The ethics of data is a quickly developing area, and barely a week goes by without some media headline related to data misuse. What exactly did Cambridge Analytica do wrong, and how were Facebook and Trump involved?
What makes it OK for a company you have never been in contact with to market to you because your data was quietly sold on by another company? Why was a charity fined by the Information Commissioner’s Office for a leak of their customer data, when surely the criminals who deliberately hacked their database should be the ones facing charges? How should we work with data ethically, not just legally?
Some helpful ideas from the legal field
At least within Europe, thanks to the General Data Protection Regulation (GDPR) becoming law this year, the barrage of permission boxes now swamping the web gives consumers greater control over how we, as businesses, handle their data.
But what the law permits and what our consciences allow aren’t always one and the same. As well as the letter of the law, I think we can take a number of legal concepts and usefully apply them to help structure our thinking when we are facing an ethical data dilemma. Here are some tools that I personally find helpful:
The legal field has the concept of a (fictional) “reasonable person”. This is the idea of a “typical” person in society, someone impartial with what might be regarded as an ordinary level of prudence in their behaviour. A good starting question to ask when you’re considering whether an application of data is ethical is, “what would a reasonable person do if they were involved?”
A follow-up question I sometimes ask myself is, “what would a reasonable person think if they could look in and see what is proposed?” Confidentiality aside, if the same impartial person were asked to assess whether what you are planning to do was reasonable, what would they say? If the worst happened and your actions all became public, could your reasonable motives be misconstrued as something more sinister?
A final question in this vein that might bring this home for some of you is this: Would I be happy telling a close relative, such as my father or wife or son, what I’m doing? If you can comfortably answer yes to this, I think that’s a good start.
The concept of “purpose” is more prominent in the recent GDPR than in the previous data protection legislation, as is the idea that specific permission must have been actively obtained before an organisation may use data for that particular purpose. For example, the purpose of marketing to you is different from the purpose of delivering a service to you. In certain circumstances “legitimate interest” permissions may also apply whether permission has been given or not. Let’s look at some of this in action and try to apply the “reasonable person” test.
As an example, let’s say that I go to a coffee shop and while I’m enjoying my flat white I want to browse the internet on the coffee chain’s free Wi-Fi. I find their network and try to log on. There is a web page showing their logo and a swirly coffee, and they want my name and contact details. I can’t use the network unless I give them, so I do. There are various tick boxes and I eventually get to the “connect” button.
What might the coffee company do with my data?
They might send me an activation link in an email that I have to click on to get started. It might be their policy to make sure that they have a verified email for everyone using their network. Does that seem reasonable? Well, I think people are probably more likely to behave responsibly if they are known and contactable, and also if there is a genuine problem the coffee company can get in touch with me. So yes, that seems reasonable.
The coffee company might want to send me marketing emails to encourage me to come back. Does that seem reasonable? Well, given that I’m sitting in a coffee shop drinking coffee, it seems reasonable to me to think that I might have some interest in coffee. So as long as I had the opportunity to confirm that I did want to hear about their coffee offers, then yes, that seems reasonable to me.
The coffee chain might want to pass my details to the technology company who run all their infrastructure. Does that seem reasonable? Well, it depends on the purpose. The technology company probably have to process my data for me to get the Wi-Fi service I want, so for that purpose I think it does seem reasonable. But what if the technology company want to market to me about themselves and various other partner companies they also deal with? Does that seem reasonable? At this point my own view is no, this doesn’t seem reasonable. This has now gone beyond the company I’m intentionally buying a coffee from, to their silent partner and beyond to who knows where.
The technology company then start texting me “Win a car when England score a goal, click here…” Does that seem reasonable? No, to me it does not seem reasonable: I never wanted this when I signed up to use the free Wi-Fi. I then find the only way to opt out is through a premium rate text message. Does that seem reasonable? No, it really does not seem reasonable, and in fact I start to feel quite angry and that my trust has been betrayed. By the way, this is based on my real, recent experience.
Around ten years ago I dealt with a particular recruitment company because I was considering a job move. At the time, I did want them to tell me if certain job roles came up. A decade later, every so often I receive a mail from them telling me about Head of Analytics roles. I politely tell them I’m not interested and to stop contacting me please. A message that at one time I would have been delighted to receive is now irritating spam. What has changed?
As members of the data industry we need to recognise that data has a value for a time as well as for a purpose. When someone needs a job, few things in life are more pressing upon them. But contact them one day after they’ve just signed with a new company and suddenly it doesn’t matter to them. The question here is, does the permission that someone has given us to use their data expire? And if so, when?
Some aspects of this are easier than others; for example, it’s the law that you have to keep records about the sales you have made for at least 6 years. But what about other data and permission to use it? My experience is that reaching a reasonable outcome requires quite a lot of experience of the practicalities of the situation; you can’t treat the decision as a purely technical one.
To illustrate the point, let’s stay with the example of a new job. Imagine that a recruitment firm has just helped me get a new job and I just started. The recruiter calls me during the first week and asks how it’s going. Does that seem reasonable? Well, I can see that it’s a way to make sure I have turned up and there’s no enormous issue. It comes across to me as caring, and also the recruiter probably needs me to stay for a period of time before they will be paid. So yes, that seems reasonable to me for the purpose of the recruiter delivering a service to my employer and getting paid for it.
The recruiter calls me during my fourth week. Does that seem reasonable? That probably needs some knowledge of the recruitment process: maybe the recruiter gets paid as long as I’ve stayed four weeks, in which case yes, it still seems reasonable.
A year later, out of the blue I get a call from the same recruiter asking me how I’m getting on. Does that seem reasonable? Well, I doubt that a recruiter would wait 12 months before getting paid, so this is no longer a call for the purpose of delivering the service. If I wasn’t getting on well, I’d probably have resigned by now, so the purpose of the call is probably to tell me about a different job that the recruiter needs to fill – in other words, to market to me. Does that seem reasonable? There may be a contract in place preventing recruiters “poaching” those they’ve placed, in which case the call should not be taking place at all. Assuming not, have I given permission to be marketed to for twelve months after being placed? What about for 3 years, or 5 years? At what point do I really not want to hear from the recruiter anymore?
The attitudes of people are likely to vary, so to avoid irritation and potential prosecution, it’s a good idea to write a data retention policy and make it visible on your web site. The “reasonableness” criteria you write are likely to be best if you include some of your senior business managers in the creation of that document, those who have been on the receiving end of a lot of customer feedback and so have a good idea what a “reasonable” person thinks is an acceptable time period.
Is reasonable really reasonable?
The final consideration is whether “reasonable” always means the same thing, or whether the standard varies. In many fields we see the principle that the degree of protection or leniency we reasonably provide for one person is different from the degree of protection we provide for another.
To illustrate, when someone borrows money on a credit card, that person benefits from certain protections under the Consumer Credit Act. This is because there is an assumption that in the transaction, the consumer is less informed and less experienced in dealing with loans than a company that has made loans many times over – so as a society, we provide more protection for the public than for a business.
I think in time a similar principle will emerge for how we handle data. Let’s say a company that provides loans to individuals has acquired a list of names and addresses. We have already said that the company is not permitted to make contact unless they can demonstrate those people have actively confirmed that they want to receive marketing from them. Society says it is “reasonable” that individuals should be protected from marketing.
Let’s say instead that the lender provides loans to other companies, and someone at the lender uses LinkedIn to collect the names of the finance directors at a range of companies. Is it reasonable for the lender to begin attempting to contact the finance directors and market to them? I believe that is reasonable behaviour on two grounds: because by virtue of their professional role a finance director is likely to need access to money, and also because by posting their professional profile on LinkedIn a finance director is inviting relevant professional contact.
Putting these principles into practice
Red Olive is a data and analytics firm specialising in helping our clients extract value from data. We help by providing sound advice, effective design and rapid implementation, as well as mentoring and training.
We can help demonstrate the pitfalls and benefits of the way your organisation deals with data – to find out how, drop us a line on firstname.lastname@example.org, call us on 01256 831100 or arrange a time to meet with us at 3 Waterhouse Square, 138 Holborn, London EC1N 2SW.