In an era where the use and abuse of personal data is on the rise and digital trust is going down, academic research must zoom more in on data ethics. Some research institutions and the EU already have developed specific guidelines for data ethics on top of existing research ethics principles.
There are multiple very good existing ‘research ethics principles’ around the world at academic institutions. They focus on topics such as honesty, accountability, professional courtesy, fairness and good stewardship. Data privacy and data ethics are also an integrated or implicit part of these general research ethics principles, and many of us take for granted that scientists comply with any given law, including data protection regulation – and that they are ethically responsible in their usage of personal data. At the same time – fortunately – most of us trust scientists and that they use data for good.
It does, however, seem that the focus on data ethics could be more explicit. When for example the European Code of Conduct for Research Integrity talks of ‘good data practices’ it is mainly about availability and access for other researchers – not data privacy or individual data control. And there a not that many academic institutions who have Ethics Review Boards.
As we live in the beginning of a new ‘data age’ with exponential use and abuse of personal data, we see an increasing concern for lack of privacy, personal data control and human autonomy. Even though this concern is not really pointed at academic research but more towards governments and private companies, this scepticism is already or will be rubbing off.
Therefore it is important to explicitly add data ethics as an independent and vital part of any general research ethics principles.
EU Research Ethics Compliance Kit
One set of guidelines focusing more specifically on personal data ethics is the EU ‘Research Ethics Compliance Kit’ used when assessing Horizon 2020 projects. Horizon 2020 is the biggest EU Research and Innovation program ever. The compliance kit is written by the German philosopher and political scientist Peter Burgess in 2016. It’s based on 4 of the 10 rules in the Nuremberg Code;
- Consent – that objects of research experiments have the right to understand and consent to the procedure to be carried out on them;
- Proportionality – that the scientific intervention does not imply procedures or experiences more invasive than absolutely necessary to obtain the experimental results sought after;
- Necessity that the procedure is absolutely indispensable in order to obtain the results sought after; and
- The right to withdraw that the object may terminate the procedure freely and at any time.
There is also the ‘Horizon2020 Programme Guidance on How to Complete your Ethics Self-assessment’ with an ethics checklist when researching on personal data (and human beings, animals, human embryos and cells and the environment). In case a research project deals with personal data, you need to appoint a DPO (data privacy officer) and provide information on:
- The technical and organisational measures to safeguard the rights of the research participants
- The informed consent procedures
- The security measures to prevent unauthorised access to personal data
- How is all of the processed data relevant and limited to the purposes of the project (data minimisation principle)
- The anonymisation/pseudonymisation techniques
- Justification of why research data will not be anonymised/ pseudonymised
Details of the data transfers (type of data transferred and country to which it is transferred for both EU and non EU countries
It the project involves profiling and systemtic monitoring, following must be provided:
- Details of the methods used for tracking, surveillance or observation of participants
- Details of the methods used for profiling
- Risk assessment for the data processing activities
- Explanation on how harm will be prevented and the rights of the research participants safeguarded
- Details on the procedures for informing the research participants about profiling, its possible consequences and the protection measures.
The Melbourne Report
Another set of in-depth guidelines stems from The University of Melbourne; ‘Ethical Use of Digital Data’ from 2015. It identifies 5 key categories of ethical issues as highly relevant to research using digital data.
Privacy and confidentiality
Ownership and authorship
Data governance and custodianship
Data sharing: assessing the social benefits of research
Consent is not a well-functioning tool in the digital age. With big tech’s small-written privacy policies and EU’s cookie directive demanding pop-ups for cookies acceptance, most people just click yes without reading what they say yes to according to several surveys. But despite the little likelihood that users read the fine print, consent is still the best legal tool available for now. And therefore researchers must of course obtain informed consent and try to invent new ways of doing it where it is likely that users understand what they are consenting to.
Some of the key questions researchers could ask themselves, according to the report from University of Melbourne, are:
- Is an on-going process of informed consent (rather than a one-off consent) more appropriate for this research?
- Have all avenues for gaining informed consent from individuals to use potentially identifiable data been explored?
- Are participants aware that data collected for one research project may be reanalysed in future research projects?
- Is there a need for re-negotiating consent if the data are used by someone other than the researcher who collected it?
Privacy and Confidentiality
Privacy can be defined as the control that individuals have over their data. Confidentiality – in research – refers to the process of keeping information secure, and ensuring that access will be restricted to only authorised users. However, as the Melbourne report notes, the right to privacy is absolute.
“In some circumstances, it must be weighed against the equally justified rights of others and against matters that benefit society as a whole. The conduct of medical research presents one of these circumstances. Medical research is important for providing information to help the community make decisions that impact on the health of individuals and the community. However, it should be carried out in such a way as to minimise the intrusion on people’s privacy.”
If it is not practicable to obtain informed consent and de-identified information cannot be used, then it may be that identified information can to be used in order for the medical research to proceed. It all depends on the balance between public interest and individual privacy, according to the 11 authors of the Melbourne report.
Ownership and authorship
When it comes to individual identifiable data there is – at least according to the EU – no doubt who is the data owner; the individual. All others loan data from individuals. But when it comes to data analysis results based on these data within research it is a different game. The Melbourne report states that the whole arena of authorship and ownership of digital data is one where there is little consensus about who has responsibility for the data and at what point the individual has given up their right to control their personal data. Are data for example owned by the body that funded the research, the principal researcher, the research team, or the data storage service? The report does not conclude on it but guides researcher to ask a series of questions such as;
- Who has authority to access, release and manage this data?
- What processes have been used to anonymise this data
- Who is accountable for data quality, protection and access to data? Who is responsible for providing documentation and meta-data?
- Is data destruction (as a requirement of ethics applications) a relevant approach to digital data?
Data Governance and Data Sharing
Data governance deals with data storage and access to data. There must be processes in place to track and log the use of data. To archive or delete data. And who has the ultimate responsibility for data.
As for data sharing some of following questions must be in place according to the Melbourne report and also ‘GDPR – New Rules on Data Protection’ from Plesner ;
- Does the approval/permission regime for the original data include or preclude the new use of the data?
- Do researchers have a responsibility to assess whether the secondary use of the data is aligned with the original intent for which it was collected?
- Is there a risk that in accessing the data collected by others that research participants will be adversely affected? How can this risk be evaluated?
- Do the benefits outweigh the potential risks and/or unintended consequences of repurposing data?
- Is it possible to withdraw data from a project which may be secondary to the original research?
- Are you in control of your data processors?
- Do you have a plan for how to handle a security breach?
- Do you know if your organization transfers personal data to other parties?
It is always a good idea to develop a set of data ethics guidelines for your project. This is what we are working on with the CHALLENGE platform.
Above questions are good to go through, but there are more questions to be answered. For inspiration see the links below and get the data ethics principles and questions to ask yourself here (full disclosure; this article’s author is co-founder of DataEthics.eu)
The General Data Protection Regulation – New Rules on Data Protection. Plesner.
Read more on DataForGood.Science