By Pieter le Roux – There’s no shortage of content around a business’s responsibility when collecting and using data. Indeed, this is why the POPI Act came into force, while the obligation to back up and protect data is fairly well-known. However, the discussion needs to move towards the ethical considerations of data privacy.
In other words, I know I must collect data but am I consciously doing the right thing or am I just collecting data for the sake of it? Similarly, as an individual, I may be aware of people gathering my data at numerous touchpoints but am I really aware of what my rights are?
Let’s start with individual users. Many people just don’t know the extent of their rights. How often have you been told that an organisation received your data from another party? Did you, as an individual user, know that you have a right to ask for proof of your written consent for the data to have been shared?
Every individual has the right to control how their information is being collected, used and shared. Obviously, there are difficult situations that we will discuss a little further down, but even within the context of a compromise, there are still steps and rights that you enjoy.
Many people simply go about their lives and fill in customer satisfaction surveys, for example, without paying attention to the little check box at the bottom of the terms and conditions which refers to their information being shared.
Then we have corporates and businesses. Once they have the information and have invested in backup and protection, there are also ethical aspects to consider. Why are you collecting the information? How do you plan to use the information? What can’t you do with this data? What is your responsibility with regard to the processing of this data?
A good example here is an organisation that collects CVs from interns or contract workers and then shares them with third-party organisations. Think about the information generally found on a CV, and especially the CV of a young, eager person: name, surname, email address, telephone number, ID number, university education, high school and primary school, hobbies, a photo, and more.
Just imagine how easy it would be to impersonate someone just with access to their CV. Now, the organisation handling this CV has the responsibility to sanitise it and make it appropriate for corporate use by reducing the personal information it contains to the absolute minimum.
This is an ethical decision.
If we take this discussion into the realm of the everyday world, consider a business park, office park, housing estate or complex. Very often these venues require the individual user to sign in to gain access to the property. They have a right to deny access to someone who refuses to sign in, but similarly, the individual user has the right to minimise the amount of personal information being shared.
From an ethical point of view, the business park would do well to consider the purpose of their information gathering. Is there really a need to get the full first name, surname, email address, car registration number, licence disc barcode and ID number? Beyond that, how many times have you seen a register lying outside, ready to be stolen with all the details inside? Who can stop another person from photographing the pages?
Business park and complex managers should ask: What do I absolutely need while minimising the risk I place onto the shoulders of the users? If there is a physical register, what happens to it when it is full, and what steps are being taken to protect the data?
From the individual point of view, you absolutely have the right to minimise the amount of data you hand over. A key point here is that in submitting the information, you are implying permission for your information to be used. It is important to remember that.
Organisations that place ethics at the forefront of their engagement with people’s personal information are finding innovative ways to solve the same problems. For example, recently while travelling I received a PIN upon booking the unit. The requirement was that I entered the PIN at the entrance to the complex, which verified my identity instantly.
In this instance, the business did not extract unnecessary data from me, with the resulting effect being that there is less chance my personal information can be breached.
A spin-off from this conversation is crime. Criminals steal personal data to commit various types of crime, and the more businesses and individual users place not just full awareness of their rights and responsibilities, but also ethics, front and centre, the more chance we have of keeping our data safe from criminals.
Another consideration, which is often written about, is the need to continually educate business users and customers about the basics of digital hygiene, about when to click on links and about never handing over personal information.
Circling back to the need for businesses to limit the amount of data they capture to what’s absolutely necessary and then ensuring they protect it, criminals who get people to hand over banking PINs need volume. The more they steal, the more likely they are to find that one person who hands over the keys to their bank account.
In summary, a discussion around ethics and data privacy centres on the following: From a personal perspective, always ask: What am I doing? Why am I handing over this information? What am I handing over, and am I aware that I am giving implicit permission for my data to be used? Is there an option for me to explicitly deny the right for my information to be shared? How can I safely minimise the information I share to protect myself? Am I sure that the information being requested is relevant to the purpose of the interaction?
Pieter le Roux is the modern platform lead at Altron Karabina