Recent events such as the Facebook and Cambridge Analytica scandal shine a light on the dark things that people do with data. Data protection methods are important and have long been a data governance concern, yet we regularly experience data breaches and they are occurring at an accelerating rate. According to breachlevelindex.com nearly 5 million data records are lost or stolen every day—roughly 60 records per second. But data protection is only the tip of the iceberg. Data ethics is the huge and hazardous mass hidden beneath the surface. We need clear, non-ambiguous principles and practices that drive honest, honorable, and appropriate behaviors when working with data. It is time to step up to data ethics, and data governance must take the lead.

“There are precious few at ease with moral ambiguities, so we act as though they don’t exist.” This lyric from the musical Wicked captures the essence of the ethics challenges that we face with data. Data ethics is ambiguous so many simply choose not to discuss it—to act as though the ethical ambiguities don’t exist. It is time to recognize that data ethics is an increasingly important topic of data management and an area where data governance can take a leading role.

Ethics is the challenge of deciding the right thing to do – how to do good for all stakeholders. It is challenging because “right” and “good” are not always clear. It is common to think of ethics as doing right for others, but when doing right for others is harmful to the self, ethics is not served. Nor is ethics served when doing right for self is harmful to others. Ethics has two aspects – the tension of right vs. wrong and the tension of right vs. right.

Four hard questions that help sort out the uncertainties of ethical dilemmas are:

• Which course of action will do the most good and the least harm?
• Which alternative best serves others’ rights, including shareholders’ rights?
• What can I live with that is consistent with my basic values and commitments?
• Which course of action is feasible in the world as it is?

Data itself has no ethical implications. The ethical questions arise from the things that we do (or don’t do) with data – how we collect data, how we protect it, and how we use it. Collection, protection, and use of data all call for ethical judgments. The need for judgment is the core of the problem – judgment has no absolutes.

So we need to ask hard questions, make organizational judgments about hypothetical dilemmas, and translate those judgments into policies and guidelines that help people to make ethical decisions in day-to-day work with data. Ten areas where we need to ask questions and make judgments include:

Informed Consent: Should individuals be provided with full disclosure about the data that is collected about them? Should collection and use of individuals’ data be subject to their agreement?

Anonymity: Should all personally identifying information be eliminated from the data? Should data be collected only in the form of aggregates such that individuals can’t be identified?

Confidentiality: Should sources and providers of data be protected from disclosure?

Security: To what degree must data be protected from intrusion, corruption, and unauthorized access?

Privacy: To what degree should individuals have the right to determine which data about them can be shared with third parties?

Accuracy: What level of exactness and correctness is required of the data?

Ownership: Is personal data about individuals an asset that belongs to the business or privately owned information for which the business has stewardship responsibilities?

Honesty: To what degree should the business be forthright and visible about data collection, protection, and usage practices?

Responsibility: Who is accountable and at what level for use and misuse of data?

Transparency: On a continuum with polar extremes of “totally open” and “stealth data collection,” what is the right level of transparency?

We can’t succeed at managing ethics until we begin to talk about ethics. Most of us believe that ethical conduct yields rewards and unethical behavior brings risk. Belief and conviction, however, are not enough to drive the discussion of ethics. Someone must be responsible to start and to sustain the discussions. I believe that someone needs to be the data governance leadership.

Data ethics has a direct relationship with four core goals of data governance – quality, privacy, security, and compliance. For each of these, we need to address ethics in six dimensions:

• We should discuss ethics because doing so will advance the level of professionalism in our data management and governance practices.
• We should discuss ethics because doing so will help us avoid abuse and the negative consequences of abuse.
• Policy gaps. We should discuss ethics because technology advances create and will continue to create temporary policy vacuums.
• New policies. We should discuss ethics because the use of big data and analytics transforms some ethical issues to a degree that requires major policy reform.
• New issues. We should discuss ethics because the use of big data and analytics creates unique ethical issues that require special attention.
• We should discuss ethics because the set of novel and transformed issues is large enough to define a new domain of corporate governance requirements.

Intersecting governance goals with ethics dimensions yields 24 areas of focus for ethics in governance as shown in this matrix.

From this view, it is clear that data ethics is a topic that is broad in scope and deep in complexity. We can’t solve it all at once. As with any complex problem, prioritization and iteration are essential – small steps and steady progress. The first step is simply to start talking about it. We can’t afford to act as though ethical questions don’t exist. It is time to start the conversations and involve all data stakeholders. Data governance must take the lead to make data ethics a reality.