Law and best practice require that victim service programs choose a database that protects the privacy and safety of victims and their information. The following is a check-list of characteristics present in a secure and victim-centered database.

1.    The program controls who can see the victim information in the database because:

  • The program owns or controls the server(s) in which the information/data is stored.

  • Or the data is encrypted on someone else’s server and the program holds the ONLY encryption key(s).

    • This encryption system means that the owner of the server technologically CANNOT read the data (which is different from the server vendor having policies that state they WOULD NOT read the data).

  • In addition, the program has a detailed understanding of back-up procedures and has control over access to and routine destruction of back-up copies of readable survivor data.

2.    Access to the database is carefully controlled by the program

  • Each user has her/his own individual password-protected account (versus one account and password that is shared by many).

  • If an employee leaves the program, her/his access is promptly removed.

  • The database can either be opened:

    • only on computers in the program’s network

    • or on the web and the program has strict protocols for ensuring that:

      • Access to the data is only via program-owned devices/computers.

      • Access to the devices/computers is secured with passwords or passcodes.

      • Passwords to the data are never saved on the device or via web browser.

      • A process exists for reclaiming devices when employment/volunteer leaves the program.

      • The program is immediately notified if a device/computer is lost or stolen.

      • The program has the ability to remotely wipe the device of all information.

3.    The program has the ability to change any data field to be hidden, to use different language/wording, to make questions required or optional, or to change the question order to ensure that the database questions do not re-victimize the survivor.

4.    Individual survivor data is routinely destroyed as soon as the program no longer needs it to serve the survivor or satisfy grant/legal requirements. Destruction of data can be completed as follows:

  • The database is programmed to automatically purge (not just delete but permanently remove) certain data types (i.e., detailed narrative notes) on a specific date.

  • Or the program administrator has the power to purge (not just delete) data and routinely purges certain data from the system manually.

  • Moreover, the program should assess the purge schedule policy each year when reviewing the database.

5. The program’s contract with the database vendor should include binding agreements to ensure security of and program control over the data, including:

  • An agreement that the program owns the data in the database.

  • A clear procedure for the program to export all data out of the database at any time.

  • An appropriate back-up system over which the program has control.

  • Specific commitment (by database vendor and any third companies sub-contracting with the vendor) to notify and give the program an opportunity to resist subpoenas, warrants, and any other third party requests for survivor data.

  • Reasonable agreements by the database vendor to be responsible for damages if the vendor’s staff misuses or mishandles survivor data.

  • The right to enforce the contract in a court close to the victim service program (as opposed to a contractual agreement to only bring a lawsuit where the database vendor is located.)