The (digital) traces we leave behind

Photo credit: BBC

By Mette Wichmand

The technological development has in recent years given us more and more opportunities to access, create and store data about ourselves and others. We communicate online with family, friends, acquaintances and people we do not know at all. We follow people, companies and organizations as well as hashtags online. We share thoughts, opinions and ideas in cyberspace together with our whereabouts, selfies and photos of others, and the things we do and buy. We register our sleep, steps, meals and temperature. And while we do all of that – and more – we leave digital traces behind – knowingly or not.

Together, these traces create an unprecedented amount of social data. Data that forms a goldmine for researchers in social science – like myself and my colleagues, and probably also you, dear reader, as you are reading this blog.

It is easy to become euphoric when thinking of the amount of data that the technologies are generating and giving us access to. Think about the insights we can create on how viruses travel and spread across boarders or how student socialize and learn online. Knowledge that can help us build better health services and stronger educational systems. But the opportunities come with ethical challenges. Because is the data actually ours to collect, store, share and analyse in the name of research, just because it exists and is accessible? Or does the data belong to the individuals who created it and should they be consulted before we use it? 

I have no clear answer to this question, but I think it a crucial one. Therefore I have been looking around for help and guidance.

I began my search by looking into the infamous GDPR, the extensive piece of legislation that was adopted in April 2016 by the European Council and Parliament. This piece of legislation seems to work well for private companies, but is not very helpful for me as a researcher looking for ethics. I am no legal expert, but from reading people who are, I understand that research occupies a privileged position within the Regulation: “Organizations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organizations also may override a data subject’s right to object to processing and to seek the erasure of personal data (Article 89). Additionally, the GDPR may permit organizations to process personal data for research purposes without the data subject’s consent (Article 6(1)(f); Recitals 47, 157)” (see: https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/)

My own conclusion: Good to know what the rules are, but not the right place to look for ethical guidance.

So, looking for ethics, my next stop, was the homepage of the Danish ‘Council of Data Ethics’ (Dataetisk Råd). The council was established in May 2019 by the government with the stated task of supporting ‘a responsible and sustainable use of data in the private and the public sector’ (see: https://digst.dk/data/dataetisk-raad/). It would seem to be an obvious place to find some guidelines but turned out to be another dead-end. On the homepage, the council writes that it is essential that the data ethical challenges of the public sector are addressed, but at this point in time they have only prepared recommendations directed at the private sector.  

Finding no help with the Council of Data Ethics made me think that I might need to change my search. Instead of looking for ethical guidelines concerned with the use of personal digital data in social research, perhaps I should be looking for guidelines developed for health and medical researchers as this group has been dealing with ethical issues connected to working with sensitive and personally identifiable data for years. Maybe there was something to learn from our colleagues?

This led me to the website of the Danish Ethical Council, who prepared and published a statement in 2015 on research involving digital health data and biological material in Denmark (see: (https://www.etiskraad.dk/etiske-temaer/sundhedsdata/publikationer/udtalelse-om-sundhedsdata-2015). The statement is partly based on a background paper discussing the ethical aspects (see: https://www.etiskraad.dk/~/media/Etisk-Raad/Etiske-Temaer/Sundhedsdata/Publikationer/2015-05-12-Sundhedsdata-etiske-aspekter.pdf?la=da).

In the following, I will extract some central points of the statement and discuss their relevance and how they might help inform a similar discussion in the field of social science.

Personal ownership and consent

First of all, the publications underline that medical science is based on a 400 years old liberal tradition where every person is believed to have ownership of their own body and all information connected to it – in a medical context meaning tissue, bioproducts and genetic information et cetera.

I think this opens up an interesting discussion in relation to the data we create about ourselves online. Could and should we understand the data that is produced online in line with data derived from our physical body and as such place it under the banner of personal ownership?

If we were to accept the idea that every individual owns the data they produce online, the next step according to the Ethic Council would be for researchers to ask for ‘informed consent’ from the data owners when we want to use their data. In doing so, we should enable the data owners to decide not only if the data can be collected and by whom – but also which purposes it can be used for.

Having to ask for consent might seem inarguable when you want to drain human blood or take a biopsy from person’s liver, but when the data is accessible and can be collected with a webspider that no one sees or feel it might become easy to think of the data as finders keepers?   

Anonymity, privacy and confidentiality

The ethical imperative behind having to ask for consent from the data owners is the idea that people have the right to autonomy and self-determination. Meaning that people should be free to decide whether their personal data is used in ways that are aligned with their personal values and beliefs. If there is no alignment it could be claimed that the autonomy of a person has been violated. In health research we might agree to our data being used to do research on a rare eye disease but not for anything connected to euthanasia. I think the same considerations could be pertinent in relation to social online data, where it would be possible to imagine cases where the focus of the research is not aligned with the values of the individuals producing the digital social data used in the study. On could imagine a study focused on political differences between men and women, that a person who does not subscribe to the idea of a binary biological gender might take affront to and therefore would not wish to contribute their data to.

Further, the Ethic Council states in its report that it is often assumed unproblematic to use anonymized personal data in research. But if one applies the idea of autonomy and self-determination, it is no longer possible to think of it as unproblematic, as a person’s personal values and believes can still be violated even though the data can’t be traced back to an individual level. Furthermore, there is always a risk that the data is not thoroughly anonymized and it can therefore be argued that it should be the individual data owners themselves who decide if they find it sound to provide their data to a research project.

Solidarity and public interest

There is no doubt when reading the reports from the Ethical Council that they are concerned about people’s data and their right to self-determination, anonymity and privacy and that they advocate that we as researcher ask for consent before collecting and using personally identifiable data. With that being said, the Ethical Council points to the importance of enabling researchers to build knowledge that is of societal value – even though this can be undesirable for the individual. The argument goes that in order to be able to heal and help people, health researchers need the ability to access personal information. A cure for cancer can’t be created on basis of theoretical hypotheses only, but demands blood, sweat and tissue from many individuals. Therefore, we as individuals must show solidarity and put the collective interest before our own – even when we pay with our private data. I believe that the same could be argued for social research. Access to data – including sensitive personal data – impacts the knowledge we are able to build. The key question is when the knowledge is of such an interest to the public that we can justify using the data. Is it when data helps us make informed decisions on how to diversify the way we teach in order to meet different learning styles? Or is it when we use data to predict who will pass and fail a study and base our admissions of students on such predictions? I am afraid that there is no simple, clear-cut answers to such questions.         

What now?

I started out by asking if online social data is ours to collect, store, share and analyse in the name of research just because it exists and is accessible? Or if it belongs to the individuals who created it and who we need to consult before we can create, collect and use the data? 

Neither the legislative texts of the GDPR, nor the reports from the Ethical Council, give me any strict guidelines, but I do think that they call for a larger awareness of and discussion in the social science research community on how we should deal with public and private data and how we make sure to consider and deeply reflect on whether what we do as researchers is of such a nature and interest to the public that we can justify collecting and analyzing sensitive personal data regardless of the relative ease with which we can access it online.   

We can make rules and laws like the General Data Protection Regulation (GDPR) but in the end the matter also has to do with trust. Does the public trust us researchers and the institutions we represent to such a degree that they are willing to grant us access to their cells and internal organs as well as their (secret) desires, habits, ideas and opinions expressed online? Earning, having and keeping that trust – now and in the future – depends on how we think about and handle sensitive personal data today. It is a discussion we have to engage in. Together. So, what are your thoughts?   

Mette Wichmand is an Assistant Professor of Communication Studies at Roskilde University