Why is the protection file itself a risk?
A protection file is built from exactly the information a hostile actor wants. To qualify someone for relocation, hosting, or emergency support, an organisation records their identity, the grounds of their persecution, their movements, and often their networks. The better the casework, the more complete the dossier, and the more complete the dossier, the more valuable it is to the wrong reader. This is not a hypothetical inversion. Registries compiled to administer populations have been repurposed for persecution when political conditions changed, a pattern documented across the historiography. The organising principle that follows is uncomfortable but simple: the safest data is the data never collected, and the second safest is the data that does not persist.
Who holds a defender's file after placement?
Protection work moves files across organisational boundaries by design. An assessment file travels from the referring organisation to the assessing organisation, onward to a funder, a host institution, or a partner in another jurisdiction, and sometimes through state agencies along the way. Each hop has its own security practices, its own retention habits, and its own legal exposure, and the person the file describes can audit none of them. The question worth asking of any protection pipeline is not whether the file was handled carefully at each step. It is: once the person is placed, who still holds a copy, and does anyone's job description include making those copies disappear?
Does data protection law apply to protection work?
There is no civil-society exemption in the GDPR. A file recording someone's sexual orientation, health condition, religion, or political activity is special category data under Article 9 whether it sits in a corporation's HRIS or a small organisation's casework drive, and the default is prohibition, with narrow exceptions construed strictly. Consent, the exception most organisations assume covers them, is weakest exactly here: a person seeking protection from the organisation holding the file is not well placed to refuse, and consent that cannot be freely refused is not consent in the regulation's sense. Donor compliance frameworks add their own audit and data-handling obligations on top. The result is a real tension: casework needs depth, while both the law and the person's own safety counsel minimisation.
What does the organisational threat model look like?
Four documented pressure points. Compelled disclosure, where a court or state demands what the organisation holds. Border exposure, where a staff member's device carries the caseload across a checkpoint; warrantless device searches at borders have grown several-fold within a decade. Breach or infiltration, where the file leaves without permission. And political change in a jurisdiction where the organisation or its partners operate, the oldest pattern of the four. There is also a quieter mechanism that operates without any adversary: aggregation. Individually harmless attributes combine into identification, and a casework record that names no one can still single someone out.
Can you protect someone without registering them?
Yes, because the two halves of a protection assessment live on opposite sides of a line. The risk layer is public: which jurisdictions criminalise which characteristics, which routes and carriers present which hazards, which environments impose which exposures. None of that is personal data, and all of it can be held, maintained, and audited freely. The attribute layer is personal, and it is needed only at the moment of assessment. An architecture that holds the risk layer permanently, lets the person's attributes meet it transiently, and retains only proof that an assessment occurred gives the organisation its accountability evidence while the register of protected people never comes into existence. Populations can remain visible in aggregate for advocacy and reporting while individuals remain unrecorded; the techniques for that separation are established.
What survives an audit without endangering anyone?
Boards and donors need evidence that duty of care was discharged. Evidence is not the same object as a warehouse. A date-stamped record that an assessment occurred, against a stated methodology, within a defined scope, satisfies an auditor without containing a single attribute of the person assessed. The organisation keeps the attestation; the person keeps the substance. Verifiable, not asserted, and nothing in the audit trail worth stealing.
The question to ask your own casework
Where, today, is the list of the people your organisation protects, who can read it, and whose job is its deletion? If the answer is a named system with documented access, retention, and a deletion owner, you are ahead of most of the sector. If the answer is a spreadsheet, a shared drive, or a coordinator's inbox, the exposure is already on foot, and it is carried by the people with the least power to object.