Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failures of data governance in recent times; namely, the Post Office / Fujitsu Horizon scandal, some of the harms of which are belatedly being redressed via compensation secured through the courts. The article is available here, should you wish to read it.

For this article I’ll continue the same general line of analysis, focusing next on the ethical significance of a concept central to data governance and which is often put at risk by data breaches; namely, confidentiality. In what follows I’ll explain why confidentiality matters, outline some organisational risks that can undermine it, and conclude with some suggestions about what can be done to prevent breaches of confidential personal data in whatever sector or industry we are considering, and how IGS might be able to help you or your organisation to achieve this.

To begin, then, let’s think about confidentiality and why, from first principles, it might matter from an ethical point of view.

Why does data confidentiality matter ethically?

Data confidentiality, and an organisation’s ability to guarantee that it is protected in relevant circumstances, is a perennial, central concern of data governance. The reason for its prominence can be seen relatively straightforwardly when we reflect on our own preferences for how we do and do not want data about ourselves to be treated, once we have handed it over to an organisation in the service of receiving whatever benefit it is that we want from using its services.

It is a generalisation, of course, but on the whole, if and when we entrust information about ourselves to an organisation, we expect and assume that it will treat that information confidentially. Broadly speaking, this means ensuring that it is protected such that it is invulnerable to internal breaches or external attacks which might make that information unlawfully available to third parties or the public; and ensuring that access is only given to those people who would need to see it for us to receive whatever the benefit is that we’re seeking from the organisation.

This is a heuristic which applies for whatever kind of organisation we’re engaging with – whether it’s a healthcare provider, a retailer, an insurance company, a bank, and so on. In each case, we want to be able to trust that what we disclose in our data when we hand it over is kept confidential; and we might want to be able to scrutinise how and with whom our data could be shared, if doing so is necessary for us to receive whatever the benefit is that we’re seeking.

When we reflect on what could be at stake for any of us, were there a confidentiality breach involving our own data, we see quickly why such breaches are so serious, and this reminds us why they are big news when they do occur. Large scale data breaches over recent years include: Easyjet – 2019/20 – records of nine million customers and details of 2200 credit cards; Virgin Media – 2020 – personal information collected for marketing purposes of 900,000 customers; Marriott International – 2018 – personal information about 500 million customers in their hotels; NHS – 2011/12 – 16 breaches in different UK sites involving over 1.8 million health and employee records.

It is in virtue of its significance that confidentiality is a central feature of data governance, and therefore why legal regulations exist to compel organisations to take measures to protect it. Indeed, the legal stipulation to ensure confidentiality is responsive to an underlying ethical imperative that it ought to be protected, given the kinds of basic rights that we take human beings to have. Pertinent to the context at hand, this includes the right to privacy protected under Article 8 of the Human Rights Act.

Taking these introductory remarks into account, the ethical significance of confidentiality, which is the central anchoring point for this article, can be summarised quite succinctly. As free agents with the autonomous decision-making capacity to direct our lives as we choose according to our preferences (within parameters of harm to others and so on which make reasonable prohibitions on certain kinds of behaviour), we have the right to, among other things, choose what information we do and do not disclose to others, and who those others are. As such, within the parameters of behaviour we can agree as ethically permissible – after all, we should not make murder legal just because deliberate killing is something that certain individuals want to do, for example – we should default to respecting each other’s preferences, and therefore acting in such a way that those preferences are realised, and this extends to their preferences for how information about them is handled.

What technical organisational challenges pose risks for data confidentiality?

So, we have some idea about why confidentiality matters ethically. By extension, then, we also have some idea about why it’s so important that it can be protected, and therefore why breaches of confidentiality are serious matters. With that in mind, next we’re going to look at some of the technical challenges that increase the risk of breaches of confidentiality.

The three that I have picked out here – complexity, access rights, and data infrastructure overhaul – do not exhaust the range of technical challenges that might arise for an organisation in meeting the demands of confidentiality; nevertheless, they should give some idea of how confidentiality can be put at risk. As I said at the start of the article, these challenges are likely to be found in all sectors and industries where personal data is held and used, and as such are not limited in relevance to one particular setting or another.


Complexity

Complexity is a challenge for ensuring confidentiality, and for several reasons, the scale of the challenge increases in proportion to the complexity of the organisation.

First, in simple terms, the more complex the organisation, the more complex the task of data governance is for preventing breaches. This is fairly straightforward to grasp, since, clearly, in an organisation of one, where only that person has access to personal data held by the organisation, identifying how, where, and why a data breach occurred is a much easier task than in an organisation with numerous interrelated data flows.

The number of data flows is relevant here because the risks following from an organisation’s complexity are likely to be partly a function of the risks following from its size. In a larger organisation, it is not only that there are more individuals who could pose a risk to client data confidentiality if they do not observe the necessary standards of governance; given also that data often needs to be shared between employees, the risk of breaches increases if data sharing itself is not done sufficiently securely. We can see in several settings how this can constitute a concrete risk to data confidentiality.

For instance, the NHS aims increasingly to provide an integrated service of care to patients, across the various specialist domains required for their individual needs, so that no patient falls through a ‘gap’ in the particular configuration of care that they need and comes to harm as a result. To achieve integration, there must be a presumption of the need for data sharing, as its necessity follows from the underlying imperative to ensure that there are no gaps in care through which a patient might come to harm. If healthcare professionals in the relevant specialist domains are not able to access the same data about a given patient, it will not be possible to comprehensively identify what gaps there might be. Given the size and complexity of the NHS and its services, and the necessity of some degree of data sharing, the risks of breaches of confidentiality are evident.

Or, consider the context of companies providing global consumer services of different kinds. For example, to ensure that they can provide high standards of service to repeat customers, companies such as global hotel chains or airlines must share personal information – some of which could be sensitive in nature – about their customers with whoever in the organisation needs to provide the relevant service to them wherever they are going. Here, again, the need to provide the service in question makes evident the necessity of sharing data with numerous employees. However, each instance of sharing increases the complexity of the system and the number of potential points of weakness where a breach could occur.

There are many other instances in any large and complex organisation where data sharing might be necessary for the provision of services – insurance or mortgage broking, banking, retail, utilities, and so on. Irrespective of the service or sector, though, in each case it is a function of complexity and size that there are also many points at which a breach of confidentiality could occur. For any and all of these instances, the robustness of the data governance procedures must be commensurate with the risk posed by the size and complexity of the organisation.

Access Rights

Intersecting with the risk of breaches that follow from size and complexity, there are risks associated with the demands of ensuring that access to data is given on a need-to-know basis only to relevant individuals within an organisation where it is necessary for delivery of the service in question.

In any organisation which handles personal data, irrespective of whether the organisation is large or small, it is likely to be necessary to ensure that only some employees have access to all data either about fellow employees or the organisation’s clients. For example, although employees working in payroll and HR functions will need access to the addresses and tax information of their colleagues, there is no obvious reason for colleagues beyond payroll and HR to have access to it. Similarly, information which line managers require about those whom they manage, in virtue of the demands of the management roles they perform which follow from their relative seniority, does not need to be, and therefore should not be, accessible more widely to other colleagues. Likewise, it does not follow from it being necessary and appropriate for some employees in an organisation to have access to all of the information that it holds about one of its clients, that it is necessary and appropriate for all employees to have the same degree of access to the information. As such, errors in the granting of access – which can include failures to prevent unwarranted access – represent a risk for breaches of confidentiality.

These examples remind us that organisational data governance procedures must be not only adequate to the challenges posed by a large and complex organisation, but scrupulous even in relatively small organisations. The demands of this in practical terms can be formidable, irrespective of whether an organisation has many or few employees, given the ease with which, for example, confidential information could be inadvertently made accessible to a colleague who is copied into an email when they should not have been; or in instances where confidential data is not made secure before circulation and is then subject to a cyber-attack, such that it can be accessed by the attacker.

It is important to emphasise that these risks are not only theoretical, but a salient day-to-day practical concern in organisational data governance, as instances of breaches such as the examples listed earlier indicate. In all these instances, the individuals whose confidential data was leaked have not only a legal right but an underlying moral right to claim injury and seek redress. The case for objecting in such foundational moral terms is grounded in the moral status of the individuals whose confidentiality has been breached. Since, as I sketched out earlier, the right to request and expect confidentiality in handling one’s data follows from one’s capacity for autonomy and self-determination – which is to say, a capacity in which the right to confidentiality is grounded – so custodians of an individual’s data should treat it with the same degree of moral respect as they would treat the actual individual.

Software and Data Infrastructure Overhaul

The final example that I will give of an organisational risk for breaches of data confidentiality relates to challenges associated with overhauling or updating computer software and data management protocols and systems.

All software systems eventually need updating, upgrading, overhauling, or replacement, due to obsolescence as new and better solutions are invented, or because an organisation identifies a competitor product superior to the one it is using, which could help it increase the efficiency and reliability of its processes. There is nothing remarkable about this, nor is it something that should be resisted. However, the process of replacement poses a challenge for data governance with respect to protecting confidentiality. And here, again, the size and complexity of an organisation might amplify the seriousness of the challenge.

In practical terms, replacing systems in a way that successfully protects confidentiality requires the achievement of several tasks. For example, the correct access permissions must be preserved in transferring to the new system from the old one; the training delivered in using the new system must be of an appropriately high standard to reduce as far as possible the risk of inadvertent data breaches; and in organisations that use several systems for handling data, governance processes must include the oversight necessary for ensuring that data is kept secure through those interactions. There are other tasks that will be required in practice, but these give an idea of how and why updates or overhauls of data handling systems can present opportunities for data breaches if governance is inadequate.

The importance of collective action for upholding data confidentiality

By now you can, I’m sure, anticipate why I flag these as not only situations which organisations should seek to avoid for legal reasons (although, of course, it is vitally important that all organisations are legally compliant, in the interests of both the people whose data are held and the viability of the organisation holding it) but for ethical reasons as well.

The ethical significance of confidentiality is grounded in what all individuals are fundamentally entitled to by virtue of being free, autonomous, self-determining agents with the ability to make decisions about what they do and how they wish to be treated. There is, therefore, a case to be made for each of us to act in ways that protect the confidentiality of others, because if we do so, such that the action is collective, there is a greater chance that our own confidentiality will be protected as we would wish.

For instance, imagine that you or I work for organisation A and have access to personal data about one of its clients, person X, because the role requires their data to be processed in a particular way. Even if, personally, you or I are neutral or unconcerned about the interests of person X, and therefore indifferent about the confidentiality of their data, in the contemporary context, our own data is likely to be held by other organisations where our own confidentiality could be at stake. So, let’s imagine that personal data about you or me is held by organisation B, which is at greater or lesser risk of breaches of confidential data, including our own, depending on the adequacy of its governance processes. Given that this is the case, we should hope that employees of organisation B don’t adopt the same position of indifference towards you or me as either of us could do as an employee of organisation A towards person X.

Moreover, even if we don’t find the collective action argument persuasive, we should consider the non-negligible likelihood of a scenario in which we are in the same boat as person X, whose data our organisation holds, and about whose confidentiality we are unconcerned. There is a significant possibility, given the world in which we live, that personal data about person X and ourselves, which we would both like to remain confidential, is held by another organisation. For instance, there is a strong chance that Google holds a range of information, based on internet use, about not only both you and me, but either or both of us and more or less anyone picked out at random from the street. As such, even if you or I happen to be indifferent about the confidentiality of person X’s data, it is worth reflecting on why we care about the confidentiality of our own data. When we see what our reasons are for caring about the confidentiality of our own data, it also becomes clear why it’s a matter of personal significance for anyone who has an interest in living in a society in which they can have reasonable confidence that their data is kept confidential once they hand it over in return for a service.

On the basis of the preceding analysis, then, I will conclude by suggesting some solutions for reducing risks of breaches of confidentiality, and how IGS can help your organisation with this.

Conclusions and how IGS can help

What Is the Solution?

The first and most obvious solution is to ensure that sufficient attention is given to the ethical significance of confidentiality, and by extension, the ethical significance of breaches of confidentiality. If we can see why this should be ensured, we also see why it is so important that the governance processes put in place to prevent such breaches are adequately robust. The problem with this solution, of course, is that achieving it is easier said than done. Nevertheless, it can be achieved.

The aim of this article has been to give some sense of why, from ethical first principles that go beyond the need for legal compliance only, confidentiality occupies the central place that it does in data governance. If that aim has been met, I hope it will be clear that IGS has the depth of theoretical and applied expertise in data ethics to help your organisation ensure that it can develop solutions to reduce or eliminate the risk of data breaches.

Understanding Reputational Risk and the Bottom Line

I hope it is also clear from reading this article that IGS understands in practical terms what risks follow from breaches of data confidentiality. A failure to engage properly with the foundational ethical reasons why confidentiality matters increases the probability that a data breach might occur in your or any other organisation. The material consequences of this for an organisation can be serious, for the straightforward reason that reputational risk can harm the bottom line.

Given that we have good reasons to be wary of organisations with lax standards of data confidentiality, breaches of confidential data, or even just the risk of them, can undermine confidence in an organisation. And, of course, if clients or customers cease using an organisation’s services, or if potential new customers are sufficiently discouraged that they use a competitor instead, the ethical failure to protect confidentiality will impede organisational success.

Trust and Trustworthiness, and Why They Matter

Finally, what follows from the previous point is that organisations handling data must, in their own interests and those of the people whose data they hold, demonstrate that they are trustworthy. Trust, of course, is irreducibly a concept that is ethical in nature. An organisation cannot, and should not, simply assume that individuals will trust them with their data. Trust must be earned, and as custodians of data, it is the obligation of the organisation which wants to collect and use the data to demonstrate that it can be entrusted with it.

Trustworthiness is, by definition, promoted by – among many other things – reducing the risk and occurrence of data breaches. And the demonstration of trustworthiness in turn conduces to organisational success. Ensuring that your data governance procedures and policies are robust is a vital component in being a trustworthy organisation, and IGS is ideally equipped to help you and your organisation to achieve this.

