FEATURE25 June 2020

Giving values a voice

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

Features GDPR Impact Privacy UK

Ellis Parry joined the Information Commissioner’s Office (ICO) as its first data ethics adviser at the end of 2019. Impact caught up with him to discuss how organisations can build a more ethical approach to data.

Privacy_data_secure_crop

What are your responsibilities, and what is the ICO’s role in this space?

My role is to articulate the interplay between the data protection principles over which the ICO has regulatory oversight and the emerging field of data ethics, and communicate and consult on those views, raising awareness and buy-in to the mutually reinforcing nature of the concepts underpinning each discipline.

The majority of people feel it’s important that companies use their data ethically, but few trust organisations to do this, according to Open Data Institute research. What needs to be done to build trust?

The ICO’s mission is to uphold information rights for the UK public in the digital age. The number one goal of the ICO’s Information Rights Strategic Plan is to increase the public’s trust and confidence in how personal data is used and made available, by creating a culture of transparency and accountability.

What are the key ethical blind spots for businesses and organisations?

These are quite context specific. Articulating their values, the principles that enable those values, and building those into their decision-making processes can help organisations identify and deal appropriately with the ethics raised by their proposed personal-data processing.

What practical steps can companies take towards a more ethical approach to data?

As part of establishing and building a culture of transparency, fairness and accountability, organisations should share their values and behaviours, and make suitably senior people responsible for ensuring they are considered and subject to continuing review at the appropriate stages of their process-based governance frameworks.

Are organisations too focused on consent at the expense of data ethics?

Much has been said on the limitations of consent as a lawful processing ground, given the novel possibilities for processing personal data that technology is now making possible. I view robust, structured and recorded deliberations on the ethics of any given proposed processing as a tangible step towards organisations showing a culture of accountability. For public authorities, those deliberations could be made public – private organisations should consider whether that level of transparency would be appropriate, too.  

How does data ethics overlap with data protection? Do organisations need to reframe how they think about data to place more focus on people?

Many of the publicly available data ethics frameworks have a human-centric approach as their foundation. So we will be talking to stakeholders about what, in their view, is the intersection between the data protection principles and data ethics, and how a conversation based on society’s collective morality can promote adherence to the GDPR’s inherently ethical principles.  

What’s the biggest challenge in balancing the rights of individuals with what’s best for society – for example, in the case of facial-recognition technology?

The question encapsulates the answer! The challenge is striking the right balance between those two potentially competing and yet allied interests.

Framing the debate in ethics can help organisations apply the GDPR’s principles appropriately, in particular, as part of any legitimate-interest impact assessment.

In relation to facial-recognition technology, the ICO is considering how the private sector uses this technology for locating and identifying people, including when it’s used with law enforcement.

The law is different for the police, and the ICO has already published a Commissioner’s Opinion, which gives clear instructions on how police forces should be using live facial-recognition technology.

How is it possible to reach a consensus on the ethical use of data?

Each scenario will be quite context specific, but this illustrates one of the benefits of organisations stating their values and principles.

Ethical considerations ‘move with the times’ as society’s prevailing attitudes change. Adhering to a code of conduct or being a member of a certification scheme can help organisations prove they are accountable for how they are processing personal data within agreed boundaries.

The ICO has recently published guidance for organisations wanting to develop GDPR codes of conduct or certification schemes. Organisations can submit their proposals for these to the ICO for approval, which will be an asset to businesses, helping data controllers and processors demonstrate compliance with the GDPR.

Can ethics be regulated?

The ICO does not regulate purely ethical considerations, but given the inherently ethical nature and language of the GDPR – in particular, I’m thinking about fairness, transparency and accountability here – the supervisory authorities can take steps when they see breaches of the law.

What is your biggest concern over approaches or technologies not designed with data ethics in mind?

That they may, by design or inadvertently, entrench discrimination against sections of society, having a negative impact on mankind’s freedom to grow in a diverse and pluralistic environment.

How can discussions about ethical data use keep up with technological innovation and new applications of data?

It may be that the black-and-white letter of the law could be perceived as not moving quickly enough to regulate, with surety, rapidly evolving technology. By and large, organisations want to do ‘the right thing’, but may not have a clear view of how to successfully apply the GDPR’s principles in novel situations where there is no precedent.

This is exactly where I think viewing a proposal through an ethical lens can help illustrate the legal issues more clearly, as social mores are more agile than black-and-white letter law and, therefore, more adept at keeping up with the rate of technological innovation, and signposting how it should be governed for the benefit of the whole of society.

This article was originally published in the April 2020 issue of Impact.

0 Comments