If adopted efficiently, the PDPC’s Ethical Accountability Framework should help organizations to demonstrate and enhance trust with individuals.

In October, 2018, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) presented the findings of an inquiry into the ethics of data processing, commissioned by the PCPD with the help of the Information Accountability Foundation (IAF). The result of the inquiry, published as the Ethical Accountability Framework, provides an “instruction manual” for processing data in an ethical and accountable manner.

Following on the heels of the PCPD’s report, the Hong Kong Monetary Authority (HKMA) issued a Circular titled Use of Personal Data in Fintech Development, encouraging authorized institutions (AIs) to adopt the PCPD’s Ethical Accountability Framework.

The Ethical Accountability Framework is centred around a set of core principles, which were established to address underlying concerns identified by the PCPD. The Circular encourages AIs to embed these principles into their FinTech development and their relationships with service providers and strategic partners, including startups and other tech-centric organizations. While the Circular provides very little additional guidance on how AIs should apply these principles, data ethics and stewardship in the context of collecting and processing personal data will clearly be a focus for the HKMA going forward.

This blog considers the Ethical Accountability Framework’s relevance to FinTech and provides practical steps AIs (and their strategic partners, including start-ups in the FinTech space) can take to implement the framework.

An Overview of the PCPD’s Ethical Accountability Framework

1. Enhanced Data Stewardship Elements: The PCPD worked with interested parties in Hong Kong to outline principles for handling and processing data ethically, including “ethics by design,” implementing processes for ethical review, and being able to evidence such processes.
2. Data Stewardship Values: Three core values for the ethical processing of data were proposed: Respectful (understanding context for use of data and defining what is reasonable and respectful of the impact on individuals), Beneficial (considering the benefits to the individual and society as a whole, as well as the risks), and Fairness (taking measures to avoid uncertainty, discrimination, unequal treatment, and distress to individuals).
3. Model EDIA: A framework for assessing the processing of data and development of technologies against the concerns outlined above. The framework is broader than a standard privacy impact assessment (PIA) process, such as that historically recommended by the PCPD.
4. Model Oversight Process: An outline of steps that can be taken to ensure appropriate governance measures are in place to monitor, validate, and iterate the concerns outlined above.

Why is data ethics important to FinTech?

The intention of the Ethical Accountability Framework, when properly implemented, is to provide a way for organizations to demonstrate and enhance trust with individuals. This trust is particularly important when considering emerging FinTech trends. If an organization is taking any data — transaction records, behavioural data, personal data — and analysing that data to produce profiling or credit scoring, facilitating automated decisions such as to grant a loan, or providing recommendations on investment, the Ethical Accountability Framework offers guidance on best practice for building trust with those customers.

When developing FinTech in-house, or partnering with a third party to integrate FinTech into an existing business, product, or service, a variety of risks arise when the technology uses data. These risks include the security of that data; ensuring datasets are accurate and provide valid outputs; providing effective means for anonymizing data; and enabling individuals to isolate, access, amend, and delete their data.

How can an AI implement the Ethical Accountability Framework?

An AI may well have much of the framework in place to allow for efficient adoption of measures outlined in the Ethical Accountability Framework — particularly if there is an existing PIA and review process in place.

AIs should review their data governance processes and consider the creation of (or, if such measures are already in place, development and/or maintenance of) processes and forms, such as:

• An ethical data processing policy — identifying which technologies are high risk (g., artificial intelligence) and what the organization should keep front-of-mind when developing these technologies.
• A governance framework that reflects the values of the ethical data processing policy.
• An Ethical Data Impact Assessment (EDIA) process reflecting the policy and framework. The Model EDIA set out in the Ethical Accountability Framework is a helpful starter, and an AI may want to integrate this with the existing PIA form to streamline the process of product/service/system review.

AIs should also ensure that they have robust accountability and audit processes in place ensuring they are capable of demonstrating ongoing compliance with the above processes, particularly given the HKMA or another authority may seek information about the implementation of the Ethical Accountability Framework.

What next?

The PCPD has indicated that the Ethical Accountability Framework is the beginning of strengthened “cultural change” in data privacy protection, suggesting that ethical considerations will become a much more integral part of the PCPD’s approach to regulating data processing. The HKMA’s Circular further supports the case that ethical considerations will be scrutinized in the FinTech space as technologies evolve and data becomes even more valuable.