AI and Data Ethics: Privacy by Design

AI and Data Ethics Privacy by Design

In this series on AI and Data Ethics, we're talking about ADP's ethics principles of Accountability & Transparency, Explainability, Data Governance, Ethical Use of Data and Privacy.

We talked with Cécile Georges, ADP's Global Chief Privacy Officer and member of ADP's AI and Data Ethics Advisory Board, about privacy and why it matters in the design and use of HR software.

When ADP talks about its products having privacy by design, what does that mean?

Georges: Privacy by design is a methodology to ensure that privacy principles are embedded into the products from the beginning and throughout the development process. It's a concept that is becoming a common term; even the European General Data Protection Regulation (GDPR) that came into force in 2018 references it. But ADP has always been focused on privacy because of the nature of the personal data we process for our clients.

What does it mean to embed privacy in technology?

Georges: When we are talking about privacy and technology, we are looking at how and whether personal information about individuals is protected. We need to make sure there are guardrails about how that data is used, managed, stored and shared.

Embedding privacy into technology means making sure that you have a good reason to collect and use personal data about people. There are several approaches we take:

  • Using only the data you need to achieve a particular purpose is one way we protect privacy. For example, with time and attendance software, you don't need someone's address to schedule and track when they work.
  • Another protection is transparency to let people know what data you have about them and give them the ability to correct or delete the information.
  • Another way we embed privacy into tech is by including restrictions on how data is used or transferred.
  • When we can, we use anonymized data. We remove personally identifiable information so that someone could not go back to the original information or connect data to determine whose data is involved. We also control who has access to the original data during the anonymization process. The conditions of anonymization are extremely strict.

With many solutions, such as payroll, when we can't anonymize the data, we offer other ways to secure data and protect privacy. So, we must have other ways to secure the data and protect privacy. Privacy needs security to make sure the data is used appropriately and protected against breach.

How does ADP protect privacy in the design of new products?

Georges: Because ADP deals with payroll information that includes names, addresses, social security numbers, employers, wages and sometimes banking and benefits information, privacy is at the core of what we do.

When we are evaluating a new product idea, we do a privacy impact assessment where we look at what kind of data are going to be used and how it is selected, used, and could be shared. We look to see where there are gaps to be closed.

We of course look at legal requirements for security and privacy, but we are also focused on implementing high standards of data protection, even if it's not always required by law. ADP embeds privacy in the design because it's the right thing to do.

Why is privacy an ethics issue?

Georges: We are processing personal information about our clients' employees. There are legal and contractual requirements about how we do that. But it's also about integrity, fairness, and making sure that our clients understand what we are doing with the data.

Where we can, we also want to give workers the option of either activating or disabling features where their data may be used. For example, we have a tool that allows an employee to compare their retirement plan and benefits with others who are in similar situations. But before that feature gets activated, we let our clients know what it does and they can choose to use it or opt out.

At ADP, one of our core values is "integrity is everything," and we believe privacy contributes to the ethical processing of personal data. Handling personal and private information about people is the core of our business. Everyone at ADP is committed to process and protect that information the right way.

Learn more about ADP's privacy commitment and read our position paper, "ADP: Ethics in Artificial Intelligence," linked from the AI, Data & Ethics blade on the Privacy at ADP page.

Related article: AI and Data Ethics: 5 Principles to Consider