Data: Ethics, Privacy and Cyber Implications

Vanessa Cathie, Vice President, Lockton Companies LLP

Vanessa Cathie, Vice President, Lockton Companies LLP

We’ve all seen the headlines. Data is the “new gold”, the “new oil”, the “new currency”. Call it what you like but putting all the clichés to one side, there’s no denying that data is indeed a hugely valuable resource.

Businesses that deal with the asset that is “information”, fully appreciate its true economic value. Even a cursory understanding of how Facebook, Amazon, Apple and Google operate, lends support to this proposition.


As data bases evolve, organisations are starting to understand the benefits of the fluid sharing of information. Artificial Intelligence or “machine learning” technologies applied to combined data sets create valuable insights by cleaning, modifying and adapting the information. Simply put, AI aggregates data and creates new ways of seeing things from it.

The benefits are tangible:

• a retailer using insights to improve customer experience and personalisation

• an organisation analysing emissions to assist in the reduction ofits carbon footprint

• a healthcare service provider developing new software tools based on new data insights, to increase the impact of health services in developing countries

• predictive analysis of transport patterns to reduce congestion and improve public transport services, guiding policy decisions

• the collection of pandemic data to identify the effects of lockdown on children’s wellbeing, prompting future safeguarding

• data-sharing between public authorities and supermarkets regarding prioritising food delivery slots during the pandemic

• the analysis of housing needs across the country based on affordability and demand.


The ethical and transparent management and protection of digital assets is critical to today’s businesses. The public needs to be able to accept the use of data, knowing that it is being used fairly, avoiding harmful impacts. Customers are far more inclined to share data in such circumstances, thereby enabling the benefits of data sharing to be fully realised.

Historically, private data not always been well-managed. This knowledge provokes strong reactions in people: it is quite reasonable for parties to expect that others are ethical with their information.

For organisations that embrace the ethical aspects of data use, this can serve as a powerful differentiator. “Trust” is a critical part of this process and an asset of equal importance as the data itself.

Also relevant to the concept of trust is that parties using the data have a right to know that the data is accurate and can be trusted, both in form and content. It has been estimated by IBM that data quality issues costs $3.1trillion per year in the US alone. The A-levels grade debacle that hit the UK over summer 2020 (whereby a poorly-designed algorithm downgraded around 40 % of predicted results) considerably undermined the public’s trust. The outcry was tangible and many would say, entirely warranted. (Point of order: algorithms are inherently morally neutral. This algorithm performed exactly as it was designed. Whilst algorithms take humans out of the loop in their operation phase, it is entirely possible for an algorithm to be poorly-designed at the outset).

It may be useful to mention topical “data trusts” at this point. Whilst there seems to be some inconsistency around the meaning of this term, one thing appears to be universally accepted. Rather than a “legal” trust (but nonetheless an organisation managing data in some way), the term “data trust” encapsulates the very concept of trust: in the collection, maintenance, sharing of and access to data. The way data is used should generate trust - about the information itself and the data trust’s activities – thereby reinforcing the ethical principles.

Any consideration of ethics and trust starts with an analysis of how data is collected, shared and used. Business tools are available to assist with the management of this process.

Privacy Laws

Global privacy laws continue to emerge and mature, providing legal and regulatory frameworks to support these ethical considerations. Carefully managed processes are fundamental to ensure ongoing compliance with applicable data protection principles.

Understanding the full extent of these laws can be complex: the rules themselves are often complicated but the implications will be compounded by the various data parties involved and the nature of the data itself. There are many different types of data users who collect, store, manage, analyse, modify, or otherwise use data in various ways. A full analysis of potential legal liability against the legal framework is critical.

Consider the following:

1. Does the data institution “touch” the raw data or simply extrapolate information that is provided to them in an anonymised format?

2. What agreements / contractual obligations / confidentiality provisions are in place with respect to data?

3. How was the raw data obtained: Is the data recipient confident that it has received the data ethically?

4. What actions have been taken to reduce the risk of re-identification?

5. Is data “anonymised” or “pseudonymised” with a view to it being not re-identifiable?

6. Is it possible to de-anonymise the data? What are the risks of this happening?

Ransomware and the Effect on Data Privacy

Another data threat looms large…an external threat to the safety of a business’s digital assets.

As we’ve come to expect with any valuable asset, criminals are never far away. Data is no exception. The opportunities to exploit this precious resource are plentiful in cyber-space, where criminals lurk around the dark corners of the internet.

Ransomware is the weapon of choice. This year has seen a huge surge in ransomware attacks, exacerbated by the pandemic where network vulnerabilities have been more exposed with businesses operating remotely. Earlier forms of ransomware involved encrypting systems and offering a decryption key in exchange for a paid ransom demand. Some businesses were able to be side-step such threats due to the ability to reinstate digital assets from back-ups (and therefore avoid payment of any ransom).

We are now seeing the “two-pronged” attack.  Cyber-criminals deploying ransomware variants such as Ryuk and Maze often exfiltrate data as well, demanding payment of a second ransom, without which data will be released into the public domain. If the data in question has political, economic or environmental significance, cyber-terrorists may show particular interest, perhaps installing malware to monitor data, or threatening the release of that data, for commercial or political gain.

Protecting Reputations

Whilst it is outside the scope of this paper to list the full range of mitigating measures available to organisations, at the very least a bespoke risk assessment, including cyber risk identification, analysis, and potential transfer (by way of standalone cyber / privacy insurance) would be advisable.

Appropriate “data stewardship” is vital to ensure that businesses operate above the law and reduce cyber risks, particularly as they relate to personal data, and the protection, use of and access to that data. Reputations are made and broken in this arena: the commercial sensitivities ought not to be underestimated.

Weekly Brief

Read Also

Protect or Innovate? Cutting Through the Noise When Evaluating Predictive Models

Protect or Innovate? Cutting Through the Noise When Evaluating Predictive Models

Tom Fletcher, PhD, VP, Data Analytics, North America Life, PartnerRe
Optimizing Innovation Initiatives by Artfully Managing Change

Optimizing Innovation Initiatives by Artfully Managing Change

Lori Pon, Director, Claim Contact Center and Claim Handling Unit at AAA-the Auto Club Group
 Digital Ecosystems and Insurance - A Winning Partnership

Digital Ecosystems and Insurance - A Winning Partnership

Sean Ringsted, Chief Digital Officer, Chubb
Data Governance Systems Undergoing Ongoing Evolution

Data Governance Systems Undergoing Ongoing Evolution

Paul Pries, Director – Data Governance, West Bend Mutual Insurance Company
People as Decision-Makers; Technology  as an Enabler

People as Decision-Makers; Technology as an Enabler

Ralph LaSpina, EVP, Chief Marketing & Underwriting Officer, FCCI Insurance Group