Data breaches and ethical breaches: mere compliance versus doing the right thing
“Ethics in our view is doing the right thing even when no one is watching and even when it costs you more money,” explains Chris Paterson, a privacy solutions engineer with OneTrust, a technology company that supplies privacy, security and trust software.
Speaking as part of a Holyrood webinar on the subject of data breaches versus ethics breaches, sponsored by OneTrust, Paterson said ethics added a layer of complexity on top of the types of breaches that organisations may suffer, such as security breaches or data and privacy breaches.
He summarised the ethical principle in another way as “just because we can, doesn’t mean we should”.
“The key to data ethics is trust and not to abuse that trust,” said Dr Rena Gertz, data protection officer at the University of Edinburgh.
A data ethics breach might not be a notifiable breach, she said, but it is a contravention of data protection law or data processing or a mishandling of data that people might find objectionable.
The fact that it’s not a ‘real’ breach doesn’t make it any less problematic or less dangerous, she added.
“What we’re basically looking at here is mere compliance versus doing the right thing,” said Gertz.
Gertz explained that breaches could be based on carelessness in handling the data, on bending the ‘legitimate interest’ requirement for using the data and the reasonable expectation of what the data is being used for, as well as on judgements based on the ‘greater good’ versus the rights of the individual.
On the latter, she said: “What we really should be looking at here is an ethical point of view, so we need to evaluate the short-term gain against the long-term loss of trust and possibly long-term loss of reputation of the organisation. And the outcome of that, well, I don’t know if it would really go in the favour of the greater good.”
Key to preventing data breaches is for everyone to know that it is their responsibility, said Gertz, and she highlighted the importance of awareness and training, as well as having good processes in place.
She noted that the University of Edinburgh has data protection impact assessment (DPIA) procedures in place for all of its researchers.
“Vertrauen ist gut, Kontrolle ist besser” – trust is good, control is better – Gertz quipped, quoting a German saying.
“All ethics breaches are probably a data protection breach, but not all data protection breaches will necessarily be an ethical breach,” said Dr Ken Macdonald, Head of ICO regions at the Information Commissioner’s Office.
Macdonald looked at the overlap between the legal requirements for data protection and the UK Government’s ethics framework for data use, both of which make reference to lawfulness, to clear purpose and to proportionality. He also highlighted the need for transparency.
“The clearer it is, the clearer the message is, the clearer the understanding that the individuals have of why their information is being used, the more buy-in organisations will have,” said Macdonald.
In terms of managing data in the current situation where most people are working remotely, Paterson highlighted the need to not neglect training.
He said: “One of the drivers [of data breaches] … is people not being wilfully malicious, but just being uninformed and oftentimes maybe slightly negligent of what they’re doing with data and there’s a lack of oversight now, a lack of accountability, as we’re not in offices and it’s a little bit harder to police.”
Summarising the key point to take away, Gertz said: “Put yourself in the data subject’s shoes. What would you think if this was done to your data and what would you think if people were treating your data in that way?”
This was echoed by Macdonald: “When you’re doing your DPIAs, it’s not just a matter of you thinking ‘how does this affect my organisation’, it’s how does this affect the data subject, and put yourself in their shoes.”
You can listen to the full Holyrood and OneTrust webinar on workcast.com.