Privacy Advisor

The ethical use of analytics

March 1, 2011

By Paul M. Schwartz

The term “analytics” refers to the use of information technology to harness statistics, algorithms and other tools of mathematics to improve decision-making. A wide variety of organizations use analytics to convert data to actionable knowledge. Analytics represent a change from the long-standing approaches to management that often relied on instinct and were largely unsupported and undocumented. Analytics permit corporate decision-making to be driven, assessed and tested by the use of data.

In a whitepaper prepared for the Hunton & Williams Centre for Information Policy Leadership, I carried out a contextual examination of analytics. The term “contextual” was used in reference to an organization’s need to consider the risks that a specific application of analytics pose to privacy and the kind of responsible processes that should accompany the use of analytics generally. The whitepaper finds that analytics tend to be applied to four stages of a data life-cycle:  (1) collection, (2) integration and analysis, (3) decision-making and (4) review and revision.

The whitepaper further discusses how rules about the collection and processing of  personal information can reflect different legal, social and cultural values in different countries. These disparities raise considerable challenges to international companies that work in a variety of jurisdictions. The differences in background values can also raise challenges to a distributed business strategy that involves partnering with other entities on a global basis.

Finally, the paper proposes ethical standards for private organizations using this technique. These guidelines were developed through a series of interviews and discussions in a workshop with the leading companies that participated in this project. The standards acknowledge that analytics can have a negative as well as a beneficial impact on individuals. Thus, the whitepaper requires implementation of accountable processes that are tailored to the specific, identified risks of analytics used. The guidelines further require development of organizational policies that govern information management and training of personnel. A company should also place responsibility for data processing operations and decisions on designated individuals within the company. The ethical standards, as applied generally and to the different stages of data lifecycle identified in this paper, are as follows:

Overarching requirements

  • A company should comply with legal requirements in its use of analytics.
  • A company should assess, beyond legal requirements, whether its use of analytics reflects cultural and social norms about acceptable activities.
  • A company should assess the impact of its use of analytics on the trust a wide range of stakeholders holds. Relevant stakeholders can include consumers, other businesses, government and non-governmental policymakers.
  • A company should use analytics through accountable processes. Accountability begins with an acknowledgment that analytics can have a negative as well as a beneficial impact on individuals.
  • A company should also develop internal policies that center on forward-looking rules of information management and training of personnel. Accountable processes for analytics should be appropriately tailored to counter the risks raised by specific uses of analytics.
  • A company should implement appropriate safeguards to protect the security of information that it uses in analytics. Data security should be reasonable when measured against the kind of information that is collected and processed and the decisions that are made with it.
  • A company should assess whether its use of analytics involves sensitive areas and, if so, accompany it with reasonable safeguards proportionate to the risk.
  • A company should take into account the special vulnerability of children in placing responsible limits in its use of analytics.

Stage One:  Collection

  • A company should not collect certain information for use in analytics. Its analysis should be based on legal, cultural and social functions. In making this judgment, an ethical company should also consider risks to the company and affected individuals.

Stage Two:  Integration and Analysis

After collection, a company will assess the information at hand and execute the analytics. At this stage, the company faces a different set of ethical obligations.

  • Companies should refrain from use of information once integration and analysis show it to be of insufficient quality for the intended purpose.
  • Companies should anonymize personal information, when appropriate, in their analysis of it.

Stage Three:  Decision-making

The decision-making stage occurs when companies act on the results of the analytics.

  • A company should engage in decision-making based on analytical output that is reasonably accurate, based on the nature and significance of the underlying decision. If it seeks to reach decisions that are more important and of a higher impact for the individual, it should rely on data of greater accuracy.
  • A company should make available reasonable compensatory controls when appropriate.
  • A company should develop reasonable mitigation processes and reasonable remedies as appropriate when analytics lead to decisions that harm individuals.
  • A company should assess whether its decision-making with analytics reflects legal, cultural and social norms about acceptable activities and take steps, when needed, to comply with these norms.

Stage Four:  Review and Revision

Finally, a company should review and revise its analytics as part of developing a process that works not only today but also in the future.

  • Companies should engage in ongoing review and revisions of their use of analytics.
  • Companies should review and revise analytics to make sure that personal information will be reasonably relevant and accurate for the purposes for which it is used.
  • Companies should be responsive to the impact of decisions and unforeseen consequences of analytics that raise ethical questions.
  • Based on the review and revision, companies should only use information that is predictive in analytics and revise procedures, when reasonable and appropriate, to exclude non-predictive information.

Read more by Paul Schwartz:

Managing global data privacy

Paul M. Schwartz is professor of law at the University of California-Berkeley and director of the Berkeley Center for Law & Technology. His whitepaper, “Data Protection Law and the Ethical Use of Analytics,” is available here.