Non-Governmental Organisations (NGOs) working in the development and humanitarian aid sectors want to be sure their projects are making an impact. In order to track these impacts, NGOs rely on data collected through a variety of methods. By ‘data’, we mean everything from names, addresses, and question responses, to testing results and scientific measurements.
Different projects will require and result in a variety of types of information (aka, ‘data’) being collected and stored. Data is not only crucial for informed decision-making when it comes to determining actions to take during a project’s life cycle and monitoring, it is also important for the evaluation and closure stages of a project.
But how much data is ‘enough’, and when does an organisation cross the line and accumulate ‘too much’ data about the beneficiaries of their project?
NGOs must be aware of the dangers that come with the collection and storage of data, and they need to respect the very real privacy concerns of their beneficiaries – no matter where in the world they are. Before we look at the solutions that aim to help NGOs collect and store data, here are some issues that project teams need to be aware of and think about in the project planning stage.
Issues Regarding Data Collection and Storage
Some Data Requests Are Politically Motivated
In the humanitarian sector, we all need to collect data – especially data about the beneficiaries. In some countries (such as Syria or Yemen), the government wants to see those lists. Their argument for this is that they want to avoid the duplication of support to individuals, but many people think it’s because the government does not want the opposition to receive support.
Some donors (including USAID) can request beneficiary lists to fight the global war on terror, or because the donor’s country prohibits funding of certain types of organisations – such as NGOs that provide abortion counselling or referrals. In the U.S., the FBI used spy planes flying over a protest in Washington, DC, to collect cell phone numbers and location data of the participants.
Privacy Is in the Eye of the Beholder
The amount of data protection required can vary greatly, depending on your country, the country (rules) of the donor, or that of your beneficiary. You will need to be aware of a variety of rules and regulations when it comes to data collection, transferral, and storage.
For example, the General Data Protection Regulation (GDPR) aims to give individuals control over the handling of their own data within the European Union (EU). The GDPR also covers the transfer of personal data outside the EU and the European Economic Area (EEA).
In the United States, data security regulations have primarily been dependent on an organisation’s or institution’s industry. Recently, however, there have been debates over the use of location tracking apps to help stop the spread of COVID-19. While many people have been fine with location tracking for mobile GPS systems, Facebook, Netflix, and other such apps, there is growing concern over governments using location data.
Nigeria and China, on the other hand, are countries with very different approaches to personal data. In Nigeria, a company called Social Lending will track an individual’s mobile, online, and social media platforms and use the results to determine how much money the person can borrow.
China’s Social Credit System is a government program to create centralised records for individuals and businesses, to track and evaluate them for trustworthiness. People with low credit scores can be put on a blacklist, and children of people on the blacklist can be barred from attending private schools or universities. People with high credit scores are rewarded with shorter waiting times at hospitals, discounts at hotels, and even a better chance of getting a job.
Data Is Everywhere
Another issue you will face is the fact that there is so much data to worry about, and there are an abundance of ways to have to secure it. First, you have to be concerned with the security of data collection. Second, you need to ensure the privacy of data while it’s stored. Third, you must secure the data as it is being transferred – whether digitally or offline.
You will not only need to be aware of the data protection regulations in the industry and country you and your beneficiary are in, you will also need to be aware of the different regulations depending on whether the data is being collected, stored, or transferred. These are our specific recommendations for NGOs when it comes to data collection and storage:
- Follow GDPR, even if you are located outside of Europe. Your default stance should be to protect the beneficiary or stakeholder.
- Collect as little data as possible, and be sure to pseudonymise the data. When in doubt, it is always a good idea to err on the side of caution when handling data for a project.
- Password protect access to files that have identifiable details for beneficiaries.
- Have access plans that specify who can access which forms of the data.
- Accept people’s right to be forgotten.
- Make sure you receive informed consent, ESPECIALLY for photos (and, even more strongly here, photos of children).
- Use only legally manufactured and acquired programs and up-to-date anti-virus software.
- Avoid sending data via email whenever possible; if you do, ask the sender to delete the email after they download it and then delete it from your sent emails.
Of course, of utmost importance is the safe storage of the data – including paper-based information. Since donors require NGOs to keep things for five to seven years for accountability reasons, you will also need to think about how you will safely store hard copies of forms, such as attendance lists that include phone numbers and email/physical addresses. If you cannot just scan documents to digitize them and then shred the originals (due to requirements of your donor), we recommend the following:
- Invest in a lockable filing cabinet in a secure room, where you can ensure the safety of stored paper documents.
- Use a secure offsite storage facility, where you can retain archives, but still keep access to those files.
Basically, follow the ‘do no harm’ principle when it comes to collecting, storing, or transferring information.
Oftentimes, people who need something or who are poor are seen as having fewer rights than others. Individuals and communities that are in underserved and low-income areas need to have their information protected the same as individuals and communities in privileged areas who enjoy the privacy afforded by strong data security regulations.