Empowering Civil Society Organizations to be better Data Guardians

Aapti Institute
Aapti Institute
Published in
9 min readMay 4, 2021


By Suha Mohamed

The need for Responsible Data Governance for Impact

Accelerated by the pandemic, civil society organisations (CSOs) are increasingly capturing data or partnering with other entities to unlock relevant information for societal benefit. Data-led efforts are critical, particularly in times of crisis when the lack of access to reliable administrative data can result in threats to individual and community livelihood, rights and dignity. For instance, Jan Sahas, a community-based organization that focuses on workers’ protection and safe migration in India, stores and manages massive volumes of data through their new initiative, the Migrants Resilience Collaborative, which includes a database of over 1.5 million migrant workers to facilitate relief, help them find employment and enable access to government services.

In contrast to past resistance and distrust of technology and data, the value of data is increasingly recognized by CSOs — whether it is to guide decision-making, act as an auditor for upward and downward accountability, help assess gaps or identify needs in service delivery, or be used to measure impact. This change in approach has in part been bolstered not just by the ubiquity of data, but also the vast data requirements for accessing any goods and services, made available by the government and private sector.

The increasing burden and demand on CSOs to be more data-led assumes that CSOs already possess technical skill sets and capabilities, when in fact, many are just starting their ‘digitization’ journeys — moving offline or analog systems online is a challenge in it of itself. Furthermore, without a focus on building foundational technical architecture or creating principles for collecting and governing data or investing in capacity, data efforts by CSOs often land up being “bandaid solutions”, at best.

As data becomes more ubiquitous to the work of CSOs, it’s important to ensure that these processes do not de-link data from the experiences and realities in which they are produced. In the face of rapid datafication, this also means being cognizant that vulnerable groups are most threatened by the lack of agency, transparency, and accountability around data which has often been used for further exclusion, surveillance, and exploitation. These concerns are amplified by data security risks. Even for larger international institutions, being able to securely manage data and enforce governance measures has been a challenge. For instance, in 2019, as a result of a data breach on a UNICEF learning portal, data on 8000 learners was released.

Taking note of these realities, a responsible data steward could preempt these risks and create necessary safeguards to protect users/beneficiaries against malicious attacks. More broadly, a steward’s responsibility would also be to ensure principles of data minimization are applied to prevent the overcollection of sensitive data, impose access controls or restrictions and demand transparency around data use and sharing — all elements that currently remain obscured. However, without a complete understanding of their role in the data economy and capacity to operationalize the role of a responsible data steward, CSOs may end up reinforcing data extractivism, instead of leading the resistance against it.

Imagining non-profits & community-based organizations as Good Data Stewards

Existing regulations like GDPR initially have already required civil society organizations to rehaul their systems for the purpose of compliance. Establishing data storage and handling policies were previously seen as a way to maintain ‘organizational resilience’ against potential threats or attacks by adversaries. Now, emerging policies are taking this a step further. NGOs and non-profits may be expected to play a more active role as ‘data custodians’. The proposed Non-Personal Data Protection Governance Framework in India, for example, suggests that communities must organize, and exercise their data rights through a non-profit organization.

A few organizations have started to demonstrate an interest in being responsible stewards of their community data, but the instantiation of protocol and governance practices still prove to be complex. The World Food Programme published a set of practices on data management/handling but were called out when an audit revealed glaring gaps in protection and safeguards when assessed for their own implementation.

Examples like these indicate a few areas of concern, particularly around capacity. To begin with, many smaller nonprofits often work in remote areas with limited bandwidth and maybe early in their stages of engaging with online systems for data collection. They also often do not have dedicated technical resources or may not be able to divert significant funding into building/adopting technical infrastructures that are human-centric. As a result, they tend to rely on outsourcing technical solutions or products — where possible.

There is little doubt that leveraging existing design tools for data collection, storage and management can prevent organizations from needing to recreate the wheel, save costs and most often increase efficiency. However, commercial tools and products that tend to be readily adopted by civil society, are often not designed to maximize privacy by design. In other cases, even where data collection tools are customized for nonprofits requirements and needs, our emerging research indicates that the ability to collect consent, govern data decision-making, facilitate agency of data generators are not typical services these platforms offer. These data governance aspects are usually left to the will and control of the end-user (in this case, CSOs) who may not prioritize or commit to these responsibilities — especially if they have limited resources or are in their early stages of operations.

While it has been observed that some non-profits are more readily understanding the potential value data can hold and are increasingly engaging in its collection — it is still often treated as an abstract or unused asset. A study carried out by Everyaction showed that 60% of don’t use data for decision making. Another major finding from this research showed that in organizations that do collect and use data, 49% of employees were unaware of its collection or governance. This is telling of organizations ability to fully take advantage of data but also sheds importance on how these processes may not be transparent and accessible to understand for stakeholders within and outside of the organization.

Although these concerns are important to surface, CSOs are still well placed to commit to a ‘duty of care’ on data rights — as an extension of their existing commitment to the individuals, communities and groups they serve. Recent writing is beginning to realise this role and argue that non-profits must play a bigger role in data rights as most organizations in this space are well embedded in communities and have established long-standing relationships of trust — a critical foundation for responsible and representative data governance.

If we are to envision the contours of this new role, CSOs could potentially also act as effective bulwarks against the range of private, profit-driven companies whose motivations lie in data extraction and unconsented brokerage. Similarly, CSOs could lead the way for individuals and communities to access and exercise their digital rights and strengthen their collective bargaining position when interacting with the State.

CSOs can also play a critical role in creating opportunities for greater representation or participation in data decision-making. This proposition also raises the concern of imposing an additional burden, similar to ‘consent fatigue’ around data governance on individuals and communities, particularly those from disenfranchised or vulnerable groups. It also remains to be seen whether individuals and communities would be motivated to engage in these affairs of data governance — particularly where a clear value proposition may not exist.

In thinking about these questions and how to collaboratively build solutions to enable a greater degree of transparency, accountability, participation, and security around data captured or unlocked by civil society we believe a layered approach to data stewardship is necessary.

Our emerging research and conversations with civil society organizations across the globe have helped us identify potential best practices that are useful to draw from. We’ve spotlighted these case studies by categorizing them as two broad, initial steps in the process of transforming into a data guardian:

STEP 1: Data literacy & community-building

Build communities of concern to equip them with knowledge, skills and power to reclaim control over their digital present and futures.

“Data Weapons aggressively expand state surveillance efforts, exponentially increase the ability of law enforcement and state actors to relentlessly punish and criminalize Black communities, limit the movements of Black people, and effectively transform Black neighborhoods into zones of heightened patrol and policing, mirroring the prisons and detention facilities that hold millions of our people captive everyday” — Data for Black Lives

  • Conversations with social enterprises like Abalobi, which empowers fishing communities across countries in Africa, revealed the importance of closely engaging with their beneficiary communities to both enrich data collected and assess data needs through Monthly Data Discussions. This inclusive fora allows individuals from the fishing community to take control of their own data narratives and better understand how it can reflect their needs and interests.
  • Organizations like Data Refuge work to surface narratives and use storytelling as a method to ensure their methods of data collection are community-driven, collaborative and reflect on-ground realities often obscured by mainstream data collection mechanisms.
  • Citizen-science projects like DECODE or TULIP Smart City bring together individuals to play an active role in collecting data on their neighbourhood and broader environment and helps them understand how they can use its insights to lobby and enact change in their own communities. Encouraging active participation can build trust and awareness around data and its collection which can be critical grounding necessary for engaging in further dialogue on issues like privacy and governance.

STEP 2: Leverage or transform existing community infrastructure

Facilitate participation in data governance and strengthen digital collectivization opportunities.

What needs to be unblocked?

In addition to our evolving research and analysis, there is already work being done to further support this journey for non-profits and social enterprises. Based on workshops and conversations with various civil society organizations, Stanford PACs has outlined how an organization’s operational values can define technical choices and legal considerations for non-profits.

Due consideration must also be taken of the earlier mentioned challenges around capacity, technical infrastructure/tools and funding.

Recently, the McGovern Foundation has called for philanthropies to prioritize support to non-profits in order that they can develop stewardship capabilities necessary for data empowerment. Their recent merge with the Cloudera Foundation and the new ‘Data and Society program’ also holds promise for CSOs and helps them gain access to grants, ‘technical expertise, short accelerator programs, and multiyear partnerships’.

Similarly, the Wellcom Trust has partnered with Sage BioNetworks to launch the ‘Wellcome Data Re-use Prizes’ to encourage innovation around data re-use. Sage Bionetworks is also engaged in piloting a global mental health databank.

Institutions, philanthropic foundations, and impact ventures like Omidyar Network and Rockefeller Foundation are also key stakeholders in this ecosystem, who have recognized barriers to responsible data governance for CSOs and are exploring funding pathways to promote research, pilot use-cases, and scale efforts.

However, questions remain that we should continue to discuss:

  • Do CSOs have the power and mechanisms to hold private and public stakeholders accountable for data decisions?
  • What are the responsibilities and mechanisms that might need to be put in place to both empower and safeguard individuals/communities?
  • What are the technical capacity requirements and skillsets required to transform this into an operational reality for CSOs?