Data ethics are on the agenda in an increasing number of organisations. This means that consideration is given to the ethical justification of how data and personal data are handled. In addition to the legal frameworks, the desirability of data use is called into question.
In practice, implementing data ethics is seen as a major step. This blog is intended to show how, in small steps and using existing resources, an ethical assessment can be added to the legal assessments of projects in which privacy is at issue. In addition, we will show that the legal assessments also include an ethical component.
Role of the DPIA
A Data Protection Impact Assessment (DPIA) is an instrument used to identify and list the privacy risks of data processing in advance in order to subsequently take measures to reduce these risks. A DPIA is mandatory if data processing is likely to result in a high risk to “the rights and freedoms of natural persons” (Article 35 GDPR).
Under the GDPR, this is in any event the case if an organisation:
- systematically and extensively evaluates personal aspects based on automated processing, including profiling, and bases decisions on this that have consequences for people;
- processes special personal data or personal data on criminal records on a large scale;
- systematically monitors people in a publicly accessible area on a large scale (e.g. camera monitoring).
Furthermore, the Dutch Data Protection Authority has drawn up a non-exhaustive list of processing operations that are subject to the requirement for a DPIA. You may also use the nine criteria drawn up by the European data protection agencies (WP29): a DPIA must be carried out if the processing satisfies two or more of these criteria.
Carrying out a DPIA is not a one-off action, but a continuous process. It is advisable to carry out a DPIA periodically, for example once every three years. However, there are indicators for doing this earlier. The risks of the processing may change if new choices are made within a project that has already been assessed, for example if it is decided to use a new technology, or to use the personal data for a different purpose. In those cases, carrying out a DPIA again may even be mandatory. That is why it is important to keep monitoring whether the data processing changes, so that it can be determined whether the DPIA needs to be reconsidered.
Whether a DPIA is required is not clear in all cases. Nevertheless, it is advisable to also – and especially – carry out a DPIA in unclear cases. Firstly, because the DPIA is a useful instrument that helps controllers comply with data protection laws, for example accountability and the obligation to document, which also apply if a DPIA is not required. In that sense, it is a legal tool.
Secondly, it is desirable to do so from an ethical point of view: you encourage those responsible to be aware of the risks that the data project poses to the rights and freedoms of natural persons, and to take responsibility for careful processing. This way, you focus on the consumer, citizen, ‘data subject’, and you increase privacy awareness within your organisation. In other words, the choice to carry out a DPIA already includes an ethical consideration.
DPIA and Weighing up the Ethical and Other Pros and Cons
A DPIA does not have a fixed format, yet there are fixed elements that must in any case be worked out and weighed against each other:
- the purpose and the legitimate interests pursued by the controller;
- the necessity and proportionality of the processing in relation to the purpose;
- the risks to the rights and freedoms of data subjects;
- the measures envisaged to reduce the risks, taking into account the rights and legitimate interests of data subjects and other persons concerned.
A DPIA roughly balances the purpose and the legitimate interests pursued by the controller against the risks to the rights and freedoms of data subjects. The reference to “the rights and freedoms” of data subjects does not only relate to the rights to data protection and privacy, but may also concern other fundamental rights such as freedom of speech, freedom of movement, a ban on discrimination, and a right to freedom. Taking measures to safeguard the rights to data protection and privacy of data subjects is therefore not by definition sufficient.
Balancing takes place within legal frameworks, but when carrying out a DPIA this balancing will in many cases raise ethical questions. The question of whether an infringement is proportionate will be addressed from the legal framework, but is in itself an ethical question (what is proportionate? How do you measure this?).
There are also ethical questions that emerge less directly, or not at all, from the legal framework, but that you do want to include in the assessment. What impact does the means have on society? Is a certain group being excluded (for example, people who are not computer literate)? When do you actually label a means as effective? The choices that are made are value-driven and never ‘neutral’. As a result, carrying out a DPIA is not a purely legal exercise, but an excellent means of reflecting on the ethical interests involved. But how do you implement these ethical interests in a DPIA or the DPIA procedure?
Expanding DPIAs with Ethical Questions
Because a DPIA does not have a fixed format, the organisation may choose to shape a DPIA and the DPIA procedure in such a manner that it is in line with the organisation’s ethics. We are making a few suggestions below:
- Formulate ‘check’ questions that are in line with the organisation’s core values. To what extent do the risks associated with the processing affect those core values? What can be done to act on the basis of the core values?
- Set up a position or role that can be involved in the ethical assessments, such as an ethicist or data ethicist or an ethics committee. Ensure that the DPIA process includes asking the ethicist or committee for advice in certain cases. For example, include that the ethicist always assesses the selection criteria in case of profiling.
- Ensure accuracy in distinguishing and formulating the necessity, the means (the proposed processing) and the goal that one wishes to achieve with it. This helps to better identify and list the interests, and consequently helps with the balancing of subsidiarity and proportionality.
- (Regularly) discuss with those involved in the DPIA any ethical questions concerning data processing. Any risks arising from such discussions can be included in the DPIA so that the person responsible can take them into account in the final assessment.
- Consult data subjects (whose freedoms and rights are concerned, after all) during the stakeholder analysis, so that risks are not only approached from a technical point of view, but the perceived risk or sense of safety is also well represented. You can do so by means of customer surveys or by consulting interest groups. This possibility is also enshrined in Article 35.9 of the GDPR.
- Regularly reconsider the DPIA carried out. Society is changing, and so are the context, the technology and therefore the risks. Continuously monitor whether a DPIA needs to be reconsidered, and set up processes for this purpose.
Conclusion
An increasing number of organisations are looking for the right ethical assessment for the use of data. A DPIA is an excellent instrument to implement this assessment. After all, this instrument enables organisations to balance the various interests against each other and, where necessary and possible, to take mitigating measures. But it is not the be-all and end-all. It is a framework that already gives data ethics a place, but it is certainly not the only one that is necessary to arrive at a responsible handling of data.
Authors:
- Menno Verhaar; privacy lawyer at SVB
- Piek Visser-Knijff; data ethicist at Filosofie in actie
This article was originally published in Dutch on Advocatie.nl. The original article is translated by Astrid Amels.