Cross-posted from Security, Privacy & the Law
January 28 is Data Privacy Day, and on this 14th annual Data Privacy Day, I find myself reflecting on the question of data ethics.
Far from being an academic concept, “data ethics” presents a model for data management with real practical implications for organizations. (I should note that I am focused here on personal data.) To understand what the concept might entail, let’s take a step back and talk about two other models for data management: compliance and governance.
The compliance model of data management looks at an organization’s privacy practices and asks what laws apply to the organization’s practice, and what must be done to be in compliance with those laws. It is a sensible, resource-sensitive model that helps ensure a diligent organization will not run afoul of current laws. It runs certain risks, however: by focusing on compliance, an organization might fail to appreciate other risks connected to their data use. It also can tend to be one step behind the law, being reactive to the latest changes.
The governance model of data management incorporates compliance, but its posture is different: through a governance model, an organization thinks of data as a matter of risk, and treats it holistically. The question is not, what does the law require me to put in my policy (although, you should check); the question is, how can I best manage the risks that come from the data my organization collects and processes? As I have advocated elsewhere, organizations that ask these questions tend to be better equipped not only to manage their day-to-day privacy and data security risks, but also to anticipate changes in the law and demonstrate reasonable diligence in the event of a government investigation, or consumer or counterparty litigation. The drawback, in comparison to the compliance model, is that adopting a governance model is much more resource-intensive, and requires far more work to create a reasonable process. Whether your organization adopts a compliance or governance model may have as much to do with how regulated your industry is as it does with how mature, or how large, the organization is.
There is a third model, however, and one that is growing in salience: an ethics model. An ethics models necessarily incorporates compliance and considers risk, but the questions animating an ethics model are altogether different. At its core, an ethics model of data management begins with the question of what is owed to the individual and the community when collecting and processing data. While an organization must do its business, whatever that business may be, the management problem is at bottom one that is centered on the individual’s needs and expectations, and on the duties that might be owed to an individual. Ethics models have the benefit of “future proofing” an organization from the shocks of regulatory change, as states and countries adopt increasingly strict laws around personal data, biometrics, and the use of personal data in algorithms.
To make this concrete, consider privacy policies. Under a compliance model, the questions an organization might ask are, what does the law require that I do when it comes to privacy policies? What do they have to say, and where do they have to be posted? You would then likely to proceed to adopt a successful template and post it, perhaps auditing the policy regularly against changes in the law and changes within the organization.
Under a governance model, an organization might instead ask, what data do we have and what risks do they pose? How should we handle and manage data in various categories, or for various constituents? This might lead to creating sets of policies that are outward facing, internal employee policies, and other information security and privacy practices; it might also lead to a need to train and educate employees on policies, to emphasize clarity in policy communications, and to think about the ways changes in data flow risks create needs to change policies and protocols. But here the organization’s consideration in the first instance is about forming a strategy for data management, not in creating specific documentation.
Under an ethics model, the organization might instead ask, are we handling data appropriately, and what do the individuals who give us data need to know, or what might they reasonably expect to know, about the data we collect? What control should they reasonably have over their data and how it’s shared? This might lead to policies that give greater transparency than what is legally required about how data is managed; or to contract language with third parties that place heightened requirements over data use and clearly define misuse; or to providing interfaces to individuals to designate how they want their data treated and shared.
As a member of Foley Hoag’s Global Business and Human Rights (formerly, Corporate Social Responsibility) practice group, I see companies increasingly concerned about how to think about the relationship between the data they process and collect, and questions of bias and discrimination. As the uses of artificial intelligence become ubiquitous, there are serious questions about how much data organizations collect, and how they use it. An ethics model of data management considers these questions carefully, going beyond questions of legal permissibility.
This Data Privacy Day, consider what model your organization has adopted. Is it the right one, or is now a good opportunity to reevaluate how you think about data management?