“In our work with vulnerable people, every question we ask is a doorway—to trust, to dignity, or to harm.“ [i] The People-First Intake Charter
Canadian nonprofits take advocating on behalf of clients very seriously; we now need to take protecting our clients and their data just as seriously.
Nonprofits need a digital data container that keeps sensitive information secure, compliant with privacy law, and protected from misuse by generative AI systems (eg. ChatGPT, Gemini, CoPilot, Claude). For organizations working with First Nations’ communities, they must also respect Indigenous data sovereignty and associated governance principles. While data containers may sound like high-tech jargon, they are simple processes to understand what data is, how you collect it and use it, and where you store it.
5 areas of a digital data container
A digital data container is the combination of 5 areas that together keep data inside protected systems and out of public or uncontrolled tools like GenAI.
- Secure storage (cloud or on‑premise, like external hard drives)
- Permissions and Access Controls
- Encryption
- Backups
- Policies
For Indigenous‑related data, the container is also a governance space where Indigenous partners hold or share ownership, control, access, and possession of their data. This is called OCAP [ii]. Nonprofits need to learn about OCAP and to collaborate with First Nations’ organizations to ensure their data is being treated appropriately.
Designing the container
Think of it like a sheep pen and sheep. Data is the sheep. You don’t want them wandering around, exposed to wolves; you want to move them into the pen and then close the gate.
Sheep pen = data container.
You already have a great deal of ‘data’. So, start by identifying it – donors, clients, staff, financial, program data. Where do you keep it? Who has access? Who should have access? Note that very little client data should be accessible to everyone. While nonprofits may desire ‘open’ information for all, it is not a good process when it comes to clients’ personal data. If everyone in the organization can identify clients and access their personal information, it places the people you serve at risk of exposure outside the organization, especially when staff are using ‘Shadow AI’ (Generative AI being used personally to support their work at the agency). Consider the stories of people accidentally finding their work content and emails available on the internet through an unintended search. The risk to clients is too great to allow this to happen.
The next step is to classify the data as a) highly sensitive, b) confidential, c) internal, or d) public. In the case of public sharing (website, reports, evaluations), ensure the data is anonymized. If funders are looking for stats on service delivery, randomize the data. It won’t change the results. Once you set up these systems, you won’t have to redo them. Client data will be treated respectfully and carefully going forward.
Now you can construct the actual ‘container’. In reality, it’s just cleaning up your processes with a better understanding of data handling.
- Use a primary email and a system for sorting the emails/information received.
- Turn on safety features in your CRM for all inputting or exporting of data.
- Have a password manager with multi‑factor authentication, and encryption.
- Schedule regular automatic backups.
- Special handling should be done for Indigenous‑related data as determined with the relevant communities.
Learning more about data privacy
Canadian nonprofits can draw on support from organizations that provide discounted software, security tools, and training, such as TechSoup. Community Manager, Eli van der Giessen, strongly urges nonprofits to attend the free webinars to gain information. There is also a $200 membership that provides training, mentorship, and guidance. $200 is a small price to protect clients from accidental AI intrusions.
There are also nonprofit data initiatives from the Canadian Centre for Nonprofit Digital Resilience. Jason Shim, Chief Digital Officer, and other staff have worked hard to create the Nonprofit AI Impact Hub that offers guidance on cybersecurity, cloud choices (storage and backups), and governance for small organizations.
Heather Cayouette, workshop facilitator and consultant with newpact, typically works with small nonprofits to help with operational and cultural change, especially regarding data. In her article, “Why Privacy Matters More Than Ever”, she speaks about how expectations have changed for nonprofits.
- Funders want proof you’re handling data responsibly
- Clients and communities assume their information is safe
- Staff want clarity, consistency, and protection—but they also need ways to do this that are simple and fast
- And governments are introducing stricter privacy laws with real penalties
Nonprofits need to use a risk lens to set policies that work with their data, to support clients and protect their organization’s Mission and Values. You don’t have to do it all at once, and you don’t have to do it alone.
Indigenous data sovereignty at the core. Not to be overlooked.
Indigenous data sovereignty in Canada affirms that Indigenous Nations have the right to govern data about their peoples, communities, and territories, including how it is collected, stored, accessed, and used in digital systems. Nonprofits working with Indigenous partners should co‑design data governance agreements that specify where data is housed, who can access it, how long it is kept, how it may be shared, and whether AI tools can be used at all, aligning with Indigenous‑defined frameworks and free, prior, and informed consent.
You already have the data; close the gate
The same principles for Indigenous data sovereignty can be applied to your clients’ data. They are good reminders that inside your container, you hold sensitive client information. These principles require you to be transparent and mindful of what you have collected, how you are storing it and for how long, and that you have asked for and been given consent. You are now the protector of that data. Shield it from potential harm, including from AI and other risks, as you work confidently to support your clients’ interests. Take care of your sheep and close the pen!
Further reading and resources
- Canadian Centre for Nonprofit Digital Resilience – Programs, guides, and sector‑wide work on nonprofit digital resilience and secure technology adoption.
- TechSoup Canada – Discounted software, security tools, and articles on nonprofit IT and cybersecurity (including recent security‑focused pieces).
- Community Foundations of Canada, “Cybersecurity and Privacy” fact sheet – Practical overview of baseline cyber hygiene for small organizations.
- SFU Library, “Indigenous Data Sovereignty” – Introductory guide linking Indigenous data sovereignty to UNDRIP, OCAP, and related principles in a Canadian context.
- OCAP resources and fact sheets (e.g., Indigitize OCAP fact sheet) – Plain‑language explanations of Ownership, Control, Access, and Possession, and their implications for digital data governance.
[i] “The People-First Intake Charter” Islamic Family Association islamicfamily.ca/datacharter
[ii] “The First Nations Principles of OCAP” First Nations Information governance Centre https://fnigc.ca/ocap-training/
Tina Crouse is an AI Ethics & Strategy Specialist; a ResponsibleAI Practitioner; a Management Consultant and the Creator of the Grant Gauge™. She is a member of Women in AI Canada; Women Defining AI; Women in AI Ethics; The AI Collective; Ottawa Responsible AI Hub.
Article: This article was written with editing and accuracy checking by Perplexity.ai and Gemini.ai. All interviews were conducted in-person by the author.
The views expressed in this article are the author’s alone and do not necessarily represent those of CharityVillage.com or any other individual or entity with whom the authors or website may be affiliated. CharityVillage.com is not liable for any content that may be considered offensive, inappropriate, defamatory, or inaccurate or in breach of third-party rights of privacy, copyright, or trademark.
