CSOs and Data Protection
Civil society organizations are just as accountable as government agencies and businesses when it comes to data protection. Should there be any data breach or misuse on their part, the impact on people of could be just as severe, given the sensitivity of the information some of them regularly hold and manage.
CSOs might be smaller in size compared to a typical government agency or private company, but most of them cater to vulnerable groups like victims of abuse, confessed drug users, migrant workers, persons with disabilities, indigenous people, senior citizens, and members of the LGBTQI+ community. Any incident involving the unlawful processing of their personal information could worsen their already precarious state. They may suffer loss of access to basic services, further discrimination, violence, and even death. On the part of CSOs, they may lose the trust of the people they seek to serve, taint their overall reputation, and eventually lose funding support.
Fortunately, some organizations are already shoring up their own privacy management programs, while others go so far as to establish standards for their peers to adopt or emulate. Take, for example, the Code of Ethics and Conduct for NGOs, which was developed by the Caucus of Development NGO Networks (CODE-NGO), a coalition of NGOs here in the Philippines. The need to protect stakeholder privacy is fully recognized in the said Code. Unfortunately, though, it is a non-binding document. On top of that, the numerous challenges that CSOs encounter in their work usually make data protection a secondary priority, if at all.
The result is a CSO sector with a significant knowledge gap in data protection. Many groups are still not aware of the Data Privacy Act of 2012, or at least fail to grasp it fully. Awareness-raising seminars and trainings are often expensive and frequently target those in the financial, health, education, and public sectors. Worse, many self-proclaimed experts who speak on these events are actually quite new to the field themselves. Combine these with insufficiency of resources—a perennial problem for CSOs—and data protection ends up becomes an overwhelming challenge.
Fortunately, the core principles behind data protection does not need to be expensive or too technical to implement. Simple security measures could already go a long way. Here are some tips to consider:
- Stop relying on practices and start writing down policies. Procedures or protocols for the collection and use of personal data should be enshrined in clear and simple written policies. It may be hard for some to follow or keep to formal processes, but policies make sure that data processing is done in a lawful and fair manner. They also lessen the risk of data breaches and other security incidents. Together, they can be developed into an organization’s privacy manual.
- Provide well-defined roles in relation to data protection. Everybody needs to know their respective responsibilities when it comes to data protection to avoid having people pointing fingers when a data breach or some other violation of the data protection law happens. Remember that data protection is not a job for one person. Even if a CSO has a DPO, everyone in the organization has a role to play to keep personal data safe and secure.
- Be careful when divulging information to others. People are often willing to entrust their information to CSOs because they need help. Every organization needs to appreciate this and avoid bringing more misery to people’s lives by recklessly disclosing or sharing their personal data with other persons or organizations—even if done with good intentions. There has to be a policy in place. One that features a criteria every request for data will be checked against. If the criteria is not met, data sharing will not be permitted.
- Make the most out of simple but effective security measures. An organization with no budget for data protection doesn’t have to give up on it. Even simple measures that cost very little (or nothing at all) can offer some degree of security. Locking drawers and cabinets, using strong passwords in electronic devices, and limiting access to data on a need-to-know basis, are just a few of the tricks that haven’t been completely rendered useless by modern technologies. Sadly, many people take this fact for granted.
- Use free online references and other resources. Since data protection laws adhere to common data protection principles, it is quite easy to refer to online materials (even those from other countries and international organizations) to jumpstart one’s deep dive into data protection. There are also plenty of free security tools available for download that offer protection like their paid counterparts.
- Include data protection in project and budget proposals. As more funders also become aware of the value of data protection, it may not also be a bad idea to try allocating a budget for this item in project proposals and implementation plans, and see how funders react. If anything, it may at least start a valuable dialogue regarding a common concern. Whenever possible, consider those measures that can be utilized by the organization even beyond specific projects or programs.
People need to keep in mind that data privacy is not a novel idea. Most CSOs may already be implementing many of its principles without them knowing it. In many cases, the only thing lacking is a basic understanding of the data protection law and how its provisions translate to actual measures and processes. Then, there’s the greater challenge of sustainability, which can only be achieved by making data protection an integral part of the culture of an organization.
It’s all part of the job, though. CSOs defend human rights, empower the weak, and give voice to the oppressed. With such big responsibilities, they, of all people, should appreciate the value of data privacy as a right; one that should not be dispensed with in one’s pursuit of justice and social development.
Maris Miranda is a Certified Information Privacy Manager. A former member of the Privacy Policy Office of the National Privacy Commission, she now serves as a resource speaker and consultant on privacy and data protection.