Guides: Data Management: Privacy and Ethics in Data Management

Ethical Considerations for Data Creation and Reuse

Data can be a check-in, a story, an experience or set of experiences, and a resource to begin and continue dialogue. It can - and should always - resist reduction. Data is a thing, a process, and a relationship we make and put to use.

We can make it and use it differently.

from the Feminist Data Manifest-NO

When embarking on any kind of research project, it is critical to consider the social and ethical implications of data, as well as the power and impact data can hold/have. Whether working with highly sensitive data, utilizing new ethical ideas in the realm of data-intensive research, or ensuring that your research complies with local and international data collection and privacy laws, the following information provides a few examples of data principles, guidance from respected data organizations, and more to help inform your work.

Existing Principles and Guidance

FAIR Principles

In 2016, the ‘FAIR Guiding Principles for scientific data management and stewardship’ were published in Scientific Data. The authors intended to provide guidelines to improve the Findability, Accessibility, Interoperability, and Reuse of digital assets.

The principles emphasize machine-actionability because humans increasingly rely on computational support to deal with data as a result of the increase in volume, complexity, and creation speed of data.

Image via Medium

CARE Principles

The current movement toward open data and open science does not fully engage with Indigenous Peoples rights and interests. Existing principles within the open data movement (e.g. FAIR: findable, accessible, interoperable, reusable) primarily focus on characteristics of data that will facilitate increased data sharing among entities while ignoring power differentials and historical contexts. The emphasis on greater data sharing alone creates a tension for Indigenous Peoples who are also asserting greater control over the application and use of Indigenous data and Indigenous Knowledge for collective benefit.

This includes the right to create value from Indigenous data in ways that are grounded in Indigenous worldviews and realise opportunities within the knowledge economy. The CARE Principles for Indigenous Data Governance are people and purpose-oriented, reflecting the crucial role of data in advancing Indigenous innovation and self-determination. These principles complement the existing FAIR principles encouraging open and other data movements to consider both people and purpose in their advocacy and pursuits.

C: Collective Benefit

A: Authority to Control

R: Responsibility

E: Ethics

(CARE Principles for Indigenous Data Governance via GIDA Global)

Image via GIDA

D4BL (Data 4 Black Lives)

Image via Medium

Data for Black Lives is a movement of activists, organizers, and scientists committed to the mission of using data to create concrete and measurable change in the lives of Black people.

#NoMoreDataWeapons is about increasing public awareness of the usage of Data Weapons and building collective momentum around policy fights against Data Weapons. Data for Black Lives is committed to a world where no more Data Weapons exist.

#NoMoreDataWeapons goals:

Promote Black Self Determination: Public education on what the various Data Weapons are and how to organize against them
Shift the National Narrative: Document and promote storytelling by Black communities and individuals directly impacted by data weapons
Data Consolidation and Collection: Establish a dataset of carceral and surveillance technologies in use based on US location. Inform and Support Policy Innovation: Cultivate and support targeted campaigns to move policy concerning the use of data weapons

Privacy Laws and the Future of Data Collection

In addition to data protection and consumer privacy laws like HIPPA and FERPA, there are new international and California State privacy laws that currently and will continue to impact data research and business-related data collection.

GDPR

What is GDPR, the EU’s new data protection law?

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

Data protection principles under GDPR

If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:

Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

CCPA

What is CCPA?

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.