Big Data Ethics: 8 Key Issues to Ponder
There's a lot of gray area when it comes to the ethical collection, use, and analysis of data. Consider these 8 data ethics issues when assessing your data use practices.
![Image of the word 'ethics' over binary code. Image of the word 'ethics' over binary code.](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt7ad49beebcf5c794/64cb4b213f8e876765a4d88c/1-binary-823336_1280.jpg?width=700&auto=webp&quality=80&disable=upscale)
Geralt / Pixabay
The volume and types of data describing individuals and organizations continue to expand, and this trend will continue as sensors make their way into more of the everyday items we use. There are fine lines that separate the use and misuse of data, and some industry associations are addressing the issue head-on with ethical guidelines. While organizations usually have stated privacy policies, more could be done to ensure the ethical use of data.
Although obvious offenses such as fraud are clearly unethical, there is a lot of gray area when it comes to the collection, use, and analysis of data. Ethical guidelines, laws, statutes, and regulations may draw many lines. Even so, questionable situations can arise at various stages of the data life cycle that can confound reasonable people and expose their organizations to risks. Knowing that, the Data Science Association has established the Data Science Code of Professional Conduct to help data scientists navigate tricky situations.
[Read more about analytics and data visualization.]
"Right now, we're just giving guidance. It's to help you, as a data scientist, do the right thing," said Michael Walker, cofounder and president of the Data Science Association. "Their clients or parent organizations can use them in tricky situations where they're going to hurt people at the macro level and hurt people at the micro level." While the Data Science Association is not enforcing its guidelines, it plans to do so in the future.
Two other examples are the American Statistical Association, which created and has an enforcement mechanism for the Ethical Guidelines for Statistical Practices, and the Digital Analytics Association, which created but does not enforce the Web Analyst's Code of Ethics.
The professional associations' guidelines help promote ethical practices in specific roles. However, ethical behavior is an organizational issue. There's no single type of professional that can have sole responsibility for it. Following are some of the basics that companies should consider when measuring their own data ethics.
Ethical data practices are a means of gaining trust, demonstrating organizational integrity, and reducing risks. However, what is considered ethical can change with time, location, the legal and regulatory climates, sociological changes, and personal opinion, leaving considerable room for interpretation. Meanwhile, technology is moving fast, enabling finer-grained profiling of individuals and companies. While most people may want to do the right thing, what's "right" may not be crystal clear.
"Business has an ethical obligation, which means maintaining the security and integrity of the data. I think integrity is often left out of the discussion because it's more of an amorphous term and taken for granted," said Tara Swaminatha, of counsel at law firm DLA Piper, in an interview. "By integrity I mean it's important that the data you have in the database is what you put into it and it hasn't changed. It's good to have that general premise -- security plus integrity in the way you collect and manage data."
There are a lot of opportunities for ethical transgressions, whether they're intentional or not, ranging from misrepresenting the quality of data, or the limitations of analysis, to using data in harmful ways.
"There are these twin imperatives: insight and trust. Often we've seen companies race to the art of the possible without considering the three pillars of data strategy, data usage, and data governance," said Tim Barker, chief product officer at human data intelligence platform provider Datasift, in an interview. "This isn't about slowing down innovation, but looking at the application of the data, looking at the benefits for consumers and customers as well as organizations."
For some people, the title they associate with responsibility for ethics begins with a "C": the chief data officer, chief ethical officer, CEO, chief privacy officer, COO, CIO, CTO, or CMO. Or it may be the governance committee or the social responsibility team. Regardless of where the buck may stop, ethical behavior is a broader organizational issue.
"Now that everything is electronic, there's a view among many organizations that it's just an IT problem," said Judy Selby, co-leader of the information governance team at law firm BakerHostetler. "Particularly for commercial users now, it's a CMO issue, a marketing issue, and I think that's not the best approach to ensure you're not going to alienate your customers or cause some reputational damage to the company itself."
Not everyone agrees whether ethics is a top-down organizational issue, but many agree that it is an organization-wide issue that requires the involvement of the board, the C-suite, managers, and ultimately employees.
"Particularly as we move into an Internet of Things world, if the ethics of data use is not part of everybody's job description we're making a big mistake," said Becky Burr, deputy general counsel and chief privacy officer at cloud-based information and analytics company Neustar, in an interview. "It certainly is the responsibility of all the inhabitants of the C-suite, because without that kind of leadership from the top you get 'talk-the-talk but not walk-the-walk' kind of commitments. It has to be built into people's performance evaluation, so managers need to understand it."
The professional organizations providing ethical guidelines may or may not enforce them and they may or may not offer certification. For example, a statistician accredited by the American Statistical Association is bound by the Ethical Guidelines for Statistical Practice, but a regular member is not, according to executive director Ronald Wasserstein. Interestingly, what the professional organizations offer -- ethical guidelines, education (certification or accreditation), and enforcement -- are things organizations should also consider.
Like professional associations, companies have a better chance of promoting ethical behavior if they define what ethical behavior is. It is also wise to provide some sort of education or training that put the guidelines in context so they're not just theoretical.
"Education is important because the first step is for employees and management in companies is to realize that dealing with personal data raises ethical questions and can have real-world consequences for individuals," said Omer Tene, VP of research and education at the International Privacy Professionals Association (IAPP), in an interview. "Businesses should account for the data they collect, store, and use and who they share it with or transfer it to, and should have policies and internal enforcement. Otherwise, they might find themselves dealing with external enforcement actions by regulators like the FTC or class actions or individual actions."
Policies and education can help raise awareness about ethical issues, but the most effective way to cultivate ethical behavior throughout an organization is to weave it into the culture.
"Cultures are important because that way people can be on the same path to a common understanding," said Bil Harmer, chief security officer of cloud analytics firm GoodData, in an interview. "You need to have a code of conduct that is communicated to the employees and allow them to give feedback."
When ethics is baked into the culture, there is a higher probability that people will lead and learn by example. However, another important aspect is enabling the workforce to self-regulate so potential issues can be identified and dealt with more expediently.
"The culture that the company tolerates will dictate what people think they can do. If the message is sent from the C-suite down through the management level, it has to be seen as a priority for the company," said Judy Selby, co-leader of the information governance team at law firm Baker Hostetler. "If someone trusts you with their data, you want to take on the responsibility to protect it. You want to ensure your employees are up to speed, updated, and that it's priority for the business."
Employees should be empowered to bring up suspect data-related issues that they observe, which can only happen if the culture encourages, if not rewards, such behavior.
"It's important to say, 'Look, your personal perspective about whether public data collection or use is fair or not fair matters to us.' It is incumbent on you to tell us that," said Becky Burr, deputy general counsel and chief privacy officer at Neustar. "I regularly get calls from folks working on projects where they'll say, 'You know, I was wondering if this is OK because it seems odd to me.'"
The Data Science Association encourages similar interchanges among its members.
The Data Science Association, American Statistical Association, and Digital Analytics Association guidelines were developed with their target audiences in mind. (Visit the individual industry association websites, linked above, to see each organization's guidelines.) Even so, there are some commonalities that merit general consideration.
Protect confidential, personally identifiable, and privileged information.
Prevent the inadvertent or unauthorized disclosure of confidential, personally identifiable, and privileged information.
Do not misrepresent the quality of data.
Do not misrepresent the completeness of data.
Do not misuse data or statistics in a way that misrepresents the truth.
Do not misrepresent the scope of what data science or statistical analysis can do.
Understand (or if you're the expert, communicate) the options available and their associated risks.
Use scientific methods if you're a data scientist or statistician. Understand the importance of scientific methods if you have other responsibilities.
"It's about transparency, disclosure, and fair use," said Jennifer Grygiel, assistant professor at the SI Newhouse School of Public Communications at Syracuse University, in an interview. "When you're using data in a way that it wasn't intended, then you need to stop and evaluate."
We asked the individuals we interviewed what ethical guidelines should apply to business professionals generally. While some declined to comment, others contributed ideas that were substantially similar. Their recommendations include:
The Golden Rule: Don't collect or use personal data in a manner you wouldn't consider acceptable if it were your personal data.
Do no harm (inspired by medical ethics).
Make sure the use of data is consistent with your brand image.
Make sure your customers -- not just your company -- get value from the data they provide you.
Build privacy, security, and respect for the customer into products.
Be transparent about your data policy and notify people when it changes.
Not everyone advocates the idea of enumerated rules or guidelines (or at least as some organizations may be using them). "The companies I've seen that are regulating data lay out things you can (or can't) do with data. It's either a black list or white list and that's too heavy-handed," said Daniel Castro, head of the Center for Data Innovation. "A better way is to give companies more flexibility [by having] a regulatory system that incentivizes them to not hurt consumers or not hurt individuals or let harm come to individuals as a result of their actions."
Individuals and organizations face ethical decisions every day concerning the collection, storage, and use of data. New payment methodologies under the US Affordable Care Act are making it necessary for healthcare providers to use big data and analytics despite Health Insurance Portability and Accountability Act (HIPAA) privacy and security limitations, which is creating conflicts and concerns related to data privacy, according to Mark Pastin, president of Health Ethics Trust, which often addresses privacy and security concerns related to HIPAA.
"The Center for Medicare and Medicaid Services (CMS) has begun a program, which it eventually wishes to extend to all Medicare reimbursement, called value-based purchasing. The idea behind it is that [a healthcare provider or company presents] CMS with data that shows that you are providing services that meet quality requirements -- and the only way you can satisfy the requirements is by using data analytics," said Pastin in an interview.
Most healthcare providers are small businesses, and some of them don't understand data analytics or when they're violating privacy standards, Pastin said. Although HIPAA permits data analytics using data that does not contain personally identifiable information (PII), the details are confusing to small businesses.
"There are a lot of incentives in massaging the numbers," said Pastin. "The healthcare literature is full of inventive ways of using analytics to present you in a favorable light. The big ethical challenge is that the data will be questionable whether it's used for scientific purposes or reimbursement purposes. We've created an incentive for that data to show certain things."
A couple of healthcare quality metrics are telling. For example, hospital-acquired conditions are a negative indicator, but bacterial pneumonia is not, so there is an incentive to misreport actual conditions. Another negative indicator is whether patients have been readmitted with the same diagnosis within 30 days. To avoid that, some patients are being advised to come back a couple of weeks later because the second visit would fall outside the 30-day window.
Individuals and organizations face ethical decisions every day concerning the collection, storage, and use of data. New payment methodologies under the US Affordable Care Act are making it necessary for healthcare providers to use big data and analytics despite Health Insurance Portability and Accountability Act (HIPAA) privacy and security limitations, which is creating conflicts and concerns related to data privacy, according to Mark Pastin, president of Health Ethics Trust, which often addresses privacy and security concerns related to HIPAA.
"The Center for Medicare and Medicaid Services (CMS) has begun a program, which it eventually wishes to extend to all Medicare reimbursement, called value-based purchasing. The idea behind it is that [a healthcare provider or company presents] CMS with data that shows that you are providing services that meet quality requirements -- and the only way you can satisfy the requirements is by using data analytics," said Pastin in an interview.
Most healthcare providers are small businesses, and some of them don't understand data analytics or when they're violating privacy standards, Pastin said. Although HIPAA permits data analytics using data that does not contain personally identifiable information (PII), the details are confusing to small businesses.
"There are a lot of incentives in massaging the numbers," said Pastin. "The healthcare literature is full of inventive ways of using analytics to present you in a favorable light. The big ethical challenge is that the data will be questionable whether it's used for scientific purposes or reimbursement purposes. We've created an incentive for that data to show certain things."
A couple of healthcare quality metrics are telling. For example, hospital-acquired conditions are a negative indicator, but bacterial pneumonia is not, so there is an incentive to misreport actual conditions. Another negative indicator is whether patients have been readmitted with the same diagnosis within 30 days. To avoid that, some patients are being advised to come back a couple of weeks later because the second visit would fall outside the 30-day window.
-
About the Author(s)
You May Also Like