In the wake of the Hayne Royal Commission we are hearing about multiple examples of basic governance failures. If we couple this with the requirements of the European Union Global Data Protection Regulation which are impacting organisations dealing with European companies or individuals, the governance of information is an increasing issue for businesses.
While medical, and health and research organisations have long been familiar with ethics committees, the advent of Artificial Intelligence (AI) and the sheer complexity of data analytics means that an area that has not previously been a focus now needs management attention and buy in, and resources to train and implement staff across the organisation.
We consider at the end of this article some questions businesses can ask themselves about their use of big data to ensure legal risks are mitigated.
In October 2018, the flagship innovation initiative of the United Nations Secretary-General on big data 'Global Pulse', together with the International Association of Privacy Professionals issued a whitepaper 'Building ethics into privacy frameworks for big data and AI'. The whitepaper can be found here.
What are the benefits and risks of big data?
Using big data can guide decision making, manage risks, measure social impact, increase access to services, and advance technology. However, if big data isn't gathered, stored and dealt with correctly, this could lead to breaches in privacy and issues regarding fairness and equality.
How does big data and artificial intelligence impact companies?
When coupled with AI, big data can have an even larger impact on companies and society. AI can be used to analyse large volumes of data to help improve predictions and consequent business decisions. These benefits, however, must be balanced with the drawbacks of using AI which include cybersecurity concerns, human rights and privacy impacts, and impacts on the labour market. Additionally, AI can also be used to target sensitive population groups and cause individual harm.
While big data and AI can pose a risk to companies when handled incorrectly, failing to utilise them may have even greater consequences. Therefore it is essential that companies and institutions have effective frameworks in place to assess data ethics issues when dealing with big data and AI. Privacy protection that was previously relied on to regulate data use is not enough to ensure responsible and accountable use of big data and AI.
How can data ethics be implemented in the workplace?
In order to effectively integrate data ethics in the workplace, companies can implement internal or external frameworks. Internally, companies can establish a privacy working group or an ethics board or task their existing privacy working group with data ethics issues. It is worth noting that these groups are most effective when they are multidisciplinary, as it is important to assess data ethics issues at the different stages and areas where data is used.
External frameworks which can be used to implement data ethics include review boards. External review boards may be beneficial for small and medium-sized businesses that lack capacity for an internal board. Review boards can assist in developing ethical standards and best practice using their specialised knowledge.
What should companies consider when implementing an ethics framework?
When implementing an ethics framework, companies must tailor the framework to their mission, structure and management style. For data ethics to be effectively implemented, the framework must have buy in from management and effective leadership. As data ethics affects multiple business units within a company, adequate training would be required for all staff that use data.
What do companies need to consider from a governance perspective?
In many ways the consideration of ethics and ethics committees is an extension of information governance frameworks and where they are not robust, the deficiencies will be exposed. Some questions for businesses to consider are as follows:
- who is currently charged with leading data use and analytics in your organisation, and is governance one of the metrics against which they are judged, or is it solely about commercialising data?
- is there a formal structure for governance and legal oversight of data analytics within the organisation?
- do you have people with sufficient skills in oversight roles, or do you engage external resources to assist?
In our experience many of the relevant areas are somewhat siloed and the governance challenge is breaking down these silos and coordinating governance goals within business units.
In our next few articles we will explore how organisations can approach information governance challenges.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.