What are IFI disclosures?
An IFI disclosure refers to the process by which an International Financial Institution – an IFI, shared information about its operations, decisions, and projects with stakeholders, including the public. IFIs, such as the World Bank or IFC typically have disclosure policies related to the projects they finance to promote transparency, accountability and trust in their activities.
Why does it matter?
I will not go into too much details on why disclosures facilitate transparency because that’s not what I want to talk about. What is a lot more interesting for me, is that IFI disclosures are actually an incredibly rich source of information on country level investments, sectoral trends, but they also highlight client level issues and gaps. While pre-internet, this information was internal to the institutions with a few hard copies in municipalities, as technology evolved we have access to most of it on our mobile phones. The way we access and consume data and information changed significantly over the past decade, which paved the way for controversial situations such as this one.
Ever since I started building the E&S Solutions knowledge base, the importance and value of this rich data has become even more evident to me. As a reminder, there are private companies who make a living on harvesting and repackaging public information. Whether it is related to mergers, project acquisition or other financial transactions. What’s even more relevant for us: ESG ratings also use publicly disclosed annual sustainability reports and sustainability related policies. The information that is publicly available to collect is shocking! I can’t wait to see some of the new disclosures under CSRD that will include information on supply chain due diligence and management systems.
So what?
Have you ever worked on a project where only a few people were affected by land acquisition? Or projects where you disclosed photos of people’s houses and livelihoods? Where you disclosed their annual income and that some of that was informal? Well, you might have breached GDPR! I know I am opening Pandora’s box where transparency means privacy and we can’t win, but hear me out: Sometimes, no matter how much you anonymise the project information, people or businesses are still recognisable.
GDPR – General Data Protection Regulation (EU, 2016) and its country level variations globally were introduced to protect your data from corporations who use it for marketing or to sell it to other companies. It is not a surprise then that Article 4(1) defines personal data as:
“..any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
I don’t know about you, but this sounds like anyone I named Farmer 1 for Project X living in City Y in Country Z..You get the picture. Where things get even worse for the most SIAs, RAPs and LRPs is Recital 26 that provides clarification on the Notion on Identifiability. Let me quote this:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
While transparency is a key principle for IFIs, it can sometimes unintentionally expose individuals to risks. This is particularly problematic when IFIs publish project documents such as Resettlement Action Plans, Environmental and Social Impact Assessments, and Stakeholder Engagement Plans. These reports, meant to ensure accountability, often contain highly specific details about affected communities, making it possible to re-identify individuals even when names are omitted.
Take, for example, a rural infrastructure project in Sub-Saharan Africa. A public IFI disclosure document mentions:
A small farming community of 12 families in Village X being displaced due to a road expansion.
Affected farmers were given compensation based on their land size, and the report detailed that one household owned 8 hectares, which is significantly more than the others.
The report also mentioned that community representatives were consulted and raised concerns about loss of agricultural productivity.
Although no names were published, in a small community with only a handful of landowners, anyone with local knowledge could easily find out which household received higher compensation and who the representatives were. This can lead to land speculation, with local buyers and even government officials targeting the landowner before compensation is finalised, significantly undermining the individual’s negotiating power.
You can’t just assume data is pseudonymised or anonymised because you think people can’t be identified. How do you know that the information has been properly protected? What measures have been put in place to ensure that it is truly anonymised? Has there been a Data Protection Impact Assessment (DPIA) to evaluate re-identification risks? If not, how can you be confident that affected people are not being put at risk?
This is precisely what Recital 26 of GDPR warns against: even if data is pseudonymised, if it can be combined with other available information to single out a person, it is still considered personal data. Anonymised data is only anonymous if there is no chance that anyone could identify the individual.
A new Framework for Transparency & Privacy Balance?
How can we consolidate privacy with the stringent disclosure requirements of development finance institutions? Is there a way to disclose enough information following the transparency principles without compromising privacy of affected people (sorry data subjects)? Maybe, but we need to incorporate data protection or pirvacy risk assessments and data minimisation strategies.
1. Data Protection Privacy Impact Assessments (DPIAs) for Disclosures
Before publishing any project-related documents, IFIs should conduct DPIAs to evaluate the risk of re-identification. Key considerations include: Could the disclosed data, even without names, lead to the identification of individuals? What additional data sources exist that could be used to piece together identities? Are there alternative ways to present the information without revealing personal details?
Example: Instead of stating that "10 farmers in Village X received compensation," an IFI could aggregate data across multiple villages or express figures as percentages rather than exact numbers.
2. Tiered Disclosure Approach: Full Transparency ≠ Full Public Access
Not all information needs to be fully public. Instead, IFIs should adopt a tiered access model:
Public Disclosure (General Audience) → High-level summaries with anonymised and aggregated data.
Stakeholder-Specific Access (Regulators, NGOs, Researchers) → More detailed reports available under controlled access agreements.
Restricted Internal Access (IFI & Project Implementers) → Full datasets with identifiable information, but not for public release.
Example:Instead of publishing household-level income data, IFIs could provide a community-wide income range or percentage of affected households falling within specific income brackets.
3. Strengthening Anonymisation & Data Aggregation Techniques
Current IFI disclosure practices often rely on simple pseudonymisation (e.g., "Farmer 1" or "Community Member A"), which is not sufficient under GDPR. Instead, IFIs should: Use true anonymisation where re-identification is mathematically impossible. Broaden geographic references to prevent pinpointing specific locations. Cluster affected individuals into groups rather than listing individual compensation details.
Example:Instead of publishing "Household A received $10,000 in compensation and owns 5 hectares," an IFI could report "Compensation ranged from $8,000 to $12,000 for households owning 3-6 hectares in Region Y."
4. Establishing Ethical Review Panels for Disclosures
IFIs should establish independent review panels composed of privacy experts, human rights advocates, and local community representatives to assess:
Whether disclosures strike the right balance between transparency and privacy.
If additional safeguards (such as consent mechanisms) are necessary before publishing reports.
Example:Before publishing a Resettlement Action Plan, an IFI could seek feedback from affected communities to ensure that disclosed information does not put them at risk.
Transparency with Responsibility
Whilst many privacy laws and principles globally are based on or very similar to the GDPR, this is not just about data protection and privacy legislation, it is not just about countries where these laws exist to protect individuals, it is about fundamental human rights, ethics, and responsible governance. The right to privacy is not just a regulatory requirement; it is a core human right, enshrined in the Universal Declaration of Human Rights (Article 12) and recognised across various international human rights frameworks.
As IFIs strive to uphold transparency and public trust, they must also take serious responsibility for protecting the privacy and dignity of affected individuals. While GDPR originated in Europe, its principles of privacy protection—including data minimisation, purpose limitation, and accountability—apply globally. Whether or not a country has specific privacy laws, IFIs have an ethical duty to ensure that disclosure practices do not expose individuals to harm, discrimination, or undue risks.
The implementation of DPIAs, tiered access models, stronger anonymisation techniques and ethical review processes ensures that IFIs and impact assessments are keeping up with the times in terms of technology, availbility of information and the accompanying legislations/best practices. Transparency doesn't have to come at the cost of privacy, security or dignity!
The future of IFI disclosures must not be a trade-off between accountability and fundamental rights. Instead, it must be an approach that upholds both transparency and the ethical responsibility to protect communities affected by development projects. True sustainable development is not just about financial investments—it is about ensuring that the rights, privacy, and well-being of the people at the centre of these projects are safeguarded.
To recap, here’s a summary of the main policies and what each IFI discloses for their projects (yes I used myESRA):
1. World Bank (WB)
Relevant Policies:
- Environmental and Social Framework (ESF)
- Access to Information Policy
Typical E&S Documents Disclosed:
- Environmental and Social Impact Assessments (ESIAs)
- Environmental and Social Management Frameworks (ESMFs)
- Environmental and Social Commitment Plans (ESCPs)
- Resettlement Action Plans (RAPs)
- Stakeholder Engagement Plans (SEPs)
- Indigenous Peoples Plans (IPPs)
- Gender Action Plans (GAPs)
- Environmental and Social Management Plans (ESMPs)
- Cumulative Impact Assessments (CIAs)
2. International Finance Corporation (IFC)
Relevant Policies:
- IFC Performance Standards
- Access to Information Policy
Typical E&S Documents Disclosed:
- Environmental and Social Review Summaries (ESRS)
- Environmental and Social Action Plans (ESAPs)
- Environmental and Social Impact Assessments (ESIAs)
- Environmental and Social Management Plan (ESMP)
- Resettlement Action Plans (RAPs)
- Stakeholder Engagement Plans (SEPs)
- Indigenous Peoples Plans (IPPs)
- Biodiversity Action Plans (BAPs)
3. Asian Infrastructure Investment Bank (AIIB)
Relevant Policies:
- Environmental and Social Framework (ESF)
- Public Information Policy (PIP)
Typical E&S Documents Disclosed:
- Environmental and Social Impact Assessments (ESIAs)
- Environmental and Social Management Plans (ESMPs)
- Resettlement Plans (RPs)
- Stakeholder Engagement Plans (SEPs)
- Indigenous Peoples Plans (IPPs)
- Cumulative Impact Assessments (CIAs)
- Environmental and Social Due Diligence (ESDD) reports
4. Asian Development Bank (ADB)
Relevant Policies:
- Safeguard Policy Statement (SPS)
- Public Communications Policy (PCP)
Typical E&S Documents Disclosed:
- Environmental Impact Assessments (EIAs)
- Initial Environmental Examinations (IEEs)
- Resettlement Plans (RPs)
- Indigenous Peoples Plans (IPPs)
- Environmental and Social Management Plans (ESMPs)
- Stakeholder Engagement Plans (SEPs)
- Environmental and Social Monitoring Reports
- Social Compliance Audits (SCAs)
- Procurement Plans (PPs)
5. African Development Bank (AfDB)
Relevant Policies:
- Integrated Safeguards System (ISS)
- Disclosure and Access to Information Policy
Typical E&S Documents Disclosed:
- Environmental and Social Impact Assessments (ESIAs)
- Environmental and Social Management Plans (ESMPs)
- Resettlement Action Plans (RAPs)
- Stakeholder Engagement Plans (SEPs)
- Indigenous Peoples Plans (IPPs)
- Environmental and Social Audits
- Strategic Environmental and Social Assessments (SESAs)
6. Multilateral Investment Guarantee Agency (MIGA)
Relevant Policies:
- Environmental and Social Review Procedures (ESRP)
- Access to Information Policy
Typical E&S Documents Disclosed:
- Environmental and Social Review Summaries (ESRS)
- Environmental and Social Impact Assessments (ESIAs) and annexes
- Environmental and Social Action Plans (ESAPs)
- Stakeholder Engagement Plans (SEPs)
- Resettlement Action Plans (RAPs)
7. European Bank for Reconstruction and Development (EBRD)
Relevant Policies
- Environmental and Social Policy (ESP)
- Public Information Policy (PIP)
Typical E&S Documents Disclosed:
- Environmental and Social Impact Assessments (ESIAs) and annexes
- Stakeholder Engagement Plans (SEPs)
- Resettlement Action Plans (RAPs)
- Non-Technical Summaries (NTSs)
8.European Investment Bank (EIB)
Relevant Policies:
- Environmental and Social Standards
- Transparency Policy
Typical E&S Documents Disclosed:
- Environmental and Social Impact Assessments (ESIAs) and annexes
- Stakeholder Engagement Plans (SEPs)
- Resettlement Action Plans (RAPs)
- Environmental and Social Data Sheets (ESDS)
9. Inter-American Development Bank (IDB)
Relevant Policies:
- Environmental and Social Policy Framework (ESPF)
- Access to Information Policy
Typical E&S Documents Disclosed:
- Environmental and Social Impact Assessments (ESIAs) and annexes
- Resettlement Plans (RPs)
- Indigenous Peoples Plans (IPPs)
- Stakeholder Engagement Plans (SEPs)
Comments