Peter Cullen issues New IAF Blog: Evolving Ethical Data Impact Assessments

Last fall, the Information Accountability Foundation (IAF) completed work, commissioned by the Office of the Hong Kong Privacy Commissioner for Personal Data, that explored what Ethical Data Stewardship would consist of and what an Ethical Data Impact Assessment would look like. As Hong Kong Commissioner Wong so aptly put,

In order to encourage innovation in various global regions, digital information strategies are being adopted that recognize that the Internet and digital technologies are transforming the world, that the needs of business, government, and the general public impact the competitiveness of their country’s economy, and that the protection of personal data and fair data processing are needed for the development of Internet-based economies

This IAF work, and in particular the model Ethical Data Impact Assessment (EDIA), was presented at the 40th International Privacy and Data Protection Commissioners conference, the theme of which was data ethics. IAF’s goal was to help translate sound, implementable business processes into a framework that would enable the economic benefits of technology-driven data innovation within a foundation of digital accountability. In other words, ethical data stewardship. Ultimately, the IAF sees this framework being a key part of Fourth Wave Privacy Legislation. Specifically, EDIAs are demonstrable ways that business users of data (data stewards) can achieve ethical or fair data processing.

Since its initial release, we have found enhancements, especially technology-related ones, that will facilitate an EDIA’s ability to address a broader range of issues. While other assessment frameworks, such as that of the Markkula Center for Applied Ethics, include toolkits (see An Ethical Toolkit for Engineering/Design Practice), they are heavily focused on technology and tech design, whereas the IAF’s EDIA was heavily focused on data and data analytics. Given the role technology plays in data-driven models, it seemed appropriate to find a marriage between the two. A revised model EDIA and oversight process can be found here. Additional enhancements to the IAF model EDIA are expected as experience with it grows. In addition, as this is a “model” assessment, the IAF fully expects it will be adapted to fit specific organizational needs.

IAF anticipates that the demand for “ethical data processing,” and by extension the need for an EDIA as part of an accountable data stewardship program, will grow due to several inter-related drivers:

First, data is playing a larger role in powering economic growth. Data is the fundamental “natural resource” of the digital economy and is at the heart of the innovation economy. Digital technologies transform data into insights that allow business to be more innovative with products and services and compete more effectively in the global market. If done appropriately, these developments provide benefits to all stakeholders including society. However, as Commissioner Wong and others have suggested, this growth cannot be fully optimized without trust, and trust is under assault. Innovative technologies, enhanced data analytics capabilities, and new applications of data are creating some unexpected and surprising insights and new business models. The result is questions relating to data use, concerns regarding the “balance of power” and current “governance” models.

Second, as data-impacting activities get more complex, the questions of consequential impacts to individuals (including fairness) increase, and the need to address the lack of trust in organizations being ethical, fair or trustworthy stewards of data is heightened. These questions have led to growing calls for an ethical approach to data processing. These calls are why privacy and privacy compliance programs alone will not be fully satisfactory even as new laws are created or as existing laws evolve. Absent clarity, many data protection authorities will believe they have all the authority they need to fill the vacuum to enforce ethical or fair behavior. In fact, some have stated this already and believe the General Data Protection Regulation (GDPR) provides this.

Third, the reality of “data matters more” starts to more clearly expose the differences between privacy and data protection. European Union law links autonomy and data protection to different rights enshrined in the Charter of Fundamental Human Rights of the European Union. Privacy tracks to Article 7, Respect for Private and Family Life, and data protection tracks to Article 8, Protection of Personal Data, which requires consent or some other legal basis to process. The GDPR takes a very broad view of Article 8 and interprets it to protect the fundamental rights and freedoms of individuals. This difference is not new, but it is more relevant with the increasingly larger role data is playing in our daily lives.

Fourth, ethical or fair data processing requires a data stewardship approach to governance which is different than compliance. Compliance is responding to externally created requirements, often prescriptive. Data stewardship is the proactive balancing of stakeholder interests and risks. This balancing is aligned to the goal of the GDPR to protect the fundamental rights and freedoms of the individual and to the requirement of “fair processing” in the GDPR. “Balancing” is a consequences evaluation exercise considering the beneficial impact of data, the risks, and the mitigation of those risks. As with almost all risk assessment processes, balancing is not a check-box compliance process. An EDIA is a process that looks at the full range of rights and interests of all parties in a data processing activity to achieve an outcome that assists an organization in looking at the rights and interests impacted by the data collection, use and disclosure in data-driven activities. The goal of the EDIA is to encourage information, communication and technology (ICT) innovation and competition by demonstrating that an organization has considered the interests of all parties before deciding to pursue an advanced data-processing activity.

Fifth, EDIAs do not just increase trust. As business is shifting its mix of value creation to be more centered on data, the questions it faces expand from “can I use data” to “should I use data”, and how should I do so. This decision-making expansion is magnified by the lack of clarity as to how current laws will be interpreted or enforced. For example, despite the impact the GDPR has had on increasing compliance requirements, before the ink was even dry on the GDPR, there were questions relating to whether these compliance requirements even worked relative to technologies like Artificial Intelligence. Increasingly, the internal result is decision-making friction. EDIAs do not answer the question “should I use the data in this way”, but they do organize the set of facts to allow for a fair or ethical assessment to be made, one that balances the interests of all stakeholders.

In conclusion, from a public policy perspective, EDIAs are a core part of what data stewardship accountability is currently and will be in the future. However, leading organizations are implementing them as they are demonstrable and defensible against evolving regulatory expectations. They also increase the optimization of data and value creation by enabling internal decision-making and, by extension, reducing the reticence that creates friction. This outcome benefits everyone.
