The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Khalid Al-Nasser
January 10, 2025
Humanitarian nongovernmental organizations (NGOs) face significant challenges in protecting vulnerable populations and their own operations. Operating in conflict zones with limited resources, constrained access and unstable environments, these organizations are particularly susceptible to cyberattacks and data breaches. The majority of these organizations lack the necessary capacity, bandwidth and infrastructure to safeguard their operations and protect the sensitive data of the vulnerable groups they serve, as well as their humanitarian workers (with the exception of large international NGOs). The surge in digital operations (in data collection, programming and outreach) has heightened these risks, necessitating robust data protection measures. The push for data-driven policy and decisionmaking, along with the emphasis on quantifiable monitoring and evaluation, which requires data collection, pressures NGOs to balance fulfilling their mission with protecting the personal data of those being served.
The rapid advancement of technology necessitates that NGOs implement practices to mitigate these challenges. They must prioritize data minimization, privacy education and rigorous risk assessments. By limiting data collection, enhancing staff knowledge and carefully evaluating new technologies, organizations can reduce vulnerabilities significantly. Establishing strong partnerships with third-party service providers and selecting data storage locations with robust privacy frameworks is also crucial. Failure to implement these measures puts both NGOs and those they serve at risk. A comprehensive approach to data protection is essential for the continued effectiveness of humanitarian aid.
The following recommendations aim to guide organizations toward more robust, ethical and compliant data management strategies, ensuring they are better prepared to navigate the complexities of modern data protection challenges. These recommendations also aim to safeguard sensitive information, protect beneficiaries and build trust within their communities.
Recommendation 1: Limiting access to sensitive information, including personally identifiable information, is crucial to preventing unauthorized disclosure. Humanitarian NGOs must make informed, ethical decisions about the location of their data centers and the applicable laws of host countries. For instance, U.S. privacy laws allow the FBI access to any data within its jurisdiction, contrasting sharply with the European Union’s stringent regulations, which protect data from unauthorized access. This disparity should encourage organizations to choose jurisdictions with privacy laws that align with their commitment to data protection and humanitarian principles. For example, the Qatar Personal Data Privacy Protection Law exemplifies legislation that facilitates cross-border data transfer while offering a different perspective on data sovereignty and privacy. This legal environment urges humanitarian organizations to evaluate where their data is hosted carefully, selecting locations that offer legal protections consistent with their ethical standards and the need for data security.
Recommendation 2: Data minimization is a key principle in the data-gathering process. NGOs should only collect information that is essential for delivering their services and avoid unnecessary data collection. Collecting less data reduces the need for extensive security measures and protects the privacy of those being served. In addition, deleting data when it is no longer needed or when a program is concluded should be a common practice; often data are archived on drives or servers for extended periods of time, where they remain susceptible to hacking and exposure.
Recommendation 3: Capacity building within NGOs is critical. This involves not only establishing systems and infrastructure to protect data but also providing education and training for workers. While staff may be prepared to deliver services and interact with the target groups, they often lack preparation in collecting, accessing and using potentially sensitive data. Staff must be equipped with the knowledge they need to make informed, ethical decisions regarding data handling. Comprehensive education on data privacy rights and General Data Protection Regulation (GDPR) principles is particularly important. Additionally, individuals must be aware that their privacy rights are protected, even in conflict zones. Educating vulnerable individuals about their privacy rights, including the right to be informed as stated in GDPR, for example, is essential; obtaining consent before data sharing underscores the importance of respecting the autonomy of data subjects.
Recommendation 4: Humanitarian organizations must rigorously evaluate risks before implementing new technologies, ensuring alignment with their humanitarian principles and the “Do No Harm” principle. Conducting Data Protection Impact Assessments (DPIAs) is crucial, especially when handling personal data in conflict-affected areas. DPIAs involve analyzing, identifying and minimizing data protection risks in new projects.
Recommendation 5: Third-party risk management is essential, particularly when sharing information with external entities such as other NGOs, government bodies and service providers who may access highly sensitive data. Humanitarian organizations must establish robust agreements with third parties, clearly defining the purpose and scope of data sharing to protect the integrity and confidentiality of the data.
These recommendations lay the foundation for further exploration and development of data protection guidelines tailored to humanitarian practices and interventions in conflict-prone contexts. These guidelines should be guided by the principles of independence, humanity and neutrality.
Author: Khalid Abdulla A A Al-Nasser is a cybersecurity expert interested in new emerging technologies and specialized in governance, risk and compliance. He holds a master’s degree in public policy from Hamad Bin Khalifa University, Qatar. He may be reached at [email protected].
Chin-I Chen
January 12, 2025 at 9:28 am
Based on the purpose of Woodrow Wilson (1887) and the United Nations, it is to serve the public under justice for sustainable ecological development of mankind. How to integrate justice, ethics and public interests into AI, provide services and protect personal data, and the role of third-party organizations?