Data is Risky Business: Data Ethics – Meet the New Boss (Same as the Old Boss)

15-SEPCOL03OBRIEN-edMy colleague Katherine and I read with interest David Well’s November blog in Our interest wasn’t just because David was echoing themes and topics we have been discussing and writing about for a while now (and working with clients on for longer), but because many of his examples of questions and issues that need to be raised are (to put it bluntly) among the fundamental questions that data privacy legislation such as the EU’s General Data Protection Regulation force organizations to ask and answer when handling personal data.

Ethics, and ethics in relation to information and how it is handled, is big news recently. It will continue to be, and the questions will continue to get more complex. In a recent article on LinkedIn, Katherine wrote that:

“Whether we’re looking at remarkable failures in ethics like the Wells Fargo scandal or realizing the possible serious ethical implications in Big Data processing, or the ethical and safety implications of self-driving cars, it’s becoming more and more clear that we need to get this right”

This discussion is not new however. In our research, Katherine and I have found one paper from 1999[1] on the topic of ethics in Information management. But in our haste to apply newly rediscovered ethical concepts to Information Management, it is easy to forget that we are already ‘doing ethics’ in data whether we realize it or not. Just as Deming pointed out that organizations were already doing quality management whether they realized it or not, the problem being that organizations were using ‘best efforts’ to deliver their quality (which leads to chaos), and were relying on scrap and rework practices to “fix” defects in the goods that were produced.

We cannot rely on a person with a hammer at the end of the information production line to knock the ethical dents out of our data economy. The risks to people and to society are far too great and potentially irreversible.

For many years at Castlebridge we have promoted the reality that Privacy is a Quality characteristic of information. This allows us to apply a quality systems approach and some of the well proven principles and practices of information quality management to framing the “privacy” discussion for compliance with data privacy laws. Katherine points out in her October LinkedIn article that, while Ethics might seem to be a different beast, Deming’s 14 Points of Transformation provide a good starting point for developing a framework for ethical transformation within your organization, just as they underpin privacy, information quality, and quality in general.

The reason for this is that Deming’s System of Profound Knowledge focuses on identifying the desired/expected outcome or output from a process and then ensuring the consistent delivery of those desired outcomes by internal alignment and optimization of internal systems and through leadership. This same focus on outcomes is the key to operationalizing ethics in our information management practices. In our work with clients we use a variation on Professor Rik Maes’ ‘Amsterdam Information Model’ to explicitly model and illustrate how activities in a variety of areas of the organization affect the consistent delivery of outcomes to stakeholders.

Figure 1. Castlebridge 11 Box Model (based on Amsterdam Information Model by Rik Maes)

Figure 1. Castlebridge 11 Box Model (based on Amsterdam Information Model by Rik Maes)

I’ve written elsewhere about where Information Governance and Information Quality fit in this model and will return to that topic in 2017. To learn more about how this model is extended to explicitly include Ethical issues and the fundamental tests we need to start ‘baking in’ to our governance of information related processes, please read this whitepaper Katherine O’Keefe and I wrote in 2015 (full disclosure: Katherine did most of the work, I just did some editing).

For the rest of this article, I’d like to focus on the profound change that an ethical shift will mean in Information Management practice and to the “data driven” economic models that have sprung up. It is as profound as the quality revolution in manufacturing was or that the ‘green’ revolution in a variety of industries was, but it is a change that must happen.

Luciano Floridi is the Professor of Philosophy and Ethics at Oxford University. In a recent paper[2] he wrote that:

“Data ethics should be developed from the start as a macroethics, that is, as an overall framework that avoids narrow, ad hoc approaches and addresses the ethical impact and implications of data science and its applications within a consistent, holistic and inclusive framework. Only as a macroethics will data ethics provide solutions that can maximize the value of data science for our societies, for all of us and for our environments.”

Or to put it another way, data ethics requires the development and application of a System of Profound Knowledge, to avoid “best efforts” and hoc solutions but which lets people apply a “Theory of Knowledge” to the problem. Just as Deming said about Quality.

“Ethics” is not a one-size fits all proposition. There are three normative theories of ethical conduct we need to consider:

Table 1 Normative Theories of Ethics

Normative Ethic Dominant Traits / Focus
Stockholder/ Shareholder Value
  • Focus on bottom line share value
  • Short term economic focus
  • “Don’t get caught doing bad thing”
  • Compliance with letter of law
Stakeholder Value
  • Identify stakeholders (broad vision)
  • Determine legal/moral rights of each and seek balance
  • Create mechanisms for respecting/balancing stakeholder’ interests
Social Contract Theory
  • Reject fraudulent/deceptive actions or actions that dehumanise people or involve invidious discrimination
  • Eliminate options that reduce welfare of Society
  • Develop mechanisms to identify dehumanising processing
  • Consider tangible and intangible aspects of “well being”

Depending on which of these normative ethical frames you adopt, the perspectives and decision-space that you will apply to ethical decision making in your organisation will be different. And it is possible for organisations (and individuals) to exist on a spectrum of these ethical norms. Often legislation or industry standards will require a particular ethical norm to be adopted.

The problem is that, as Deming pointed out in his Seven Deadly Diseases of Management, the short term focus on the bottom line is all too pervasive. One need only look at the ethical dilemmas faced by companies such as Facebook when seeking to monetise customer data and generate increased traffic and click-throughs. Or consider the ethical issues posed by potential impact on the US Presidential election of fake news stories written by teenagers in Macedonia to make money through Google Adsense.

In The Deming Management Method, W.Edwards Deming is quoted as saying this about the focus on the bottom line:

“Paper profits do not make the pie bigger. They give you a bigger piece. You take it from somebody else. It doesn’t help the society”

As Information Management professionals, we need to evolve our organisations to at least the Stakeholder Value Theory when considering ethical conduct in our organisations. Until we do even those industries such as the automotive manufacturing industry who have recently explicitly adopted standards for consideration of ethical issues in the design and manufacture of products[3] and services, will struggle to make sustainable progress. This is the change that has to happen to help us align the internal business, information, and technology functions of the organisation to consistently deliver ethical outcomes.

As Jack Welch put it: “Shareholder value is the dumbest idea in the world.


[1] Smith, H., and Hasnas, J. 1999. “Ethics and information systems: The corporate domain,” MIS Quarterly (23:1), pp. 109-127.

[2] Floridi L, Taddeo M. 2016, What is data ethics? Phil.Trans.R.Soc.A374:20160360.

[3] IATF 16949:2016 was adopted by the Automotive industry in October 2016. Section of that standard explicitly addresses Ethics.


submit to reddit

About Daragh O Brien

Daragh is the Founder and Managing Director of Castlebridge, a leading Information Governance, Privacy, and Strategy consultancy based in Ireland. He has a degree in Business & Legal Studies from University College Dublin, and is a Fellow of the Irish Computer Society. Prior to founding Castlebridge, Daragh worked for over a decade for a leading Irish telecommunications company in roles as diverse as Call Centre operations, Single View of Customer Programme management, and Regulatory Compliance and Governance. He a regular presenter and trainer at conferences in the UK and worldwide. Apart from his consulting and education work, Daragh is also Data Privacy Officer for DAMA International, a faculty member at the Law Society of Ireland, and a contributing research partner to the Adapt Centre in Trinity College Dublin. He lives in Wexford in the South East of Ireland and can be reached at or on twitter: @daraghobrien. In 2016, he was ranked by Onalytica as the 24th most influential person on Twitter in Information Security (including Data Governance and Data Privacy).