Ethical Impact Assessment – Drudge or necessary evil?

Wednesday, January 23, 2019

The current emphasis on developing an evidence-based approach to policing has resulted in the increase of police and academic collaboration. New partnerships are being forged to tackle all manner of national security and neighbourhood safety concerns. These partnerships are also serving to encourage police officers participation in research and innovation activities with academic and private industry partners. 

An excellent example of active police participation in research is project ARIES (reliaAble euRopean Identity EcoSystem), which seeks to reduce levels of identity fraud, identity theft and other related cybercrimes by creating a new system to improve the security of personal online data. Funded by the Horizon 2020 Secure Societies programme of the European Commission, and being delivered by a multi-disciplinary consortium of partners, ARIES is being informed by the user-requirements provided by police officers.

The active contribution of police officers in research is essential, both to share operational challenges and to ensure research outcomes have positive impacts upon community safety. The research being undertaken by police officers to progress project ARIES includes the creation of cutting-edge information technology, requiring access and exposure to sensitive data which has presented unique challenges. As UK police officers are guided by the College of Policing Code of Ethics in their operational duties, it is timely to remind all police officers that ethics in their research activities is just as important, especially when engaging in research to tackle cyber fraud, the UK’s number one crime.

Personal data

Eyes glaze over at the mention of undertaking an ethical impact assessment. Many police officers engaged in research think that having done a privacy impact assessment, and complied with quality standards and technical regulations, there is no need to do anything more in order to comply with best practice in the handling of personal data.

The prospect of doing another impact assessment is rarely seen as a relevant or an opportunity. And yet, that is precisely what an ethical impact assessment is.  It is a way to demonstrate to users and citizens that the service being provided can be trusted and that that trust is sustainable.  This is vital in todays police as trust = confidence.

An ethical impact assessment is important because it prioritises the precautionary principle of do no harm: handling of personal data and information in a way that is consistent with not allowing people’s data to be linked to anything else, without their express consent. 

Ethical impact assessments are designed to alert researchers to what they are actually doing and allowing to be done with personal information.  Accordingly, they are to be explicit about the purpose for which data is collected and limit that use to that specific purpose.  Not only would such sharing breach the purpose limitation and informed consent principles, but the data subject would not have any knowledge of who or what (in the case of automated access and data handling) was accessing the data and information and for what purpose.

Checks and balances

Conducting an ethical impact assessment potentially averts all manner of problems arising from legitimate concern over disproportionate access to an individual’s personal information. Similarly, an ethical impact assessment heightens awareness among research partners about how they are safeguarding the information under their control including: the principles of data minimisation, purpose specification, purpose limitation, non-likeability, accessibility and accountability.

The rigorous completion of an ethical impact assessment during research is therefore key to developing trust in the reliability and dependability of the product or service being designed.  Demonstrating how redress can be easily obtained without litigation, and how the provider is trustworthy and accountable for what happens to information (processed by a human or by a machine) helps to create trust and sustain it.

All police officers engaged in research are never to forget that this is not simply a matter of asserting that a product or service meets all legal requirements. It requires evidence that information is processed fairly, equably, justly and in ways that are essential to completing the transaction envisaged. It means not requiring and retaining information extraneous to that; and not engaging in a tick box exercise to show that a service user or customer has ‘consented’ to onward use or linkage of any information they provide. For police officers engaged in research these are essential aspects of data sharing agreements amongst multi-agency consortium partners.

Ethical practice

The advantages of project ARIES outcomes to citizens and to those trying to combat cyber fraud lie in making it more difficult for would-be fraudsters to impersonate the genuine claimant to a genuine identity. The research to progress project ARIES has shown that it is important for police officers engaged in research which accesses personal information that the data minimisation principles behind ethical processing are followed. This means that no more information should be sought than is essential which is just one of a series of challenges encountered during cyber-related research.

An Ethical Impact Assessment is something developers of programmes should do to ensure that they are aware of the potential ethical detriments that could arise and because just complying with a privacy impact assessment is never enough now to build and sustain trust. 

The Aries system seeks to facilitate digital exchanges while minimising data disclosure to what is the essential purpose for the transaction. So, if someone buys alcohol, the Aries eID would simply show that a person was of the requisite age, and not reveal their dob and address, for example.  But security exceptions allow data linkage as necessary.

But the completion and regular update of ethical impact assessments during the activities of project ARIES has managed to navigate a course through these numerous ethical research challenges. There is no doubt that the aim of projects such as ARIES are ambitious but the ethical challenges related to accessing personal data must not deter police officer engagement in such research which, after all, is directly responding to the need to increase the protection of personal data, and in particular individual identities, which are becoming increasingly vulnerable in our virtual world.

Professor Juliet Lodge

Professor Juliet Lodge is the Senior Research Analyst at Saher (UK) Ltd and is leading their work on the ethical aspects of project ARIES (reliaAble euRopean Identity EcoSystem).  An international expert in research ethics, Juliet is a member of the Biometrics Institute Privacy Expert Group and has given evidence on cross border information exchange to the European Parliament and British parliamentary committees.