Chapter 2: Data Handling Ethics Flashcards

To master concepts and content from DMBoK 2 Chapter 2: Data Handling Ethics toward CDMP certification

1
Q

What is the DMBoK definition of ethics?

A

Ethics are principles of behavior based on ideas of right and wrong.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Name at least four of the eight example ideas on which ethical principles are focused.

A

Ethical principles often focus on ideas such as fairness, respect, responsibility, integrity, quality, reliability, transparency, and trust.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the DMBoK definition of data handling ethics?

A

Data handling ethics are concerned with how to procure, store, manage, use, and dispose of data in ways that are aligned with ethical principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are four reasons that DAMA says that data handling ethics are important?

A

1) Handling data in an ethical manner is necessary to the long-term success of any organization that wants to get value from its data. 2) Unethical data handling can result in the loss of reputation and customers, because it puts at risk people whose data is exposed. 3) In some cases, unethical practices are also illegal. 4) Ultimately, for data management professionals and the organizations for which they work, data ethics are a matter of social responsibility.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

List three core concepts of data handling ethics from the DMBoK.

A

1) Impact on people: Because data represents characteristics of individuals and is used to make decisions that affect people’s lives, there is an imperative to manage its quality and reliability. 2) Potential for misuse: Misusing data can negatively affect people and organizations, so there is an ethical imperative to prevent the misuse of data. 3) Economic value of data: Data has economic value. Ethics of data ownership should determine how that value can be accessed and by whom.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which one of these five goals is NOT in the DMBoK as a business driver for data handling ethics?

A

1) To define ethical handling of data in the organization
2) To educate staff on the organizational risks of improper data handling
3) To change/instill preferred culture and behavior on handling data
4) To streamline and automate data handling in accordance with data ethics
5) To monitor regulatory environment, measure, monitor, and adjust organizational approaches

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Name at least three of the six inputs needed to define data handling ethics for an organization.

A

1) Existing and preferred organizational ethics 2) Business Strategy and Goals 3) Organizational Structure 4) Business Culture 5) Regulations 6) Existing Corporate Policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the six core activities of data handling ethics?

A

1) Review Data Handling Practices
2) Identify Principles, Practices, and Risk Factors
3) Create an Ethical Data Handling Strategy
4) Address Practice Gaps
5) Communicate and Educate Staff
6) Monitor and Maintain Alignment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Name at least five of the nine deliverables that the DMBoK recommends for a data handling ethics program.

A

1) Current Practices and Gaps 2) Ethical Data Handling Strategy 3) Communication Plan 4) Ethics Training Program 5) Ethical Corporate Statements 6) Awareness of Ethical Data Issues 7) Aligned Incentives, KPIs, and Targets 8) Updated Policies 9) Ethical Data Handling Reporting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Name at least three of the six key stakeholders needed to supply the inputs to an ethical data handling program

A

1) Executives 2) Data Stewards 3) Executive Data Stewards 4) IT Executives 5) Data Providers 6) Regulators

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Name at least four of the seven key stakeholders needed to conduct the activities of an ethical data handling program

A

1) Data Governance Bodies 2) CDO/CIO 3) Executives 4) Coordinating Data Stewards 5) Subject Matter Experts 6) Change Managers 7) Data Management Services

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Name the three key stakeholders recommended as consumers of an ethical data handling program

A

1) Employees 2) Executives 3) Regulators

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

List four core techniques and tools used as technical drivers for a data handling ethics program

A

TECHNIQUES Communication Plan Checklists Annual Ethics Statement Affirmation TOOLS Wikis, knowledgebases, intranet sites Microblogs, other internal communications tools

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

List three key metrics of a successful ethical data handling program

A

1) Number of employees trained
2) Compliance/noncompliance incidents
3) Corporate executive involvement

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are two assumptions that lead organizations to fail at data ethics, and two trends that make it important to succeed?

A

Unfortunately, many organizations fail to recognize and respond to the ethical obligations inherent in data management. They may adopt a traditional technical perspective and profess not to understand the data; or they assume that if they follow the letter of the law, they have no risk related to data handling. This is a dangerous assumption. The data environment is evolving rapidly. Organizations are using data in ways they would not have imagined even a few years ago. While laws codify some ethical principles, legislation cannot keep up with the risks associated with evolution of the data environment. Organizations must recognize and respond to their ethical obligation to protect data entrusted to them by fostering and sustaining a culture that values the ethical handling of information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are five key business drivers (opportunities and threats) that motivate an organization toward a data ethics program?

A

OPPORTUNITIES Like W. Edward Deming’s statements on quality, ethics means “doing it right when no one is looking.” An ethical approach to data use is increasingly being recognized as a competitive business advantage (Hasselbalch and Tranberg, 2016). Ethical data handling can increase the trustworthiness of an organization and the organization’s data and process outcomes. This can create better relationships between the organization and its stakeholders. THREATS Data handling doesn’t happen in a vacuum, and customers and stakeholders expect ethical behavior and outcomes from businesses and their data processes. Reducing the risk that data for which the organization is responsible will be misused by employees, customers, or partners is a primary reason for an organization to cultivate ethical principles for data handling. There is also an ethical responsibility to secure data from criminals (i.e., to protect against hacking and potential data breaches).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is entailed in creating an ethical culture for data handling?

A

Creating an ethical culture entails introducing proper governance, including institution of controls to ensure that both intended and resulting outcomes of data processing are ethical and do not violate trust or infringe on human dignity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How does data ownership influence data handling ethics?

A

Different models of data ownership influence the ethics of data handling. For example, technology has improved the ability of organizations to share data with each other. This ability means organizations need to make ethical decisions about their responsibility for sharing data that does not belong to them.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Name five emerging roles and responsibilities for data handling ethics

A

The emerging roles of Chief Data Officer, Chief Risk Officer, Chief Privacy Officer, and Chief Analytics Officer are focused on controlling risk by establishing acceptable practices for data handling. But responsibility extends beyond people in these roles. Handling data ethically requires organization-wide recognition of the risks associated with misuse of data and organizational commitment to handling data based on principles that protect individuals and respect the imperatives related to data ownership.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Name and define three tenets of bioethics that provide a starting point for principles of data ethics

A

Respect for Persons: This principle reflects the fundamental ethical requirement that people be treated in a way that respects their dignity and autonomy as human individuals. It also requires that in cases where people have ‘diminished autonomy’, extra care be taken to protect their dignity and rights. Beneficence: This principle has two elements: first, do not harm; second, maximize possible benefits and minimize possible harms. Justice: This principle considers the fair and equitable treatment of people.

21
Q

List the European Data Protection Supervisor’s four pillars required for an information ecosystem that ensures ethical treatment of data

A
  1. Future-oriented regulation of data processing and respect for the rights to privacy and to data protection
  2. Accountable controllers who determine personal information processing
  3. Privacy-conscious engineering and design of data processing products and services
  4. Empowered individuals
22
Q

What are the seven principles of the General Data Protection Regulation of the EU (GDPR)?

A

1) Lawfulness, fairness, and transparency 2) Purpose limitation 3) Data minimization 4) Accuracy 5) Storage limitation 6) Integrity and confidentiality (security) 7) Accountability

23
Q

Name at least five of the ten statutory obligations of the Canadian privacy law PIPEDA (Personal Information Protection and Electronic Documents Act)

A

1) Accountability 2) Identifying purposes 3) Consent 4) Limiting collection 5) Limiting Use, Disclosure, and Retention 6) Accuracy 7) Safeguards 8) Openness 9) Individual access 10) Challenging compliance

24
Q

What are the five Fair Information Processing Principles recommended by the US Federal Trade Commission (FTC)?

A

1) Notice/Awareness 2) Choice/Consent 3) Access/Participation 4) Integrity/Security 5) Enforcement/Redress

25
Q

Name at least four of eight additional FTC focus areas for fair information practices

A

Simplified consumer choice to reduce the burden placed on consumers The recommendation to maintain comprehensive data management procedure throughout the information lifecycle Do Not Track option Requirements for affirmative express consent Concerns regarding the data collection capabilities of large platform providers; transparency and clear privacy notices and policies Individuals’ access to data Educating consumers about data privacy practices Privacy by Design

26
Q

Identify a global trend affecting information privacy and risk

A

There is a global trend towards increasing legislative protection of individuals’ information privacy, following the standards set by EU legislation. Laws around the world place different kinds of restrictions on the movement of data across international boundaries. Even within a multinational organization, there will be legal limits to sharing information globally. It is therefore important that organizations have policies and guidelines that enable staff to follow legal requirements as well as use data within the risk appetite of the organization.

27
Q

List four principles that inform ethical behaviors online as context for online data

A

1) Ownership of data: The rights to control one’s personal data in relation to social media sites and data brokers. Downstream aggregators of personal data can embed data into deep profiles that individuals are not aware of. 2) The Right to be Forgotten: To have information about an individual be erased from the web, particularly to adjust online reputation. This topic is part of data retention practices in general. 3) Identity: Having the right to expect one identity and a correct identity, and to opt for a private identity. 4) Freedom of speech online: Expressing one’s opinions versus bullying, terror inciting, ‘trolling,’ or insulting.

28
Q

Identify six unethical data handling practices or challenges

A

1) Timing 2) Misleading Visualizations 3) Unclear Definitions or Invalid Comparisons 4) Bias 5) Transforming and Integrating Data 6) Obfuscation / Redaction of Data

29
Q

How does timing create risk of ethical data handling?

A

It is possible to lie through omission or inclusion of certain data points in a report or activity based on timing. Equity market manipulation through ‘end of day’ stock trades can artificially raise a stock price at closing of the market giving an artificial view of the stock’s worth. This is called market timing and is illegal. Business Intelligence staff may be the first to notice anomalies. In fact, they are now seen as valuable players in the stock trading centers of the world recreating trading patterns looking for such problems as well as analyzing reports and reviewing and monitoring rules and alerts. Ethical Business Intelligence staff may need to alert appropriate governance or management functions to such anomalies.

30
Q

How do misleading visualizations create risk of ethical data handling?

A

Charts and graphs can be used to present data in a misleading manner. For instance, changing scale can make a trend line look better or worse. Leaving data points out, comparing two facts without clarifying their relationship, or ignoring accepted visual conventions (such as that the numbers in a pie chart representing percentages must add up to 100 and only 100), can also be used to trick people into interpreting visualizations in ways that are not supported by the data itself.

31
Q

What are two ways that unclear definitions or invalid comparisons create risk of ethical data handling?

A

A US news outlet reported, based on 2011 US Census Bureau data, that 108.6 million people in the US were on welfare yet only 101.7 million people had full time jobs, making it seem that a disproportionate percentage of the overall population was on welfare.21 Media Matters explained the discrepancy: The 108.6 million figure for the number of “people on welfare” comes from a Census Bureau’s account … of participation in means-tested programs, which include “anyone residing in a household in which one or more people received benefits” in the fourth quarter of 2011, thus including individuals who did not themselves receive government benefits. On the other hand, the “people with a full time job” figure … included only individuals who worked, not individuals residing in a household where at least one person works. The ethical thing to do, in presenting information, is to provide context that informs its meaning, such as a clear, unambiguous definition of the population being measured and what it means to be “on welfare.” When required context is left out, the surface of the presentation may imply meaning that the data does not support. Whether this effect is gained through the intent to deceive or through simply clumsiness, it is an unethical use of data. It is also simply necessary, from an ethical perspective, not to misuse statistics. Statistical ‘smoothing’ of numbers over a period could completely change perception of the number. ‘Data mining snooping’ is a recently coined term for a phenomenon in data mining statistical investigations where exhaustive correlations are performed on a data set, essentially over training a statistical model. Because of the behavior of ‘statistical significance’, it is reasonable to expect some statistically significant-looking results that are actually random results. The untrained can be misled. This is common in the financial and medical sectors (Jensen, 2000; ma.utexas.edu, 2012).

32
Q

List at least three of five types of bias that create risk of unethical data handling

A

Data Collection for pre-defined result: The analyst is pressured to collect data and produce results in order to reach a pre-defined conclusion, rather than as an effort to draw an objective conclusion. Biased use of data collected: Data may be collected with limited bias, but an analyst is pressured to use it to confirm a pre-determined approach. Data may even be manipulated to this end (i.e., some data may be discarded if it does not confirm the approach). Hunch and search: The analyst has a hunch and wants to satisfy that hunch, but uses only the data that confirms the hunch and does not account for other possibilities that the data may surface. Biased sampling methodology: Sampling is often a necessary part of data collection. But bias can be introduced by the method used to select the sample set. It is virtually impossible for humans to sample without bias of some sort. To limit bias, use statistical tools to select samples and establish adequate sample sizes. Awareness of bias in data sets used for training is particularly important. Context and Culture: Biases are often culturally or contextually based, so stepping outside that culture or context is required for a neutral look at the situation.

33
Q

List four data integration practices that create risk of unethical data handling

A

Limited knowledge of data’s origin and lineage: If an organization does not know where data came from and how it has changed as it has moved between systems, then the organization cannot prove that the data represents what they claim it represents. Data of poor quality: Organizations should have clear, measurable standards for data quality, and should measure their data to confirm that it meets standards for quality. Without this confirmation, an organization cannot vouch for the data and data consumers may be at risk or put others at risk when they use the data. Unreliable Metadata: Data consumers depend on reliable Metadata, including consistent definitions of individual data elements, documentation of data’s origin, and documentation of lineage (e.g., rules by which data is integrated). Without reliable Metadata, data may be misunderstood and potentially misused. In cases where data may move between organizations and especially where it may move across borders, Metadata should include tags that indicate its provenance, who owns it, and if it requires specific protection. No documentation of data remediation history: Organizations should also have auditable information related to the ways data has been changed. Even if the intention of data remediation is to improve the quality of data, doing so may be illegal. Data remediation should always follow a formal, auditable change control process

34
Q

List three instances of data obfuscation / redaction practices that create risk of ethical data handling

A

Data aggregation: When aggregating data across some set of dimensions, and removing identifying data, a dataset can still serve an analytic purpose without concern for disclosing personal identifying information (PII). Aggregations into geographic areas are a common practice (see Chapters 7 and 14). Data marking: Data marking is used to classify data sensitivity (secret, confidential, personal, etc.) and to control release to appropriate communities such as the public or vendors, or even vendors from certain countries or other community considerations. Data masking: Data masking is a practice where only appropriate submitted data will unlock processes. Operators cannot see what the appropriate data might be; they simply type in responses given to them, and if those responses are correct, further activities are permitted. Business processes using data masking include outsourced call centers, or sub-contractors who should only have partial access to information.

35
Q

How do large data sets and data lakes raise practical data ethics concerns in data science and analytics?

A

The use of extremely large data sets in Data Science analyses raises practical rather than merely theoretical concerns about the effectiveness of anonymization. Within large data sets, it is possible to combine data in ways enable individuals to be specifically identified, even if input data sets have been anonymized. The first concern when data lands in a data lake is to analyze it for sensitive data and apply accepted protection methods. These alone may not offer enough safeguard, however; this is why it is vital that organizations have strong governance and a commitment to ethical data handling.

36
Q

Define a process that moves an organization toward establishing an ethical data culture

A

Review Current State Data Handling Practices Identify Principles, Practices, and Risk Factors Create an Ethical Data Handling Strategy and Roadmap Adopt a Socially Responsible Ethical Risk Model

37
Q

What is the first step toward establishing an ethical data culture and what are its outcomes?

A

The first step to improvement is understanding the current state. The purpose of reviewing existing data handling practices is to understand the degree to which they are directly and explicitly connected to ethical and compliance drivers. This review should also identify how well employees understand the ethical implications of existing practices in building and preserving the trust of customers, partners, and other stakeholders. The deliverable from the review should document ethical principles that underlie the organization’s collection, use, and oversight of data, throughout the data lifecycle, including data sharing activities.

38
Q

Give at least two of four examples of ethical data handling practices supported by controls.

A

Guiding principle: People have a right to privacy with respect to information about their health. Therefore, the personal health data of patients should not be accessed except by people who are authorized to access it as part of caring for patients. Risk: If there is wide access to the personal health data of patients, then information about individuals could become public knowledge, thereby jeopardizing their right to privacy. Practice: Only nurses and doctors will be allowed to access the personal health data of patients and only for purposes of providing care. Control: There will be an annual review of all users of the systems that contain personal health information of patients to ensure that only those people who need to have access do have access.

39
Q

Give at least four of seven components of an ethical data handling strategy.

A
  1. Values statements: Values statements describe what the organization believes in. Examples might include truth, fairness, or justice. These statements provide a framework for ethical handling of data and decision-making.
  2. Ethical data handling principles: Ethical data handling principles describe how an organization approaches challenges presented by data; for example, how to respect the right of individuals to privacy. Principles and expected behaviors can be summarized in a code of ethics and supported through an ethics policy. Socialization of the code and policy should be included in the training and communications plan.
  3. Compliance framework: A compliance framework includes factors that drive organizational obligations. Ethical behaviors should enable the organization to meet compliance requirements. Compliance requirements are influenced by geographic and sector concerns.
  4. Risk assessments: Risk assessments identify the likelihood and the implications of specific problems arising within the organization. These should be used to prioritize actions related to mitigation, including employee compliance with ethical principles.
  5. Training and communications: Training should include review of the code of ethics. Employee must sign off that they are familiar with the code and the implications of unethical handling of data. Training needs to be ongoing; for example, through a requirement for an annual ethics statement affirmation. Communications should reach all employees.
  6. Roadmap: The roadmap should include a timeline with activities that can be approved by management. Activities will include execution of the training and communications plan, identification and remediation of gaps in existing practices, risk mitigation, and monitoring plans. Develop detailed statements that reflect the target position of the organization on the appropriate handling of data, include roles, responsibilities, and processes, and references to experts for more information. The roadmap should cover all applicable laws, and cultural factors.
  7. Approach to auditing and monitoring: Ethical ideas and the code of ethics can be reinforced through training. It is also advisable to monitor specific activities to ensure that they are being executed in compliance with ethical principles
40
Q

List and define four risk areas of an ethical data sampling project that uses personal data

A

Identification: How they select their populations for study Behavior capture: How data will be captured BI/Analytics/Data Science: What activities analytics will focus on Results: How the results will be made accessible

41
Q

What ethical risks of the identification of a population for data science analysis may require ethical and legal review?

A

Demographic required Selection method

42
Q

What ethical risks of behavior capture for data science analysis may require ethical and legal review?

A
  1. Content required
  2. Capture Method
  3. Activities
  4. Sentiment
  5. Location
  6. Date/Time
  7. Combination datasets
43
Q

What ethical risks of BI/Data Science/Analytics may require ethical and legal review?

A

Profiling prospects Actual and forecast activities

44
Q

What ethical risks of distributing the results of data science analysis may require ethical and legal review?

A

Privileges granted or denied Further engagement or not Relationship removal Benefit or sanction Trust or lack of trust Biased treatment

45
Q

Give at least two of four examples of how to use a risk model to execute a data handling project ethically

A

A risk model can be used to determine whether to execute the project. It will also influence how to execute the project. For example, the data will be made anonymous, the private information removed from the file, the security on the files tightened or confirmed, and a review of the local and other applicable privacy law reviewed with legal. Dropping customers may not be permitted under law if the organization is a monopoly in a jurisdiction, and citizens have no other provider options such as energy or water.

46
Q

What are the roles and responsibilities for oversight of ethical data handing?

A

Oversight for the appropriate handling of data falls under both data governance and legal counsel. Together they are required to keep up-to-date on legal changes and reduce the risk of ethical impropriety by ensuring employees are aware of their obligations. Data Governance must set standards and policies and provide oversight of data handling practices. Employees must expect fair handling, protection from reporting possible breaches, and non-interference in their personal lives. Data Governance has a particular oversight requirement to review plans and decisions proposed by BI, analytics and Data Science studies.

47
Q

Give at least three of five ethical obligations for members of DAMA as included in the DAMA Code of Ethics.

A

Observe the precepts of DAMA International as set forth in the bylaws, guidelines and policies of DAMA International; Understand the ethics and values DAMA-I has chosen to adopt and to conduct all matters concerning my membership in DAMA-I in the spirit and actions of these ethics and values; Preserve and actively promote the ideals and mission of DAMA International through active involvement in professional and educational events and encourage others to pursue life-long learning in data management; Refrain from all behaviors that would constitute harassment or bullying of any other individual, whether in person or via electronic means. Harassment includes: making offensive verbal/electronic comments related to personal characteristics or choices, posting sexual images or comments in public or online spaces, displaying deliberate intimidating behavior in person or in online environments, bullying, stalking, sustained disruption of conversations or other intrusions of electronic meetings or physical meetings or other events, inappropriate physical contact with others, or unwelcome sexual / personal attention; Promote the image of DAMA International by refraining from: Engaging in any sales activity, including direct or indirect solicitation, or conducting any other activity contrary to the purpose or policies of DAMA International or its affiliates, as is appropriate to a non-profit professional organization; Distributing any materials or posting displays of any kind at DAMA International, direct chapter, affiliated chapter, or affiliated strategic partner sponsored activities without prior approval and express written consent of the event organizer, DAMA International, direct chapter, affiliated chapter, or strategic partner as appropriate; Using the DAMA International, the direct chapter, the affiliated chapter or the affiliated strategic partner name or logo other than to conduct DAMA International, direct chapter, affiliated chapter or affiliated strategic partner business as determined by the Board of Directors of DAMA International, the direct chapter, the affiliated chapter and/or the affiliated strategic partner; Making unwarranted negative or disparaging comments about any vendor, product, service, other organization or individual either orally or in writing.

48
Q

Give at least three of five additional ethical obligations for officers and advisors of DAMA as included in the DAMA Code of Ethics.

A

Actively Support the programs of DAMA International and its affiliates; I recognize my acceptance of a position as an officer or advisor of DAMA International, direct chapter, affiliated chapter, or affiliated strategic partner as a commitment to perform certain tasks in pursuit of goals stated for the position and the DAMA International community and to agree to perform those responsibilities to the best of my ability throughout my term; Accept my commitment to fulfill my DAMA International obligations so that I shall not profit personally as a direct result of my performance as an officer or advisor; Bring to the attention of the DAMA International Ethics Officer any concerns over possible conflicts of interest that may arise from the performance of my role as an officer or advisor; Conduct all business on behalf of DAMA International and its affiliates according to the values and ethical practices adopted by DAMA International; Protect positively the reputation, credibility and effectiveness of DAMA International and its affiliates as well as their mission in all contact with others, regardless of their affiliation with DAMA; Refrain from communication or discussion, oral or written, concerning DAMA International matters with any person not directly involved in the matter, both during my term as an officer or advisor and after my term has been completed; Regard any communication (oral or in writing) I make concerning DAMA International to be official and on-the-record to avoid any misunderstanding of intent or action and ensure that all my communications concerning DAMA International be made carefully and in accordance with the ethics and values adopted by DAMA International; Protect closely any member or prospective member personal contact information under my control for use only while conducting DAMA International business activities. Refrain from the distribution or sale of any membership information to any organization for any purpose.

49
Q

What are the six essential concepts that the DMBoK gives for data handling ethics?

A

3.1 Ethical Principles for Data 3.2 Principles Behind Data Privacy Law 3.3 Online Data in an Ethical Context 3.4 Risks of Unethical Data Handling Practices 3.5 Establishing an Ethical Data Culture 3.6 Data Ethics and Governance