Ethical Implications of Data Management

Brendan Tierney & Damian Gordon

Workshop Agenda

  • Introduction to Ethics
    • What is Ethics
    • How is Ethics different to legal/laws.
  • Data Management & Ethics
  • Multifaceted Approach to Ethics
    • Captain America, Ironman and Thor of data ethics
  • Ethical Case Studies
    • Accessing Data
    • Anonymize data – does that really work
    • Cloud and data leaks
    • ML in the High Street
  • Workshop
    • Explore different issues on Ethics & Outputs
    • How to teach Ethics guidelines
  • Workshop Feedback & Key Takeaways

10 minutes

10 minutes

20 minutes

10 minutes

Ethics

Ethics are principles of behaviour based on ideas of right and wrong. Ethical principles often focus on ideas such as fairness, respect, responsibility, integrity, quality, reliability, transparency, and trust. 

(Ethics are subjective rules that a person sets for themselves about what is right or wrong.)

  • Data handling ethics are concerned with how to procure, store, manage, use and dispose of data in ways that are aligned with ethical principles. 

  • Handling data in an ethical manner is necessary to the long-term success of any organisation that wants to get value from its data. 

  • Unethical data handling can result in the loss of reputation and customers, because it puts at risk individuals whose data is exposed. In some cases, unethical practices are also illegal. 

  • Ultimately for data management professionals and the organisations for which they work, data ethics are a matter of social responsibility.

Ethical Position

  • Many organisations fail to recognise and respond to the ethical obligations inherent in data management. Organisations are using data in ways not previously imagined and while laws codify some ethical principles, legislation cannot keep up to date with the risks associated with this. 

Ethics vs Legal/Laws

| | Legal | Not Legal |
|---|---|---|
| Ethical | It is both legal and ethical to protect privacy when a customer makes online purchases from your website. | It is not legal, but could be considered ethical, to leak information that appeared on your employer’s intranet to the media to stop an illegal activity that is occurring in your company. |
| Not Ethical | It is legal but not considered ethical to call in sick to work when you are not really sick, or to accept gifts from people in return for awarding a contract. | It is neither legal nor ethical to sell e-mail addresses or your customers' details without their permission. |

Ethics vs Legal/Laws

| Country | Description |
|---|---|
| Brazil | Brazil’s Lei Geral de Proteção de Dados (LGPD) was modeled directly after GDPR and is nearly identical in terms of scope, applicability, and financial penalties for non-compliance. Companies wishing to do business with Latin America’s largest economy will have to comply with LGPD by February 2020. |
| Australia | Australia’s Privacy Act came into effect in February 2018. Organizations with an annual turnover of over 3 million AUD will have to disclose data breaches that pose a “real threat of serious harm” within 30 days. |
| USA (California, New York, etc.) | There is currently no data privacy law applicable to all industries on the federal level; every state in the Union has its own data privacy laws. The California Consumer Privacy Act (CCPA) has many provisions that overlap with GDPR. New York Privacy Act, 2019; other States to follow. |
| Japan | Japan's Act on Protection of Personal Information was amended in May 2017 and now applies to both foreign and domestic companies that process the data of Japanese citizens. Japan and the EU reached an agreement on "reciprocal adequacy" of their respective data protection laws. |
| South Korea | South Korea's Personal Information Protection Act has been in effect since September of 2011 and from the outset has included many GDPR-like provisions, including requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods. |
| Thailand | Thailand's Personal Data Protection Act (PDPA) was published in May 2019 and will come into effect exactly a year later, on 27 May 2020. The PDPA is similar to GDPR in a number of ways, including the broad definition of personal data, the requirement to establish a legal basis for collection and use of personal data, extraterritorial applicability, and potentially harsh penalties for non-compliance. |

Data Management

Core Concepts

  • The ethics of data handling are complex, but they centre on several core concepts:

  • Impact on People: Because data represents characteristics of individuals and is used to make decisions that affect people’s lives, there is an imperative to manage its quality and reliability.
  • Potential for Misuse: Misusing data can negatively affect people and organisations, so there is an ethical imperative to prevent the misuse of data.
  • Economic Value of Data: Data has economic value. Ethics of data ownership should determine how that value can be accessed and by whom.

Ethics in Data Analytics

Ethics with Managing Data

Ethical Case Studies

  • Accessing Data - Should I be doing this?
  • Anonymize data – does that really work?
  • Cloud and Data Leaks
  • AI and ML in the High Street

Ethical Case Studies – Accessing Data

  • Have you
    • Seen data you shouldn’t have seen?
    • Used someone else’s login? (computer/network/application)
    • Gone looking for data or other things you know you shouldn’t have?

  • IT professionals are exposed to this every day
  • Software developers are exposed to this every day
    • Development vs Test vs Production

Ethical Case Studies - Anonymizing data

  • In Massachusetts, a government agency called the Group Insurance Commission (GIC) purchased health insurance for state employees. At some point in the mid-1990s, GIC decided to release records summarizing every state employee’s hospital visits at no cost to any researcher who requested them.

They removed:

  • name,
  • address,
  • social security number, and
  • other “explicit identifiers”

They did not remove:

  • ZIP code,
  • birth date, and
  • sex.

Latanya Sweeney purchased for $20 the voter rolls for Cambridge, which listed the:

  • name,
  • address,
  • ZIP code,
  • birth date, and
  • sex

of every voter.

She identified the State Governor, William Weld.
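
A pre-release check a data owner could run on the kind of extract described above, as an added example that is not part of the original slides: it counts how many records share each ZIP code / birth date / sex combination, because a combination held by a single record can be matched against any public list carrying the same three fields. The records, field names and the `generalize` coarsening rule are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a "de-identified" extract: names, addresses and SSNs are
# gone, but ZIP code, birth date and sex remain, as in the release on the slide.
FIELDS = ("zip", "birth_date", "sex", "visit")
RELEASE = [dict(zip(FIELDS, row)) for row in [
    ("02138", "1950-03-14", "M", "visit-1"),
    ("02138", "1950-03-14", "M", "visit-2"),
    ("02139", "1950-07-21", "M", "visit-3"),
    ("02139", "1962-01-09", "F", "visit-4"),
    ("02138", "1962-05-30", "F", "visit-5"),
    ("02139", "1962-12-25", "F", "visit-6"),
    ("02140", "1975-08-08", "M", "visit-7"),
    ("02141", "1975-02-17", "M", "visit-8"),
]]
QUASI_IDENTIFIERS = ("zip", "birth_date", "sex")


def class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one record is unique."""
    return min(class_sizes(records, keys).values())


def at_risk(records, k, keys=QUASI_IDENTIFIERS):
    """Records whose combination is shared by fewer than k records."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[x] for x in keys)] < k]


def generalize(record):
    """Hypothetical coarsening rule: 3-digit ZIP prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_date"] = record["birth_date"][:4]
    return out


if __name__ == "__main__":
    coarse = [generalize(r) for r in RELEASE]
    for label, data in (("as released", RELEASE), ("generalized", coarse)):
        print(f"{label}: k={k_anonymity(data)}, "
              f"{len(at_risk(data, 3))} of {len(data)} records below k=3")
```

Coarsening the fields reduces the number of unique combinations at the cost of analytical detail; the threshold k is a policy choice for the data owner.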

Ethical Case Studies - Cloud and Data Leaks

| Who? | When? | What? | How? |
|---|---|---|---|
| Microsoft | 2010 | Non-authorized users were able to access employee info | Configuration issues |
| Dropbox | 2012 | 68 million user accounts | Password Issue |
| LinkedIn | 2012 | 6 million user passwords | Password Issue |
| Yahoo | 2013 | One billion user accounts | “State sponsored attack” !? |
| Home Depot | 2014 | At least records of sales of hundred million dollars | Flaw in point-of-sale terminals |
| National Electoral Institute of Mexico | 2016 | 93 million voter registration records | Poorly configured database |
| Apple iCloud | On-going? | Lots of celebrity pics. | Password Issue |

Ethical Case Studies - AI & ML in the High Street

Workshop – Groups of 3-4 people

  • Think about the ethical issues associated with the Case Studies

  • List the ethical issues for each case study. Are there any common ethical issues?

  • List what can be done to avoid these issues and what the challenges are. (max 5 for each)
    • By the Company
    • By the individual employees
    • By the customers

Workshop – Groups of 3-4 people

  • List (up to ten) tenets of good ethical behavior: a code for good ethical behavior in the workplace.

  • List (between 5-8) recommendations for teaching Ethics to (under-graduate and post-graduate) students

  • Based on your experiences, what recommendations would you give to new or early career Technology professionals?
    • List between 5-8 recommendations
    • These should be different to those listed for teaching Ethics in the previous point.

Here’s one FROM ACM

  • You should not use a computer to harm other people.
  • You should not interfere with other people's computer work.
  • You should not snoop around in other people's computer files.
  • You should not use a computer to steal.
  • You should not use a computer to bear false witness.
  • You should not copy or use proprietary software for which you have not paid without permission.
  • You should not use other people's computer resources without authorization or proper compensation.
  • You should not appropriate other people's intellectual output.
  • You should think about the social consequences of the program you are writing or the system you are designing.
  • You should always use a computer in ways that ensure consideration and respect for your fellow humans.

Workshop Feedback & Takeaways

  • Need 3 takeaways
