Jan 2026

WHY MANY NGOS IN GHANA ARE STILL NOT COMPLIANT WITH DATA PROTECTION LAWS

 

1.1 INTRODUCTION

 

Non-governmental organisations (NGOs) play a vital role in Ghana’s social and economic development landscape. Across the country, they support education, public health, child protection, gender equality, humanitarian response, environmental protection, and community development initiatives. Many of these organisations operate at the grassroots level, working directly with children, women, persons with disabilities, displaced populations, and other vulnerable groups who rely on NGOs for essential services and advocacy.


In carrying out this work, NGOs routinely collect, store, and share large volumes of personal data. This includes names, contact details, photographs, identification information, health and medical records, financial details, monitoring and evaluation data, and sensitive case files linked to safeguarding and protection programmes. Much of this data is highly sensitive and, if mishandled, can expose individuals to stigma, discrimination, exploitation, or physical harm.


Despite the central role of data in NGO operations, a significant number of NGOs in Ghana remain non-compliant with the Data Protection Act, 2012 (Act 843). This gap is rarely the result of intentional disregard for the law. Rather, it reflects structural challenges within the sector, including limited awareness of legal obligations, weak internal data governance systems, high staff and volunteer turnover, and an enforcement environment that has not fully adapted to the realities of NGO operations.


As NGOs increasingly rely on digital tools, mobile devices, cloud platforms, and cross-border partnerships, the risks associated with poor data protection practices continue to grow. Without deliberate action to strengthen compliance, the personal data of beneficiaries, staff, and partners remains exposed, undermining trust, accountability, and the long-term sustainability of the NGO sector in Ghana.

 

1.2 STRUCTURAL DRIVERS OF NON-COMPLIANCE IN THE NGO SECTOR

 

1.2.1      Low Registration Levels With The Data Protection Commission

One of the most visible indicators of data protection non-compliance within the NGO sector is the low level of registration with the Data Protection Commission of Ghana. The Data Protection Act, 2012 (Act 843) requires every data controller to register with the Commission before collecting, processing, or storing personal data. This obligation applies to all organisations, regardless of size, funding structure, or non-profit status.

In practice, many NGOs, particularly small, community-based, and volunteer-led organisations, remain unregistered. Some are unaware that the law applies to them at all, while others mistakenly believe that data protection requirements are intended only for banks, telecom companies, and large commercial entities. This misunderstanding is widespread and is often reinforced by limited access to targeted guidance for the NGO sector.


As a result, a number of NGOs continue to operate without registering, renewing, or updating their data protection status, even as they manage extensive databases of beneficiaries, donors, staff, and partners. In some cases, organisations that initially registered fail to renew annually or to update their records when their data processing activities expand or change.

This gap in registration has broader implications. Without registration, the Data Protection Commission lacks visibility into how NGOs process personal data, and NGOs themselves miss an important opportunity to formalise internal accountability for data protection. Over time, this creates a compliance culture where legal obligations are overlooked until a breach, donor audit, or public complaint brings them into focus.


1.2.2      Weak Internal Data Governance Practices

 

Beyond the issue of registration, many NGOs in Ghana struggle with weak or informal internal data governance structures. Data protection responsibilities are often not clearly assigned within organisations. In many cases, there is no designated data protection or privacy focal person, and staff are left to manage personal data based on individual judgment rather than organisational policy.


Written data protection or privacy policies are frequently absent, outdated, or copied from templates that are not applied in practice. Clear rules on data retention, access control, data sharing, and secure disposal are often missing. Most NGOs also lack documented procedures for detecting, reporting, and responding to data breaches, making it difficult to act quickly when incidents occur.


In day-to-day operations, personal data is commonly stored across multiple uncoordinated platforms. Beneficiary and staff information may sit on personal laptops, mobile phones, WhatsApp chats, shared email inboxes, and cloud folders with little or no access restriction. Password sharing is common, devices are rarely encrypted, and backups are inconsistent.


High staff and volunteer turnover further compounds the problem. When individuals leave an organisation, access to email accounts, cloud storage, and shared platforms is often not formally revoked. Data stored on personal devices is rarely retrieved or deleted, creating long-term risks of loss, unauthorised access, or misuse. Over time, this fragmented approach to data management significantly increases exposure to breaches and undermines accountability.



1.3 HOW DATA BREACHES OCCUR DAILY IN THE NGO SPACE

Data breaches within NGOs are rarely the result of sophisticated cyberattacks or targeted hacking. In most cases, they occur quietly and repeatedly through routine operational practices that have become normalised over time. These breaches often go unnoticed or unreported, not because they are insignificant, but because they are not recognised as data protection incidents.

A common source of daily breaches is the use of personal mobile phones and laptops for official work. Field officers, volunteers, and programme staff frequently collect and store beneficiary data on personal devices that lack basic security controls such as passwords, encryption, or remote wipe capabilities. When devices are lost, stolen, or shared with others, sensitive information including photographs, health records, and case notes can be exposed without the organisation’s knowledge.

Informal communication platforms, particularly WhatsApp, also play a major role. NGOs routinely use messaging groups to coordinate activities, share reports, and follow up on cases. In many instances, sensitive personal data is shared in these groups, including names of beneficiaries, images of children, medical details, and safeguarding information. Once shared, this data can be forwarded, downloaded, or accessed by individuals who are no longer affiliated with the organisation, creating ongoing privacy risks.

Human error is another frequent cause of breaches. Emails containing sensitive attachments are sent to the wrong recipients, mailing lists are misused, and personal data is shared without verifying access permissions. Because many NGOs rely on free or personal email accounts, there are often no technical safeguards to prevent or detect these mistakes.

Online data collection tools also present risks when poorly configured. Forms used for registrations, surveys, or needs assessments are often deployed without privacy notices or access restrictions. Public sharing links remain active long after projects end, exposing stored data to unauthorised access.

Staff turnover further increases exposure. When employees or volunteers leave, access to email accounts, cloud storage, and shared platforms is rarely reviewed or revoked promptly. Former staff may retain sensitive data indefinitely on personal devices or accounts.

Finally, data breaches are not limited to digital systems. Physical records containing personal information are frequently stored in unlocked cabinets, open offices, or shared spaces. Files may be misplaced, accessed by unauthorised individuals, or disposed of without proper shredding or secure handling.

Taken together, these everyday practices mean that data breaches in the NGO sector are not isolated events. They are a daily operational reality, exposing vulnerable individuals to harm and organisations to reputational, legal, and ethical risks.



1.4 HIGH-RISK OPERATIONAL PRACTICES DRIVING DATA EXPOSURE

 

1.4.1      Unsecured Mobile Phones and Laptops


Field officers, volunteers, and programme staff in many NGOs routinely rely on personal mobile phones and laptops to collect, store, and transmit beneficiary data. In most cases, organisations do not provide dedicated work devices, leaving staff to use personal equipment for official activities.


These devices are frequently:

  • Not protected by strong passwords, biometric locks, or encryption
  • Used for both personal and work-related activities
  • Shared with family members or colleagues
  • Lost, stolen, or damaged during fieldwork or travel

As a result, sensitive personal data, including beneficiary databases, photographs of children, health records, safeguarding reports, and case notes, is often stored on unsecured devices. When such a device is lost or compromised, the organisation may not even be aware that a data breach has occurred, particularly in the absence of incident reporting or monitoring procedures.

This practice exposes vulnerable individuals to significant risk and places NGOs in breach of their legal and ethical obligations to protect personal data under Ghana’s data protection framework.



1.4.2      WhatsApp and Informal Messaging Groups

WhatsApp is widely used by NGOs for daily coordination, reporting, and communication, particularly in field-based operations. While the platform offers convenience and speed, it is frequently used in ways that expose sensitive personal data to unauthorised access.

In many cases, NGO staff and volunteers share sensitive information in WhatsApp group chats, including:

  • Names and contact details of beneficiaries
  • Photographs of children and other vulnerable individuals
  • Health, medical, and safeguarding information
  • Case follow-up notes and internal assessments

Once shared in a group, this information is difficult to control. Messages, images, and documents can be forwarded, downloaded, or saved outside the organisation’s oversight. Group members may exit the organisation but still retain access to historical messages and files, including sensitive data collected over long periods.

In addition, WhatsApp groups are often created informally, without clear rules on membership, data sharing, or retention. Phones are shared, accounts are linked to personal numbers, and backups may be stored on personal cloud accounts. As a result, personal data can remain accessible long after its original purpose has ended.

These practices create ongoing data protection risks and make it difficult for NGOs to meet their legal obligations to limit access, control sharing, and protect the confidentiality of personal data.



1.4.3      Email Misdelivery and Open Mailing Lists

Simple human errors account for a significant number of daily data breaches within NGOs. These incidents are rarely malicious. They occur during routine communication and reporting activities and are often overlooked or normalised.

Common examples include:

  • Sending reports, spreadsheets, or beneficiary lists to the wrong email address
  • Using the CC field instead of BCC when emailing large groups, thereby exposing recipients’ contact details
  • Forwarding sensitive attachments without confirming who has access to the information


Many NGOs rely on free or personal email accounts for official communication, particularly where organisational email systems are unavailable. In such cases, there are often no technical safeguards such as access controls, data loss prevention tools, or delivery warnings to prevent or detect misdirected emails.

Once an email is sent to the wrong recipient, the organisation loses control over the information. Sensitive data may be downloaded, shared further, or stored indefinitely outside the NGO’s oversight. In the absence of clear breach reporting procedures, these incidents frequently go unreported, increasing both legal and reputational risk.


 

1.4.4      Insecure Online Forms and Surveys

 

NGOs frequently rely on online forms and survey tools to collect personal data for registrations, needs assessments, baseline studies, and monitoring and evaluation activities. While these tools are convenient and cost-effective, they are often deployed without adequate data protection safeguards.

In many cases, online forms are used:

  • Without clear privacy notices explaining how data will be used, stored, or shared
  • Without access restrictions or authentication controls
  • With public or unrestricted sharing links

As a result, anyone with the link may access, view, edit, or download the collected data. In some instances, forms remain active long after projects have ended, leaving historical beneficiary data exposed to unauthorised access or accidental disclosure.

Because these platforms are often managed by individual staff members rather than the organisation, access credentials are rarely transferred or revoked when staff leave. This further increases the risk of long-term data exposure and makes it difficult for NGOs to track where data is stored and who has access to it.


 

1.4.5      Staff Turnover and Volunteer Exit

High staff and volunteer turnover is a common reality in the NGO sector, particularly for project-based and field-driven organisations. However, many NGOs do not have structured exit procedures to manage access to personal data when individuals leave.


In practice, when staff members, interns, or volunteers exit an organisation:

  • Email accounts often remain active
  • Access to cloud storage, shared drives, and collaboration platforms is not reviewed or revoked
  • Personal data stored on individual laptops, mobile phones, or external drives is not retrieved or securely deleted

As a result, former staff and volunteers may continue to have access to sensitive information long after their engagement has ended. This includes beneficiary records, safeguarding files, donor reports, and internal assessments.

Over time, this creates persistent data leakage risks that are difficult to detect or control. Without clear offboarding processes and accountability, NGOs may unknowingly retain exposure to breaches, misuse, or unauthorised disclosure of personal data.

 

 

1.4.6      Uncontrolled Data Sharing With Partners and Donors

To meet reporting, monitoring, and accountability requirements, NGOs routinely share personal data with partners, consultants, and donors. This may include beneficiary lists, survey datasets, case records, photographs, and monitoring reports. While data sharing is often necessary for programme delivery and funding compliance, it is frequently done without adequate safeguards.

In many cases, data is shared:

  • Without formal data sharing or data processing agreements
  • Without applying data minimisation, resulting in the transfer of more information than is necessary
  • Without clear limits on how long the receiving party may retain the data

Once personal data is shared in this way, the NGO loses visibility and control over how that data is stored, reused, or further transferred. The receiving party may store the data on unsecured systems, share it with additional third parties, or retain it indefinitely for purposes beyond the original project.

This lack of control creates significant legal and ethical risks, particularly where sensitive data relating to children, health, or vulnerable populations is involved. It also exposes NGOs to reputational damage and potential liability, even when the breach occurs outside their direct systems. 

 

1.4.7      Physical Files and Paper Records

Data breaches within NGOs are not limited to digital systems. Many organisations continue to rely heavily on physical files and paper records, particularly for case management, safeguarding, beneficiary registration, and financial documentation. These records often contain highly sensitive personal information.

In practice, physical files are frequently stored in:

  • Unlocked cabinets or drawers
  • Open offices accessible to multiple staff or visitors
  • Shared spaces used by different programmes or organisations

As a result, files may be accessed by unauthorised persons, misplaced during routine office activities, or removed without proper tracking. In some cases, old records are discarded in general waste without shredding or secure disposal, exposing personal data to unintended disclosure.

Because physical records are often overlooked in data protection discussions, breaches involving paper files may go unnoticed or unreported. Yet the risks are just as serious as digital breaches, particularly where records involve children, health information, or safeguarding cases.



1.4.8      Informal Use of Digital Tools and Platforms

These daily practices point to a broader structural challenge within the NGO sector. NGOs understandably rely on low-cost, easily accessible digital tools to deliver programmes, coordinate teams, and report to partners. However, when these tools are used without basic data protection awareness or controls, operational convenience quickly turns into risk.

Personal devices, free cloud services, messaging apps, and online forms often become de facto organisational systems without clear ownership, oversight, or security standards. Over time, this informal approach normalises unsafe data handling practices and makes it difficult for organisations to track where personal data is stored, who has access to it, and how long it is retained.

Most data breaches in the NGO space go unreported, not because they are minor, but because they are not recognised as breaches under the law. Without clear incident reporting procedures or staff training, accidental disclosures, lost devices, and unauthorised access are often treated as routine operational issues rather than legal and safeguarding incidents.

This gap between everyday practice and legal responsibility leaves NGOs exposed to repeated, unnoticed breaches and undermines their ability to protect the people they serve.



1.5 UNDERLYING KNOWLEDGE AND CAPACITY GAPS

 

1.5.1      Limited Understanding of Sensitive Personal Data

 

A recurring challenge within the NGO sector is the limited understanding of what constitutes sensitive personal data and the level of protection it requires. Under Ghana’s data protection framework, information relating to children, health status, survivors of abuse, persons with disabilities, and economically vulnerable individuals is considered highly sensitive and demands enhanced safeguards.

In practice, this distinction is often poorly understood. Sensitive data is frequently collected and handled in the same way as ordinary contact information. During field activities, photographs of children and vulnerable individuals are taken and shared without adequate consent or safeguards. Case details and health information are included in reports, presentations, and donor submissions without anonymisation. In some instances, sensitive data is transferred to partners or stored on unsecured platforms without any additional protections.

These practices significantly increase the risk of harm to affected individuals, including stigma, discrimination, exploitation, or re-identification. They also expose NGOs to serious legal, ethical, and reputational risks. Without a clear understanding of sensitive personal data and how it should be handled, organisations may inadvertently undermine the very communities they seek to protect.


1.5.2      Cross-Border Data Transfers Without Adequate Safeguards

Many NGOs in Ghana work closely with international donors, implementing partners, consultants, and technology service providers. As part of these relationships, personal data is frequently transferred outside Ghana for reporting, monitoring, analysis, storage, or technical support purposes. These transfers often involve sensitive information relating to beneficiaries, staff, and volunteers.

In practice, cross-border data transfers are commonly carried out without assessing whether the receiving country provides adequate data protection safeguards. Data is shared without formal data processing or data transfer agreements, and affected individuals are often not informed that their personal data will be transferred outside Ghana.

Once personal data leaves Ghana, NGOs typically have limited visibility or control over how that data is stored, accessed, reused, or further transferred. This significantly increases the risk of unauthorised access, secondary use, or indefinite retention, particularly where sensitive data relating to children, health, or vulnerable populations is involved.

The experience of the European Union offers an important reference point. Under the EU’s data protection framework, cross-border data transfers are permitted only where adequate safeguards exist. Organisations remain accountable for personal data even after it is transferred, and individuals must be informed about where their data is going and how it will be used.

This approach highlights a key principle that is highly relevant for NGOs in Ghana: international collaboration does not justify uncontrolled data sharing. Responsibility for personal data does not end once it is sent to a foreign partner or donor. Clear agreements, transparency to beneficiaries, and enforceable safeguards must accompany the data wherever it goes.


While Ghana does not need to replicate the EU model in full, the underlying principles are instructive. Cross-border data transfers should be treated as high-risk activities that require deliberate controls, not routine administrative actions. Without such safeguards, NGOs expose themselves and the communities they serve to significant legal, ethical, and reputational risks.


1.5.3      The Way Forward: Institutional Collaboration as a Compliance Lever

Improving data protection compliance within the NGO sector requires a system-level response rather than isolated awareness efforts. A practical and sustainable solution lies in formal institutional collaboration between the Data Protection Commission of Ghana, the Department of Social Welfare, the Office of the Registrar of Companies, and the Non-Profit Organisation Secretariat.

Most NGOs in Ghana already interact with one or more of these institutions as part of their licensing, registration, accreditation, or sector recognition processes. This existing oversight framework presents a clear opportunity to embed data protection compliance into processes that NGOs already understand and comply with.

Linking NGO registration, renewal, or certification to proof of valid Data Protection Commission registration would significantly raise compliance levels. In addition, NGOs could be required to identify a basic privacy or data protection contact person and confirm the existence of minimum data handling practices, such as secure storage and controlled data sharing. These requirements can be implemented without creating complex or costly compliance burdens.


Beyond enforcement, collaboration should prioritise support. Joint guidance notes, sector-specific training, and coordinated capacity-building initiatives would help NGOs understand what compliance looks like in practice. Time-bound and incentive-based compliance windows would further encourage voluntary regularisation, particularly for small and community-based organisations with limited resources.

By embedding data protection into existing NGO governance and oversight structures, compliance becomes a normal operational requirement rather than a separate regulatory burden. This approach strengthens accountability, protects vulnerable populations, and supports the long-term credibility and sustainability of Ghana’s NGO sector.


 

1.6 CONCLUSION

Data protection breaches within the NGO sector are not rare or exceptional incidents. They occur daily through routine practices that have become normalised across operations, fieldwork, reporting, and communication. For organisations that work closely with children, survivors of abuse, persons with disabilities, and other vulnerable populations, these breaches carry real and lasting risks, including harm to individuals, loss of public trust, and growing legal exposure.

Data protection compliance must therefore be understood as more than a regulatory obligation. It is a core safeguarding responsibility and an ethical duty that directly aligns with the values and missions of NGOs. Protecting personal data is inseparable from protecting people.

By strengthening awareness, improving internal data governance practices, and embedding compliance through collaboration between regulatory authorities and NGO sector bodies, Ghana can move toward a more accountable and resilient NGO ecosystem. In an increasingly digital environment, safeguarding personal data is essential to maintaining trust, protecting vulnerable communities, and ensuring the long-term sustainability of the sector.