Data ethics as a distinct area of deliberation is growing rapidly and has numerous subfields, such as ethics in machine learning; AI ethics; ethics of data governance; and so on. Each raises distinct ethical challenges, the analysis of which requires close attention to the specific circumstantial factors of relevance.
Given the diversity of the challenges that fall under broad umbrella term of ‘data ethics’ and because of the need to treat these with commensurate specificity, it would be easy to assume that, from an organisational perspective, developing processes which can respond to the specific ethical challenges occurring in these discrete domains will be sufficient for ensuring that your organisation can meet its data ethical obligation.
However, for reasons unpacked in what follows, we will see that ensuring ethical practice with respect to data specifically also depends on the culture of your organisation as a whole operating in such a way that it is more likely to reliably promote these practices in its specific functional domains. This requires close, deliberate, detailed engagement with the ethical considerations involved; the issues are fundamentally important and an analysis which is too superficial will not yield success.[1]
Not all professional organisations are businesses in the strict sense – think of schools, charities, schools, government departments, and so on. There are differences between these kinds of institutions, but the line of reasoning laid out in what follows applies equally in spite of other differences between them. As such, in the interests of brevity, here we will use the term ‘business’ to refer to all possible professional organisations.
To begin unpacking the connection between data ethics and business ethics, we first need to have some idea of what data ethics and business ethics are. For an overview of the first of these, you can take a look at the first of this series of articles, here.
What is business ethics?
In one, overly simplified, respect, business ethics is just that domain of moral deliberation which tries to identify, enumerate, and define how professional organisations ought to operate. Doing this requires logical reasoning and the application of ethical theories. However, here we encounter a challenge, since there are numerous ethical theories, which in various important ways can conflict with each other.
The tension between ethical theories and what those theories claim should take priority when deciding what ought to be done therefore creates, or at least can create, uncertainty in being able to stipulate how a business should and should not operate.
For instance, in the context of personal data collected by public or private healthcare institutions for the purposes of research, the more personal data that is collected, used, and reused, the greater the likely population benefits, for more people, in future. On a reading of ethics grounded in the claim that we should do what will benefit the greatest number of people, then, this seems to provide the basis for an argument that each of us, as an individual, ought to allow our data to be collected, used, and reused as widely as possible for these purposes, and crucially, without our consent being sought for doing so on each occasion. You can read more about the ethical implications of this issue here. By contrast, a reading of ethics which holds that priority should be given to individual autonomy produces a conclusion in which there should be constraints on the extent of such unconsented reuse, because this would limit the ability of each individual to have jurisdiction and exert control over their personal information.
Of course, this example relating to consent is an oversimplification of a vast and central issue in ethics about which far more can be said and with greater subtlety, but space here forbids doing so. Nevertheless, it points to a pervasive dilemma across all spheres of human action, which includes business practices; namely: what should we do? The irreconcilability of competing bases of moral justification, and the unavoidable fact that members of society just will disagree about what they, others, governments, institutions and so on should do, present a significant challenge for spelling out unambiguously what would count as ‘business ethics’. Given that theoretical irreconcilability, a different approach is needed in practice when attempting to ensure ethical practice in business in general and with respect to data governance in particular.
Heuristics
Given that any approach to ensuring ethical practice in business in general and with respect to data governance in particular will be non-ideal, in the sense that any course of action will be morally contestable and will generate ethical trade-offs, one possible starting point is to think in terms of using heuristics.
A heuristic is, roughly speaking, a ‘rule of thumb’ for deciding whether to do X or Y. This is to say, it is decision-making grounded in what is likely or will tend to conduce to the aims that we, and our organisation in the business and data ethics case, want to achieve. In that context, a heuristic for what a business ought to do is that which is most likely to promote the success of the business.
This might provide a partial answer, since it will help to provide the justificatory grounds for a business’ operations, on the basis of which information can be provided to its customers or patrons about what the business wants to do and why. For example, this could be information provided to individuals whose data a biobank wants to collect for health research; or people whose personal data a retail company wants to harvest for predicting and targeting future consumer behaviour.
The answer is only partial, however. Although it provides endogenous reasons, or in other words, reasons internal to the business for deciding what it ‘ought’to do, it provides no guarantee that those actions are those which in fact ought to be carried out[2], the relevance of which comes into view if we zoom out to look at the context in which the business operates.
For example, for an organised crime network that engages in identity fraud, what would tend to promote its success is for it to steal as much personal data as it possibly can so it can sell it on the black market for profit. In this instance, even though the heuristic provides, in a limited sense, a rough guide for what the business ‘should’ do, in general and with respect to data, it does not, in fact, provide any ethical justification for those activities. So, taking all this into account, how can we proceed to promote ethical business practice using the advantages of a heuristic in a way that also mitigates its shortcomings?
Better and worse internal reasons
The organised crime case shows us that a business and its employees might have reasons internal to them for engaging in a given practice – fraud via the theft of personal data, for example – which are quite obviously unethical – as well as illegal – once we think beyond the narrow scope of what ‘ought’ to be done if the business is to achieve its aims. Revealing this distinction highlights that business practices are not value-neutral. Although every business will have its own endogenous reasons, and corresponding things that it values, for why it ‘ought’ to do X or Y, whether the practices involved do or do not in fact align with moral behaviour is a contingent matter.
We can also probably assume – but again, this is a heuristic and will not necessarily apply for all individuals, since the reasons why people pursue criminal careers are often complex – that in the organised crime data fraud case, the members or employees of the network are relatively unconcerned about the lack of ethical probity of their business, given that they have chosen this, rather than something else less nefarious, for their profession. Here, then, the personal reasons for the members of the business to do what they do align with the endogenous to the business of doing what it does. In turn, this helps to underline the connection between an organisation’s practices and the individual motivations of its members:[3] individuals make choices based on their own motivations. Employees need to be able to reason independently about whether to do X or Y, why to make the choice that they do, and the ethical adequacy of the reasons for their choice.
The example here is somewhat negative, since it focuses on reasons why individuals choose a profession of which we should not approve. However, the same reflection on why one should make one particular professional choice or another can lead in the opposite direction, towards ends of which we can approve.
Businesses as social entities
The preceding analysis shows the ethical significance of the context in which businesses operate. Businesses do not operate so in a vacuum: they are entities created by humans, and features of society that are answerable to society. Businesses are created for reasons related to a variety of ends of human behaviour and as such they exist to serve a purpose, or to further some human end, whatever that might be. As such, a successful business will be one which delivers on its purpose by benefiting those for whom its services are developed.
Of course, though, much as it does not follow from an organised crime network having its reasons for engaging in data fraud that it should be allowed to, just because it provides a service to those people who are prepared to pay for stolen personal information, so it does not follow that in general all business practices are ethically permissible merely because they serve a purpose or have a market. In the case of organised crime, it would be socially, ethically preferable that those individuals had different motivations and had made different career choices conducing to more beneficial collective ends, not least because any one of us could be a victim of such a crime at any point.
We will expand on the ramifications of the final observation here in the next section. For now, though, it is important to emphasise what the example shows; namely, that engagement and reflection about what one does professionally and why, the outcomes to which those choices tend to conduce, and the value of those outcomes and to whom is a generally valuable practice for everyone to engage in. Of course, to return to a point made at the start, doing so by no means guarantees ethical behaviour or ethical business, not least because there is disagreement about which ethical theory is correct and we should observe. Nevertheless, understanding the connection between our motivations, values, goals, behaviour, and professional choices at all levels, from the personal to the organisational to the societal, better promotes the identification of what ends should and should not be valued and what actions will deliver them.
Since businesses and other professional organisations are social phenomena and parts of society, so the choices that one makes in work are not consequence-free; albeit, of course, that some professional choices are more consequential than others. Here, there is a comparison to be made with the relation between a business’ data governance processes and the business as a whole, since this mirrors the part / whole relation of a business and the society in which it operates.
Trust as essential for data and business ethics
Just as a business’ data governance practices are part of the business’ practices as a whole, so the business is a part of society as a whole. This is significant for several reasons, including the issue flagged briefly in the previous section.
We are aware from reflecting on our own reasons for not engaging in certain kinds of harmful behaviour to others – for example theft, deception, assault, lying, and so on – that even if our doing so would not have any major ramification by itself beyond its consequence for the harmed individual, there are good reasons – beyond any legal consequences, in those cases where they would apply – why we do not and should not engage in them. Part of the reason is that behaviour such as this will tend to undermine the norms of the kind of society in which we want to live; namely, one in which we are unlikely to be harmed by others engaging in the same practices. This relation holds between the reasons for engaging in ethical practice in data governance and the norms that underpin the successful, predictable, functioning of the business as a whole. The relation here is one in which individuals have sufficient grounds to trust each other to behave in certain ways.
Even though businesses will have conditions of employment’ guidelines, protocols, and so on, once employees have signed up to these, a culture of sufficient mutual trust is required for the business to operate in the way that it should. Of course, for the reasons outlined earlier, how a business should operate is a contestable matter, and we cannot necessarily assume that all unethical business practices are legally forbidden. Notwithstanding the contested relation between ethics and the law, however, both operate as governance structures for regulating behaviour in ways which, again, heuristically, aim towards ends that promote some kind of collective good. The strength of engagement across a business among its employees with the ethical and regulatory principles that govern professional activity, then, is key to promoting mutual trust and creating the conditions in which ethical practice can predictably occur. It is vital for any business to try and ensure that its employees not only know in abstraction what they ought to do, but why, on the basis of an interdependence of interests across the organisation, they should be motivated to actually do it.[4]
Crucially, this is true at all organisational levels. Viewed in light of the analysis laid out here, it is risky to assume that apparently robust processes for ensuring ethical practice in data governance will be effective if the operational, motivational principles underlying those processes are not a general feature of the business. Assuming that other relevant institutional conditions have also been met – for example that remuneration is equitable, and graded fairly according to seniority, and so on – the assumption is less risky if the business as a whole has a culture which promotes engagement among employees in thinking about the causal relation between: personal moral motivation; the particular processes for which they are responsible; and what is required for the organisation as a whole to deliver successfully on its purpose.
Finally, here, there is a further reason to make explicit the connection between ethical practice in parts of a business and the business as a whole and emphasise the importance of promoting engagement in what those practices ought to be. As we have seen here and elsewhere, the relation between ethics and the law is imprecise. There are times when the law enforces what is moral and there are times when it fails to do so. Changes to the law, such that they better enforce what is moral can occur, but they occur incrementally. This means that the law, or other institutional regulatory instruments, can never be relied on by themselves as sufficient for guaranteeing to promote the right ethical ends. The law is always incomplete, and it is dynamic. As such, a business is better placed to ensure that it really does do what it ought to, if its culture promotes active engagement and reflection among its employees about what they and it should be doing, and why.
This all sounds a bit vague, doesn’t it?
The analysis presented here is vulnerable to the charge that it is overly idealistic, and insufficiently attuned to actual business practices for ensuring that any given business’ data governance processes are ethical as a microcosm of a wider organisational culture which conduces to it functioning ethically as a whole. Businesses, since they are compromised of humans, are messy, fallible, and can be a collection of competing interests and priorities. Since what is laid out here generates more questions than answers, so it leaves many relevant and important ethical questions unresolved. As such, to make the analysis more effective, the line of argument introduced would need to be applied to a specific business or other professional organisation, and the imperfect, non-ideal, competing interests would need to be negotiated in the heuristic way indicated.
Nevertheless, the kernel of the argument being advanced here is that businesses, both institutionally and at the level of the particular processes governing data handling, should promote engagement among their employees about the connection between their motivations, their actions, the aims of the organisations, and wider social goods. Whatever else business ethics in general and data ethics in particular ought to assist with is providing the tools to derive good reasons to construct these organisations deliberately in one way rather than another.[5] The freedom to debate, discuss, scrutinise, and disagree about a business’ processes and the ends to which they aim promotes the kind of behaviour which is more likely to engender trust and create the conditions in which ethical practice can occur predictably and reliably.
Summary: how can IGS help?
In light of what we have set out here, the solution for ensuring robust practice in data ethics, such as there is one, is primarily procedural[6], rather than pointing to a predetermined and universally applicable set of stipulations which can be straightforwardly applied.
At IGS we have the practical expertise and theoretical knowledge to help with this. We can assist you and your business to become clear about its principles, values, goals, and aims, and in doing so develop the processes required to ensure that these are understood explicitly across your business. This will help to increase your confidence that your business meets the necessary ethical standards of data governance, as a reflection of a wider organisational culture that promotes it.
[1] https://link.springer.com/article/10.1007/s10551-017-3766-1
[2] https://link.springer.com/article/10.1007/s10551-005-4666-3
[3] https://link.springer.com/article/10.1007/BF02388590
[4] https://link.springer.com/article/10.1007/s10551-019-04351-0
[5] https://link.springer.com/article/10.1007/s10551-006-9049-x
