The thinkdotank DataEthics.eu has developed a set of data ethics principles and guidelines that may help the integration of data ethics in your data processing activities. Here, we present the principles, a detailed questionnaire and a FAQ on data ethics. They may be reproduced freely as long as DataEthics.eu is clearly credited with a link to our website. It is all below, but you can also download them as a pdf: Dataethics-uk
- Definition of data ethics
- Principles of data ethics The Human Being at the Centre / Individual Data Control / Transparency / Accountability / Equality
- FAQ on principles of data ethics
DEFINITION OF DATA ETHICS
Data ethics is about responsible and sustainable use of data. It is about doing the right thing for people and society. Data processes should be designed as sustainable solutions benefitting first and foremost humans.
Data ethics refer and adhere to the principles and values on which human rights and personal data protection laws are based. It’s about honest and genuine transparency in data management. To actively develop privacy-by-design and privacy-enhancing products and infrastructures. To treat someone else’s personal information as you wish your own, or your children’s, treated.
Data ethics is the step further than mere compliance with personal data protection laws: All data processing therefore respects as a minimum the requirements set out in the EU’s General Data Protection Regulation (GDPR), the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights.
PRINCIPLES OF DATA ETHICS
THE HUMAN BEING AT THE CENTRE
Human interests always prevail for institutional and commercial interests. People are not computer processes or pieces of software, but unique with empathy, self- determination , unpredictability, intuition and creativity and therefore have a higher status than machines. The human being is at the centre and have the primary benefit of data processing.
INDIVIDUAL DATA CONTROL
Humans should be in control of their data and empowered by their data. A person’s self-determination should be prioritised in all data processes and the person should be actively involved in regards to the data recorded about them. The individual has the primary control over the usage of their data, the context in which his/her data is processed and how it is activated.
Data processing activities and automated decisions must make sense for the individual. They must be truly transparent and explainable. The purpose and interests of data processing must be clearly understood by the individual in terms of understanding risks, as well as social, ethical and societal consequences.
Accountability is an organisation’s reflective, reasonable and systematic use and protection of personal data. Accountability is an integral part of all aspects of data processing, and efforts are being made to reduce the risks for the individual and to mitigate social and ethical implications. Sustainable personal data processing is embedded throughout the organisation and ensures ethical accountability in the short, medium and long term. An organisation’s accountability should also apply to subcontractor’s and partners’ processing of data.
Democratic data processing is based on an awareness of the societal power relations that data systems sustain, reproduce or create. When processing data, special attention should be paid to vulnerable people, who are are particularly vulnerable to profiling that may adversely affect their self-determination and control or expose them to discrimination or stigmatisation, for example due to their financial, social or health related conditions. Paying attention to vulnerable people also involves working actively to reduce bias in the development of self-learning algorithms.
These questions can be used in combination with the FaQ to work with data ethics dilemmas in your organisation. You can for example use your discussion of the questions as a basis for preparing data ethics guidelines.
The Human Being at the Centre
- Is your data processing based on the fact that you borrow data from the users (not owner of their data)?
- Do you ensure that the user’s rights are prioritised, rather than commercial or institutional interests?
- Do you ensure that primarily users benefit from their own data – not just the organisation?
- Do you use privacy-by-design principles, and can you describe them clearly and transparently?
Individual Data Control
- Do you ensure that users’ data – as far as possible – is processed directly on the users’ own device(s)?
- When the processing of data is necessary other than on the user’s own devices, such as your server or a cloud solution, is collected data not related to an identifiable person?
- Do you use profiling? If so, do you allow the user to influence and determine the values, rules and input that underlie the profiling?
- Do you use data to predict individual-level behaviour or only patterns?
- In which country is your data stored?
- Where is the storage solutions provider headquartered?
- Does the transmission of data go through countries outside of the EU?
- Do you use machine learning / artificial intelligence? If so, can you explain the algorithms – the criteria and parameters?
- Do you use personal data to influence user behaviour?
- Do you ensure that it is transparent when the use of personal data may influence a user’s behaviour?
- Do you ensure that the design does not create addiction and thus influences the person’s self-determination and empowerment?
- Do you operate with open source software, so others can use it and possibly develop it further ?
- When do you anonymise personal data?
- Do you use end-to-end encryption of data?
- Do you minimise the use of metadata and explain how it is done?
- Do you use zero knowledge as a design principle?
Sales of Data
- Do you sell data to third parties?
- Do you sell data as personal identifiable data?
- Do you sell data as patterns on an aggregated level?
- If you sell data, are you making sure that it is fully anonymised information only describing patterns, not individuals?
- Do you use third-party cookies?
- Does this include SoMe (social media) cookies and SoMe logins?
- Do you use Google Analytics or similar tracking tools?
- If you use third-party cookies, are your users fully aware that your cookie use leads to sharing of data about your users with third parties and do they agree with it?
- Do you enrich data with external data, such as social media data, bought data or web scraping?
- Does this enrichment occur in response to, or in cooperation with, your users?
- Do you have an individual or a department responsible for the ethical managing of data?
- How is the work with data ethics embedded in the organisation?
- How do you ensure that your data ethics guidelines are respected?
- Can the processing of data be audited by an independent third party?
- Do you require and and control the data ethics of your subcontractors and partners?
- Do you engage in dialogue with your users on a public platform?
- Do you have guidelines for using the platform?
- Do you moderate the platform in order to remove sensitive personal data?
- If your services are offered to children, do you ensure parental consent?
Reuse of data
- Is data used to develop or train an algorithm?
- Do you ensure that the use of data does not lead to discrimination?
- Do you ensure that the use of data does not expose the vulnerabilities of individuals?
- Do you ensure that the use of artificial intelligence / machine learning is to the benefit of the individual and does not cause physical, psychological, social or financial harm to the individual?