Data is Risky Business: Situational Modifiers and the Myth of “Data Governance Ethics”

COL03x - feature image for obrien - 300x300In this column, I want to address two topics that have recently popped up that I believe are essential to an effective understanding of ethical information management. They may appear unrelated but, hopefully, I’ll be able to illustrate how they are connected by the end of this piece.

The first topic I want to comment on is the emerging discussion of “Data Governance Ethics.” My request in this context is simple. Please stop this now. There is no such thing as “Data Governance Ethics.”

Ethics is a fundamental foundation on which businesses, organization culture, society, and interactions in society are built. Ethics define the principles which are put into effect in organizations through governance structures. And some of those governance structures relate to the oversight of the management of and utilization of information in the form of what we refer to as Data Governance.

If we consider the fundamental practices of data governance, whether you are following an approach influenced by John Ladley or one aligned with Bob Seiner’s framework, or any of the other frameworks that have emerged in recent years, a critical element of data governance is defining the principles which will underpin the governance structures and the decision making around data. This is not “data governance ethics.” This is the opportunity for organizations to bake ethical principles into their approach to data governance and provide mechanisms in the design of the governance structures to give effect to those ethical principles. To focus on “data governance ethics” is to put the cart before the horse.

The ethical principles embedded in the design of your data governance model, and how they operate in practice, are a manifestation and expression of the Ethic of the Organization. Whether they are any good or are fit for purpose is a function of how well aligned the Ethic of the Organization, and the individuals in the organization, are with the Ethic of Society. Much of that depends on the normative ethical frame that the organization operates in. In our book, Katherine O’Keefe and I explore the three dominant normative ethical frames that exist in business. Each of these has an effect on how well an organization can implement ethical information management practices. If the organization is predominantly driven by a Shareholder Theory frame, then anything that is beyond the bare minimum to tick a compliance box will not be done. If the organization espouses a Stakeholder Theory frame, then there will be more chance to create discussion on trade-offs and the balance that needs to be struck.

But trying to implement a Data Governance model that espouses a “balance of interests” ethos in an organization that is rigidly focused on the bottom line will not work. Either the Ethic of the Organization needs to be evolved to provide the appropriate ‘situational modifiers’ for people or the ethos espoused by the data governance principles will simply be ignored. This is not dissimilar to the challenges developing a quality systems culture in organizations, particularly in relation to data.

Figure 1 below is taken from Chapter 9 of Ethical Data and Information Management, the book I wrote with my colleague Katherine O’Keefe. It’s based on work by Linda Trevino on ethical decision making in business, but we extended the model to include elements of our E2IM framework. It is clear from this that the normative structure and role model behaviours of the organization are essential to ensuring that individuals act in the manner that is expected of them when making ethical decisions. Of course, it is just one factor. The “individual moderators” that are available to people in an organization are also important, and we’ll discuss them in a moment.

If Data Governance is just one of the situational modifiers that influences ethical information management in an organization, it should be clear that building a “Data Governance Ethics” perspective is the wrong approach to take. It is more important for organizations to adopt clear ethical principles (The Ethic of the Organization), express them in the context of a normative structure (for example stakeholder theory), and ensure that there are role model behaviors, controls, and defined responsibilities and accountabilities. In that way, Data Governance does what it is supposed to do as an enabler of good information management practices.


Figure 1 Understanding Ethical Decision Making in the E2IM Framework

Some Real-World Context

To put this in a real-world context, we need to look at recent developments in Facebook, Google, and Apple in respect of the ethics of decisions that have been taken by those organizations in respect to the management of information by their organizations.

Buzzfeed carried a story on the 24th of July about a memo sent around Facebook by their former Chief Security Officer Alex Stamos, addressing the root causes of many of the issues that have plagued the social network in recent years. In this memo, Stamos did not talk about the need to pursue “data governance ethics.” Rather he highlighted the need to consider the perspective of the customer (Ethic of Society) and “build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access.” Given that this flies in the face of Facebook’s historic business model, this represents a call to action to change the Ethic of the Organization.

Stamos continued to set out things that he felt need to change in Facebook:

“We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world,” and “We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is ok.” This speaks to two further aspects of the model in Figure 1 above.:

  1. Facebook need to implement structures to react to feedback (Responsibility/Accountability and Job Context factor in here).
  2. Facebook need to move from a shareholder theory view of the world to a more stakeholder theory based normative frame for ethical decision making.

While these require a shift in data governance functions and controls to achieve ethical outcomes, this is not “data governance ethics.” Rather it is the use of data governance (and other internal governance) to achieve an ethical shift in the organization but only where the organization is shifting in that way through a change in the Ethic of the Organization.

Without addressing this, any tinkering with the structures of data governance will not result in sustainable change. Just as Deming wrote in the context of the Quality revolution, “Management must adopt the new philosophy.”

In the context of Google we have seen hundreds of Google staff (out of many thousands) sign a petition criticizing Google’s decision to provide a censored search engine to the Chinese market, and many thousands against the use of Google technology in lethal autonomous weapons systems (LAWS). In these cases, staff have attempted to exercise the Ethic of the Individual with the petition to management being the tool to provide an Individual moderator to give them some locus of control (there is a thing they can do) and a measure of support – by being one signatory among dozens they gain strength in numbers. It also provides a Situational modifier as there is reinforcement.

Google has always provided mechanisms for staff to speak up and challenge management. However, quite often letters like this from staff to management get ignored in most companies, particularly where the contracts involved will be highly valuable. This is a situational modifier in which a shareholder theory based view of ethics dominates (a Situational Modifier). No amount of tinkering with the mechanisms of data governance in an organization faced with an ethical question that goes to the core of their business model will result in “data governance ethics.” What happens in these cases is that staff who attempt to express their personal ethical view (Ethic of the Individual) find that the Individual Modifiers are insufficient to overcome the Situational Modifiers they are faced with.

So, they quit. Like Alex Stamos did, and many Google staff are reported to have done.

Finally, Apple are often held out as a bastion of good data privacy and ethics governance and famously held their ground on providing device decryption capabilities to US law enforcement. However, they have had a number of challenges in living up to their hype in China where they have removed VPN clients and other apps from the AppStore to meet the requirements of Chinese laws.

We actually look at this in the book in Chapter 6 where we include “ethics” in the Zachman Framework “Motivation” column. In the book we highlight that, at the Executive level of the Zachman Framework, Apple are struggling with the challenge of being a trusted device manufacturer and information management services provider to consumers while at the same time being able to actually manufacture devices. In that context, they are somewhat beholden to the desires of the government that controls their access to the means of production.

No amount of focus on the “data governance ethics” addresses this as it is a macro level ethical question for Apple (and its customers). We could describe this as an Information Architecture Ethics problem, and the fact that we analyzed it through the lens of the Zachman Framework in the book would hint that that might be a valid option. But that would be wrong.

Data Governance, Information Architecture, and any of the other disciplines of information management are tools that can be put to the service of ethical information management. But it is important to define the ethics of the organization and ensure that the governance and other structures you put in place are designed to support people making ethical choices around information management that they are comfortable with and which will meet the expectations of the Ethic of Society.

Get it wrong and staff and customers will leave.


Share this post

Daragh O Brien

Daragh O Brien

Daragh O Brien is a data management consultant and educator based in Ireland. He’s the founder and managing director of Castlebridge. He also lectures on data protection and data governance at UCD Sutherland School of Law, the Smurfit Graduate School of Business, and at the Law Society of Ireland. He is a Fellow of the Irish Computer Society, a Fellow of Information Privacy with the IAPP, and has previously served on the boards of two international professional bodies. He also is a volunteer contributor to the Leaders’ Data Group ( and a member of the Strategic Advisory Council to the School of Business in NUI Maynooth. He is the co-author of Ethical Data & Information Management: Concepts, Tools, and Methods, published in 2018 by Kogan Page, as well as contributing to works such as the DAMA DMBOK and other books on various data management topics.

scroll to top