When we implement e-transfer programs, we collect a lot of information about program participants, some of which is highly sensitive. So, we have a responsibility to utilize, share, store and dispose of it securely.

Many industries are governed by clear data protection standards. This is not yet the case for ours. Very few humanitarian organizations have a comprehensive set of policies, practices and tools to responsibly manage and protect the data they hold.
So we put together some tips to get you started. (You’re welcome.)

Building upon the Cash Learning Partnership’s (CaLP’s) foundational Protecting Beneficiary Privacy, this Starter Kit provides concrete tips to help you assess, plan and improve your data management practices. The seven Tip Sheets align with the project and data management lifecycles, so you’ll know exactly when to think about RAD, PIAs and E2EE.

We developed this Starter Kit for field staff implementing e-transfer programs, but there’s no reason to keep it secret. If you think other teams – or other programs entirely – may find the guidance useful, pass them on!


Assess the risks associated with your program data plans and design strategies to mitigate them.

Sometimes less really is more. Learn why and how to be intentional in your approach to data collection, use and storage.



What are national Know Your Customer (KYC) regulations, and why should you care? Learn how to comply with KYC regulations and when you might want to advocate for KYC changes.

Are you registering program participants, or are you working off a partner-generated list? Different data privacy considerations apply to each. Make this essential step of program implementation as smooth as possible.



Is your data secure at rest and in transit? Start by learning what these terms mean and then see simple tips to protect sensitive data and find links to products to assist you.

E-transfer programs depend upon partnerships, and program partners need information. We teach you how to responsibly share data within and outside your organization.



So you are closing out your program. Congratulations! Now what happens to all the data you collected? Plan early for secure data retention, archiving and disposal. And learn a new acronym along the way.


Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin sed ligula eu metus lacinia venenatis. Donec non lorem in eros ultrices malesuada sed quis dui.



The Starter Kit was produced with support from:

The Starter Kit was produced with technical input from:

Danna Ingleton
Amnesty International

Kate Castenson
Mercy Corps

Lily Frey
Mercy Corps

Lili Mohiddin
Independent Consultant

Sara Murray
Mercy Corps

Jay Narhan

Bree Oswill
Mercy Corps

Zara Rahman
the engine room

Norman Shamas
Independent Consultant


  • A
  • B
  • C
  • D
  • E
  • F
  • G
  • H
  • I
  • J
  • K
  • L
  • M
  • N
  • O
  • P
  • Q
  • R
  • S
  • T
  • U
  • V
  • W
  • X
  • Y
  • Z
  • Archiving

    Archiving is a general term for the range of practices and decisions that support the long-term preservation, use, and accessibility of content with enduring value; intentionally preserving data in a way that makes it easy for collaborators to refer back to it. (Responsible Data Forum)

  • Biometrics

    Biometrics refers to the measurement of unique and distinctive physical, biological and behavioral characteristics used to confirm the identity of individuals (Privacy International). Examples include fingerprints, iris scans and voice recognition.

  • Cloud Hosting

    Cloud Hosting refers to the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing. Cloud Hosting provides a simple way to access servers, storage, databases and a broad set of application services over the Internet. (Amazon Web Services.)

  • Data Controller

    The agency or person who determines the purposes for which and the manner in which any personal data are, or are to be, processed. (CaLP)

  • Data Provenance

    Data provenance refers to the source and history of a data set, including how it was collected and manipulated.

  • Data Processor

    The affiliate/ service provider; a person who processes personal data on behalf of the data controller over the course of rendering the services. (CaLP)

  • Data Subject

    A living individual who is the subject of the personal data, i.e. to whom the date relates either directly or indirectly.

  • De-identification

    The a process of taking identifying information that can connect data with an individual out of a data set. (Responsible Data Forum.)

  • Data Disposal

    Deleting data in a safe and responsible way; organisations should not hold beneficiary data for longer than is required unless they have clear, justifiable and documented reasons for doing so. (CaLP)

  • Data Retention

    The length of time that data is kept by the organization that gathered it.

  • E-cash

    Any electronic substitute for cash that provides full flexibility for purchases. It may be stored, spent, and/or received through a mobile phone, prepaid debit/ATM card or other electronic transfer. (ELAN)

  • Encryption

    Encryption is a way to protect sensitive information by scrambling it, so that it is unreadable by anyone without the specific decryption method required. It is possible to encrypt an email, specific files, or the content on an entire computer.

  • End to end encryption (E2EE)

    End to end encryption (E2EE) systems are digital systems that facilitate secure, encrypted communication over untrusted networks.

  • E-Transfer

    A digital transfer of money or vouchers from the implementing agency to a program participant. E-transfers provide access to cash, goods and/or services through mobile devices, electronic vouchers, or cards (e.g., prepaid, ATM, credit or debit cards). (ELAN)

  • E-voucher

    A card or code that is electronically redeemed at a participating distribution point. E-vouchers can represent cash or commodity value and are redeemed using a range of electronic devices. (ELAN)

  • Financial service provider (FSP)

    An entity that provides financial services, which may include e-transfer services. Depending upon your context, financial service providers may include e-voucher companies, financial institutions (such as banks and microfinance institutions) or mobile network operators (MNOs). Financial service providers include many entities (such as investment funds, insurance companies, accountancy firms) beyond those that offer humanitarian e-transfers. (ELAN)

  • Know Your Customer (KYC)

    ‘Know Your Customer’ refers to the information that the local regulator requires banks to collect about any potential new customer in order to discourage financial products being used for money laundering or other crimes. (CaLP)
    *Note: KYC is also known as Customer Due Diligence

  • Personally Identifiable Information (PII)

    Any data that directly or indirectly identifies or can be used to identify a living individual. (Examples include names, phone numbers, bank record details, and biometric data such as fingerprints or iris scanning) Note that PII can be also be any combination of data sets (sometimes seemingly innocuous ones) that would allow for individual identification.

  • Privacy Impact Assessment (PIA)

    A Privacy Impact Assessment (PIA) is a tool to analyze and mitigate the potential privacy risks to individuals as well as privacy and data protection compliance liabilities for the organization for any program or activity.

  • Short Message Service (SMS)

    Short Message Service (SMS) commonly known as ‘text messages’, SMS is a way to send short messages using an alphabet, numbers, and symbols. SMS messages are digital information that can be transmitted over mobile networks, without Internet signal. (FrontlineSMS)

  • Secure Sockets Layer (SSL)

    Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. (ssl.com)

  • Sensitive Personal Data

    Sensitive personal data is a particular category of personal data, relating to the following:
    Racial or ethnic origin,
    Political opinions,
    Religious, ideological or philosophical beliefs,
    Trade Union membership,
    Information relating to mental or physical health,
    Information in relation to one’s sexual orientation,
    Information in relation to commission of a crime and information relating to conviction for a criminal offense
    (Innovation Value Institute)

  • Standard Operating Procedures (SOPs)

    Standard operating procedures (SOPs) are written instructions intended to document how to perform a routine activity. Many companies and organizations rely on standard operating procedures to help ensure consistency and quality in their products. Standard operating procedures are also useful tools to communicate important corporate policies, government regulations, and best practices. (Study.com.)

  • Two factor authentication (2FA)

    Two factor authentication (2FA), also known as two step verification, is an account security layer that requires a user to provide a password (something they know) and an additional code (something they have), such as an SMS code sent to a phone or a token.

  • A unique identifier (UID)

    A unique identifier (UID) is a numeric or alphanumeric code that is unique to an entity  within a given system. (e.g., a national ID number for an individual)

  • Voice over Internet Protocol (VOIP)

    Voice over Internet Protocol (VoIP) is a technology that allows people to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line. (Federal Communications Commission.)



We want to hear from you! Let us know how you used this Starter Kit. If something was missing or should be changed, let us know that, too! Want to stay in touch with ELAN?
Sign up for updates.



The Electronic Cash Transfer Learning Action Network is convened by Mercy Corps, with support from the MasterCard Center for Inclusive Growth.


The Starter Kit was produced with technical input from:

We are also greatful for the drafting, editing, or technical inputs from:

Danna Ingleton
Amnesty International

Kate Castenson
Mercy Corps

Lily Frey
Mercy Corps

Lili Mohiddin
Independent Consultant

Sara Murray
Mercy Corps

Jay Narhan

Bree Oswill
Mercy Corps

Zara Rahman
The Engine Room

Norman Shamas
Independent Consultant

Lisa Levy
Mercy Corps