Data ethics: A Nordic perspective

This article is part of a three-piece series DAMA is running on data ethics, during the first quarter of 2021. The themes touched upon in this series are derived from DAMA’s chapter on data handling ethics in DMBoK2, which can be found here. Article number one is aimed at establishing data handling ethics and its connection to data governance. Before arguing why and how morally sound data management should be guided by policies grounded in some universal ethical concepts.

Beyond Compliance
In short, ethics compiles those principles a community recognizes as representative of their idea of right and wrong. Principles which often focus on concepts such as fairness, respect and integrity. Thus, surpassing simply complying with regulations laid down in writing by our governing organs.

Data handling ethics, or simply data ethics, describes how to make informed and responsible decisions in the handling of data. From how the data is procured and stored to how it is managed, utilized and finally disposed of. An organization’s perceived morality has a significant effect on the level of trust it is granted by its stakeholders, but it can also have ramifications beyond purely business-related ones.

Data ethics’ admission onto the stage of mainstream debate is a warranted one, as unethical handling of data can have severe consequences, echoing far beyond the immediacy of its epicenter.

Consequences and a creeping normality
As digitalization’s unstoppable encroachment on society continues, never-before-seen amounts and constellations of data materializes in its wake. Following, are the breachings of stories about gross ethical misconduct, instances where entities have implemented dubious practices to obtain goals varying in nature. Examples of such cases are as recent as they are terrifying.

Leading up to the 2016 presidential election, Cambridge Analytica misused over 50 million facebook users’ personal data to get Trump elected. In China, the government has launched its social credit system, which in 2018 banned the purchase of 23 million airplane tickets, due to insufficient social credit. In 2021, the Norwegian Consumer Council accused the LGBT-oriented dating app Grindr of selling and sharing sensitive personal information about its users to third parties, unbeknownst to the users. Making it possible for LGBT people to be identified and located, non-trivial in countries where LGBT rights are not recognized.

The immediate consequences of these data handling practices are plain to see, and to most of us who share the Nordic perspective, they are unethical. A view which emanates from our valuation of privacy as a society, and what ideas we deem to be acceptable and not. These examples of immoral data handling share more than a potential to affect their immediate surroundings however. They also carry the potential to move the level of acceptance for an idea, all the way from the unthinkable to one day becoming policy. Behaviors such as the one displayed by Grindr, could, if left unchecked, have a signaling effect contributing to a new creeping normality. If and when a sufficient number of harmonious precedents is accompanied by a fitting rhetoric and just the right circumstances, the Overton window will ultimately shift.

Extension of Governance
Even though the last paragraph sports a global outlook, the same mechanics apply on all planes, including the organizational. As organizations aim to modernize by utilizing the ever-evolving array of digital tools available to them, they become the custodians of an increasingly vast amount of data. Data which is as sensitive as it is valuable and thus carries an inherent potential for harm, if mismanaged. Consequently, how this data is governed becomes an integral part of, not only an organization’s capital, but also its responsibility.

How organizations handle this responsibility is reflected by their actions, of course, but also by the policy that guides those actions. As data management matures as a discipline, so too must the policies its professionals adhere to. And just as an organization’s policy is a structured reflection of the perspective and culture shared by its members, so is data ethics an extension of data governance. If an organization lacks fundamental data governance capabilities and a sufficient data management maturity level, it won’t be able to work with data ethics in a focused and meaningful way. One can argue that data ethics is both an evolution and extension of data governance and must be granted the same level of thought and care as data governance itself is.

Universal Concepts
Although the specific needs, considerations and risks regarding data handling ethics will differ to a certain extent between organizations and industries, they must all rely on the same universal concepts. Originally intended for medical research, the Belmont principles are highly relevant for Information Management disciplines as well. Evidenced by their utilization in The United States Department of Homeland Security’s Menlo Report.

The three core Belmont principles are as follows:

• Respect for persons
  People are to be treated in a way that respects their dignity and autonomy as human individuals, with special considerations being afforded those with diminished autonomy.
• Beneficence
  Firstly, do not harm. Secondly, maximize possible benefits and minimize possible harms.
• Justice
  All people are to be treated fairly and equitably.

Asking oneself if any given activity adheres to these three universal principles is a good first step when assessing the morality of one’s data management practices. Examples of activities not adhering to one or more of these principles are common, but not necessarily always intentional. Which the shut-down of NIPH’s original Covid-tracing app ‘Smittestopp’, over privacy concerns, is a testament to. Unfortunately, consequences pay no mind to whether or not any malicious intent is present.

Formalizing and safeguarding
How can we ensure that the Belmont principles are reflected in our data management activities and practices? We have already talked about policy, but policy is worthless without people agreeing with it and most importantly adhering to it. Thus, building awareness, creating ownership and accountability in addition to embedding the principles as values in the organizational culture should be a goal. Even then however, unintended errors aren’t accounted for.

How do we then reduce the risk of potentially harmful mismanagement of data? By creating ways-of-working in the form of frameworks and formalized processes. So, to safeguard the morality of data management practices and facilitate conscious decision-making.

Identify & control principles, practices and risk factors
One such formalized process is that of step by step identifying and aligning a guiding principle with its inherent risks and practices, while the latter’s integrity is actively controlled by a human in the loop, directly or indirectly. See example beneath.

• Guiding principle
  A service’s member giving data under the notion certain information won’t be shared, trusts their anonymity will be upheld.
• Risk
  If mishandled, sensitive information may be shared with the public.
• Practice
  Create a form with content-specific entry boxes, which sends member data directly to CRM.
• Control
  Monthly review of CRM entries, to ensure data is stored correctly and thus shared/not shared according to the individual member’s wishes.

Data ethics Strategy & Roadmap
After a review of an organization’s current state and the development of a set of principles, an organization should formalize a strategy and accompanying roadmap to improve its data handling capabilities. The strategy should include a code of expected behavior and formalized processes, like the one presented above, as well as ethical principles, expressed in value statements.

The component pieces of such a strategy should include:

• Value statements
• Ethical data handling principles
• Compliance framework
• Risk assessments
• Training and communication
• Roadmap
• Approach to auditing and monitoring.

Doing it right
This is where culture makes a definite comeback. All the awareness, frameworks and strategies in the world won’t help, if a willingness to follow through is lacking in the organization. As all new-age business consultants love to proclaim; “Culture eats strategy for breakfast”.

With that being said, a foundation of data governance and data management maturity needs to be in place before one can effectively work with data ethics. Only then can the people and processes work together so that one can deliberately and consistently make morally sound decisions when managing one’s data.

Roles for data ethics
The second article in this series will delve into why and how the proprietary responsibility of data ethics should be delegated to specific entities within an organization. So to create an anchoring point from which ownership and accountability can echo throughout the organization.

Sign up to Data Nugget to get the next article in this series, as well as other great content from DND DAMA Norway, straight in your inbox!