Oh, privacy advisers, we hear your pain.
No matter whether you work in government or the private sector, your organisations will no doubt be keen to maximise the benefits from your information assets, in order to gain insights into how best to run your business, or to support evidence-based decision making. However with the increase in the availability and richness of data, the risk of a data breach or privacy breach also rises.
But the rules about secondary use of personal information are not always black and white, and if you also start to throw ethical considerations and customer expectations into the mix… well then, the question becomes: where to start?
A common problem we have seen amongst our clients is this:
- You’ve got a large amount of data, generated from lots of different source systems, with different data owners or data custodians in charge of each dataset
- You’ve got pressure from the senior executives to make better use of data
- You’ve got data requestors, meaning people who want access to data, spread across your organisation too, and they’re pestering the data owners with requests all the time
- But the data owners are busy, or nervous about not complying with privacy law, or concerned about whether a particular data use proposal is going to create reputational risks for the organisation
- The privacy team, or Legal, or Risk & Compliance, can get caught in the middle of a tug of war, with people pulling on all sides
- When privacy advisers are swamped, or suffering from decision paralysis, it creates a bottleneck. Or if risk-averse privacy advisers gain a reputation as “the people who always say ‘no’”, data requestors might start avoiding the privacy advisers entirely, which just makes things worse!
Our observations are this.
Data requestors want:
- to understand what the legal and ethical limitations are around the use of each dataset
- to be briefed about the context and limitations of each dataset or data type, in terms of data quality or ‘fitness for purpose’ for their needs
- clarity about the pathway to follow, who is responsible for assessing data use requests, and what the approval criteria are
- faster approvals, and
- more consistent decision-making.
Data owners and data custodians:
- want guidance to help them make the ‘right’ decision when asked about access to the data for which they are a custodian
- are worried not only about privacy compliance but other legal issues, including not breaching secrecy rules in other legislation, or contracts, confidentiality agreements or MoUs with other stakeholders and partner organisations, and
- are worried about other, non-legal consequences of secondary use, such as public trust, and reputational issues which arise from breaking privacy or confidentiality promises made to data subjects at the time of original data collection.
And everyone wants a structured way to consider data use requests which raise ethical issues, but without going down a formal human research ethics committee route every time.
This is increasingly a challenge for organisations keen to make the most out of their data: how to make decisions about secondary data use, which are legal, ethical, and respectful of your customers?
And how do you build that decision-making capability across your organisation, so it’s not just the privacy officer having to figure out the answer every time?
This common dilemma for organisations – and the privacy advisers caught in the middle who seek our advice – inspired the topic for our free Privacy Awareness Week webinar this year.
We are going to explore what the law says, what some ethical frameworks suggest, what research about community expectations tells us, and then we are going to show you how to pull all of those things together, to build a pragmatic framework for balancing business objectives with legal and ethical concerns about the use of personal information.
If you would like to know more about how to resolve competing demands to protect yet share data, see the video of our Masterclass in Data, Privacy and Ethics.
Photograph © Shutterstock
