In my last couple of posts, I've discussed the issue of ethical policies related to data collection and analysis. In the first one, I focused on why there is a need for such policies. The second post focused on ethical elements to include in policies directly involving the end user. Whether or not the customer is actively involved in accepting these policies, any company that collects data should have a strong privacy and protection policy. Unfortunately, based on the sheer number and magnitude of data breaches that have occurred, many companies clearly have not sufficiently implemented the protection element—resulting in the theft of personally identifiable information that can jeopardize an individual's financial well-being. In this post, the last of this series, I look at some best practices that appear in many data policies.
The average person cannot fathom the amount, scope, and velocity of personal data being collected. In fact, the power of big data has led to the origination of a new term. "Newborn data" describes new data created from analyses of multiple databases. While such aggregation can be beneficial in a number of cases—including for marketing, medical research, and fraud detection purposes—it has recently come to light that enemy forces could use data collected from wearable fitness devices worn by military personnel to determine the most likely paths and congregation points of military service personnel. As machine learning technology increases, newborn data will become more common, and it will be used in ways that no one considered when the original data was initially collected.
All this data collecting, sharing, and analyzing has resulted in a plethora of position papers on data policies containing all kinds of best practices, but the elements I see in most policies include the following:
- Data must not be collected in violation of any regulation or statute, or in a deceptive manner.
- The benefits and harms of data collection must be thoroughly evaluated, and how the collected data will be used, and by whom, must then be clearly defined.
- Consent from the user should be obtained when the information comes from direct user interaction, and the user should be given full disclosure.
- The quality of the data must be constantly and consistently evaluated.
- A neutral party should periodically conduct a review to ensure adherence to the policy.
- Protection of the data, especially data that is individualized, is paramount; there should be stringent protection controls in place to guard against both internal and external risks. An action plan should be developed in case there is a breach.
- The position of data czar—one who has oversight of and accountability for an organization's data collection and usage—should be considered.
- In the event of a compromise, the data breach action plan must be immediately implemented.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed