What is data ethics?
Data ethics is a broad, umbrella term covering a range of ethical issues relating to different applications of data. Put most simply, data ethics is concerned with how organisations, as custodians of information, especially where that information is personal or health-related, ought to handle that information.
Often, guidance about how organisations ought to handle information is stipulated in law. However, some ethical dilemmas that your organisation might be faced with when it comes to data handling exist in legal ‘grey areas’, where regulation does not make it clear what you should do. Also, some aspects of data use which raise ethical questions are not covered by the law at all – for example, the sharing, linking, and re-use of anonymised, de-identified health data is not subject to governance under data protection legislation[1]. In instances such as these, your organisation will need to be able to weigh up the relevant ethical issues to decide what to do. Finally, in some cases, the law will permit data handling practices which are not necessarily ethical. Although these cases are rare, they do occur from time to time.
Data ethics is the broad name for the set of skills that you and your organisation need for deciding what data handling processes should be put in place, whatever their relation to relevant legal regulation.
As data ethics is a very broad term, it encompasses several specific areas of practice and applications of data, each of which raise their own particular ethical challenges and dilemmas. Here are two examples of these which might be relevant to your organisation.
Ethics in data governance
Data governance also covers a wide range of practices and processes. For example, it includes how data is collected; handled; kept secure; shared; and linked to other data sets by your organisation. We know that data ethics is concerned with what processes should be put in place, so ethics in data governance tries to identify and become clear about the standards your organisation ought to observe when it comes to collecting, handling, securing, sharing and linking the data that it holds[2].
For each of these processes, ensuring the right ethical standard of data governance will involve identifying numerous issues, including: what your organisation’s professional obligations are; what the risks are to the people whose data you hold from different options for dealing with their data; whether there is a high risk of unpredictable outcomes from a particular practice and whether taking on this risk is proportionate, given the purposes to which your organisation puts the data that it holds.
Ensuring ethical data governance will require you and your organisation to weigh up the various obligations, benefits, and risks involved, and come to a reasoned, rational, balanced judgement about the processes and practices that you decide to implement. Needless to say, in all cases, whatever your organisation decides to do with respect to ensuring it meet the necessary ethical standard, it must ensure that its processes and practices are also within the law.
Ethics in big data, machine learning, and artificial intelligence (AI)
This is an area of data ethics that is developing rapidly, as novel ethical challenges are raised by advances in data science and engineering, in particular when applying artificial intelligence (AI) techniques. If your organisation uses machine learning and AI in large data sets as part of its business, you will need to consider a range of specific ethical issues.
For example, part of the value of big data-driven processes involving machine learning and AI is that these processes can analyse vast amounts of information more quickly than humans could, and in doing so may also be able to make novel, unpredictable associations across the data, which can be used for producing insights and making similarly novel predictions relevant to whatever the goals of your organisation are.
These technologies are proliferating because for certain well-defined tasks they can outstrip what can be achieved by human data analysts using conventional statistical techniques. However, because they may be able to surpass conventional techniques used in data analysis, it can be hard to predict what associations and insights might be produced, what might be revealed from the data, and what options for further uses in future it might be possible to put the data towards.
This unpredictability has ethical implications for the consent processes that your organisation should have in place when relying on consent to process an individual’s personal data, and ask for permission from individuals to collect, hold, and link their data[3]. In the contemporary context, where machine learning and AI are becoming increasingly commonplace, it is similarly vital that your organisation can anticipate, articulate, and navigate these uncertainties when seeking consent from the people whose data it wishes to use. Even where your organisation relies on a different legal standard other than consent, for example something being in the public interest, there remains a question as to whether the original lawful basis according to which the data was collected maintains the same lawful basis throughout the lifecycle of the use of the AI model; and this has both ethical and legal consequences.
Individuals may be uncomfortable with the idea that in some instances you are unable to tell them how their data might be used in future, and what the risk to them is because of this. Being able to help them weigh up these risks to come to an informed decision, and being able as an organisation to manage the risks associated with processes which may have unpredictable outcomes, is a vital aspect of data ethics which your organisation should ensure it understands and can manage.
Why is ethics important?
In short, ethics is important because people matter morally. Everyone has the same moral status. It is moral status which generates rights to particular standards of treatment and generates obligations in other individuals and institutions to ensure that those rights are respected. This means that ethics is important because it places obligations on each of us, and the organisations for which we work, that we are all responsible for observing.
Everyone has asked at some point whether they or others are doing the right thing, and we all have experiences of having come to harm of some kind by something done to us, even if what was done was not a crime. When we are thinking about what the right thing is to do, or what we ought to do, we are thinking about ethics. Given we have all asked ourselves at some point what the right thing to do is and why, we all recognise the importance of acting ethically in the interests of the people close to us and others in society.
Also, we expect others to act ethically towards us so that we do not come to harm, and this applies not only to people close to us, but by institutions and organisations that we are involved with as well. So, ethics is important because if everyone, including us, ensures that they act in an ethical way, we should be less likely to come to harm ourselves.
At IGS we think this matters in the context of data governance. Because people matter morally and deserve certain standards of treatment, the same applies to the data held about them by organisations. For instance, it matters that people’s privacy is protected when it comes to their personal health data; and it matters that organisations holding people’s data are as explicit as possible about the purposes to which the data collected might be put, especially when this involves medical research. Individuals need to be able to trust the organisations that hold data about them[4], and we know from our own lives how ethically important trust is.
So, without even considering what the law allows or prohibits, we know from thinking about our own lives why ethics matters. We know how we would want to be treated by an organisation which holds information about us and why, so in the context of data governance, for this reason it is important that those responsible for managing our data ensure that their practices meet those ethical expectations.
Ethics and the law
We are all expected to follow laws. Laws are used to govern behaviour, by imposing rules and defining limits to what people and organisations can do without punishment or sanction. Although it is a somewhat simplified picture, laws exist to: protect social order; enforce property rights; prevent harm; ensure that the individuals and institutions of a society can co-exist harmoniously; provide recourse for people when harm is caused to them by others not observing those laws so that those others can be held to account; and so on. We are also all familiar, to varying degrees, with what ethics is, and it can sound very similar to the law: if we act ethically, we assume that we promote each other’s mutual wellbeing and observe a standard to which we can hold others if they do not treat us as they should. If that is the case, then presumably if we act within the law, we are also doing what is ethical.
Unfortunately, though, the relation between ethics and the law is not this simple[5]. Some practices that are unethical are allowed in law, and some are prohibited for which there are grounds to argue that they should be permitted. The law can change over time in response to challenges that it should be otherwise and can lead to unfair legal judgements. However, this is a slow process.
When we apply this to the context of data use by your organisation, it implies a choice about what your organisation should do when considering what data governance processes and practices to implement. Should your organisation ensure only that what it does with data is within the law, without giving further attention to the ethical dimensions of its practices? Or should it also consider whether what it is legally permitted to do is also ethical and seek to ensure ethical practice, even if the law does not demand it?
According to the first view, in the context of data governance, if an organisation observes the law, there is no reason to expect it to meet any further, higher, ethical standard claimed to be beyond what the law permits and forbids. This view takes a neutral stance on the ethical adequacy of the law. Applied to the context of data governance, adopting an approach to an organisation’s practices based on this view would mean that an organisation need not feel obliged to go beyond ensuring that its practices and processes are legal. At IGS, we believe that this is not sufficient, and organisations should not be satisfied only with whether what they do is within the law.
A competing view, which we endorse at IGS, is that there is scope for legitimate criticism of laws and regulations, where these fail to meet appropriate ethical standards. Although ethics has features in common with the law, and although in many cases the law does permit what is ethical and forbid what is unethical, this is not always the case. For instance, just because slavery was once legal in UK law it does not mean that slavery was ethical; and, indeed, it was in part because slavery is unethical – or immoral – that it was eventually abolished. As such, if we think that it matters whether or not laws are fair or just, we should not assume that the boundary between legal and illegal also necessarily distinguishes ethical actions from unethical ones: whether it does or not requires scrutiny based on expertise in ethical analysis and reasoning.
At IGS we think that this is important because it matters if people come to harm through unethical practices engaged in by the organisations holding their data, even if those practices are within the law. It is vital that organisations who want to collect, store, and use personal data are trustworthy, such that individuals can have peace of mind in allowing organisations to do so. This is ethically important at the individual level and at the societal level[6]: it is important to ensure individuals do not come to harm; and if society, as a whole, wants to reap the benefits offered by contemporary data science, and particularly in the field of healthcare, it is important that individuals are content for their data to be used.
Our view at IGS is that all organisations should think carefully about their data governance processes and give close attention not only to whether what they do is legal, but whether it also meets standards of ethical practice that are important independently of their legal status. If organisations can think about their data governance decisions in this way, they will be better able to identify risks, evaluate whether or not the law covers those risks, and develop the best possible processes and practices for ensuring that they meet the standard expected of them by those whose data they hold. IGS can offer high level expertise to your organisation to help you to do this.
Why should your organisation practice ethical data governance?
In summary, you and your organisation should ensure is not only that it is legally compliant but acting in an ethical way, for several reasons. Our view at IGS is that responsible practice requires explicit adherence to the appropriate ethical standards as well as observance of the law, even if you are legally permitted to conduct your business by observing only the latter.
First, your organisation should practice ethical data governance because data is about people, and people matter morally. Whether you are dealing directly with people or just handling information about them, insofar as you are providing a service to them, they are entitled to be treated with the same degree of respect that we would expect, were we the client.
Second, because the law does not always necessarily enforce what is ethical, being able to ensure ethical data governance practices, rather than assuming it, depends on explicit engagement with the relevant ethical dimensions of what your organisation wishes to do. Ethical practice cannot be guaranteed without doing this, so it is a necessary step for your organisation to take.
Third, ensuring your organisation is trustworthy is good business sense. Your organisation can help to protect its revenue by making sure that those whose data you hold can have confidence in allowing you to do so. We are all familiar with the idea that an organisation can operate legally but engage in practices that are questionable. This is an undesirable perception for people to have of yours.
How IGS can help
IGS offers a comprehensive suite of services in all aspects of data ethics, including but not limited to:
- Analysis of any existing data governance guidelines, processes, protocols for ethical best practice that your organisation already has in place. We can assess the adequacy of these and make recommendations about how to improve them where necessary.
- Your organisation may have no guidelines in place to ensure ethical best practice in data governance. If so, we can help you to develop these in accordance with the goals of your organisation and the uses to which the data it holds is put.
- Assessment of your organisation’s legal compliance with data governance regulations in terms of ethical risks that might arise in the context of your particular business activities. Having identified any risks, we can provide advice about how you can mitigate them.
- If your organisation recognises that it wants to ensure it meets the necessary ethical standards in data governance, but you need clarity about how its values and principles can assist in this, we can help you to better understand what those values and principles are.
- We can deliver training in data ethics to your organisation according to your specific requirements. This could be general and broad training in data ethics; specific training in areas such as consent or AI; or any combination required, tailored to your requirements.
If your organisation has data ethics needs not listed here, contact us so that we can discuss this and provide a tailored service according to your requirements.
[1]https://gdpr-info.eu/recitals/no-26/
[2]https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/923108/Data_Ethics_Framework_2020.pdf
[3] https://link.springer.com/article/10.1007/s11948-021-00282-0
[4] https://jme.bmj.com/content/medethics/47/12/e26.full.pdf
[5] https://tinyurl.com/643jfwhc
[6] https://www.sciencedirect.com/science/article/pii/S2452310017300264
