Reflections on Data Privacy

22 May 2020

By Mahsa Hedayati and Amanda Wang, Information System Officers, Policy, Strategy and Governance Division, OICT

The topic of privacy is gaining momentum in the mainstream big data discourse. Governments, policy makers, businesses, academics, and civil society are increasingly reflecting on how to strike the right balance between the potential benefits of exponential data collection and discovery, on the one hand, and the protection and privacy of data subjects, on the other hand.  

Is the privacy discourse new?

While interest in data privacy appears to be growing in both the public and private sectors, it is not a new topic. In 2018, the European Union introduced the General Data Protection Regulation (GDPR). However, this was not the first regulatory framework related to data privacy and it will likely not be the last. For example, in 1980, as computers became increasingly used to processing business transactions, Organisation for Economic Co-operation and Development (OECD) policy makers published a first set of guidelines on the protection of privacy and transborder flows of personal data. At national levels, it appears that data privacy regulation was introduced decades ago within several countries, including Japan, Sweden and the United States.  

When looking at the concept of privacy more broadly, we see that the UN General Assembly adopted the Universal Declaration of Human Rights in 1948, with privacy outlined as the 12th fundamental human right. This historical international document, which was created just three years after the UN was founded, demonstrates that privacy as a global standard has been important to the UN system for more than eight decades.

We believe that the UN’s role as a global privacy champion will grow in the digital world. And as part of this evolving role, it will be important to continue ensuring that no country or society is left behind. Much like the traditional notion of privacy established by the UN in 1948, data privacy must be a common standard of achievement for all people and all nations.

Privacy from within

With respect to the Organization’s internal operations, some notable progress has been made to advance data privacy work. For example, in 2018, the same year that GDPR came into effect, the UN High Level Committee on Management (HLCM) published Personal Data Protection and Privacy Principles for the entire UN system. These principles were designed to inform how to process personal data, defined as “information relating to an identified or identifiable natural person (“data subject”), by, or on behalf of, the United Nations System Organizations in carrying out their mandated activities”.

Currently, entities across the UN system are working on developing policies and programmes that can integrate the 2018 HLCM principles into their operations. And to further strengthen the Organization’s commitment to data privacy internally, the Secretary General’s new Data Strategy has called for the integration of data protection and privacy into all current and future data-related work across the UN.

Thoughts on next steps

Regarding the application of data privacy measures within an organization, we would like to share three thoughts.

First, we believe that regulations associated with data privacy in an organization’s internal operations must include – from the very start - a multidisciplinary approach that includes diverse professionals from a variety of backgrounds including law, policy, computer science, and management.

We stress this point because we believe that there is a bias in the technology industry, which perceives “regulation” as a matter that should be solely solved by lawyers and policy makers. While the role of such professionals is certainly crucial, it is important to recognize that regulation can also be achieved through digital infrastructures. Indeed, depending on their design, the technologies that we use to collect, discover and analyze data can significantly influence our behaviors and actions, including in the realm of data privacy. In this way, “regulation” can be achieved not only through law or policy, but also through a technology’s design. [1]

For this reason, we believe that creating an environment that protects the privacy of data subjects must be a collaborative, multi-stakeholder process, with the concept of “regulation” understood more broadly.

Second, we believe that to respect and protect the privacy of data subjects, all data work within an organization should be guided by the principle of “do no harm”. For example, in international affairs literature, the concept of “do no harm” stresses that certain forms of international support in post-conflict or development settings historically may have inadvertently weakened rather than strengthened local processes. The literature notes that, consequently, such efforts may have done more harm than good, even if unintentionally.

The principle of “do no harm” could also be useful to the data privacy discourse. As digital technologies increasingly enable us to connect and discover more data, committing to the “do no harm” principle provides us with an important ethical lens. Such a lens can help us be more mindful of unintended consequences that could potentially arise when working with ever-growing volumes of data – especially data we must keep protected and private. This means that whether we are creating, collecting, sharing, connecting, or analyzing data related to our work, we should keep the principle of “do no harm” in mind. And of course, this concept must be backed by smart regulation, as per our first point.

Third, and closely related to the principle of doing no harm, we believe that it is important to recognize the role of the individual in the responsible handling of private data. Whether it be in relation to data that each of us create or manage in our professions, or data we generate and share about ourselves and others as private citizens, our individual actions can have an impact on the protection and privacy of identifiable and other sensitive data. As such, each of us should become better informed about how our own unique actions affect data privacy – including through trainings, workshops, readings, and broad discussions with our peers and communities.

In conclusion, the topic of data privacy – while not new – is an increasingly important subject area. In line with the UN’s historical commitment to privacy, we, in OICT, will work closely with our partners across the UN Secretariat and beyond to help design and build digital infrastructures and policies that protect the privacy of data subjects. The principle of “do no harm” will provide us with an important ethical foundation throughout this journey. And we will also be mindful that – ultimately - data privacy awareness begins at the level of the individual.

*The views expressed in the blog piece are those of the author and do not reflect the views of OICT or the UN.

[1] This broader, more collaborative approach to solving for data privacy is often referred to as “privacy by design”. For more on the concept of privacy by design, as well as the role of infrastructure as a form of regulation, we recommend exploring published works by Dr. Ann Cavoukian, Luk Arbuckle and Dr. Benedict Kingsbury.