Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

A new report by the Privacy Commissioner for Personal Data highlights the need for advanced data processing activities to follow ethical principles and be fair to all stakeholders.

Advanced data processing activities, such as data analytics and artificial intelligence, have brought significant changes to the scale and ways in which personal data is collected, processed and used. The Privacy Commissioner for Personal Data (Privacy Commissioner), Stephen Kai-yi Wong, warns in a recently released report that these developments are challenging the data privacy frameworks of jurisdictions around the world.

The report – Ethical Accountability Framework for Hong Kong China – points out that Hong Kong’s Personal Data (Privacy) Ordinance of Hong Kong (Cap 486) is based on concepts such as ‘notice and consent’, ‘use limitation’, and ‘transparency’, but sophisticated data mining, analytics and profiling techniques mean that, often, individuals are not even aware that their personal data has been collected or shared.

The report is based on a consultancy study, the Legitimacy of Data Processing Project, commissioned by the Privacy Commissioner to look into the issues of ethical and fair processing of personal data in advanced data processing activities. Over 20 organisations in Hong Kong from various sectors, including banking, insurance, telecommunications, healthcare services and transportation, participated in the project by providing comments and feedback on the draft project deliverables, to ensure that the recommendations of the project are relevant and practicable in the business environment and day-to-day operations.

The Ethical Accountability Framework for Hong Kong China report seeks to foster a culture of ethical data governance and address the personal data privacy risks brought about by information and communications technology while balancing the interests of all stakeholders. It emphasises that organisations should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only. ‘They should instead be held to a higher ethical standard that meets stakeholders’ expectations alongside the requirements of laws and regulations. Data ethics can therefore bridge the gap between legal requirements and the stakeholders’ expectations,’ Mr Wong said at the launch of the report.

The findings of the report are summarised below.

Data stewardship accountability

The report outlines a number of ethical data stewardship accountability elements, calling for organisations to:
define data stewardship values, develop them into guiding principles and then translate them into organisational policies and processes for ethical data processing

  • use an ‘ethics by design’ process to translate data stewardship values into data analytics and data use design processes so that society, groups of individuals, or individuals themselves, and not just the organisation, gain value from the data processing activities
  • require Ethical Data Impact Assessments (EDIAs) when advanced data analytics may impact people in a significant manner and/or when data-enabled decisions are being made solely by machines automatically
  • use an internal review process that assesses whether data stewardship accountability elements and EDIAs have been properly conducted
  • be transparent about processes; ensure thorough communications on managing the advanced data processing activities and the rationale behind the decisions; and address and document all societal and individual concerns and design individual accountability systems that provide appropriate opportunities for feedback, relevant explanations and appeal options for impacted individuals, and
  • stand ready to demonstrate the soundness of internal processes to regulatory agencies when data processing is, or may be, impactful on people in a significant manner.

Data stewardship values

The report also recommends three data stewardship values for Hong Kong organisations when carrying out advanced data processing activities: respectful, beneficial and fair.

Respectful

All parties that have interests in the data should be taken into consideration.

  • Organisations are accountable for conducting advanced data processing activities so that the expectations of the individuals to whom the data relate and/or the individuals who are impacted by the data use are considered.
  • Decisions made about an individual and the decision-making process should be explainable and reasonable.
  • Individuals should be provided with appropriate and meaningful engagement and control over advanced data processing activities that impact them.
  • Individuals should always be able to make inquiries, obtain relevant explanations and, if necessary, appeal decisions regarding the advanced data processing activities that impact them.

Beneficial

  • Where advanced data processing activities have a potential impact on individuals, the benefits and potential risks of the advanced data processing activity should be defined, identified and assessed.
  • Once all risks are identified, appropriate ways to mitigate those risks and to balance the interests of different parties should be implemented.

Fair

  • Advanced data processing activities must avoid actions that seem inappropriate or might be considered offensive or causing distress. Unequal treatment or discrimination should also be prohibited.
  • The accuracy and relevancy of algorithms and models used in decision-making should be regularly reviewed to reduce errors and uncertainty, and should be evaluated for any bias and discrimination.
  • Advanced data processing activities should be consistent with the ethical values of the organisation.

Assessment models

In order to help organisations implement the data stewardship recommendations discussed above, two models are recommended.

  1. The Model Ethical Data Impact Assessment. This assesses the impact to all stakeholders’ interests in data collection, use and disclosure, and in data-driven activities.
  2. The Process Oversight Model. This looks at how an organisation translates organisational ethical values into principles and policies and into an ‘ethics by design’ programme. It also considers how the internal review processes, such as conducting EDIAs and establishing effective individual accountability systems, are implemented.

The report sets out the guiding questions of the above two assessment models to help organisations complete the assessment tasks.

Launching the report in October this year, the Privacy Commissioner spoke of his hopes that it would help bring about a cultural change in personal data privacy protection. ‘I hope that in the not-too-distant future, ethical data stewardship will become a well-received norm in personal data protection among organisations in Hong Kong,’ Mr Wong said.

Source: The Office of the Privacy Commissioner for Personal Data
The ‘Ethical Accountability Framework for Hong Kong China’ report is now available on the Office of the Privacy Commissioner for Personal Data website: www.pcpd.org.hk.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone