Privacy and Ethics in Data Governance

With the proliferation of IoT sensors, social media, and other big data sources, people today are revealing very personal information daily, often without their knowledge or consent. This is known as Passive Data Generation. In some cases, individual consumers may have granted permission for their information to be gathered, but it is not possible to accurately determine how their information may be used once it is included in big data sets and shared with companies and research institutions. The very essence of big data requires that it contain significant amounts of data for analysis, which is often contains quite a bit of personal data. Informed Consent becomes almost impossible to obtain, since no one can clearly identify what exactly they are looking for until they perform the analysis. Thus, in recent years the concept of broad consent has been introduced, with the ultimate effect of simply removing the requirement for consent at all. Consent has become the big data analytics equivalent of a blank check.

One common response to this challenge is simply to deidentify the data so it is no longer covered by privacy laws. Information that has been deidentified no longer falls under the restrictions of the privacy laws, and thus does not require consent by the individual since the data technically does not contain protected information.Unfortunately, this logic breaks down very quickly due to the ease with which individuals can be reidentified by combining disparate data sources. A 2019 study found that 99.98% of Americans could be re-identified with any data set with as few as 15 demographic data elements. There are also several examples of disparate public deidentified data sets being combined to reconstitute the private information, such as when public data aboutNew York Taxi cab rides was combined with other sources to identify private information about specific cab drivers, their religious practices, and even to track celebrities that used the cabs in question.All of this now calls into question the perception that has been applied to consumer data privacy since the 1970’s that consumers provide informed, rational consent for their data to be used by the organization to whom they are providing access to their data. Consent and anonymity are both myths in today’s big data world. The onus of acting in an ethical manner with regard to consumer privacy now falls upon the data scientists rather than the legal and compliance departments.

Because of the ubiquitous nature of passive data generation, and the ease with which deidentified data can be rehydrated, big data can take on surveillance like qualities and can easily cross a constitutionally protected line regarding individuals right to privacy. Thus, the primary ethical issue is not whether to collect the information, but how and when it is ethically responsible to analyze that information. This is the key ethical decision for companies to address. For too long the sentiment has been that companies are able to analyze any information that they have been able to gather. It is time for data scientists to help their organizations to change their thought process. In the famous words of the fictional Dr. Ian Malcom, portrayed by Jeff Goldblum in Jurassic Park, “Your scientists were so preoccupied with whether they could, they didn’t stop to think if they should.” It is time for our data scientists to stop and think about whether they SHOULD.