The data outlives the crisis it was gathered for.
We collect a great deal from the people we serve. Names, ages, locations, family structure, what they fled, what they need. We gather it to deliver one response, and then, almost without deciding to, we keep it. The crisis moves on. The record stays. It sits in a database, copied into a report, backed up to a drive, handed to a partner, carried into the next program and the one after that. The person it describes has long since stopped being asked. We have built a sector that treats the data of people in crisis as a permanent asset of the institution, when it was only ever a temporary loan from the person. That is a governance choice, and because we made it, we can remake it.
This is not a story about careless staff or bad actors. Most of us hold this data with real concern for it. The problem is structural. Nothing in our design tells the record to expire, and nothing asks, at the start, whom it is meant to serve.
Why the record never leaves
The instinct to keep everything is easy to understand. More data feels like more preparedness. A funder may ask us to prove who we reached, so we hold the proof. A future program might reuse the list, so we keep the list. Storage is cheap and deletion feels like loss, so the default everywhere is to retain. Each reason is sensible on its own. Together they produce an archive that grows in one direction only, because nothing in the structure pushes the other way. We optimize for our own convenience, and the person who handed us their details has no standing in that calculation at all.
There is a quieter reason too. Data we hold is data we control, and control feels like capacity. Letting any of it expire feels like giving up ground, so the design, left alone, points toward hoarding.
The cost lands on the person least able to carry it. A family fleeing one danger does not know that the details they gave at a registration desk will still exist years later, in systems they cannot see, usable for purposes no one named at the door. A record gathered to deliver food can become, in a changed political season, a list of who belongs to a group. The danger is not the moment of collection. It is the years of retention nobody chose on purpose.
The data of a person in crisis is not our asset. It is their loan to us, and a loan is meant to be returned.
Whom the record actually serves
There is a test we almost never run. For any piece of data we hold, we can ask whether keeping it serves the person it describes or serves us. A nutrition record that lets a family continue care across a move serves the person. A vast file kept only because a future report might want it serves the institution. Most of what we retain past the response fails that test. Data dignity begins with admitting that the convenience of the holder is not the interest of the person, and that when they conflict, the person should win.
A design that returns the loan
None of this requires gathering less of what a response genuinely needs. It requires building the other direction into the system, so data leaves on purpose rather than piling up by default.
Set retention at the start, not the end. Before we collect anything, we can name how long we will hold it and what triggers its deletion, with the default set to expiry rather than permanence. A field with no stated end date is a field we have decided, by silence, to keep forever.
Make deletion a routine act, not a rare one. Most of us have an elaborate process for collecting data and almost none for retiring it. Scheduled deletion of data that has served its purpose should be as ordinary as the backup. What we cannot delete on purpose, we should not have gathered.
Give the data back to the person where we can. The most dignified record is one the person carries and controls, able to take it to the next provider rather than starting cold each time. Portability that belongs to the household, not the agency, turns the data from something done to people into something that serves them.
Let the people who fund the work share the discipline. Funders often drive retention by asking us to prove reach long after the work is done, and they carry the same interest we do in not holding a liability that helps no one. A reporting standard that accepts aggregate proof over permanent personal records is one we can build together.
None of this weakens a response. It strengthens the trust the next response depends on. A person who knows their details were held only as long as they were needed can give them again without fear.
So the standard is plain. We should be able to say, for everything we hold, how long we will keep it and whom it serves, and the honest answer to the second question should be the person, not us. Returning the loan is a build we can begin with the next form we design.