Robert Bond and Hannah Crowther
Whilst there has been much attention to data protection as a result of the EU General Data Protection Regulation as well as the recent flurry of similar legislation in other parts of the world including California, Brazil, Bahrain, Kenya and South Africa, the focus for the most part has been on compliance with law and regulation.
Ethics as been a central issue for many sectors for a while but the increasing use of technology, raises concerns about not only compliance with law and professional standards, but also ethics and personal data.
The 40th International Conference of Data Protection and Privacy Commissioners has released a Declaration on Ethics and Protection in Artificial Intelligence. In it, the Conference endorsed several guiding principles as "core values" to protect human rights as the development of artificial intelligence continues apace. The Conference called for the establishment of international common governance principles on AI in line with these concepts. As an initial step toward that goal, the Conference announced a permanent working group on Ethics and Data Protection in Artificial Intelligence.
Recently the well-known analyst Gartner named digital ethics and privacy as one of Gartner’s top 10 strategic technology trends for 2019. In addition the UK Department for Media, Culture and Sport updated the Data Ethics Framework aimed at public sector saying, “Ethics and innovation are not mutually exclusive. Thinking carefully about how we use our data can help us be better at innovating when we use it.”
As businesses become more used to concepts such as Privacy by Design and make effective use of Privacy Impact Assessments so the notion that, “just because we can, doesn’t always mean we should” is becoming a norm.
The recent flurry of well publicised data breaches and fines are having an impact on those organisations as regards damage to their brand and their position of trust in the eyes of both shareholders and consumers. In October 2018, Anthem, Inc. agreed to pay $16 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest health data breach in history and exposed the electronic protected health information of almost 79 million people.
The OCR press release at the time stated that “in addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.”
The European Data Protection Supervisor (EDPS) recently published a summary of outcomes from its public consultation on digital ethics and the topic was also discussed at length at the 2018 International Conference of Data Protection and Privacy Commissioners.
The EDPS publication indicated that more than 80% of respondents to their survey affirmed that ethics relating to new technologies is, or will soon be, on the agenda of their organisation, many of them considering it “important”, “extremely relevant”, or even “mandatory” and “a priority”.
Many of the respondents to the survey acknowledged that ethics is more than a tick box exercise and goes beyond merely complying with the law and that “failing in the transparent and fair processing of data can have disruptive effects on the business”.
The Gartner report says that, “any discussion on privacy must be grounded in the broader topic of digital ethics and the trust of your customers, constituents and employees. While privacy and security are foundational components in building trust, trust is actually more than just these components. Trust is the acceptance of the truth of a statement without evidence or investigation. Ultimately in organisations position on privacy must be driven by its broader positon on ethics and trust. Shifting from privacy to ethics moves the conversation beyond, “are we compliant” toward “are we doing the right thing””.
Even if Scott McNealy was right in 1999 (when he reportedly said, “You have zero privacy anyway – Get over it.”), individuals deserve respect for their privacy. This respect does not always have to be imposed by law, but should be a matter of integrity and ethics.