Data Ethics – General
Open Banking enabled services facilitate the transfer of high-quality datasets from the consumer to the TPP. How you collect, collate, draw insight and inference from the data, and how you store it, use it and share it and for what purpose, all have ethical implications.
- Data is a company asset which requires proper and effective handling to create value. It also something which must be handled ethically with regards to individual consumers the company is there to serve and the wider society to which it contributes. Therefore, data governance should ensure value creation for the company and risk minimisation for consumers and society.
- Data governance is important in ensuring all aspects of the asset is well managed for the company.
- Data ethics ensure the decisions you make about how to manage your data are in keeping with your overall purpose and social responsibilities.
- Data governance and ethics are closely linked. Data governance requires fulfilment of the law and regulatory requirements. However, data may also create new ethical or moral dilemmas which you address through appropriate data governance mechanisms. The way in which you govern data will be a direct expression of your ethical norms as a group of people and an organisation.
For any TPP, it is essential to understand:
(1) The data you collect, collate, draw insight and inference from, how you use it, for what purpose and how it is shared. It is important to have a clear approach to personal data, including data which may be considered personal, sensitive, commercial, as well as, data that may be pseudonymised and/or anonymised.
(2) How the data interplays with the algorithmic system and the models you use, particularly in regard to how data is weighted or attributed in the algorithmic system to produce the outcomes.
(3) What impact the combination of the data and the algorithmic system has on your end result.
(4) What outcomes your data-driven service is achieving for your customers and wider society.
(5) What consequences (both intended and unintended) will this have on customers and society in the short, medium and long term?
Your evaluation of the above will help you identify not only legal and PR risk, but also potential ethical risks.
To help you consider how to ‘operationalise’ data ethics, we recommend you start with an existing framework. Readers can refer to Ethical Data and Information Management, O’Keefe & O Brien, 2018. You will also find useful links in the box at the foot of this section.
Data Ethics Framework
An ethical framework ensures that you have provided for the consideration of ethics within and across your organisation at all levels and functions.
A data ethics framework provides principles for the acquisition, collection and collation, accuracy, cleansing, analysis, use, and sharing of personal data. It would also provide for a consistent process and document procedures through which an organisation decides, documents and verifies that its data processing activities are (1) lawful and (2) generating fair and good outcomes for both the individual and wider society.”
Having a data ethics framework in place can, therefore, be a powerful risk mitigator and value creator.
Your approach to implementing a data ethics framework and operationalising data ethics in your organisation should be one which is collaborative, diverse, and transparent.
This walkthrough of a hypothetical (industry agnostic) Data Ethics Framework will introduce you to the concept and key components of a framework.
Key framework components
Although the entirety of this framework is specific and intentional, there are three distinct components worth noting:
- Data Governance
- Social Preferability Testing, and
- Independent Auditing
Data Governance and Oversight
Data Governance sets an information strategy, whilst effectively identifying and managing information risks. Your board or organisational governance body must become accountable for this function and should have a representation of the appropriate expertise. This matters because boards have to sponsor the authorising environment for action, and this may result in uncertainty and new risks. By explicitly incorporating an operational Data Ethics Framework into information strategy, boards create the environment for Data Ethics to become an integral function of their enterprise.
Oversight (including Decision Making Authority and Accountability)
- This will depend on the size and requirement of the firm, but consider implementing an ethics oversight mechanism for this purpose.
- An ethics advisory board, committee or panel (EAB) should ideally combine representative views of both internal and external stakeholders. It is feasible to have a wholly external EAB, a wholly internal EAB, or a combination of the two. It will depend on what the purpose and role of the EAB are, and what structure best suits the firm. Size, culture, values, transparency, and cost, are factors playing a determining role so the approach should be proportionate to the size of the TPP.
- Conducting “social preferability testing” with existing customers and other potentially impacted stakeholders may be a way of gaining that all-important external viewpoint insight into your EAB, as well as engaging societal dialogue before implementing new and improved TPPs services;
- The constitution of the EAB should be (so far as possible) be interdisciplinary, and align with your governance processes and procedures to further embed oversight touchpoints in your existing ways of working.
- Those involved in the EAB should represent diverse thinking and a diverse group of people (particularly including representation of the protected characteristics).
- Consider how the views of representatives from wider society (such as through social preferability testing) are included in the oversight mechanism.
- The authority and decision-making ability of the EAB should be clear. You need to be clear on each parties’ role and responsibility. This will determine to what degree the EAB functions in an advisory or active decision-making capacity.
- The oversight mechanism should (so far as possible) be transparent, demonstrating how the ethical risks were identified, abated and/or mitigated.
- Accountability and responsibility for the ethical decisions ultimately responded to by the firm ( whether by action or inaction) needs to be clear.
- Consider how ethical decisions will be communicated to the TPP’s end users.
- Consider what redress for the impact of ethical decisions looks like for end-users and whether this falls within the current remit of the Financial Ombudsman Service.
Social Preferability Testing
Social Preferability Testing challenges what is ‘normal’ today by proposing those data processing activities, the intent behind them and the real-life impacts, are ‘socially preferable’ rather than merely ‘socially acceptable’. This is an important distinction. It’s about finding ways to make what is good for people and society at large great for modern information businesses. For a firm wanting to consider itself as operating at a best practice level, it should be doing this kind of analysis.
Social Preferability Testing helps organisations collaborate directly with their key stakeholder groups, from independent advocacy groups through to regulators and of course, customers. The general process for Social Preferability Testing is outlined in the steps below. These can be adapted, depending on the size and maturity of your business or organisation, in the context of your customer base and the nature of the personal data in your possession.
The steps for Social Preferability Testing:
- Develop a proposal, i.e. a new outcome-focused product or service that relies on data sharing.
- Put the proposal to the test internally, against predefined Data Ethics Principles and criteria. If it is a clear pass, continue. If it fails, go back to first principles and ask, “just because we can, should we?”.
- An external Data Ethics Committee reviews the proposal. This should shed light on the principles in a variety of new ways.
- Design a prototype that simulates your data processing by stakeholders and customers.
- Design and execute a tightly defined research program. For example, unimpeded outcome-focused usability testing within a simulated context, supported by contextual inquiry and scoring methods.
- Synthesise the outcomes of the research and present the findings to key stakeholders.
- Have your process independently audited.
These practices should be embedded into existing workflows so they augment ways of work.
The inclusion of independent audits in the workflow of an operational Data Ethics Framework is important to mitigate risk, both of potential customer harm, and to the organisation. It could also expose new value opportunities.
- The Information Commissioner; ico.org.uk
Information about the importance of Data Ethics and considering ethics in the context of AI:
- The ethical and societal implications of AI Nuffield report
- UK Finance Data Ethics White Paper produced in conjunction with KPMG
- IAPP article on establishing Data Review Boards
Principles and Guidelines:
- DataEthicsEU principles: https://dataethics.eu/data-ethics-principles/
- UK Government National Data Strategy has published principles and supporting workbooks.
- OECD Data Ethics Principles
- The ICO draft AI Auditing Framework (there is a generic link to the ICO but this is more useful)
- Dot Everyone provides a range of possible different tools
- The European Commission High-Level Expert Group produced AI Assessment Toolkit
- The Personal Data Protection Commission of Singapore Second Edition of their Model AI Governance Framework (published January 2020)
Other sources of information and guidance:
- The Alan Turing Institute for more information on data ethics and data science
- The Centre for Data Ethics and Innovation
- The Open Data Institute (ODI) Data Ethics Canvas and supporting materials.
- DEON command line tool that supports ‘ethics checklists’
- Data for Democracy’s, ‘The Global Data Ethics Project’