The COVID-19 pandemic leads governments around the world to resort to tracking technology and other data-driven tools in order to monitor and curb the spread of SARS-CoV-2. Such large-scale incursion into privacy and data protection is unthinkable during times of normalcy. However, in times of a pandemic the use of location data provided by telecom operators and/or technology companies becomes a viable option. Importantly, legal regulations hardly protect people’s privacy against governmental and corporate misuse. Established privacy regimes are focused on individual consent, and most human rights treaties know derogations from privacy and data protection norms for states of emergency. This leaves little safeguards nor remedies to guarantee individual and collective autonomy. However, the challenge of responsible data use during a crisis is not novel. The humanitarian sector has more than a decade of experience to offer. International organisations and humanitarian actors have developed detailed guidelines on how to use data responsibly under extreme circumstances. This article briefly addresses the legal gap of data protection and privacy during this global crisis. Then it outlines the state of the art in humanitarian practice and academia on data protection and data responsibility during crisis.