In case of disclosure of SGBV, staff and volunteers should provide protection from abuse and information about services, but not document or retain notes.  

Key Resources

WhatsApp Image 2021-05-11 at 1.36.07 PM (1)


Tools and Guidance:

Help us improve this toolkit!

Share your feedback with the team.

Scroll to Top