ETHICAL, PRIVACY & DATA
PROTECTION CONSIDERATIONS
Joanna Simon & Rachel Finn
Trilateral Research Ltd
PRIVACY, DATA PROTECTION & ETHICAL CONSIDERATIONS
• Ethical considerations
• Privacy challenges
• Data protection legislation
Ethical values and principles underpin and inform privacy and data protection considerations. The concepts are intertwined, and they are not simply a matter of legislative compliance.
ETHICAL VALUES – RESPECT FOR AUTONOMY & DIGNITY
• Autonomy (equated with liberty) – Art 6 European Charter of Fundamental Rights, Art 3 UN Universal Declaration of Human Rights
• QUESTIONS:
  o Does DEVELOP curtail a person’s liberty in any way?
  o Does DEVELOP have implications for a person’s freedom of movement or association?
  o Is there a meaningful choice? I.e., what are the implications of not participating?
• Dignity – Art 1 Charter, Art 1 Universal Declaration
• People should be able to participate actively in the formation and implementation of policies that affect their well-being.
• People should be treated fairly regardless of age, gender, racial or ethnic background, disability or other status.
• QUESTIONS:
  o Does DEVELOP violate dignity?
  o Does DEVELOP mark users as cognitively or physically disabled (perhaps via non-participation)?
PRIVACY is an essential component of autonomy and dignity
OTHER ETHICAL VALUES
• Various other relevant ethical values: e.g. inclusion/exclusion, isolation, discrimination, beneficence, accessibility
• Does DEVELOP have any effect on the inclusion or exclusion of any groups?
• Will DEVELOP replace human contact?
• Could DEVELOP be seen as stigmatising for any particular group, including those who do not use the system?
• Could DEVELOP be perceived as discriminating against any groups?
• Who benefits and in what way? Employer, user, etc.?
• Is a certain level of technological knowledge or physical capability required?
• What are the consequences of not participating?
RIGHT AND EXPECTATION OF PRIVACY
• Article 8 European Convention on Human Rights
• Protects the private life of individuals against arbitrary interference by public authorities and private organisations
• Covers 4 areas:
  o private life
  o family life
  o home
  o correspondence
• Article 7 Charter of Fundamental Rights of the European Union
EU DATA PROTECTION LAW
Legal Framework
• Charter of Fundamental Rights of the European Union enshrines data protection as a fundamental right
• An individual’s personal data must be adequately protected
• Article 8 Charter – “everyone has the right to the protection of personal data”
• Principal EU legal instrument regulating data protection – Data Protection Directive (95/46/EC)
• Regulates processing of data and free movement of such data
• Designed to give substance to the principles in the right to privacy
• Draft General Data Protection Regulation – to supersede the Data Protection Directive
DATA PROTECTION DIRECTIVE 95/46/EC
• Article 6 – principles relating to data quality
Personal data must be:
• Processed fairly and lawfully
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and not excessive in relation to the purposes for which it is collected/processed
• Accurate and, where necessary, kept up to date. Where inaccurate or incomplete, reasonable steps must be taken to rectify or erase it
• Kept in a form that permits identification of data subjects for no longer than is necessary
DATA PROTECTION DIRECTIVE 95/46/EC
• Article 7 – Criteria for making data processing legitimate
Personal data may be processed only if:
• Data subject gives unambiguous consent, or
• Processing is necessary for:
  o performance of a contract, or
  o compliance with a legal obligation, or
  o protecting vital interests of the data subject, or
  o performing a task in the public interest / exercise of official authority, or
  o legitimate interests of the data controller
DATA PROTECTION DIRECTIVE 95/46/EC
• Article 8 – Special categories of data
Prohibition on processing personal data revealing:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade-union membership
• Data concerning health or sex life
• Exception – explicit consent
DATA PROTECTION DIRECTIVE 95/46/EC
• Articles 10 & 11 – Information to be given to the data subject
Data controller must provide data subject with at least the following information:
• Identity of the controller
• The purposes of the processing
• Any further information, such as
  o Recipients or categories of recipients of the data
  o Whether replies to questions are obligatory or voluntary, and the consequences of failure to answer (where data is collected from the data subject)
  o Categories of data
  o Existence of the right of access and the right to rectify data
DATA PROTECTION DIRECTIVE 95/46/EC
• Article 12 – Right of access
• Outlines an individual’s rights of access to their data
• Article 17 – Security of processing
• An individual’s data should be protected from misuse and unauthorised disclosure or access
GENERAL DATA PROTECTION REGULATION – WHAT’S NEW?
• Article 17 – Right to erasure (“right to be forgotten”)
• Article 19 – Right to object – on grounds including profiling
• Article 20 – Right not to be subject to a decision based solely on automated processing, including profiling
GENERAL DATA PROTECTION REGULATION – WHAT’S NEW?
• Article 23 – Data protection by design and by default
• Implement appropriate technical and organisational measures designed to implement the data protection principles
• Article 30 – Security of processing
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  o pseudonymisation and encryption of personal data;
  o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
  o the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident;
  o a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
PRIVACY AND DATA PROTECTION CONSIDERATIONS
• Various privacy and data considerations flow from the ethical and legal constraints and values, e.g.:
• Informed consent
• Data minimisation
• Data quality
• Purpose specification
• Use limitation
• Confidentiality
• Transparency
• Individual participation and access to data
• Anonymity
• Privacy of personal communications
INFORMED CONSENT
• Art 7 EU Data Protection Directive – personal data can only be processed if the data subject has unambiguously given consent
• Consent must be meaningful:
• Given freely after the person has been informed of the nature, significance, implications and risks
• Questions:
• How will DEVELOP obtain free and informed consent?
• Is the person informed of the nature, significance, implications and risks of the product?
• Is consent evidenced in writing, dated, signed, or marked in some way?
• Does the consent outline the use for which data is collected, how it is collected, how to obtain a copy of the data, the mechanism to correct erroneous data, and who has access to the data?
• Is there a right to withdraw?
• Is it truly voluntary? I.e., what are the consequences of not consenting?
• The employer/employee relationship is significant here.
DATA MINIMISATION
• How will the project determine what constitutes the minimum amount of personal data to be collected?
• Will any data be collected which is not necessary for fulfilling the stated purpose of the project?
• Is information collected in ways of which the data subject is unaware?
• Is information collected against the wishes of the person?
• For how long will the information be retained?
• Will the information be deleted when it is no longer needed for the purpose for which it was collected?
DATA QUALITY
• What measures will be put in place to ensure the quality of information gathered?
• What assurances are there that data is true and accurate?
• Has information been collected from others than the person to whom it pertains?
• What are the implications of data inaccuracies?
• What measures are there to correct data inaccuracies?
CONFIDENTIALITY
• What measures will be taken to ensure the protection of personal data? E.g., encryption, access control, etc.
• Who will have access to personal data?
• What safeguards will be put in place to ensure those who have access treat the information in confidence?
ANONYMITY
• Have steps been taken to ensure that a person cannot be identified from the data collected?
• Have pseudonyms or codes been used to replace data that could identify the individual?
• Could data from different sources be aggregated or matched in a way that undermines anonymity?
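The pseudonymisation measure named under Article 30 and the aggregation question on this slide are two sides of the same design choice. The following Python is an added illustration, not code from the DEVELOP project: it pseudonymises two constructed data sources with (a) an unkeyed hash and (b) a keyed, per-purpose HMAC, and checks whether the two sources can still be matched on the same person. Field names, record contents and the key handling are assumptions; in a real deployment the purpose keys would live in the controller's key store under access control.

```python
import hashlib
import hmac
import secrets

# Constructed sample records from two hypothetical data sources feeding
# DEVELOP (assumed field names, not the project's real data model).
HR_RECORDS = [{"employee_id": "E1042", "department": "Logistics"},
              {"employee_id": "E2077", "department": "Finance"}]
WEARABLE_RECORDS = [{"employee_id": "E1042", "steps": 8421},
                    {"employee_id": "E2077", "steps": 2310}]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: the same person gets the same token in every dataset,
    so any two sources can still be joined on it."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def keyed_pseudonym(identifier: str, purpose_key: bytes) -> str:
    """HMAC under a secret key that is different for each purpose and held
    only by the controller; without the key, tokens cannot be linked."""
    return hmac.new(purpose_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, id_field, token_fn):
    """Replace the direct identifier with a token and drop the original."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k != id_field}
        stripped["token"] = token_fn(rec[id_field])
        out.append(stripped)
    return out


def linkable_tokens(dataset_a, dataset_b):
    """Tokens shared by both datasets: each one lets the two sources be
    matched on the same individual (the aggregation question above)."""
    return {r["token"] for r in dataset_a} & {r["token"] for r in dataset_b}


def records_for_subject(dataset, employee_id, purpose_key):
    """The controller, holding the key, can still locate one person's
    records to answer an access (Art 12) or erasure request."""
    token = keyed_pseudonym(employee_id, purpose_key)
    return [r for r in dataset if r["token"] == token]


def demo():
    hr_naive = pseudonymise(HR_RECORDS, "employee_id", naive_pseudonym)
    wear_naive = pseudonymise(WEARABLE_RECORDS, "employee_id", naive_pseudonym)
    hr_key, wear_key = secrets.token_bytes(32), secrets.token_bytes(32)
    hr_keyed = pseudonymise(HR_RECORDS, "employee_id", lambda i: keyed_pseudonym(i, hr_key))
    wear_keyed = pseudonymise(WEARABLE_RECORDS, "employee_id", lambda i: keyed_pseudonym(i, wear_key))
    return {
        "naive_linkable": len(linkable_tokens(hr_naive, wear_naive)),  # 2: fully joinable
        "keyed_linkable": len(linkable_tokens(hr_keyed, wear_keyed)),  # 0: no cross-source match
        "subject_hits": len(records_for_subject(wear_keyed, "E1042", wear_key)),  # 1
    }
```

Note that per-purpose keys only prevent matching on the token; the remaining attributes (department, step counts) can still single someone out in a small population, which is why the slide's first question is about identifiability from the data as a whole.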
ACTION PLAN FOR UPCOMING DELIVERABLE
T4.1 – legal and social considerations – due M09
• Review legal frameworks at EU and national level
• Review social norms and background for each participating country – drawing on ethical principles
• Draft framework of legal and social/ethical considerations for design of DEVELOP
• Framework to be fed into design principles for DEVELOP, in consultation with other partners
CONSULT WITH CONSORTIUM
Partners to help us understand the architecture
Describe information flows:
• Who will collect what information?
  • From whom?
  • For what purpose?
• How will the collected information be used?
• How will information be stored, secured, processed and distributed?
  • (i.e. to whom might the organisation pass the information)
  • for what purpose
• How well will secondary users (e.g. the organisation’s service providers, app developers) protect that information?
CONTACT US
• Joanna Simon – joanna.simon@trilateralresearch.com
• Rachel Finn – rachel.finn@trilateralresearch.com
• Website: www.trilateralresearch.com
• Twitter: @Trilateral_UK
• E-mail: info@trilateralresearch.com
• Phone: +44 (0)207 559 3550
• Address: Crown House, 72 Hammersmith Road, London, United Kingdom

Overview of privacy and data protection considerations for DEVELOP
