Frequently Asked Questions

This section provides an overview on questions that commonly come up concerning confidentiality releases, U.S. Federal Laws on confidentiality, record retention and deletion, mandatory reporting, the use of surveillance cameras, answering subpoenas and much more. For ease, this section is set up in an easy-to-read question and answer format.

Databases & Confidentiality Questions

Waivers are signed for a very specific purpose. They are not to make our lives as advocates easier or to allow us to collect more personally identifying data to analyze or share with others. Each time a victim signs a release of information, s/he is entrusting you with his/her personal information, and it is extremely important to avoid using this data in other forms or in other ways. Some organizations use an internal database to keep track of services provided and a release is not needed when limited information is collected, protected, and not shared with parties outside of the agency.

Do we need a release from survivors to put their personal information in our organization’s database?

Releases are only required when sharing information outside your agency, but your agency should have full ownership of the database and must ensure that it cannot be accessed by anyone else. Additionally, best practice is to always get consent by a survivor, or at least provide notice, for all the ways their personal information may be used. Survivors should be fully informed of the agency's data collection processes and of the risks and the uses of databases.

Organizations should analyze what information is being collected and for what purposes. Some organizations do a periodic assessment of their forms and database to ensure that they are only collecting the minimal information required to provide the requested services. This both minimizes the work for advocates and respects the privacy of survivors.

It is also important for agencies to think through all data collection and maintenance processes. Databases should be maintained by and within individual agencies.  It is important to safeguard computers to protect victims' personally identifiable information. For example, many local programs keep sensitive client-level information on computers that are not connected to the Internet. Programs that need to use cloud-based databases should have the data encrypted (locked) and only the program's staff holds the encryption key.  For more information on databases, see NNEDV's resources on databases and confidentiality at techsafety.org or email This email address is being protected from spambots. You need JavaScript enabled to view it..

What if a government agency is building a database using victim information that is of public record?

If the information entered into the database is only from public records and you are a government agency, it may be possible to enter survivor's personally identifying information without a release of information. However, as a best practice, it is important that survivors are notified that their information will be entered into this database. In addition, provisions should be made for cases where the record is sealed or where the abuser works in the system (courts, law enforcement, etc.) and, if possible, a survivor should be allowed to opt out of having her/his information collected and maintained in this way.

If you are a government entity and a survivor's information is entered erroneously into a database or that database is breached, you could be liable. It is also important to consider that the information in the database could be subject to a request under the state's sunshine laws from the media or any citizen.

Survivors should be informed of all uses of their information, as well as the consequences of that data collection, and should be able to decline. Agencies using survivor information should have policies and procedures to protect the information from intentional or unintentional disclosure. Victims may assume that going to court has some level of public disclosure, but they may not have the same assumption about the compilation of the information made by your government office. Therefore, s/he should be given notice about the information that is being compiled, and you and s/he should both recognize that, depending on what is collected and how it is maintained, it could become even more harmful if it gets released or used in ways that were unintended.

It also is important to ensure that the information going into the database is only information that is of public record and nothing additional. Whenever contemplating the creation of a database you should weigh the benefits of collecting and storing the information with the consequences of having the information being used and accessed in ways that are unanticipated. Whether it is helpful to an agency is not the standard for determining whether confidentiality requires a release of information from or notice to an individual whose information is being used, complied, or shared.

Please speak to the issue of time limits of releases with regard to third-party state reporting databases.

Under VAWA and FVPSA, the only information a program can release to third-party state reporting databases is non-personally identifying information in aggregate form (totals). For example, "We served 15 women and 22 children today." Since aggregate information is not identifying, a waiver from the survivor is not necessary.

Inherently, databases are not time limited. Once information is entered into a database, it is there to stay. Databases offer multiple opportunities for exporting data, creating many backup copies in multiple locations, and merging or rebundling data. Even if a survivor's information is later deleted, chances are that a backup of the database has been created at some point and the information will be stored for as long as that backup is retained by the agency administering the databases. For this reason, a release to input personally identifying information into a shared database cannot be time-limited, and therefore it is not a valid release under VAWA. State confidentiality laws may have additional requirements as well.

Can I enter survivor information into an external database to serve survivor's needs,such as one for victim- notifications, using a time- limited, written and informed release of information?

Where a survivor expresses a need or desire to have identifying information entered into an outside third-party database (such as a victim notification system), the program should work with the survivor to determine the best way to make that information entry. Before an advocate or employee of the program can enter the information into the database for the survivor, you should confirm that: 1) the data is being entered to meet a survivor-defined goal (remember: complying with a program's funding requirements is not a survivor-defined goal); 2) the survivor is fully informed of all pros and cons of participating in the database, alternative methods to meet the need, and the inability to remove or control information once it is entered; 3) the survivor understands that this data entry is not a condition of service, and the survivor can decide exactly what information is entered and what information is not entered. If all of the above are confirmed and the survivor wishes to have the program enter the information, then a written, informed release that time-limits when the information can be entered needs to be completed.

Note: Even the program acknowledging that they know a survivor counts as a release of information. The risks of disclosing the receipt of services from the program need to be discussed with the survivor.

Our state has developed a central database program and requires personally identifying information about our clients such as name, birth date, addresses, types of violence committed, etc. We have a really hard time understanding how we are being confident

No, this is not allowable under VAWA or FVPSA. Entering client information into this database would probably violate VAWA and FVPSA as well as state law provisions in many states. You should contact your grant program manager to discuss this.