Nonprofits and philanthropy organizations need to embrace digital age and engage more with digital and data in their activities. However, they must also be careful to avoid the ‘dark side’ of data and digitization, and uphold respect for the privacy and security of individuals’ data.
These threats are not merely theoretical. There are plenty of real-life examples that nonprofits and philanthropists should be aware of. Below I highlight three aspects of the dark side of data for civil society organizations to consider and plan for.
The first aspect of the dark side is data breaches, situations in which data is accessed or disclosed in an unauthorized fashion. These breaches can happen for a number of reasons: as a result of external hacking, insider threats, or incompetent data handling. There have been a number of prominent data breaches with an international scope, including the notorious Ashley Madison hack. Many have involved non-profit organizations. For example, in 2016, what was described as ‘Australia’s largest security breach’ involved the NGO Australian Red Cross inadvertently publishing the personal data of 550,000 blood donors, including information about ‘at-risk sexual behavior’ to a public website.
The second ‘dark’ issue is that of data use and sharing. Organizations should make sure they are clear to individuals about why they are collecting their data and what they are using it for, at the time when that data is collected. In the UK, a recent controversy has concerned the relationship between Google’s DeepMind and the British public National Health Service Royal Free Foundation Trust. The Trust provided details of 1.6 million patients to Google’s DeepMind division for the early testing stages of an app which was designed to help doctors identify patients at risk of acute kidney injury. However, the patients were not properly informed that their data would be used in this way, and the UK Information Commissioner found that the deal breached the Data Protection Act. In both the UK and Australia, there is concern that charities are not handling donors’ personal information properly, including passing on personal details to other organizations without explicit permission.
Thirdly, nonprofits need to be aware of government surveillance of their data – including in liberal democracies. Right now, a group of NGOs including the ACLU, Liberty and Amnesty International, have initiated proceedings against the UK and US governments in the European Court of Human Rights for conducting surveillance on Amnesty International’s activities, and for other illegitimate surveillance practices as revealed by whistleblower Edward Snowden in 2013. International charity Save the Children, which provided services to Australia’s offshore detention centre in the Pacific Island nation of Nauru, had its offices there raided in 2015 and computer equipment seized by police, in what appeared to be an attempt to identify a whistleblower in the organization leaking details about conditions in the detention centre to The Guardian.
To minimize the risk of the dark side of data, nonprofits must exercise good data practices which comply with relevant laws and ethical requirements. Many countries have privacy and data protection laws which govern how organizations can collect and handle individuals’ data. There are also mandatory data breach notification laws in a growing number of countries, which occasionally, as in Australia, are intertwined with privacy and data protection laws. In some countries, nonprofits can benefit from constitutional and human rights protections against surveillance to enable them to carry out their work free from illegitimate government interference.
An important legal development for civil society organizations around the world is the introduction of the EU’s new General Data Protection Regulation, whose provisions aim to represent global best practice standards in data protection and data security. The GDPR has an extra-territorial reach, so organizations handling EU citizens’ data, even if they are not based geographically within the EU, may technically be bound by its provisions.
In any event, for many privacy scholars and advocates, existing laws – including the GDPR – and their enforcement do not go far enough in securing data privacy and security. Legal compliance should not be the only objective of data organizations. Aside from legal penalties, organizations may suffer much more serious reputational damage if they mismanage the data they hold and collect. In addition, nonprofits may be held by the public to higher standards – with respect to data governance as in other realms – than public or private for-profit organizations, because of the broad perception that nonprofits should be more ethical in their activities and actions than other kinds of organizations.
This may well entail that nonprofits in the process of becoming ‘data organizations’ will need to go beyond the minimum privacy and data security requirements to ensure they don’t stray into the dark side of the digital environment. One way they can start to do this is by partnering with privacy advocates and digital rights organizations to design exemplary legal and ethical data practices.