Data Protection Law and the Ethical Use of Analytics, Privacy and Security Law Report
Author(s): Paul M. Schwartz
Abstract: Organizations now work in a data-rich environment. As the Article 29 Working Group of the EU recently noted, ‘‘[W]e are witnessing a so-called ‘data deluge’ effect, where the amount of personal data that exists, is processed and is further transferred continues to grow.’’From all indications, the data deluge will not only continue, but increase.
In 2003, a study at the UC Berkeley School of Information found that the amount of new information being created every year and stored on media was 5 exabytes. That amount is equal to the information stored in 37,000 libraries the size of the Library of Congress in the United States. By 2007, however, the amount of information stored each year had increased to 161 exabytes a year. This development has continued apace.In 2010, Google CEO Eric Schmidt noted that mankind now creates as much information every two days as it had from the dawn of civilization to 2003.
The turn to analytics is a response to this situation. Analytics involve the use of statistics, algorithms, and other tools of mathematics, harnessed through information technology, to use data to improve decisionmaking. A wide variety of organizations use analytics in their operations. Analytics are used by government, for example, but this white paper concentrates on how private-sector organizations use this technique.It does so because distinctive regulatory and ethical issues are likely to arise for different categories of enterprises. This white paper offers a contextual examination of analytics and develops ethical standards for private organizations using this technique. The term ‘‘contextual’’ is used here in reference to an organization’s need to consider the risks that a specific application of analytics poses to privacy and the kind of responsible processes that should accompany the use of analytics generally. This white paper finds that analytics tend to be applied to four stages of a data life-cycle: (1) collection, (2) integration and analysis, (3) decision-making, and (4) review and revision.
Its ethical standards for private organizations using analytics were developed through a series of interviews and discussions with the leading companies that participated in this project of the Centre of Information Policy
Leadership at Hunton & Williams. The resulting standards acknowledge that analytics can have a negative as well as a beneficial impact on individuals. Thus, the white paper requires implementation of accountable processes that are tailored to the specific, identified risks of analytics used. The guidelines further require development of organizational polices that govern information management and training of personnel. A company should also place responsibility for data processing operations and decision on designated individuals within the company. The following report is an abridged version of the full white paper, which is available online.