Data ethics, risk, and privacy

Used well, data is a force for good. However, you need to be aware of ethical and legal issues and make sure you are not putting people at risk of harm. Data ethics is a complex area, but here are some of the more common issues you need to be aware of. For more on your specific responsibilities under Data Protection legislation, see our in-depth information on Data Protection law and practice.

• Informed consent: If you use people’s data, need a ‘lawful basis’ to do this. You need to explain which lawful basis you are using in your privacy policy. The Information Commissioner’s Office (ICO) has a useful guide explaining the six lawful bases you can use.
• Transparency and accountability: You need to be up-front about how you are going to use data, especially with those that could be affected by data-informed decision-making. And you also need to be clear and transparent about the limitations of data you are working with.
• Right to privacy: People have a right to a private life. This means their identity, activities and beliefs should remain private to them unless there is a good reason to share them. If you are asking someone to share some of their details, it should be clear why you are doing this. And sharing some private or personal information does not mean someone has given up their right to privacy. They can choose to request that you delete any personal information you hold in future.
• Bias and discrimination: Data is not neutral. The way it has been collected and processed can bring bias into the system. This bias can, in turn, cause some individuals or groups to be discriminated against down the line. Assess any system and decision-making process - whether informed by quantitative data or not - for bias and discrimination. A good entry point to exploring data ethics questions is the Data Ethics Canvas from the Open Data Institute. This toolkit encourages you to ask important questions about projects that use data, and reflect on the responses.
• Balancing risk: All data sets have their limitations. It might be tempting to wait until you have better data, as this seems less risky. But in some situations, it is harmful to wait. For example, if you are seeing early indications of a spike in demand for a service, the best action could be to take swift action to meet that demand, rather than wait for a definitive prediction of exactly how demand may change in future. Often there is no such thing as a ‘perfect’ dataset, and any data use must be assessed for its risks. On the other hand, if you are trying to spot or interpret a trend, make sure you have enough data to support a reliable conclusion.
• The risk of misinterpreting data: Make sure you don’t use data to support misleading or dubious claims. Data and statistics can be powerful when they are established as facts, so take care when you present them and highlight any assumptions or limitations in your presentation. For example, you should be wary of drawing big conclusions from small sample sizes. See Ten simple rules for responsible big data research for a useful guide.

What to do now

1. See our page on Data Protection for an overview of your responsibilities and links to further guidance.
2. For more on data ethics, see this blog from DataKind UK on ‘Doing data for good right’.
3. For more detail, you can also check out their community reading list on Github.

Take steps to make things secure

If you’re working with data, you need to take steps to make sure the data is securely processed and stored. Here are a few key steps to take:

1. Educate and support team members who are working with data on how to handle it safely and responsibly.
2. Create a data flow map to clarify what data is stored where and where it gets processed. The ICO has useful templates and guides to help you document your data flows.
3. Make a list of users and their permissions, and make sure this is kept up to date.
4. Set up multi-factor authentication and password recovery processes.
5. By law you should have a plan for deleting data after a certain period, so make a retention/destruction schedule and stick to it.
6. Data breaches can happen and may need to be reported to the Information Commissioner’s Office. Make a response plan so you’re ready to act quickly.
7. People whose data you hold have a right to make a subject access request (SAR). Make a response plan so it’s easy to provide this information when asked.