Ethical and Legal Issues in Data Management
Ethical and Legal Issues in Data Management
Presented by: Richard Holowczak, Baruch College, CUNY
Contact: Richard.Holowczak@baruch.cuny.edu
Adaptations: Portions of this presentation were adapted from
Textbook: Business Database Systems by Connolly, Begg, and Holowczak, Addison-Wesley Publishing Company, USA, 2008.
Article: “Database Administrator’s Code of Ethics” by Brian Carr, RMOUG SQL UPDATE, Vol 56, Fall 2009.
Copyright: © Richard Holowczak 2017-2025
Data Flow in Organizations
Stages of Data Flow:
Data Collection: Gathering of data from various sources.
Data Sharing: Distribution of data across different stakeholders.
Data Storage: Safe-keeping of data for future access and use.
Data Processing: Transformation of raw data into actionable insights.
Objectives of Data Processing:
Provide products or services.
Comply with regulatory mandates.
Present data in detailed and summary forms.
Responsibilities in Data Management
Key Roles and Responsibilities:
Chief Information Officer (CIO): Oversees information technology strategy and implementation.
Chief Data/Digital Officer (CDO): Focuses on data management and digital transformation.
Database Administrator (DBA): Manages database systems, ensuring integrity, security, and availability.
Users: Must adhere to established user policies.
Organizational Policies: Include security, backup, and retention policies.
Ethical Context in the Business Environment
Challenges: Organizations must address questions regarding employee conduct and data management practices.
Industries to Consider:
eCommerce
Social Media
Telecommunications
Finance
Government
Professional vs Non-Professional Behavior: Developing knowledge on ethical standards is crucial.
Trends in Data Collection
Consumer Data Exchange: The “Grand Bargain” concept allows consumers to trade personal data for free or reduced-cost services (e.g., Google, Facebook).
Internet of Things (IoT): Generates extensive amounts of data, referred to as the “Data of Things.”
Data Control: A small number of organizations wield significant data control, impacting consumer privacy and practices.
Definitions of Ethics
Ethics: A collection of principles of right conduct or a moral system.
Ethical behavior is defined as “doing what is right” according to societal standards.
Cross-cultural considerations: Ethical norms vary by culture (country, religion, ethnicity).
Ethical and Legal Behavior
Relationship between Ethics and Laws: Laws serve to enforce certain ethical behaviors.
Common perception:
What is ethical is usually legal.
What is unethical is often illegal.
Questions for contemplation:
Is all unethical behavior illegal?
Is all ethical behavior legal?
Role of Ethical Codes: Help guide the introduction of relevant laws.
Technology and Ethics: Ethics bridge the gap between technological advancements and legal frameworks.
Examples of Ethics in Data Management
Scenarios for consideration:
Legal vs Ethical:
Legal: Professor reviewing student grades, students researching professors' salaries.
Ethical: Photocopying a business textbook, admin accessing user data, DBA querying customer data for personal interest.
Ethical Behavior in IT
Access and Control: Systems Administrators and DBAs typically have the capability to access and manage data extensively.
Unethical Requests: A significant number of IT workers report being asked to perform unethical tasks (e.g., installing unauthorized software).
Survey Data: TechRepublic revealed that 57% of IT professionals were asked to engage in unethical behavior by superiors.
Relevant Legislation Impacting IT
Major legislation affecting data management consists of:
HIPAA: Health Insurance Portability and Accountability Act.
FERPA: Family Educational Rights and Privacy Act.
CCPA: California Consumer Privacy Act.
UK DPA: United Kingdom’s Data Protection Act.
GDPR: European Union General Data Protection Regulation.
Other relevant regulations: Sarbanes-Oxley Act, COBIT, COSO, BASEL II/BASEL III Accords.
Health Insurance Portability and Accountability Act (HIPAA)
Administered By: Health and Human Services in the US.
Affected Parties: Healthcare providers and insurers.
Five Provisions:
Protection of patient privacy.
Standardization of electronic health records and transactions.
National identifier system for employees in health plans.
Security standards for patient data.
National identifier for healthcare organizations.
General Data Protection Regulation (GDPR)
Fundamental Right: Protection of personal data is classified as a fundamental right in the EU.
Data Subject Rights:
Consent must be clearly obtained for data processing.
Right to rectification and to be forgotten.
Enforcement: Imposition of penalties for non-compliance is included in the regulation.
Culture of Legal and Ethical Data Stewardship
Liability: Senior executives are increasingly held accountable for data management violations.
Recommended Steps:
Creation of an organization-wide policy emphasizing legal and ethical behavior.
Adoption of codes of ethics from professional organizations.
Developing a Code of Ethics
Ethical Frameworks:
Common Good: Focus on community welfare.
Utilitarianism: Aim for maximum benefit with minimal harm; similar to the Hippocratic oath.
Rights-based Ethics: Respecting others' fundamental rights.
Equality: Commitment to fairness.
Virtue Ethics: Based on Aristotle’s cardinal virtues: Prudence, Courage, Temperance, Justice.
Brian Carr's Suggestions: Utilize Aristotle's virtues to create a DBA Code of Ethics.
Ethical Principles in Data Stewardship
Key Ethical Principles Include:
Privacy
Autonomy
Fairness
Transparency
Accountability
Data Minimization
Purpose Limitation
Avoiding Bias and Discriminatory Outcomes
Privacy in Data Stewardship
Definition of Privacy: Individuals’ control over their personal information.
Requirements:
Only collect data with justifiable purposes.
Protect against unauthorized access.
Ensure clarity in data usage.
Ethical Obligation: Misuse leads to a breakdown of trust and potential harm to individuals.
Autonomy in Data Stewardship
Meaning of Autonomy: Individuals' right to make informed data decisions.
Elements:
Meaningful consent (clear and revocable).
Options to opt-out from certain uses.
Avoid manipulation through unclear practices.
Ethical Stewardship: Recognizes users as decision-makers.
Fairness in Data Stewardship
Fairness Definition: Data practices must not reinforce inequities.
Areas of Focus:
Avoiding exploitative data collection.
Ensuring algorithmic equity.
Mitigating systematic disadvantages for any group.
Fairness Evaluation: Requires checking for unintended consequences.
Transparency in Data Stewardship
Transparency Concept: Understanding of data usage processes.
Involves:
Clear communication of data practices.
Openness about algorithms and decision-making.
Documentation for auditability.
Impact of Transparency: Builds accountability and fosters trust among users.
Accountability in Data Stewardship
Definition of Accountability: Organizations must take responsibility for data governance.
Key Elements:
Clear roles within data governance frameworks.
Maintenance of documented audit trails.
Preparedness to justify decisions and respond to complaints.
Active oversight to ensure compliance and accountability beyond policy statements.
Data Minimization Principle
Concept: Collect only data essential for specified purposes.
Advantages:
Reduces risks associated with privacy.
Prevents accidental data misuse.
Assists in regulatory compliance.
Ethical Stance: Avoids over-collection practices that can lead to abuse.
Purpose Limitation Principle
Definition: Collecting data should be for specific, declared purposes.
Restrictions: Data should not be repurposed without lawful justification.
Prevention of Function Creep: Avoiding the unintended expansion of data usage beyond initial consent.
Avoiding Bias and Discriminatory Outcomes
Concerns: Data systems may embed or heighten societal biases.
Ethical Actions Include:
Identifying biases in available datasets.
Evaluating models for disparate impacts.
Adjustments in algorithms or data decision protocols to minimize harm.
Intensive monitoring post-deployment to catch any unintended negative effects.
Objective: Not only remove individual biases but prevent perpetuation of structural inequalities.
Summary of Key Points
Key Concepts:
Organizations must manage data collection, storage, processing, and distribution effectively.
Government regulations and industry best practices shape data policies.
Major regulatory frameworks include HIPAA, FERPA, GDPR, and CCPA.
Ethical stewardship principles are crucial: Privacy, Autonomy, Fairness, Transparency, Accountability, Data Minimization, Purpose Limitation, and Avoiding Bias and Discrimination.