News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Utilizing PIAs to limit institutional discrimination and bias Related reading: IAPP statement on racial injustice

rss_feed

""

I view privacy as sitting at the convergence of what is legal, what is possible and what is ethical regarding the composition of what makes a person unique. While there are various forms of privacy, I’m going to focus on information privacy because it is perhaps the easiest to conceptualize in this situation.

As a privacy community, we seem to have a firm grasp on what is legally permissible when using a person’s data. Likewise, if you have ever worked with an IT department, they are rightly quick to tell you when something is not possible or probable given the current state of technology. 

The question of ethics, on the other hand, seems to slip by the wayside rather often. In other words, when something is legal, possible and profitable, privacy in the U.S. is known to take the backseat. If the past weeks have shown us anything in terms of our jobs as privacy professionals and the rights and liberties we help to protect on a daily basis, we need only to look at the news to see the multitudes of privacy issues regarding the reality of profiling, targeting and, at times brutality, inequality and injustice by way of institutionalized discrimination.  

One of the main tenets of ethics in privacy is defined by harm to the individual. This concept is well ingrained in the field of privacy. As a profession, we know how to imbed this concept into our privacy impact assessments. We know how to look at whether the use of data causes physical, financial, or reputational harm or embarrassment to the individual and to our company. 

However, should we look only at harm to the individual, or should we also look at harm to a class of individuals based on the personal data that is used?  

I would argue our ethical duty is both. While it is required to ensure that an individual person is not harmed, we should also be ensuring that classes of individuals are not harmed, the result of which is that an individual person is ultimately harmed, in a systemic way, through their identification of being a member of a specific class. If we are looking for equality and fairness, it is imperative that we seek to include institutionalized discrimination and bias into our understanding of privacy risk.  

What is institutionalized discrimination?

Institutionalized or systemic, discrimination “involves patterns, practices, or policies where the alleged discrimination has a broad impact on an industry, profession, company, or geographic area.”  

Two of the most prevalent forms of institutionalized discrimination are racism and sexism. Moreover, according to the Oxford Dictionary of Sociology, studies about societal behavior have shown that “discrimination against some groups in society can result from the majority simply adhering unthinkingly to the existing organizational and institutional rules or social norms. Prejudice, stereotyping, and covert or overt hostility need not be factors in the exploitation of one group by another, or in the unfair distribution of rewards.”  

For example, unconscious bias might allow a person to unknowingly act in a specific way without intent; this is currently the debate around facial recognition programs that identify different races and genders with varying degrees of accuracy, the highest point of accuracy being white males who have traditionally been the programmers of such products.  

In recent weeks, this exact problem has caused significant reputational issues for the companies offering such products, which has led to public distrust. Medical artificial intelligence technologies favoring a specific gender, race or culture type, allowing for better medical advancements and outcomes based on the classification of a person through the use of their personal data is yet another example.

What is a PIA?

People put trust in organizations and ultimately in privacy professionals to handle their data both legally and ethically. One industry standard privacy professionals use to ensure both harm and risk are limited is the PIA.

A PIA is a documented analysis tool to identify and reduce privacy risks associated with processing data related to a person. It is an effective tool for identifying privacy issues, as well as providing remedial or mitigating actions and mechanisms to ensure that a project, product or service does not violate a person’s rights, company policy and procedures, societal expectations, and the ethical use of data. 

PIAs influence how data is processed and used and, ultimately, the development of services or products. PIAs reduce costs and reputation damage. Furthermore, the PIA process gives documented evidence of identified risks, why decisions were made, and can be used as a tool to change past practices and learn from past mistakes should the need arise. 

Why identification of institutional discrimination should be part of the PIA process

If the ultimate goal is to reduce both harm and risk to an individual by identifying overall societal harm to a class — which ultimately impacts the individual who is part of an identified class — privacy professionals have perhaps the best grasp on data use in relation to risk and harm because we live and breathe these concepts in our daily work. 

PIAs already identify various logistics of harm and risk, and it is not a stretch to understand or evaluate classes of individuals who might be negatively impacted on a broad scale by the implementation of a specific project, product or service.  

For example, as privacy professionals, we already think about how data is collected, used, stored and shared, as well as what harms and risks may follow from such actions. Our job is to identify ethical, compliance, and reputational issues and advise on remedial and mitigating mechanisms. We are well-positioned within our organizations to work with various stakeholders to create the best outcomes for projects, products and services, as well as advise on risk and harms resulting from specific data processing.  

For example, utilizing a person’s face (their personal data) in a facial recognition program in which faces are identified at varying rates of accuracy, based on gender and race, is not a hard concept to identify as discriminatory. This could ultimately result in the loss of life or liberty in an unfair manner. 

It is relatively easy to think of the physical and financial implications of targeting a person in light of the area in which they live, their race or gender, rather than their qualifications for credit, housing and job placement, but this was the cause for investigation by the U.S. Department of Housing and Urban Development and Equal Employment Opportunity Commission with regard to targeted advertising by large data companies in March 2019. 

It is not difficult to understand the reputational and possible emotional harm of labeling people as a marginalized class, such as disabled or LGBTQ, and then penalizing them for being part of such a class (i.e., limiting their access to the social media platform) based on the platform's classification of the individual as part of the identified class. Yet, this happened in January 2019. 

It is also relatively effortless to understand that allowing targeted advertising based on key terms of hate speech is likely to bolster ideals of hate toward already-marginalized populations, but this happened earlier this year. 

While these are a few examples that quickly come to mind because they became headlines for their respective companies, others are less obvious or more discrete while still creating serious ethical and privacy issues revolving around institutionalized discrimination based on a person’s data.  

These situations could have been identified and prevented through the use of a PIA. Undoubtedly, identification would not only have saved money and reputational damage for the companies involved, but it would have limited institutionalized discrimination, harm to the groups involved as a whole and, ultimately, harm to the individuals. 

While we are in the golden age of data, we must take care of how we utilize the data entrusted to us. Though not all institutionalized discrimination is likely to be caught through a PIA, it is a significant start to solve a longstanding problem. If the goal is to aggregate, analyze and ultimately target the individual while identifying and mitigating institutionalized discrimination, incorporating analysis of institutionalized discrimination and class harm into the PIA is perhaps the easiest place to start.

We as privacy professionals are uniquely equipped to handle such issues.  

This article was prepared by Amanda Ruff in her personal capacity. The opinions and views expressed in this article are the author's own and do not necessarily reflect the views of her employer.

Photo by Markus Spiske on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Amanda Ruff, CIPP/E, CIPP/US, CIPM, FIP IAPP Member Contributor
Tags
Biometrics
Ethics
Personal Privacy
Privacy Law
Privacy Opinion
Social Networking
Comments

If you want to comment on this post, you need to login.

Related Stories
IAPP statement on racial injustice
12
The events of the past weeks have shocked and saddened all of us at the IAPP. The violent deaths of George Floyd, Ahmaud Arbery, Breonna Taylor and too many other Black Americans have reminded us of the deep and systemic malignancy of racism within our society. The violence toward our Black communit...
Read More queue Save This
When surveillance perpetuates institutional racism
4
I have to be honest with you. I’ve been working as a journalist in the privacy space for the last six years, and privacy never really mattered that much to me.  When I first understood, via Snowden, that the U.S. government was collecting data on all of us, I didn’t knee-jerk freak out. I thought a...
Read More queue Save This
Notes from the IAPP, June 12, 2020
Greetings from Portsmouth, New Hampshire. As I began writing this letter, I realized that not only would today have been my parents' 44th wedding anniversary, but it is also Loving Day. June 12 is the anniversary of the 1967 U.S. Supreme Court ruling in Loving v. Virginia that ended the ban on inte...
Read More queue Save This
IBM halts work on facial recognition tech
TechCrunch reports IBM will end its facial recognition offerings, and CEO Arvind Krishna wants discussions on whether the systems should be deployed at all. In a letter, Krishna said IBM "will not condone" using biometric technologies for "any purpose which is not consistent with our values and Prin...
Read More queue Save This
Related Stories
Tags
Biometrics
Ethics
Personal Privacy
Privacy Law
Privacy Opinion
Social Networking
Recent Comments