INGOs must share data and power with local partners – but that doesn’t mean dumping privacy risks onto them

Lori Roussey Governance, Power Shifts

In the future, more smaller, local aid organisations will be involved in collecting data – but their international partners must not forget they still have important ethical and legal duties when it comes to privacy, says Lori Roussey

A workshop held by Oxfam partner Adara, which works on women’s economic empowerment in Indonesia. Partners in Indonesia and elsewhere increasingly collect and manage data about their communities (Picture: M. Nugie and Andito Wasi/Oxfam)

Like many other international NGOs, Oxfam aims to become partner-led, sharing power and resources to support local organisations to deliver the humanitarian and development programmes that are best suited to their communities. Today, operating such programmes involves a huge amount of data collection and analysis to manage programmes, improve their effectiveness and monitor progress.

So, should we abandon our data collection and management responsibilities and leave them entirely to partners? Such a hands-off approach would, we argue, be both ethically and legally wrong. In this blog, we examine an important aspect of being partner-led that we think merits more attention in the sector: how INGOs manage data in partnerships with local organisations in ways that fulfil their ethical and legal data protection responsibilities.

Why we have an ethical duty to support partners in managing data

Oxfam and other INGOs often work with some of the most vulnerable and marginalised communities. This comes with considerable responsibility as it means we collect and process sensitive personal information that might be used to discriminate against certain groups or even put their lives at risk. For instance, data about people’s religion might be used to target violent attacks against them. Managing this data is therefore extremely high risk. Accountability is key here.

‘An ethical approach to being partner-led cannot lead to INGOs exposing grassroots organisations to enormous human rights risks’

Being partner-led could mean simply withdrawing from managing sensitive information and leaving that entirely to our local partners. That would be the wrong approach. Partners often operate in precarious environments, with fewer resources than we have. Suddenly withdrawing data handling support from such small organisations would in effect dump the data management risks onto them, exposing them to the highest data protection and human harm challenges.

At the same time, we should be aware that communities might ultimately want to have their data handled by people that fully understand the context they live in. The solution, therefore, is not to withdraw but to actively support organisations to manage data from their communities, minimising the risks while enabling communities to have their data handled by organisations they know and trust.

How GDPR leaves partners with unavoidable data responsibilities

Aside from the ethical concerns about giving up data management responsibilities, INGOs in many parts of the world cannot escape legal accountability for data collected, even if that is done in practice by partners.

Thanks to privacy rule reforms in many countries (such as Kenya, Nigeria, the European Union (EU) and, recently, Thailand), the legal standard for preventing human harm via the processing of personal information is high. As Oxfam’s biggest affiliates are European and Oxfam International is a Dutch entity, that means we have to adhere to the EU General Data Protection Regulation (GDPR).

‘GDPR means that, if I am involved in a project that collects sensitive data about people, I am accountable for upholding high data management standards’

Central to the EU’s privacy framework is the notion of the data controller. If I participate in setting the purpose and means of a project, I am a data controller.

Importantly, that means that if I am involved in a project that collects personal data about people, I am accountable for upholding high data management standards. Therefore, as a data controller I must invest resources in data protection and cybersecurity competences of whoever will manage people’s data, even if I do not directly access the data myself, in line with consistent EU case law (see for instance the highest EU court ruling C-40/17 Fashion ID). I must ensure that whoever handles individuals’ data for the project upholds the highest data standards. This is particularly crucial for sensitive data such as religious beliefs, as with GDPR the more sensitive the data is, the more rigorous data management is expected to be.

Oxfam therefore must reshape its operations to ensure we continue to operate as an accountable data controller while, importantly, empowering partners to uphold the high standards required by the GDPR. That will also help maximise the protection of the people we work with and the quality of partners’ support. For instance, when we provide resources to, say, a local organisation in Bombay to support communities of women to make a living out of their crafts, we must support the local organisation to secure the data, handle it responsibly and inform women properly about how, why, to whom and until when their personal data will be handled.

An ethical approach to being partner-led cannot lead to INGOs exposing grassroots organisations to enormous human rights risks, nor should it open the INGOs themselves to legal challenges and fines for breaching human rights laws. We must shape a partner-led future where we support partners across all aspects of data collection, security and management, making sure we do not leave them and the people they work with open to unnecessary risks or distress. 


Lori Roussey

Lori Roussey is Data Protection Officer for Oxfam International and Oxfam Great Britain