Why Many NGOs In Ghana Are Still Not Compliant With Data Protection Laws

Non-governmental organisations (NGOs) play a vital role in Ghana’s social and economic development landscape. Across the country, they support education, public health, child protection, gender equality, humanitarian response, environmental protection, and community development initiatives.

Many of these organisations operate at the grassroots level, working directly with children, women, persons with disabilities, displaced populations, and other vulnerable groups who rely on NGOs for essential services and advocacy.
In carrying out this work, NGOs routinely collect, store, and share large volumes of personal data. This includes names, contact details, photographs, identification information, health and medical records, financial details, monitoring and evaluation data, and sensitive case files linked to safeguarding and protection programmes. Much of this data is highly sensitive and, if mishandled, can expose individuals to stigma, discrimination, exploitation, or physical harm.

Despite the central role of data in NGO operations, a significant number of NGOs in Ghana remain non-compliant with the Data Protection Act, 2012 (Act 843). This gap is rarely the result of intentional disregard for the law. Rather, it reflects structural challenges within the sector, including limited awareness of legal obligations, weak internal data governance systems, high staff and volunteer turnover, and an enforcement environment that has not fully adapted to the realities of NGO operations.

As NGOs increasingly rely on digital tools, mobile devices, cloud platforms, and cross-border partnerships, the risks associated with poor data protection practices continue to grow. Without deliberate action to strengthen compliance, the personal data of beneficiaries, staff, and partners remains exposed, undermining trust, accountability, and the long-term sustainability of the NGO sector in Ghana.

STRUCTURAL DRIVERS OF NON-COMPLIANCE IN THE NGO SECTOR

Low Registration Levels With The Data Protection Commission
One of the most visible indicators of data protection non-compliance within the NGO sector is the low level of registration with the Data Protection Commission of Ghana. The Data Protection Act, 2012 (Act 843) requires every data controller to register with the Commission before collecting, processing, or storing personal data. This obligation applies to all organisations, regardless of size, funding structure, or non-profit status.

In practice, many NGOs, particularly small, community-based, and volunteer-led organisations, remain unregistered. Some are unaware that the law applies to them at all, while others mistakenly believe that data protection requirements are intended only for banks, telecom companies, and large commercial entities. This misunderstanding is widespread and is often reinforced by limited access to targeted guidance for the NGO sector. As a result, a number of NGOs continue to operate without registering, renewing, or updating their data protection status, even as they manage extensive databases of beneficiaries, donors, staff, and partners. In some cases, organisations that initially registered fail to renew annually or to update their records when their data processing activities expand or change.

This gap in registration has broader implications. Without registration, the Data Protection Commission lacks visibility into how NGOs process personal data, and NGOs themselves miss an important opportunity to formalise internal accountability for data protection. Over time, this creates a compliance culture where legal obligations are overlooked until a breach, donor audit, or public complaint brings them into focus.

 

Weak Internal Data Governance Practices

Beyond the issue of registration, many NGOs in Ghana struggle with weak or informal internal data governance structures. Data protection responsibilities are often not clearly assigned within organisations. In many cases, there is no designated data protection or privacy focal person, and staff are left to manage personal data based on individual judgment rather than organisational policy.
Written data protection or privacy policies are frequently absent, outdated, or copied from templates that are not applied in practice. Clear rules on data retention, access control, data sharing, and secure disposal are often missing. Most NGOs also lack documented procedures for detecting, reporting, and responding to data breaches, making it difficult to act quickly when incidents occur.

In day-to-day operations, personal data is commonly stored across multiple uncoordinated platforms. Beneficiary and staff information may sit on personal laptops, mobile phones, WhatsApp chats, shared email inboxes, and cloud folders with little or no access restriction. Password sharing is common, devices are rarely encrypted, and backups are inconsistent.
High staff and volunteer turnover further compounds the problem. When individuals leave an organisation, access to email accounts, cloud storage, and shared platforms is often not formally revoked. Data stored on personal devices is rarely retrieved or deleted, creating long-term risks of loss, unauthorised access, or misuse. Over time, this fragmented approach to data management significantly increases exposure to breaches and undermines accountability.

HOW DATA BREACHES OCCUR DAILY IN THE NGO SPACE

Data breaches within NGOs are rarely the result of sophisticated cyberattacks or targeted hacking. In most cases, they occur quietly and repeatedly through routine operational practices that have become normalised over time. These breaches often go unnoticed or unreported, not because they are insignificant, but because they are not recognised as data protection incidents.
A common source of daily breaches is the use of personal mobile phones and laptops for official work. Field officers, volunteers, and programme staff frequently collect and store beneficiary data on personal devices that lack basic security controls such as passwords, encryption, or remote wipe capabilities. When devices are lost, stolen, or shared with others, sensitive information including photographs, health records, and case notes can be exposed without the organisation’s knowledge.

Informal communication platforms, particularly WhatsApp, also play a major role. NGOs routinely use messaging groups to coordinate activities, share reports, and follow up on cases. In many instances, sensitive personal data is shared in these groups, including names of beneficiaries, images of children, medical details, and safeguarding information. Once shared, this data can be forwarded, downloaded, or accessed by individuals who are no longer affiliated with the organisation, creating ongoing privacy risks.

Human error is another frequent cause of breaches. Emails containing sensitive attachments are sent to the wrong recipients, mailing lists are misused, and personal data is shared without verifying access permissions. Because many NGOs rely on free or personal email accounts, there are often no technical safeguards to prevent or detect these mistakes.
Online data collection tools also present risks when poorly configured. Forms used for registrations, surveys, or needs assessments are often deployed without privacy notices or access restrictions. Public sharing links remain active long after projects end, exposing stored data to unauthorised access. Staff turnover further increases exposure. When employees or volunteers leave, access to email accounts, cloud storage, and shared platforms is rarely reviewed or revoked promptly. Former staff may retain sensitive data indefinitely on personal devices or accounts.

Finally, data breaches are not limited to digital systems. Physical records containing personal information are frequently stored in unlocked cabinets, open offices, or shared spaces. Files may be misplaced, accessed by unauthorised individuals, or disposed of without proper shredding or secure handling.
Taken together, these everyday practices mean that data breaches in the NGO sector are not isolated events. They are a daily operational reality, exposing vulnerable individuals to harm and organisations to reputational, legal, and ethical risks.

HIGH-RISK OPERATIONAL PRACTICES DRIVING DATA EXPOSURE

Unsecured Mobile Phones and Laptops

Field officers, volunteers, and programme staff in many NGOs routinely rely on personal mobile phones and laptops to collect, store, and transmit beneficiary data. In most cases, organisations do not provide dedicated work devices, leaving staff to use personal equipment for official activities.

These devices are frequently:
• Not protected by strong passwords, biometric locks, or encryption
• Used for both personal and work-related activities
• Shared with family members or colleagues
• Lost, stolen, or damaged during fieldwork or travel.

As a result, sensitive personal data, including beneficiary databases, photographs of children, health records, safeguarding reports, and case notes, is often stored on unsecured devices. When such a device is lost or compromised, the organisation may not even be aware that a data breach has occurred, particularly in the absence of incident reporting or monitoring procedures.
This practice exposes vulnerable individuals to significant risk and places NGOs in breach of their legal and ethical obligations to protect personal data under Ghana’s data protection framework.

WhatsApp and Informal Messaging Groups

WhatsApp is widely used by NGOs for daily coordination, reporting, and communication, particularly in field-based operations. While the platform offers convenience and speed, it is frequently used in ways that expose sensitive personal data to unauthorised access.
In many cases, NGO staff and volunteers share sensitive information in WhatsApp group chats, including:

• Names and contact details of beneficiaries
• Photographs of children and other vulnerable individuals
• Health, medical, and safeguarding information
• Case follow-up notes and internal assessments.

Once shared in a group, this information is difficult to control. Messages, images, and documents can be forwarded, downloaded, or saved outside the organisation’s oversight. Group members may exit the organisation but still retain access to historical messages and files, including sensitive data collected over long periods. In addition, WhatsApp groups are often created informally, without clear rules on membership, data sharing, or retention. Phones are shared, accounts are linked to personal numbers, and backups may be stored on personal cloud accounts. As a result, personal data can remain accessible long after its original purpose has ended.
These practices create ongoing data protection risks and make it difficult for NGOs to meet their legal obligations to limit access, control sharing, and protect the confidentiality of personal data.

Email Misdelivery and Open Mailing Lists

Simple human errors account for a significant number of daily data breaches within NGOs. These incidents are rarely malicious. They occur during routine communication and reporting activities and are often overlooked or normalised.
Common examples include:

• Sending reports, spreadsheets, or beneficiary lists to the wrong email address
• Using the CC field instead of BCC when emailing large groups, thereby exposing recipients’ contact details
• Forwarding sensitive attachments without confirming who has access to the information

Many NGOs rely on free or personal email accounts for official communication, particularly where organisational email systems are unavailable. In such cases, there are often no technical safeguards such as access controls, data loss prevention tools, or delivery warnings to prevent or detect misdirected emails.
Once an email is sent to the wrong recipient, the organisation loses control over the information. Sensitive data may be downloaded, shared further, or stored indefinitely outside the NGO’s oversight. In the absence of clear breach reporting procedures, these incidents frequently go unreported, increasing both legal and reputational risk.


End of Part 1
