Introduction

With the rapid advancement of technology, ethically engaging with data is more imperative than ever, particularly in the realm of quantitative research. This is especially true for nonprofits, given the significant trust they are afforded due to the nature of their work. The Nonprofit Alliance highlights the gravity of nonprofit organizations’ responsibility to ensure data privacy, stating that “it is important to ensure that nonprofit organizations are ethical custodians of the data with which they are entrusted, and also have access to the information to enable them to further their missions.”[1] In quantitative research, this responsibility becomes even more pronounced, as the data collected and analyzed often form the backbone of strategic decisions and program evaluations.

Part of data ethics in quantitative research involves ensuring the confidentiality of the data collected, a principle many nonprofits are already familiar with. The National Council of Nonprofits emphasizes the importance of airtight data privacy for any nonprofit organization that engages in activities like e-commerce, electronically storing or transferring personally identifiable information (PII), or collecting data from website interactions.[2] The Council explains, “Many nonprofits collect and store sensitive personal information that is protected by [HIPAA] as confidential. When there is a breach of the confidentiality of those data, that poses a risk for the individuals whose data was disclosed, AND for the nonprofit that will now potentially be subject to liability for the breach.”[3]

Non-compliant organizations unwisely put their funding, resources, and even entire programs at risk, jeopardizing their relationships with beneficiaries and their overall impact.[4] For instance, Nonprofit Quarterly recounts how the well-respected Hospice of North Idaho faced a $50,000 HIPAA breach settlement after an unencrypted laptop containing ePHI was stolen, a seemingly small but costly infraction.[5] Beyond the financial loss, this breach likely damaged the organization’s hard-earned reputation, underscoring the critical importance of ethical data handling in all aspects of nonprofit work, including quantitative research.

How to Handle Data Ethically in Nonprofits

Given how much is at stake for nonprofit data and how imperative the need for ethical data practices, we have identified 5 strategies for ensuring ethical data handling in nonprofit quantitative research. These strategies consist of: Data Minimization, Protect What You Collect, Informed Consent and Transparency, Privacy Policy Maintenance, and Continuous Data Education.

Data Minimization

Data minimization is defined as “the idea that one should only collect and retain that personal data which is necessary.”[6] By collecting less information from potential donors and other individuals with whom they interact, nonprofit organizations are more likely to effectively engage their target demographic; people may prefer to share less information about themselves and therefore are less likely to interact with the nonprofit when more information is requested.[7] Furthermore, the less data is collected the less data organizations will have to protect from any potential breaches. The essence of data minimization is efficiency: nonprofits only need enough information to make data-driven decisions that promote the mission of the organization.

Protect What You Collect 

Nonprofit organizations have a responsibility to “protect what [they] collect”: any data they do deem necessary to collect must be securely protected from prying eyes. An organization cannot claim to engage in ethical data handling without sufficient security. This is especially the case for nonprofits given that they often harbor copious amounts of PPI; the breach of nonprofit data carries impactful risks for individuals whose sensitive information may be leaked. As such, nonprofits must double down on security measures for their collected data.[8] Failing to do so not only compromise the safety of the people whose data is leaked but also the organization’s image as a trustworthy entity.

Informed Consent and Transparency 

No data collection should take place without receiving informed, freely-given consent from the people providing information to the nonprofit. Organizations also have the responsibility to be transparent about how collected data will be used (and protected). While it may be true that companies and organizations regularly provide individuals with an endless deluge of terms and acknowledgements, a key aspect of consent is being informed; the sheer volume of terms often presented to website users effectively coerce users to consent just to access to the services provided by the organization or company.[9] According to the Electronic Frontier Foundation (EFF), “[The key] to keeping your visitors’ data safe is letting them know what information you are collecting, in clear and certain terms…[and] how you’re protecting their privacy.” The EFF also offers clear direction on what ethical consent collection looks like and what it does not look like ethical consent collection: this includes “dark patterns” or efforts to trick users into “consenting.” Dark Patterns include practices such as making it difficult to unsubscribe from emails or cancel a membership/free trial (e.g., having extra hoops to jump through to accomplish this).[10]

Privacy Policy Maintenance 

Nonprofits also have the responsibility to both create and regularly update a privacy policy. Given the frequency of data breaches, the average user needs additional evidence that a given organization can, in fact, be trusted. Beyond simply having a privacy policy, nonprofit organizations must also illustrate that they are committed to the interests and privacy of every user that visits their website; these policies must be written with the average user in mind. This includes being transparent, specific and comprehensive when writing out a privacy policy for a nonprofit website.[11] Privacy policies not only should be transparent in regards to which data they are collecting and what they do with it, the policy should also be easily visible on the site. Transparency also involves writing these policies in language accessible to the lay person. As the Nonprofit Hub website puts it, “drop the legalese.” While it may be wise to have an attorney review the policy once written, the average user should not have to have their own lawyer to understand what the privacy policy is saying. Furthermore, a privacy policy is an opportunity to discuss the specific ways in which one particular organization guards the data of its website’s users – this invokes the image of integrity that a copied and pasted privacy policy does not.

Continuous Data Education 

Of course, in order to effectively implement these other four strategies, continued data education for nonprofit employees is necessary. While a nonprofit may have some designated security specialists, all employees and volunteers who come in contact with user data must be well-versed in data ethics; one nonprofit resource refers to this as a “data ethics culture”.[12] The commitment to data ethics should be reflected in both the organization’s core objectives and all interactions with data. Any investment of resources in continued data ethics education is sure to be worth the effort; according to the U.S. Office of Government Ethics, “An agency’s ethics education program increases employees’ awareness of their ethical obligations, helps them identify ethics issues that may arise in the work they perform, and provides employees guidance and support for making ethical decisions.”[13] Indeed, ethics education efforts are sure to pay dividends to nonprofit organizations who invest.

Conclusion

In conclusion, ethical data handling is critical in every aspect of nonprofit work, including quantitative research. As Billie Joe Rogers of Reciprocal Consulting stated, “Data [are] an extension of a person or groups of people, and therefore should be treated as you would treat people—respectfully, data are the words, thoughts, feelings, expressions, interactions, and contributions from individual people, it is not abstract.”[14] In quantitative research, this principle is especially important, as large datasets can easily reduce individuals to mere numbers, risking the loss of their human context. Upholding ethical standards in research ensures that the people behind the data are treated with the dignity they deserve.

To this end, nonprofits must integrate key ethical strategies into their research practices. Data minimization involves collecting only what is necessary, which reduces the risk of breaches and makes data protection more manageable. Protecting collected data is paramount, especially when research involves sensitive personal information; robust security measures are essential to maintaining data integrity and participant trust.

Informed consent and transparency are vital, ensuring participants fully understand how their data will be used and safeguarded. A comprehensive and clear privacy policy further demonstrates a nonprofit’s commitment to ethical research practices. Continuous data education ensures that all staff involved in research understand the ethical implications of their work and adhere to best practices.

By embedding these principles into every stage of quantitative research, nonprofits can conduct studies that respect the individuals behind the data, uphold trust, and advance their missions with integrity.

Take Away

Large datasets can easily reduce individuals to mere numbers, risking the loss of their human context. Upholding ethical standards in research ensures that the people behind the data are treated with the dignity they deserve.

[1] The Nonprofit Alliance. Data Privacy. https://tnpa.org/get-involved/privacy/

[2] National Council of Nonprofits. Cybersecurity for Nonprofits. https://www.councilofnonprofits.org/running-nonprofit/administration-and-financial-management/cybersecurity-nonprofits

[3] National Council of Nonprofits. Cybersecurity for Nonprofits. https://www.councilofnonprofits.org/running-nonprofit/administration-and-financial-management/cybersecurity-nonprofits

[4] Bryan, S. Why Nonprofits Must Be Especially Careful with Their ePHI Data Security. Nonprofit Quarterly. https://nonprofitquarterly.org/nonprofits-must-especially-careful-ephi-data-security/

[5] McNamara, P. For the first time, a small data breach draws a big fine ($50k). Network World. https://www.networkworld.com/article/743718/security-for-the-first-time-a-small-data-breach-draws-a-big-fine-50k.html

[6] International Association of Privacy Professionals. Glossary of Privacy Terms. https://iapp.org/resources/glossary/#dark-patterns

[7] Cohen, R. Earning trust: the imperative of data privacy for nonprofits. National Council of Nonprofits. https://www.councilofnonprofits.org/articles/earning-trust-imperative-data-privacy-nonprofits

[8] Snyder, K. & Whaley, R. Building Data Ethics into Data Management – The Bright Side of Scary. Nonprofit Resource Hub. https://nonprofitresourcehub.org/building-data-ethics-into-data-management-the-bright-side-of-scary/

[9] Electronic Frontier Foundation. Online Privacy for Nonprofits: A Guide to Better Practices. https://www.eff.org/pages/online-privacy-nonprofits

[10] Dark Patterns Tip Line. Harms of Dark Patterns. https://darkpatternstipline.org/harms/

[11] Nonprofit Hub. Why Your Nonprofit Website Needs a Privacy Policy (And What to Include). https://nonprofithub.org/nonprofit-website-needs-privacy-policy-include/

[12] Snyder, K. & Whaley, R. Building Data Ethics into Data Management – The Bright Side of Scary. Nonprofit Resource Hub. https://nonprofitresourcehub.org/building-data-ethics-into-data-management-the-bright-side-of-scary/

[13] U.S. Office of Government Ethics. Education through Training & Advice. https://www.oge.gov/web/oge.nsf/ethicsofficials_education-through-training

[14] The David & Lucile Packard Foundation. New Resources: The Data Ethics Guidebook and Toolkit. https://www.packard.org/insights/publication/new-resources-the-data-ethics-guidebook-and-toolkit/