Frequently Asked Questions

This section provides an overview on questions that commonly come up concerning confidentiality releases, U.S. Federal Laws on confidentiality, record retention and deletion, mandatory reporting, the use of surveillance cameras, answering subpoenas and much more. For ease, this section is set up in an easy-to-read question and answer format.

Databases & Confidentiality Questions

Our state has developed a central database program and requires personally identifying information about our clients such as name, birth date, addresses, types of violence committed, etc. We have a really hard time understanding how we are being confidential while we are transmitting all of this identifying data to people outside of our office. Does this fit with VAWA?

No, this does not fit with VAWA. Entering client information into this database would probably violate VAWA as well as state law provisions in many states. You should contact your OVW program manager to discuss this.

Please speak to the issue of time limits of releases with regard to third-party state reporting databases.

Under VAWA, the only information a program can release to third-party state reporting databases is non-personally identifying information in aggregate form (totals). For example, “We served 15 women and 22 children today.” Since aggregate information is not identifying, a waiver from the survivor is not necessary.

Inherently, databases are not time limited. Once information is entered into a database, it is there to stay. Databases offer multiple opportunities for exporting data, creating many backup copies in multiple locations, and merging or rebundling data. Even if a survivor’s information is later deleted, chances are that a backup of the database has been created at some point and the information will be stored for as long as that backup is retained by the agency administering the databases. For this reason, a release to input personally identifying information into a shared database cannot be time-limited, and therefore it is not a valid release under VAWA. State confidentiality laws may have additional requirements as well.

What if a government agency is building a database using victim information that is of public record?

If the information is only from public records and you are a government agency, it may be possible to enter survivor’s personally identifying information without a release of information. However, as a best practice, it is important that survivors are notified that their information will be entered into this database. In addition, provisions should be made for cases where the record is sealed or where the abuser works in the system (courts, law enforcement, etc.) and, if possible, a survivor should be allowed to opt out of having her/his information collected and maintained in this way.

If you are a government entity and a survivor’s information is entered erroneously into a database or that database is breached, you could be liable. It is also important to consider that the information in the database could be subject to a request under the state’s sunshine laws from the media or any citizen.

Survivors should be informed of all uses of their information, as well as the consequences of that data collection, and should be able to decline. Agencies using survivor information should have policies and procedures to protect the information from intentional or unintentional disclosure. Victims may assume that going to court has some level of public disclosure, but they may not have the same assumption about the compilation of the information made by your government office. Therefore, s/he should be given notice about the information that is being compiled, and you and s/he should both recognize that, depending on what is collected and how it is maintained, it could become even more harmful if it gets released or used in ways that were unintended.

It also is important to ensure that the information going into the database is only the information that is of public record and nothing additional. Whenever contemplating the creation of a database you should weigh the benefits of collecting and storing the information with the consequences of having the information being used and accessed in ways that are unanticipated. Whether it is helpful to an agency is not the standard for determining whether confidentiality requires a release of information from or notice to an individual whose information is being used, complied or shared.

Do we need a release from survivors to put their personal information in our organization’s database?

Releases are only required when sharing information outside your agency, but your agency should have full ownership of the database and must ensure that it cannot be accessed by anyone else.  Additionally, best practice is to always get consent by a survivor, or at least provide notice, for all the ways their personal information may be used. Survivors should be fully informed of the agency’s data collection processes and of the risks and the uses of databases.

Organizations should analyze what information is being collected and for what purposes. Some organizations do a periodic assessment of their forms and database to ensure that they are only collecting the minimal information required to provide the requested services. This both minimizes the work for advocates and respects the privacy of survivors.

It is also important for agencies to think through all data collection and maintenance processes. Databases should be maintained by and within individual agencies. It is important to safeguard computers to protect victims’ personally identifiable information. For example, many local programs keep sensitive client-level information on computers that are not connected to the Internet. For more information on databases, see NNEDV’s resources on databases and confidentiality or email tcip[at]nnedv.org.