Avoiding Catastrophe: The Importance of Privacy when Leveraging AI and Machine Learning for Disaster Management

Commentary by Leah Kieff

Published November 7, 2025

In developing countries, the impact of significant events such as earthquakes, extreme weather, terrorist attacks, cyber incidents, or health emergencies can be more pronounced given the lack of planning, budget constraints, and weak infrastructure that these countries are confronted with. Leveraging data effectively is fundamental to managing the impact of these disasters. New and emerging technologies, including machine learning (ML) and AI, can be leveraged to process and organize the data into usable information, as well as to support effective collection. But any mass collection of data carries privacy concerns, which must be mitigated from the start. Given the recent devastation of Hurricane Melissa in the Caribbean and with the AI Impact Summit approaching in February 2026, these are timely topics to address.

The type of data that may be useful in a disaster can range from personal health information to satellite imagery of an affected geographic area. Satellite imagery can be invaluable in determining the level of destruction, including baseline and post-disaster comparisons. Census data can help determine the demographic characteristics of a region for logistics for evacuations, and the movement of supplies. Successful intelligence collection and analysis can allow law enforcement to stop a terrorist attack from occurring.

The usefulness of data in disaster management is only increasing in the era of big data. The term "big data" describes massive data sets that are collected from the palms of our hands, via cell phones, wearable technologies, and digital transactions. This data may be actively volunteered by the individual (such as social media postings) or passively provided (such as automated means like credit card usage). While large data sets such as censuses have been collected for thousands of years, the types of data sets, as well as collection methods and speed, have been revolutionized by technological advances.

Despite the promise, the collection and use of data for disaster management is not without risks. Data quality may not be accurate, leading decisionmakers to believe that they have a truthful picture of the disaster, including those impacted, when they may not. And even if the data sourcing and validation are done correctly, the aggregation, synthesis, and analysis must be done well to allow for effective inference-driven decisionmaking. The existence of these huge data repositories without a process to transform them into informed decisions is equivalent to attempting to put crude oil into your car instead of gasoline. Data pipelines can refine raw data into insights. These pipelines can and should be supported by AI and ML to increase efficiency and accuracy.

Guiding Principles to Build Strong Privacy Frameworks for Data in Disasters

Currently, disaster management planners are at a disadvantage in protecting privacy as they are solving extremely complex, often unexpected problems in diverse, changing environments. Furthermore, those tasked with disaster management planning may wear many hats and rely on volunteer or staff support, which is more operationally focused on the immediate loss of life or property, not factoring in the long-term potential harms. On the ground staff with operational focus are often the ones collecting or interacting with the data the most.

Furthermore, the infrastructure needed to develop the bespoke analytical tools, to make sense of the data, and solve problems is the job of data scientists or engineers and cannot be accomplished unless these people are on staff somewhere with the data already at their fingertips. This infrastructure is expensive to maintain and manage. Ensuring privacy is incorporated requires additional expertise and planning.

Remembering that the entire goal of these disaster management efforts is to minimize harm to persons and property highlights the need for privacy fundamentals, such as notice and consent, to be fully integrated into the efforts. Frameworks to support privacy must include a number of core tenets.

First, the framework should include the tenets of the security of the data, internally and externally. Internally, this means only those with a legitimate need to know can access the data, and that there are recorded logs of employees who have done so. Externally, this means that cybersecurity best practices are leveraged to prevent incursions.

Finally, the framework should address the destruction of data following the conclusion of response efforts. This includes ensuring that there are not only timelines in place for the destruction of the data at hand, but also that the systems are built to support this destruction, and users providing this data are informed of the timeline of the data lifecycle. There must also be audits and reviews incorporated into this process to ensure these processes are carried out.

Why Data Helps in Disasters

Data, when processed effectively, allows a better understanding of emergency risks, early action, and quick response. This supports more cost-effective prevention and preparedness, rather than costly reactions during or after the fact. It is estimated that every dollar invested in disaster preparedness saves six dollars in response. Furthermore, it can help support responses to smaller-scale, local events that are often the most devastating disasters in the developing world.

Social media can be a valuable source of existing and newly generated data that can be used in disasters, both by individuals and the government, to help responders. For example, in Kenya, following the 2008 presidential elections, a platform leveraging social posts and eyewitness reporting helped locals avoid areas experiencing violent unrest. During the 2015 Chennai floods in India, social media was leveraged as an effective tool to solicit real-time information via the internet, as other communication channels experienced interruptions. This is a perfect example of why disaster data models must account for damage to critical infrastructure, whether temporarily or longer term, that may affect data available and transmission of data during a disaster.

Private companies can play a key role in helping the government organize and access data during disasters, as in the 2015 Chennai floods example. This can be done through aggregating social media inputs, as in the examples above, but this can also be done through data the company has already collected for another purpose. For example, after the 2010 earthquake in Haiti, Google created an enormous database of people's information to allow them to locate their family members. Questions on data validity and consent are particularly salient when data is used-even in the context of a disaster-for something outside its stated initial purpose. This can be mitigated by the privacy framework previously outlined.

Data collected must be organized in order to be used for inferences. To be effective, these models must be developed to be able to take these disparate data sources from social media postings to video, cellular, and geospatial signals in their individually unstructured formats and combine the data streams to provide useful insights into problems. The engineers who construct modeling infrastructure must do so together with on-the-ground decisionmakers who have experience in how these various emergencies might unfold, and what insights will be most useful in shaping disaster response. The need is further complicated as the sourcing, accessibility, and analytical capabilities needed differ and change with new situations. But effective models can automate the production and delivery of insights to decisionmakers in real-time for response.

For example, Google has built a platform that leverages weather data, spatial mapping, and ML flood modeling to offer earlier warning of floods in flood-prone countries, including India. The Indian government is providing more accurate heat warnings to citizens by leveraging AI to combine satellite imagery and local information. Google also built a tool that uses both AI and ML to predict storms' progress. This model, which combines data on global weather patterns and thousands of historic cyclones, was able to provide early warning about the likelihood that Hurricane Melissa would be a category five.

The United States and countries around the world use ML and AI to predict not only where fires may occur, but also their likely spread, enabling timely evacuations and helpful routes. This pre-collection is helpful not only to predict disaster elements such as changes in temperatures but also to ensure the systems are able to be online and more accurate when deployed. The benefits of data usage in disaster preparedness and response may be especially impactful in the developing world, but there are likely to also be additional challenges in data security as well.

Data Privacy Challenges in Disaster Management: The Case of the Covid-19 Pandemic

Even in static situations, the balance between data use and privacy protection is difficult to strike. In rapidly changing emergencies, where loss of life is at stake, this balance becomes even more challenging. There is a risk of a collector or third party misusing the data, either accidentally or intentionally, before, during, and after the disaster. Misuse can cause significant harm to individuals and undermine public trust in the state. These risks are increased by storage and access gaps, and are generally higher in the developing world, where cybersecurity and privacy protections are generally less developed. Furthermore, disasters themselves have a greater impact in these settings because of existing infrastructure, limited response capacities, and weaker institutions. When not managed effectively, disasters can reverse decades of progress in these least developed countries.

The Covid-19 pandemic provides a recent example of the use of data in responding to a disaster and highlights the importance of frameworks such as the one described earlier in this piece being integrated, as well as the risks and harms when these considerations are not at the forefront. During the pandemic, governments around the world collected and used their citizens' personal data on a large scale. One of the ways this was done was through contract tracing applications installed on smartphones. While in the United States, these applications were available as tools for individuals wishing to leverage them, in other countries, such as China, they were mandatory. Additionally, the designed security of the applications and the access to the data these applications collected varied widely across the globe.

Furthermore, the data collected from these applications was not created equal, either in terms of usefulness for modelling for mitigation or for the potential privacy implications. Contact tracing applications leveraged during the Covid-19 pandemic generally used either GPS or Bluetooth technology to determine their users' location, mapping likely encounters to determine if they had been exposed to someone who was infected with Covid-19. But determining which technology should be used in these applications must consider not only the availability and technological functionality but also the privacy versus data collection abilities of both. In this instance, Bluetooth is more effective than GPS in areas with high concentrations of users. This also means that Bluetooth data exposes more specific individual information to the application.

This inverse relationship between data collection ability and privacy protection increases the need to have specific guidelines-limiting use and directing data destruction-including specific timelines and scope in place before the implementation of these types of applications. For instance, if individual data is collected and then shared, the aggregation of this data must be done in a way that it cannot easily be reversed. If this step is not taken, user data that was not effectively anonymized can be released, exposing the home addresses and daily movements of users. This is what happened in South Korea during the pandemic. While in this instance it was done inadvertently by design flaw, it can also be done intentionally.

In the case of China in 2022, these applications were used to track and police protest movements, which was not their original stated intent. Using the data for purposes other than those originally agreed to by the users means that there was no informed consent present. Informed consent refers to an ethical principle whereby the individual making the decision has the information and capacity to freely agree. Informed consent can be absent even if the use is something the user might have agreed to-such as informing authorities of the spread of fire. This is an important tenet to consider when planning to use data sets collected in advance of a disaster. This might involve de-identifying data, where possible, or, among other options, reengaging users to seek consent.

In another example related to a Covid-19 tracing application, the Polish government announced plans to keep data collected from its application for six years. It is hard to understand how data collected to support contact tracing during a pandemic would be useful for the original purpose six years after the fact. Additionally, the longer the data is retained, the more difficult to ensure there will not be a breach or spill of this sensitive user information.

The potential for misuse of this data, whether by the original collectors or by a third party who may access the data, is greater in places where cyber and data protections are less developed. This may be due to the lack of infrastructure, institutional capacity for data management, or the ability to access and leverage data. The challenges around institutional capacity, from financing to infrastructure to skilled professionals, also impact cybersecurity in these countries, which can compound problems with data security. Using foreign hardware or software can exacerbate the security challenges of systems. All these additional challenges create increased risks for data to be used with limited harm in developing countries.

Conclusion

Balancing data access with privacy protection is a difficult task, especially during disaster preparedness and response situations. When data is used effectively, it has the power to save lives and protect assets with maximum efficiency. AI and ML make it easier to organize this data into information that can support decisionmaking.

But to ensure that data is used correctly, the three high-level principles outlined above (security, methods and storage, and destruction) must be addressed at the onset, in a privacy framework. Creation and incorporation of these frameworks throughout the lifecycle of the data will pay dividends everywhere, including but not limited to the developing world. These privacy considerations maximize the benefits that data can bring in these dire situations while minimizing the potential harm to individuals' privacy.

Leah Kieff is a senior associate (non-resident) with the Project on Prosperity and Development at the Center for Strategic and International Studies in Washington, D.C.

Programs & Projects