In order to encourage innovation in their regions, digital information strategies are being adopted which recognize that the internet and digital technologies are transforming the world. These strategies address the needs of business, government and the public to impact the competitiveness of their country’s economy, while recognizing the protection of personal data and fair data processing are necessary for the development of Internet-based economies. If individuals do not trust how organizations are using their data and how organizations are transforming data into information and information into knowledge, and the law is challenged to keep up with the technology, the full value and beneficial consequences to individual and groups of individuals will not be fully realized. As the complexity of internet and digital economies continue to grow, a key building block to addressing these goals will be how accountable data stewards act in a trustworthy and accountable manner.
In 2015, the IAF questioned What Does Information Accountability 2.0 Look Like in a 21st Century Data World? Since that time, terms such as data ethics and ethical processing are increasingly being used. The popularity of these concepts stems from the rapid growth of innovative data-driven technologies and the application of these innovations to areas that can have a material impact on people’s daily lives. The sheer volume of data that is observable and where inferences can be made as the product of analytics has and will continue to impact many facets of people’s lives, including new health solutions, business models, personalization for individuals and tangible benefits for society. Yet these same data and technologies can have an inappropriate impact and even harm on individuals and groups of individuals and cause negative impact on societal goals and values. An evolved form of accountability, ethical processing, applicable to advanced data driven technology, is needed to help enable the realization of the benefits of this use of data but address resulting risks.
We are witnessing several trends. First, as technological and data impacting activities continue to challenge existing privacy laws, wave four privacy laws will take the positive innovations in the GDPR and add processes that let society benefit from the data driven fourth industrial revolution. We are seeing some of this tension play out in the United States as it is in the initial stages of creating a privacy framework to govern data for the next generation. These developments will require starting with a framework such as the IAF put forward that preserves thinking and learning with data so key to prosperity and innovation and that is interoperable with other regimes. However, these new privacy laws will take some time to fully mature.
Second, and perhaps more current, as data impacting activities get more complex and the questions of consequential impacts to individuals get larger, there are growing calls for an ethical approach to data processing. There is also a growing trust deficit as to how organizations can be viewed as ethical, fair or trustworthy stewards of data. In short, calls for ethical data processing are responses to the need to address the broader fairness issues to an individual or impacts to an individual. These calls are why Privacy and Privacy Compliance will lessen in their ability to be fully satisfactory.
Wave four frameworks will consist of new ways to address individual rights and participation in data ecosystems. But, they will also reframe the expectations and obligation on organizations that act as data stewards.
Acting ethically means organizations need to understand and evaluate advanced data processing activities and their positive and negative impacts on all parties. This approach means organizations will need to be effective data stewards and not just data custodians. Data custodians manage obligations that are largely created externally and for them. Data stewards consider the interests of all parties and use data in ways that create maximum benefits for all parties while minimizing risks to individuals and other parties. They ask whether the outcomes of their advanced data processing activities are legal, fair and just. In other words, they operate from the belief that “just because you can does not mean you should”.
This approach is similar to corporate social responsibility which encompasses the economic, legal and ethical expectations that society has of organizations at a given point in time. Like corporate social responsibility, organizations have a corporate data responsibility which encompasses the economic, legal and ethical responsibilities they have with respect to the data they collect, create, transfer and disclose. These responsibilities form the basis for data stewardship.
Like corporate social responsibility, ultimately, data stewardship is predominantly driven by organizational defined values or principles, policies, culture and conduct and not just technological controls. Thus, the core question is: what does an appropriate trustworthy and accountable framework look like for a data steward?
Enhanced Data Stewardship Accountability Elements
In 2009, the accountability principle in the OECD Privacy Principles formed the basis for the Essential Elements of Accountability (Essential Elements). In 2010, the EU Article 29 Data Protection Working Party issued opinion 3/2010 on the principle of accountability. The Office of the Privacy Commissioner of Canada and provincial commissioners in Alberta and British Colombia adopted accountability guidance in 2012. Hong Kong issued accountability guidance in 2014 and updated it in August 2018, and Colombia issued accountability guidance in 2015. Now, accountability is the foundation of the GDPR. The guidance and the adoption of the GDPR has elevated accountability from check-box compliance to a risk-based approach but has not fully kept up with the advanced data processing activities, such as AI and ML, that may be impactful on people in a significant manner. To be able to transform data into information and information into knowledge and insight and knowledge into competitive advantage, for individuals to be able to trust data processing activities that might not be within their expectations, enhanced data stewardship accountability (Enhanced Accountability) is needed.
The IAF, under a project commissioned by the Hong Kong Privacy Commissionaire, worked with approximately 20 Hong Kong organizations, to create the Ethical Data Stewardship Accountability Elements. These Enhanced Elements call for organizations to:
- Define data stewardship values that are reduced to guiding principles and then translated into organizational policies and processes for ethical data processing.
- Use an “ethics by design” process to translate their data stewardship values into their data analytics and data use design processes so that society, groups of individuals, or individuals themselves, and not just the organization, gain value from the advanced data processing activities, such as AI and ML.
- Require Ethical Data Impact Assessments (EDIAs) when advanced data analytics may be impactful on people in a significant manner or when data enabled decisions are being made without the intervention of people.
- Use an internal review process that assesses whether EDIAs have been conducted with integrity and competency, if the issues raised as part of the EDIA have been resolved and if the advanced data processing activities are conducted as planned.
- Be transparent about processes and – where possible – enhance societal, groups of individual or individual interests; communicate the data stewardship values that govern the advanced data processing activities, such as AI or ML systems developed, and that underpin decisions widely; address and document all societal and individual concerns as part of the EDIA process and design individual accountability systems that provide appropriate opportunities for feedback, relevant explanations and appeal options for impacted individuals.
- Stand ready to demonstrate the soundness of internal processes to the regulatory agencies that have authority over advanced data processing activities, including AI or ML processes, as well as certifying bodies to which they are subject, when data processing is or may be impactful on people in a significant manner.
The full Ethical Data Stewardship Accountability elements (link to full version) underpin or are the foundation to an ethical data processing business framework that includes Data Stewardship Values and an ethical assessment process.
The IAF believes these enhanced Ethical Data Stewardship elements will play a significant role in wave four privacy laws but, more impactfully, for organizations to demonstrate trustworthy data stewardship. This will be key for the success of digital strategies whether they be for an individual company or for an economy’s overall growth.
Ethical Data Stewardship is but one key part of the Hong Kong project. Please join us in Brussels 23 October at 14:30 at The Hotel, Room 23.5, for a side event on the Hong Kong project and its outputs. To register, please use the link below.