Data Privacy and Ethics: Building Trust in the Information Age
The ongoing shift from manufacturing toward information-based economies has increased the drive for collection, storage, and use of vast quantities of personal data. Entities managing this data must comply with privacy regulations specific to industry and location. However, growing public awareness and concern about misuse of personal data is leading organizations to revisit governance on data privacy and ethics. Data security has expanded beyond the legal realm and is now recognized as a morality issue and key component of stakeholder confidence.
Regulatory versus Ethical Compliance in Data Privacy
Personal information an organization collects falls on a scale between entirely private and entirely public. Views on privacy are not absolute; they vary with geographic location, culture, industry, type of information, and the individual involved.
Governance related to data defines which pieces of data are private and which are public, reflecting the prevailing views within the organization’s ecosystem. In some cases, local jurisdictional bodies enact laws, regulations, or guidelines that organizations must follow.
Regulatory compliance refers to an organization’s practices and procedures put in place, often by a dedicated privacy office, to fulfill these legal obligations in protecting data privacy. It sets the bar for privacy protection requirements, but in many situations such guidance is minimal or absent.
Additionally, as technology becomes more integral to daily life, the general public grows more conscious of the vulnerability of personal information to data breach, cyberattack, and misuse. Stakeholders are nudging organizations to view respect for data privacy as a moral obligation. This raises the issue of ethical compliance, which involves policies and procedures that go beyond legal requirements in addressing data privacy.
Regulatory Compliance in Data Privacy
The EU has become a world leader in recognizing the need for regulation and oversight of the use of private data. In 2018 the EU enacted its General Data Protection Regulation (GDPR), a far-reaching law addressing privacy and security. The regulation extends beyond the EU to entities throughout the world that target or collect data related to people in the EU.
In the US such all-encompassing privacy regulations have yet to be created at the federal level. However, federal regulations do exist to address privacy concerns related to specific situations and organizations.
An example familiar to anyone receiving health care services is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act imposes nationwide standards for protection of a patient’s health information against disclosure without the individual’s consent. It defines situations in which disclosure does not require the patient’s authorization, and thus strives to balance privacy protection and the need for information to inform and serve public health.
In the absence of comprehensive federal regulations, some US states are enacting their own privacy laws. The California Consumer Privacy Act of 2018 is the first example of comprehensive state legislation addressing data privacy. Colorado and Virginia have followed with similar laws.
Ethical Compliance in Data Privacy
Public demand for data privacy is motivating entities to enact internal measures to address specific needs of their employees, customers, and other stakeholders. For example, through its SmartBlockPH pilot project, the City of Philadelphia is using sensors to collect information on street and pedestrian traffic and environmental conditions. Its goal is to “test ways to collect real-time data accurately and efficiently, while respecting residents' privacy.” To build public support and trust, the website provides detailed information about the technology used and privacy parameters employed in collecting and handling data.
Legal Obligations versus Voluntary Measures
Regulatory compliance is a legal obligation for any entity handling personal data. Violations can result in fines, penalties, time-consuming investigations and legal proceedings, suspension of government contracts, and reputational damage. Ethical compliance is a voluntary undertaking. Nevertheless, failure to enact and follow policies that signal a commitment to data privacy can undermine public trust and put an organization at a competitive disadvantage.
Implementing an Ethical Data Privacy Framework
A practical first step in addressing privacy ethics within an organization is to develop an overarching ethical framework. This framework is a set of principles that guide data collection, use, storage, and destruction. It is a foundation for all policy decisions that impact handling of personally identifiable information.
Crafting the Framework
The process of constructing a useful framework begins with critical evaluation of the organization’s current data privacy protection practices. It requires a clear understanding of the expectations of individuals as to appropriate handling of their data.
Recognizing the need to commit resources to developing a comprehensive framework, many entities have created new executive roles, such as chief privacy officer or chief data ethics officer. An executive-level position signals to stakeholders that the organization prioritizes privacy ethics. Ideally, all C-suite executives collaborate in designing the framework, as it will apply to data governance across the entire organization.
Implementing the Framework
Once a framework is created, leadership should communicate it clearly to all employees and make it publicly available. Wide dissemination helps instill confidence in the organization’s commitment to protecting data privacy. This promotes accountability and provides an avenue for reporting and resolving privacy complaints.
The framework should act as to guide decision-making, so that data privacy is embedded into any new process, product, or infrastructure. Highlighting the framework periodically through training modules, surveys, or displays helps employees embrace data privacy ethics as a part of the culture.
Pitfalls to Avoid
The data privacy framework must be not a rigid set of rules but a general guide. As data collection technologies evolve and potential uses multiply, new policies are needed to deal with emerging challenges to privacy protection. For instance, with machine learning and artificial intelligence, data collected for an original purpose may be employed in ways not foreseen when the subject’s consent was obtained. The framework will ensure that any new policies conform to an organization’s stated ethical values.
An ethical privacy framework is most effective when implemented as early as possible. Addressing issues during the planning and design phase can prevent the need to remediate problems that arise when data security is compromised, or ethical use questioned. Startups have the distinct advantage here—a privacy framework can be part of the business plan from the beginning and applied universally as the organization grows.
Ethical Approaches to Data Privacy Protection
Applying ethics in addressing informational privacy requires a full understanding of the information ecosystem. Organizations should consider types of data (and their associated sensitivity levels), expectations of data subjects, legal requirements, industry standards, and overall cultural attitudes. The privacy framework must encompass the entire life cycle of the data, from collection to deletion.
The Consumer Privacy Bill of Rights identifies key components of an ethical data privacy program. These components include security, transparency, focused collection, respect for context, individual control, access, and accountability.
To enact these principles, an organization can employ a range of technological and procedural methods. For example, technological solutions might involve encryption, authentication, and firewalls. And procedural solutions might include documentation of responsible individuals and communication of data disclosures.
Experts such as Ann Cavoukian recommend a subject-first approach to ethical data privacy protection. Cavoukian’s model prioritizes respect for the individual data subjects as those with the most vested interest in their own data. Organizations can best implement this approach by allowing subjects to play active roles in management of data. This model emphasizes consent, access, mechanisms for complaint and redress, and user-friendly human-machine interfaces. When designing systems and processes, organizations must not compromise privacy for functionality.
There is more than one ethical approach to data privacy, however. With certain types of data, public interest may compete with privacy considerations. For example, governments used contact tracing to protect public health during the COVID-19 pandemic. The Centers for Disease Control and Prevention provided guidance to safeguard the identity of clients and their contacts. The agency understood that tracing was a risk to privacy but considered it necessary during the pandemic.
Scientific research into applications of artificial intelligence is another area where interests compete. Medical imaging, for instance, requires large data sets to train machine learning algorithms designed to improve diagnostic precision and patient care. Personal health information contained in these data sets is at risk for disclosure.
Finding the Best Methods
To ensure that ethical data privacy protection methods are fit for purpose, organizations must conduct thorough assessments of all aspects of the information environment. An external audit or review can help identify weak points and areas of risk. The aim should be to maximize security without sacrificing functionality. Optimal methods will be different for every organization and must be reassessed and revised frequently.
How Organizations Can Ethically Collect, Store, and Use Data
A 2019 Pew Research Center study revealed that about 80 percent of Americans feel they have very little control over the data companies collect about them. They also feel that the potential risks of data collection outweigh the benefits. An ethical data management program can build public trust in an organization.
“Ethical by Design” Data Policies
So what do “ethical by design” policies look like? Cavoukian’s model considers ethical data privacy policies most effective when they are “integral to organizational priorities, project objectives, design processes, and planning operations” and integrated into standards and processes.
In such a paradigm, organizations proactively identify privacy issues and incorporate solutions into system design rather than reactively adding them. Thus, privacy protection is a built-in component of the system.
In general, consumers have limited knowledge of exactly what information is collected from them, who is collecting it, and how it is used. Privacy notices, buried on web pages or included with bank statements, are the typical explanations most consumers encounter. When a data breach occurs, consumers receive written notification, often accompanied by offers to enroll in identity theft protection plans.
Internet service providers and websites track online activity and monetize it for targeted advertising. To discover what information is being collected, consumers can use browser extensions and plugins that report tracking and provide options to block it. To further secure online activity from unwanted data collection, consumers and organizations alike can employ technological solutions including virtual private networks, secure browsers, and encrypted messaging applications.
Prioritizing Ethics in Data Collection, Use, and Storage
Those responsible for safeguarding sensitive data must recognize that privacy concerns are of paramount importance to data subjects whose personal information is entrusted to others. The data can be considered a virtual extension of the person. Whenever possible, maximal privacy should be the default, meaning that data remains private unless the individual subject takes action. Data collection should be for defined purposes, and retention and disclosure should be minimized. Accessibility, transparency, and accountability should be emphasized.
Big data ethics presents additional privacy challenges. Data may be collected with full consent for a specified purpose and even disclosed to the public properly; however, subsequent use for other purposes may be unethical. Organizations cannot assume consent beyond the original intended use. A growing area of concern is the rise of 5G data analytics, which promises to add fuel to the fire given the volume of data collected, the speed of collection and the data’s potentially sensitive nature. These large data sets can enhance the impact of AI in areas such as medicine and public health but also multiply opportunities for privacy breaches.
Respect for privacy has become a crucial component of social responsibility. A holistic and well-communicated data privacy and ethics program can differentiate an organization and position it for success in the information-driven world of the future. And a focus on ethical compliance can even represent a proactive measure for regulatory compliance, as public sentiment eventually shapes regulatory action.
Interested in joining IEEE Digital Privacy? IEEE Digital Privacy is an IEEE-wide effort dedicated to champion the digital privacy needs of the individuals. This initiative strives to bring the voice of technologists to the digital privacy discussion and solutions, incorporating a holistic approach to address privacy that also includes economic, legal, and social perspectives. Join the IEEE Digital Privacy Community to stay involved with the initiative program activities and connect with others in the field.