Context, consent and codes of practice for ethical data sharing

In the ever evolving digital landscape, how can organisations share data in a fair, safe and transparent way? 

The principles for data sharing are as diverse as the concerns that need to be addressed. In public health, for instance, sharing data helps researchers; whose discoveries can then help professionals improve the health of patients. In general, the law suggests that data protection does not prevent data sharing if it is in the public interest or — if the data is being shared for commercial reasons — proportionate.

The lawful basis for sharing personal data can come from either the UK General Data Protection Regulation or the Data Protection Act 2018. This can be a complex area and it’s worth checking the ICO Data Sharing Code of Practice and its lawful basis interactive guidance tool before sharing personal data outside your organisation. 

In short, organisations must be able to identify at least one lawful basis for sharing personal data — and demonstrate that they have fully considered this before data is shared. 

So, before you begin sharing data, have you considered..?

1) Anonymising shared data

Under GDPR rules, businesses are the curators of the data they collect and therefore must work to safeguard it. Provided there is a legal basis for sharing, the biggest threat to consumers from data sharing projects is data re-identification (the ability to piece together select data to find its source). While full data anonymisation is practically impossible to attain, there are a number of steps that can be taken and methods that may help.

Ask yourself: 

• How could data points be combined to directly identify individuals?
• How could data be used as a proxy to identify private information (eg. religion)?
• Is the dataset big enough? When creating statistics, are enough people involved to ensure the data does not correspond to an individual?
• Could you achieve your objective by sharing less personal data?

2) Collective responsibility in data sharing

Organisations might share data with each other to produce new tools or better services for their customers. While companies must meet GDPR’s legal basis for sharing data, there are further ethical questions they should ask.

Ask yourself: 

• How will the end user benefit from the joint data sharing project? 
• What’s the minimum amount of data you could share to achieve your aims?
• How ethical is the data sharing partner? Any history of poor data practice?
• How will you take responsibility for any data breaches?

Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved to be clear about their roles and responsibilities.

3) Communicating data honestly and clearly

Ethical questions around sharing can also include how data is ultimately presented and visualised. Some issues to consider around data visualisation include usability and accessibility, ethics and trustworthiness, attributes of good and bad visualisations, graphical and visual literacy and selection of tools for producing data visualisations. 

Aesthetics must be considered when making any visualisations or charts as accessible as possible, but ethical issues extend further. 

Are you presenting your findings honestly and are you making the insights they contain accessible to everyone? 

Ask yourself: 

• Does your presentation of the data mislead the viewer or obscure the results?
• Is the information you're sharing easily interpretable to everyone? 
• What could you do to improve accessibility?

Case study: exploiting a crisis

In 2021, Politico reported that the non-profit hotline for crisis intervention, Crisis Text Line, was sharing user data with its sister (for-profit) company, Loris.ai, to improve its customer service optimisation software. 

Despite being fully legal, sharing and monetising data from conversations with people in distress was seen as a gross breach of data sharing ethics, prompting a request to cease the activity from the US’s Federal Communications Commission. 

The incident also raised further questions: who would be checking and regulating the use of this data by Loris? Was this data usage made clear at the collection stage? Crisis Text Line suspended data sharing with Loris.ai in 2022. 

Our ethical data sharing tips: 

• Analyse the ethics of any data sharing partners you’re working with. The ODI has produced a guide on risk-assessment.
  
  
• Establish a data sharing agreement with any partner organisations.
  
  
• The Data Visualisation Catalogue and Visual Vocabulary from the Financial Times can help you find the best, most accessible format to present and share the insights from your data.

In the next and final article of this series we’ll examine the ethics of data destruction, explaining what you need to know to manage the full data lifecycle in the long term.