Baylor Privacy Officer Explains Five Ethical Principles that Should Drive Data Privacy Discussions

WACO, Texas (Jan. 31, 2019) – The method of collecting information and how that information is then used and shared are key factors to consider when creating privacy policies, said Doug Welch, Baylor University’s chief privacy officer. But what drives those considerations and decisions?

“One of the signature initiatives of Illuminate, Baylor’s academic strategic plan, is that the University will strive to be a global leader in the ethics and integrity of human interaction,” Welch said. “Today, a substantial amount of human interaction occurs electronically. Part of Baylor establishing a privacy program and the efforts to publicize data privacy is to take a leadership role in the higher education community on this important issue.”

Therefore, privacy policy discussions, he said, are informed by five generally accepted principles, each with their own ethical context. They are: choice, transparency, access, security and minimization. 

Welch explained the five principles and how they should help guide privacy discussions.

Choice

Most people would consider collecting personal information without consent to be an unfair practice. Data ethicists, Welch said, believe that everyone should have a choice about whether their personal information is collected.

“The primary debate is whether the choice is made through an ‘opt-in’ or ‘opt-out’ decision,” Welch said. “Opt-in requires an active indication of consent; opt-out automatically makes the user a part of the system with an opportunity to remove themselves.”

Opt-in systems are preferred by data privacy advocates, he explained, because notice is provided prior to any data collection.

“From a business standpoint, though, the number of people who participate under an opt-in choice is generally lower because the notice often scares potential users away,” he said. “But that’s somewhat the point of making an informed choice.”

Transparency

“Transparency is the biggest buzzword in data privacy today,” Welch said.

A guiding principle found in every privacy law or regulation is that data subjects be told what data is being collected, the intended use for the data and whether the data will be sold or transferred to a third party, he said. Generally, it makes sense and builds customer confidence and trust when organizations let customers know in advance what they are subjecting themselves to if they continue to use the website or app.

Welch said the European General Data Protection Regulation (GDPR) has made transparency a cornerstone of its framework.

“The GDPR mandate is the reason for the now common pop-up on virtually every commercial website you visit telling you that it uses cookies or its privacy policy has changed,” he explained.

Access

A person should have access to all personal information held by a data collector or processor so that they can review the information, correct any mistakes and even to have that information deleted, Welch said. Under the GDPR, this is known as the “right to be forgotten.”

A corollary to the ‘right to be forgotten’ is the concept of data retention and destruction, Welch said.

“Some states have mandated in their privacy laws a short retention period after which data must be discarded unless subject to another legal requirement,” he said. “The idea behind such a mandate is: If you don’t have the data, it can’t be lost or stolen.”

Security

Either accidental releases or unauthorized access to personal information can be devastating—both to the providers of the data in the form of identity theft or other fraud, and to the company in terms of damaged reputation. 

Welch said measures, such as the use of Baylor’s Duo two-factor authentication, are important to protect privacy.

“It seems more than reasonable that if after you have given informed consent through the transparency and choice process that the entity with whom you have shared information will keep it safe and secure,” Welch said. “An ethical data collector will ensure that commercially reasonable steps are taken to secure the information entrusted to it.”

Minimization

Collecting data that is not necessary for a transaction or other interaction can lead to significant issues—risk of release to unauthorized parties, unnecessary intrusion and the potential for abuses from data mining, Welch said.  

“An effective privacy program reduces the amount of personally identifiable, confidential and sensitive information collected and minimizes the number of persons who have access to sensitive data,” he said. “The fewer people who have access to sensitive information, the lower the chance of the data being compromised.”

Welch said it’s important for institutions to take the right steps to collect and protect private information, but consumers and customers also need to take responsible actions.

“People have expectations of privacy and strong reactions when that privacy is breached, yet many of us willingly open ourselves up to a breach, generally because there is some reward for the exchange of personal information,” he said. “For example, so many of us accept terms of service we never read in exchange for free services, but the trade-off is a surrender of privacy that is resold and often used to target us with ads or other things intended to influence our behavior.”

Welch advised carving out time to learn more about data privacy issues and taking proactive steps to defend against those who seek to steal personal information.

ABOUT BAYLOR UNIVERSITY

Baylor University is a private Christian University and a nationally ranked research institution. The University provides a vibrant campus community for more than 17,000 students by blending interdisciplinary research with an international reputation for educational excellence and a faculty commitment to teaching and scholarship. Chartered in 1845 by the Republic of Texas through the efforts of Baptist pioneers, Baylor is the oldest continually operating University in Texas. Located in Waco, Baylor welcomes students from all 50 states and more than 80 countries to study a broad range of degrees among its 12 nationally recognized academic divisions.