These are the principles and landmarks of data ethics as detailed by the ThinkDoTank DataEthics.eu. They may be used freely on the understanding that the ThinkDoTank is clearly credited and linked to the website.
- Definition of data ethics
- Principles of data ethics People at the centre / Individual data control / Transparency / Accountability / Equality
- FAQ on principles of data ethics
DEFINITION OF DATA ETHICS
Data ethics concerns the responsible and sustainable use of data. It is considered the ‘correct’ action in regard to people and society. Data processes should be designed as sustainable solutions benefitting humans.
Data ethics is about meeting the principles and values on which human rights and personal data laws are based. It’s about honest and genuine transparency in data management. To actively develop privacy-by-design and privacy-promoting products and infrastructures. To treat someone else’s personal information as you would wish your own, or even your children’s, should be treated.
Data ethics is the step further than compliance with personal data laws: All data processes therefore respect at least the requirements set out in the EU’s General Data Protection Regulations (GDPR), the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights.
PRINCIPLES OF DATA ETHICS
PEOPLE AT THE CENTRE
Human interests always prevail for institutional and commercial interests. People are not computer processes or pieces of software, but unique individuals with empathy, character, unpredictability, intuition and creativity and therefore have a higher status than machines. People are at the center and have the primary benefit of data processing.
INDIVIDUAL DATA CONTROL
Human beings should be in control of their data and empowered by their data. A person’s self-determination should be prioritised in all data processes and take an active interest in the data that is recorded about them. The individual has the primary control over what their data is used for, in what context, and how their data is activated.
Data processes and automated decisions must make sense for the individual. They must be transparent and be explained. The purpose and interests of data processing must be transparent to the individual in terms of understanding risks, as well as social, ethical and societal consequences.
Accountability is an organisation’s conscious, objective and systematic use and protection of personal data. Accountability and co-accountability are an integral part of all aspects of data processing, and efforts are being made to reduce the risks for the individual and to mitigate social and ethical consequences. Third parties and cooperating parties also have shared responsibility for their processing of data. Sustainable personal data processing is embedded throughout the organisation and ensures ethical accountability in the short, medium and long term.
Democratic processing of data is based on data systems helping to support the separation of power in society. When processing data, special attention should be paid to vulnerable people, such as people who due to their financial, social or health related conditions are particularly vulnerable to profiling that may adversely affect their self-determination and control or expose them to discrimination or stigmatisation. Paying attention to the vulnerable also involves working actively to reduce bias in the development of self-learning algorithms.
Check your organisation’s data ethics. With the questions below you can work with the data ethics dilemmas. Use if necessary, your answers as a basis for preparing data ethics guidelines.
People at the centre
- Is your data processing based on the fact that you borrow data from the users?
- Do you ensure that the user’s rights are prioritised, rather than commercial or institutional interests?
- Are you certain that it is the users who primarily get value from their own data – not just the organisation?
- Do you use privacy-by-design principles, and can you describe them clearly and transparently?
Individual data control
- Do you ensure that users’ data – as far as possible – is processed directly on the users’ own device(s)?
- When processing data is necessary other than on the user’s own devices, such as your server or a cloud solution, is the data collected unidentifiable?
- Do you use profiling? If so, do you allow the user to influence and determine the values, rules and input that underlie the profiling?
- Do you use data to predict individual-level behaviour or only patterns?
- In which country is your data stored?
- Where is the storage solutions provider headquartered?
- Does the transmission of data go through countries outside of the EU?
- Do you use machine learning / artificial intelligence? If so, can you explain the algorithms – the criteria and parameters?
- Do you use personal data to influence user behaviour?
- Do you ensure that it is transparent when the use of personal data may influence a user’s behaviour?
- Do you ensure that the design does not create addiction and thus removes the person’s self-determination and empowerment?
- Do you operate with open source software, so others can use it and possibly improve on it?
- When do you anonymise personal data?
- Do you use end-to-end data encryption?
- Do you minimise the use of metadata and explain how metadata is used?
- Do you use zero knowledge as a design and processing principle?
Sales of Data
- Do you sell data to third parties?
- Do you sell data as identifiable data?
- Do you sell data as patterns?
- Do you use third-party cookies?
- Does this include SoMe cookies and SoMe logins?
- Do you use Google Analytics or similar tracking tools?
- If you use third-party cookies, are your users fully aware that your cookie use means you share data about them with third parties and do they agree with it?
- Do you enrich data with external data, such as social media or web scraping?
- Does this enrichment occur in response to, or in cooperation with, your users?
- Do you have an individual or a department responsible for the ethical managing of data?
- How is the work with data ethics embedded in the organisation?
- How do you ensure that your data ethics guidelines are respected?
- Can the processing of data be audited by an independent third party?
- Do you have demands for control of your subcontractors and partners’ data ethics?
- Do you communicate with your users on a public platform?
- Do you have any guidelines for using the platform?
- Do you moderate the platform in order to remove sensitive personal data?
- If you are dealing with children, do you ensure parental consent?
Reuse of data
- Is data used for new purpose, eg. to develop or train an algorithm?
- Do you ensure that the use of data does not lead to discrimination?
- Do you ensure that the use of data does not exhibit the vulnerabilities of individuals?
- Do you ensure that the use of artificial intelligence / machine learning is beneficial to the individual and does not cause physical, psychological, social or finacial harm to the individual?