Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 4
Data Ethics

Defined simply, ethics are principles of behavior based on ideas of right and wrong. Ethical principles often focus on ideas such as fairness, respect, responsibility, integrity, justice, quality, reliability, transparency, and trust. Data handling ethics are concerned with how to procure, store, manage, use, and dispose of data in ways that are aligned with ethical principles. In other words, they are concerned with doing the right things with data and preventing the wrong things from being done with data, even when no one is looking.

Handling data – not only managing it, but using it and sharing it with other entities – in an ethical manner is necessary to the long-term success of any organization that wants to get value from its data. Unethical data handling can result in the loss of reputation and customers, because it puts at risk people whose data is exposed. In some cases, unethical practices are also illegal.12 Given the connection between the right to privacy and other human rights, data ethics are also a matter of social responsibility.13

This chapter will discuss the importance of the ethical handling of data. It will cover:

Why it is important to manage data ethically
The principles underlying ethical data handling
The benefits of taking an ethical approach to data management
How to establish an ethical approach to data management

Ethics and data management

The ethics of data handling center on several core concepts:

Impact on people: Data often represents characteristics of individual people (customers, employees, patients, vendors, etc.) and is used to make decisions that affect people’s lives. Ethics demands that data should be used only in ways that preserve human dignity.14
Potential for misuse: Misusing data can negatively affect people and organizations. This leads to an ethical imperative to prevent the misuse of data, especially through actions that do harm to the greater good.
Economic value of data: Data has economic value. Ethics of data ownership should determine how that value can be accessed and by whom.

Organizations protect data based largely on laws and regulatory requirements. Nevertheless, because data has an effect on people, data management professionals should recognize that there are ethical (as well as legal) reasons to protect data and ensure it is not misused. Even data that does not directly represent individuals, for example, data about the accessibility or distribution of resources, can still be used to make decisions that affect people’s lives.

There is an ethical imperative not only to protect data, but also to manage its quality. People making decisions, as well as those impacted by decisions, expect data to be complete and accurate so that they have a sound basis for decisions. From both a business and a technical perspective, data management professionals have an ethical responsibility to manage data in a way that reduces the risk that it may misrepresent, be misused, or be misunderstood. This responsibility extends across the data lifecycle, from creation to destruction of data.

Unfortunately, many organizations fail to recognize and respond to the ethical obligations inherent in data management. They may adopt a traditional technical perspective and profess not to understand the data. Or they assume that if they follow the letter of the law, they have no risk related to data handling. This is a dangerous assumption. The data environment is evolving rapidly. Organizations are using data in ways they would not have imagined even a few years ago. Analytics can learn things from data that many people still would not think possible.15

While laws codify some ethical principles, legislation cannot keep up with the risks associated with evolution of the data environment. Organizations must recognize and respond to their ethical obligation to protect data entrusted to them by fostering and sustaining a culture that values the ethical handling of information.

Ethical principles underlying privacy regulation

Public policy and law try to codify right and wrong based on ethical principles. But they cannot codify every circumstance. For example, privacy laws in the European Union, Canada, and the United States show different approaches to codifying data ethics. These principles can also provide a framework for organizational policy. The principles underlying the General Data Protection Regulation (GDPR) of the EU include:

Fairness, Lawfulness, Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes, and not processed in a manner that is incompatible with those purposes.
Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data must be accurate, and where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay.
Storage Limitation: Data must be kept in a form that permits identification of data subjects [individuals] for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Accountability: Data Controllers shall be responsible for, and be able to demonstrate compliance with these principles.

GDPR principles are balanced by and support certain qualified rights individuals have to their data, including the rights to access, rectification of inaccurate data, portability, the right to object to processing of personal data that may cause damage or distress, and erasure. When personal data is processed based on consent, that consent must be an affirmative action that is freely given, specific, informed, and unambiguous. The GDPR requires effective governance and documentation to enable and demonstrate compliance and mandates Privacy by Design.

Canadian privacy law combines a comprehensive regime of privacy protection with industry self-regulation. PIPEDA (Personal Information Protection and Electronic Documents Act) applies to every organization that collects, uses, and disseminates personal information in the course of commercial activities. It stipulates rules, with exceptions, that organizations must follow in their use of consumers’ personal information. Statutory obligations based on PIPEDA include:16

Accountability: An organization is responsible for personal information under its control and must designate an individual to be accountable for the organization’s compliance with the principle.
Identifying Purposes: An organization must identify the purposes for which personal information is collected at or before the time the information is collected.
Consent: An organization must obtain the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate.
Limiting Collection, Use, Disclosure, and Retention: The collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Accuracy: Personal information must be as accurate, complete, and as up-to-date as is necessary for the purposes for which it is to be used.
Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
Openness: An organization must make specific information about its policies and practices relating to the management of their personal information readily available to individuals.
Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Compliance Challenges: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

In March 2012, the US Federal Trade Commission (FTC) issued a report recommending organizations design and implement their own privacy programs based on best practices described in the report (i.e., Privacy by Design). The report reaffirms the FTC’s focus on Fair Information Processing Principles, which include:

Notice / Awareness: Data collectors must disclose their information practices before collecting personal information from consumers.
Choice / Consent: Consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided.
Access / Participation: Consumers should be able to view and contest the accuracy and completeness of data collected about them.
Integrity / Security: Data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.
Enforcement / Redress: The use of a reliable mechanism to impose sanctions for noncompliance with these fair information practices.

There is a global trend towards increasing legislative protection of individuals’ information privacy, following the standards set by EU legislation. Laws around the world place different kinds of restrictions on the movement of data across international boundaries. Even within a multinational organization, there will be legal limits to sharing information globally. It is therefore important that organizations have policies and guidelines that enable staff to follow legal requirements as well as use data within the risk appetite of the organization.

Ethics and competitive advantage

Organizations are increasingly recognizing that an ethical approach to data use is a competitive business advantage.17 Ethical data handling can increase the trustworthiness of an organization and the organization’s data and process outcomes. This can create better relationships between the organization and its stakeholders. Creating an ethical culture entails introducing proper governance, including institution of controls to ensure that both intended and resulting outcomes of data processing are ethical and do not violate trust or infringe on human dignity.

Data handling doesn’t happen in a vacuum. There are strong business reasons to handle data ethically:

Stakeholder expectations: Customers and other stakeholders expect ethical behavior and outcomes from businesses and their data processes.
Managing risk: Reducing the risk that data for which the organization is responsible will be misused by employees, customers, or partners is a primary reason to cultivate ethical principles for data handling.
Preventing misuse: There is also an ethical responsibility to secure data from criminals (i.e., to protect against hacking and potential data beaches).
Respecting ownership: Different models of data ownership influence the ethics of data handling. For example, technology has improved the ability of organizations to share data with each other. This ability means organizations need to make ethical decisions about their responsibility for sharing data that does not belong to them.

The emerging roles of Chief Data Officer, Chief Risk Officer, Chief Privacy Officer, and Chief Analytics Officer are focused on controlling risk by establishing acceptable practices for data handling. But responsibility extends beyond people in these roles. Handling data ethically requires organization-wide recognition of the risks associated with misuse of data, and organizational commitment to handling data based on principles that protect individuals and respect the imperatives related to data ownership.

Data governance can help ensure that ethical principles are followed for critical processes, such as deciding who can use data, as well as how they can use data. Data governance practitioners must consider the ethical risks of certain uses of data on stakeholders. They should manage these risks in a similar to how they manage data quality.

Establish a culture of ethical data handling

Establishing a culture of ethical data handling requires understanding existing practices, defining expected behaviors, codifying these in policies and a code of ethics, and providing training and oversight to enforce expected behaviors. As with other initiatives related to governing data and to changing culture, this process requires strong leadership.

Ethical handling of data obviously includes following the law. It also influences how data is analyzed, interpreted, and leveraged internally and externally. An organizational culture that values ethical behavior will not only have a code of conduct, it will also ensure that clear communication and governance controls are in place to support employees who become aware of unethical practices or risks. Employees need to be able to report such circumstances without fear of retaliation. Improving an organization’s ethical behavior regarding data often requires a formal Organizational Change Management (OCM) process (see Chapter 12).

Steps to establishing a culture of ethical data handling include:

Review current state data handling practices: Understand the degree to which current practices are directly and explicitly connected to ethical and compliance drivers; identify how well employees understand the ethical implications of existing practices in building and preserving the trust of customers, partners, and other stakeholders.
Identify principles, practices, and risk factors: Understand the risk that data might be misused and cause harm to customers, employees, vendors, other stakeholders, or the organization as a whole. In addition to industry-related risks, most organizations have specific risks, which may be related to their technology footprint, their rate of employee turnover, the means by which they collect customer data, or other factors. Principles should be aligned with risks (bad things that can happen if the principles are not adhered to) and practices (the right ways of doing things so that risks are avoided). Practices should be supported by controls.
Adopt a socially responsible ethical risk model: Executing business intelligence, analytics, and data science activities fairly requires an ethical perspective that looks beyond the boundaries of the organization and accounts for implications to the wider community. An ethical perspective is necessary not only because data can easily be misused but also because organizations have a social responsibility not to do harm with their data. A risk model can be used to determine whether to execute a project. It will also influence how to execute the project. Because data analytics projects are complex, people may not see the ethical challenges. Organizations need to actively identify potential risks. A risk model can help them do so (see Figure 7).
Create an ethical data handling strategy & roadmap: After a review of current state and the development of a set of principles, an organization can formalize a strategy to improve its data handling practices. This strategy must express both ethical principles and expected behavior related to data, expressed in values statements and a code of ethical behavior.

What you need to know

Organizations need to handle data ethically or they risk losing the good will of customers, employees, partners, and other stakeholders.
Data ethics are grounded in fundamental principles and ethical imperatives.
Data-related regulation is grounded in these same principles and imperatives, but regulation cannot cover every contingency. As such, organizations must account for the ethics of their own behavior.
Organizations should cultivate a culture of ethical responsibility for the data they handle, not only to ensure they comply with regulations, but also because it is the right thing to do.
Ultimately, ethical data handling provides a competitive advantage because it is the foundation for trust.

Numerous recent books describe the degree to which data science techniques have been used to influence political and economic processes in potentially unethical ways. See, for example, Stephens-Davidowitz, Seth. Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are. (Harper Collins, 2017.) O’Neil, Cathy. Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy. (Random House, 2016.) And Schneier, Bruce. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. (Norton, 2015.) The potential to misuse data has always existed. See Darell Huff’s 1954 classic How to Lie with Statistics. But in today’s world, the capacity to collect and analyze data has significantly increased the risk of misuse with significant social implications.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 4 Data Ethics

Create new playlist

Sign In

Sign Up

Chapter 4 Data Ethics

Table of Contents for
Chapter 4 Data Ethics

Chapter 4
Data Ethics