The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This consultation has closed

This consultation is part of a suite of resources where we are looking for a wide range of views from organisations and individuals, across all sectors and organisational sizes. We want to hear from those who have responsibility for data protection, and particularly would like to hear about:

  • Your current or future plans regarding policies, processes and written procedures on data ethics and how they relate to the policies, processes and written procedures you have implemented to discharge your obligations under the GDPR’s ‘accountability’ principle
  • What publicly available data ethical frameworks you use as a reference point?
  • If you use publicly available ethical frameworks, how easy you found to translate them into meaningful practical steps and decision points within your organisation’s decision-making processes?
  • Whether data ethics is a concept integrated into existing decision-making steps/documents (like data protection impact and/or legitimate impact assessments) or whether they have their own additional standalone process flow?
  • Whether your organisation has an established ‘Data Ethics Board’?

The GDPR’s principles are implicitly ethical – refracting legal compliance questions through an ethical lens can help guide individuals to make better decisions about how to comply with data protection law. One aspect which can be helpful to organisations when designing and implementing their GDPR governance processes is a structured consideration of the ethical implications of any proposed processing of personal data. Data ethics seeks to help data controllers to determine what is a right (or wrong) purpose or means of processing personal data.

Using data ethics can be helpful to controllers when they are considering their GDPR obligations, particularly in complex situations where they may need to undertake a data protection impact assessment (DPIA) or legitimate interest assessment (LIA). These challenges may be most acute where artificial intelligence or machine learning is beginning to make solely automated decisions (which may be partly based on sensitive or inferred data) which impact peoples’ lives in a significant way. The language of ethics and ethical impact assessments to identify ‘right and wrong’ can aid organisations, particularly start-ups and small and medium sized enterprises, to make better decisions about how to adhere to data protection law and make it ‘live and breathe’ in a meaningful way within their business.

You can respond to this consultation via our online survey or you can download the document and email it to ellis.parry@ico.org.uk.

NB: Your responses to this survey will be used to help us with our work on data ethics only. The information will not be used to consider any regulatory action. However, you may respond anonymously should you wish.