
Data Ethics (1)

The document outlines the importance of data ethics, emphasizing transparency, accountability, and the protection of personal information. It details key principles such as fairness, privacy, ownership, and accountability, along with various data protection laws and regulations across different regions. Additionally, it discusses threats to data privacy, including misuse of personally identifiable information and the significance of obtaining consent for data collection.

Uploaded by

Unicorn Vn

DATA ETHICS

MORAL PRINCIPLES AND VALUES THAT GUIDE THE COLLECTION, USE, SHARING AND PROTECTION OF DATA
WHY IS DATA ETHICS IMPORTANT
• Being transparent about how the data is collected, used,
and shared.
• Being accountable for how the organization collects and
handles the data. If something goes wrong, the
organization takes responsibility for the incident and takes
corrective action.
• Safeguarding personal information against data breaches,
unauthorized access, and misuse.
• Respecting the trust that the data owners place in the
organization when they share their data.
DATA ETHICS PRINCIPLES
• FAIRNESS
• PRIVACY
• OWNERSHIP
• ACCOUNTABILITY
FAIRNESS
ENSURING THAT DATA HANDLING PROCESSES DO NOT
DISCRIMINATE AGAINST OR UNFAIRLY IMPACT CERTAIN
INDIVIDUALS AND GROUPS.
The principle of fairness in the use of data, artificial intelligence, and
machine learning focuses on data-driven decisions that can, either
intentionally or unintentionally, result in unfairness because of the way the
systems have been developed.
Artificial intelligence systems use algorithms applied to historical data. The
algorithms are used to detect patterns in the historical data, and those
patterns are used to make predictions based on current or future data.
If the historical data are flawed by biases that were operational in the
past, those biases will be replicated in the predictions made by the AI
system even though they are not desirable for decision making. Using the
example given previously, a bias against job candidates of a particular
gender or ethnic background can cause not only unfairness, but it can
also lead to the recommendation of less qualified candidates.
PRIVACY
• The two most important aspects of privacy are
anonymization and protection of the data from
unauthorized access.
ANONYMIZATION
DIFFERENTIAL PRIVACY
PROTECTION OF DATA
LINKAGE ATTACK
The process of tracing anonymous data to individuals
using other available data is called a linkage attack, and it
is a serious threat to data privacy.
• DIFFERENTIAL PRIVACY: Differential privacy has been
developed in an attempt to counter the threat of linkage
attacks. An algorithm is used to add a predetermined
amount of “noise,” or error, to the dataset. The data
scientists using the algorithm know how the error was
introduced and they can work backwards to roughly
calculate the true results of the computations made from
the data, but information about any individual would not
be easily detected from the data.
• Differential privacy will affect the accuracy of data.
• PROTECTION OF DATA from unauthorized access,
breaches, and leaks is another critical aspect of privacy.
Organizations that maintain data must have strong
security in place to prevent unauthorized access. Data
should be kept secure when in storage and should always
be transmitted securely. Encryption and access controls
should be used. Organizations should have policies in
place that limit access to data to those who have a need
for it, and the policies should include the limited
circumstances under which authorized people are able to
access the data.
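
The differential privacy bullet above describes adding a known amount of noise and working backwards to an approximate aggregate. As an added example (not part of the original slides), the Python sketch below uses randomized response, one simple technique of that kind; the 0.75 truth probability, the function names and the constructed 20,000-record dataset are assumptions.

```python
import math
import random

P_TRUTH = 0.75  # assumption: probability a record keeps its true value

def randomize(true_bits, p_truth=P_TRUTH, rng=None):
    """Add known noise per record: keep the true bit with probability
    p_truth, otherwise replace it with a fair coin flip."""
    rng = rng or random.Random()
    return [b if rng.random() < p_truth else rng.randint(0, 1)
            for b in true_bits]

def estimate_rate(noisy_bits, p_truth=P_TRUTH):
    """Work backwards from the noisy data to the approximate true rate.
    E[noisy] = p_truth * rate + (1 - p_truth) * 0.5, solved for rate."""
    observed = sum(noisy_bits) / len(noisy_bits)
    return (observed - (1 - p_truth) * 0.5) / p_truth

def epsilon(p_truth=P_TRUTH):
    """Privacy loss: log of the ratio between the chance of reporting 1
    when the truth is 1 and when the truth is 0. Smaller is more private."""
    if p_truth >= 1:
        return math.inf  # no noise, no protection
    p_if_one = p_truth + (1 - p_truth) / 2
    p_if_zero = (1 - p_truth) / 2
    return math.log(p_if_one / p_if_zero)

def run_demo(seed=7, n=20000, true_rate=0.30, p_truth=P_TRUTH):
    """Constructed sample data: n records, true_rate of them sensitive."""
    rng = random.Random(seed)
    ones = int(n * true_rate)
    truth = [1] * ones + [0] * (n - ones)
    noisy = randomize(truth, p_truth, rng)
    changed = sum(t != x for t, x in zip(truth, noisy)) / n
    return {"estimate": estimate_rate(noisy, p_truth),
            "records_changed": changed,
            "epsilon": epsilon(p_truth)}

if __name__ == "__main__":
    for p in (0.9, 0.75, 0.5):  # more noise: more privacy, less accuracy
        print(p, run_demo(p_truth=p))
```

Lowering the truth probability lowers epsilon (stronger privacy) but widens the error of the recovered rate, which is the accuracy cost noted above.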
TRANSPARENCY
Transparency means communicating to the owners of the
data what information will be gathered from them, whether
and how it will be stored, how it will be secured, how it will
be used, and who it might be shared with.
OWNERSHIP
Regardless of where the data originates, the
owners of the data are the individuals who have provided their
personal information, and they should have the right to control
their data. They should have the ability to access it, correct it,
and delete it.
Because the individuals who have provided their personal
information own it, it is unethical to collect a person’s personal
data without their consent. Doing that is stealing. Therefore,
consent should always be obtained. It can be obtained through
a signed agreement, by asking users to agree to terms and
conditions in the company’s privacy policy, or by asking visitors
to the company’s website whether the website may
track their online behavior with cookies.
ACCOUNTABILITY
Accountability means that organizations that collect and
use people’s personal data must be answerable for the
consequences of their actions. If any ethical violations
occur, they must ensure that proper actions are taken to
correct the violation.
PERSONALLY IDENTIFIABLE INFORMATION
Personally identifiable information, or PII, is information
that can be used to identify a person, whether it is used
alone or with other information.
MISUSE OF PERSONALLY IDENTIFIABLE
INFORMATION
• STEALING PII TO OPEN CREDIT ACCOUNTS
• USING PII TO ACCESS FINANCIAL ACCOUNTS
• MEDICAL IDENTITY
• CREATING FAKE IDENTITY
• UNAUTHORIZED MARKETING
DATA PROTECTION LAW
Data protection laws address both data privacy (how to
control the collection, use, and dissemination of personal
information) and data security (how to protect personal
information from unauthorized access or use and how to
respond to unauthorized access or use).
PRINCIPLES IN DATA PROTECTION LAW
• WHAT TYPE OF INFORMATION IS COLLECTED
• DATA HAS TO BE DELETED WHEN IT IS NO LONGER
NEEDED
• PROHIBITIONS AGAINST SHARING DATA
DUMPSTER DIVING
The practice of searching through commercial and residential
trash to find valuable or sensitive information.
SOCIAL ENGINEERING
Social engineering involves deceiving company
employees into divulging information such as passwords,
usually through a fraudulent email, but it may be
through something as simple as a telephone call.
PHISHING
Phishing uses spam email to deceive consumers into
disclosing their credit card numbers, bank account
information, Social Security numbers, passwords, or other
sensitive personal information.
DATA PROTECTION LAWS IN US
Federal Trade Commission Act 1914:
This act was signed to prohibit unfair practices that affect
commerce, committing acts that cause harm to customers, etc.
The Federal Trade Commission has interpreted that to include
enforcement against unfair or deceptive practices in privacy and
data protection matters. Its position is that companies are bound
by their data privacy and data security promises. The FTC
maintains that companies act deceptively when they handle
personal information in a way that does not match their posted
privacy policies. The FTC also maintains that companies’
practices are unfair when they have default privacy settings that
are difficult to change or when they retroactively apply revised
privacy policies.
• The Communications Act of 1934 includes data protection provisions for
communications entities, which now include common carriers, cable operators,
and satellite carriers.
• The Fair Credit Reporting Act, passed in 1970, covers the collection and use of
information in consumer credit reports.
• The Cable Communications Policy Act of 1984 includes protections of
subscriber privacy.
• The Computer Fraud and Abuse Act of 1986 prohibits unauthorized access of
protected computers.
• The Electronic Communications Privacy Act of 1986 prohibits unauthorized
access to or interception of electronic communications, whether in storage or in
transit.
• The Video Privacy Protection Act of 1988 provides for privacy protections
related to video rental and streaming.
• The Driver’s Privacy Protection Act of 1994 (DPPA) governs the privacy and
disclosure of personal information collected by state Departments of Motor
Vehicles.
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
regulates the collection and disclosure of protected health information by health
care providers.
• The Children’s Online Privacy Protection Act (COPPA) of
1998 prohibits collection of any information from a child under
the age of 13 online or from any digitally connected device
and requires publication of privacy notices and collection of
verifiable parental consent when information from children is
being collected.
• The Gramm-Leach-Bliley Act, also known as the Financial
Services Modernization Act of 1999, regulates the use of
nonpublic personal information by financial institutions.
• The Consumer Financial Protection Act of 2010 regulates
unfair, deceptive, or abusive behavior in connection with
consumer financial services.
• Federal Securities Laws in some cases include requirements
for data security controls and data breach reporting.
GENERAL DATA PROTECTION REGULATION
(EUROPEAN UNION)
The General Data Protection Regulation (GDPR) is one of the
world’s strictest consumer privacy and data security
laws. It requires any company or organization in the world,
regardless of its location, to comply with its data protection
standards and privacy rights if it processes the personal data of
anyone in the EU.
The philosophy in Europe is that data privacy is a fundamental
human right: people own their personal information, and it is for
the individual to decide who can use it.
The misuse of people’s data by the Nazis, followed by similar
collection and usage by the secret police in East Germany, resulted
in strict regulation in the EU. Some of the world’s first specific data
protection laws were enacted in Germany in the 1970s.
RIGHTS IN GDPR
• Access: Individuals have the right to request access to
inspect their personal information.
• Correction: Individuals have the right to request the
correction of errors in their personal information.
• Portability: Individuals have the right to request transfer of
their personal information to another entity.
• Erasure: Individuals have the right to request their
personal information to be deleted.
• Consent: Individuals have the right to consent to the
selling of their personal information and to whether it may
be used for purposes of receiving advertising.
• Appeal: Individuals have the right to appeal a business’s
denial of their request.
In Australia, personal information is protected by the
Privacy Act of 1988, which regulates the collection, storage,
use, and disclosure of personal information. The Privacy
Act applies to the federal government and to private
entities. Later amendments to the Privacy Act regulate the
use of healthcare information and the obligations of entities
that experience a data breach.

In Canada, the Personal Information Protection and
Electronic Documents Act regulates companies’ and other
organizations’ use of personal information for commercial
purposes.
