The importance of an ethical decision-making framework for lawful disclosure of personal data.

Our world today is increasingly digitalised and connected, with new digital services continuously being made available. This has resulted in organisations processing ever increasing volumes of personal data. According to the World Economic Forum, the amount of data generated each day is expected to reach one billion gigabytes globally by 2025.

Demands for access to personal data for law enforcement and judicial purposes have also grown exponentially. It is generally accepted that effective law enforcement – acting in full compliance with democratic values and fundamental rights, including respect for private and family life, freedom of expression and the right to the protection of personal data – is a prerequisite for protecting citizens and maintaining safe and secure societies.

In this context, many organisations receive legal demands for the disclosure of personal data, from security agencies and law enforcement authorities. In responding to such demands, organisations are required to consider their legal and ethical responsibilities, particularly in striking a balance between a citizen’s right to privacy and civil authorities’ right to seek the information.

In its 2020 EU Security Union Strategy, the European Commission observes that electronic evidence is needed in about 85% of investigations concerning serious crime.

Evolving Regulatory Landscape

Data privacy will be one of the most important issues for organisations over the next decade and the future of building trust in a business will be generated on the  foundations of transparency and ethics, according to Forbes. Therefore, it has become a top priority for companies to be transparent and ethical in their practices when considering the disclosure of personal data.

Access to personal data and electronic communications data governed by laws and regulations such as the e-Privacy Regulation, GDPR, Lawful Disclosure and legislation on the e-Evidence Package are contributing to the evolving landscape, along with:

• Growing demands by citizens for more transparency.
• Enhanced privacy rules and regulation of all organisations, particularly technology companies.
• Increased law enforcement demands for the disclosure of personal data.
• Judgements by the European Court of Justice defining the considerations influencing the balance between a citizen’s right to privacy and civil authorities’ right to seek the information.
• Rise in fines from regulators, resulting in significant financial loss, reputational damage and impact on customer trust.
• Increase in fines year on year. In 2021, €1.1bn in the EU (7x higher than 2020) and $1.25bn in the USA.

By 2024, 75% of the world’s population willhave their personal data protected under modern privacy regulations. Enhanced privacy rules are anticipated across more than 60 jurisdictions throughout Europe, the USA and Asia.

Building trust while simplifying the complex decision-making process

At iTrust Ethics, our research has shown that the existing approach to decision-making when handling requests for disclosing data is complex, manual, inconsistent, and involves a high risk of human error.

Maureen King and Peter Kirwan of iTrust Ethics have developed the first decision-making framework to standardise and simplify complex decision making when disclosing personal data – iTrust6A™.

This is based on 20+ years’ experience of handling disclosure of data requests from law enforcement agencies. The framework is implemented and operational into Group 2000’s Workflow Management Software (LIMA) which provides tailor-made client workflows with a traceable and transparent record of the considerations and steps taken in the decision-making process when handling such requests. Together, iTrust6A™ powered by LIMA is the first standardized compliance solution launched to the market.

Our compliance solution will enable organisations to demonstrate compliance by fully documenting and keeping audit records of every decision making step. It also presents organisations with a significant opportunity to standardise meaningful transparency reports – with one click of a button, you can generate a transparency report for all countries you operate in.

iTrust6A™ powered by LIMA also helps to build trust in your organisation. In today’s digital age customers are rightfully concerned about their privacy, security and use of their personal data. By prioritising ethics and transparency when disclosing personal data, organisations can demonstrate to their customers that they are trustworthy and transparent, and to regulators that they are compliant and committed to protecting user data.

In addition to standardising and simplifying the decision making rationale for disclosing personal data, adherence to the six principles of iTrust6A™ will also infuse an ethical mindset of ‘doing what is right’ within an organisation.

Simplicity in its design

iTrust6A™ powered by LIMA simplifies the complex decision-making process when disclosing personal data. The six principles of the compliance solution framework are:

1. Authentication
2. Assurance
3. Appropriateness
4. Assessment
5. Authorisation
6. Accountability

Organisations can use the six guiding principles to systematically and comprehensively analyse all considerations involved when deciding whether to disclose data or not. It helps to identify and minimise data protection risks and acts as an accountability tool by creating a compliance mechanism for ensuring that the privacy rights of individuals are upheld.

Compliance Standardisation

iTrust6A™ powered by LIMA standardises the decision making process and will add value to organisations that aim to:

• Strengthen governance models in order to readily demonstrate decision-making rationale and compliance.
• Reduce the risk of human error.
• Reduce operational costs and improve efficiencies.
• Mitigate privacy, security and non-compliance risks.

The steps record decisions made, who in your organisation made them, their legal basis, and traces the actions taken to authorise the disclosure of personal data Workflows are designed in consultation and tested extensively prior to deployment in our client’s own IT environment. This maximizes organisational flexibility, and workflow configurations can be modified and added after initial installation without any system downtime.

iTrust6A™ powered by LIMA can be integrated into existing lawful interception and lawful disclosure solutions, or it can be deployed as a standalone solution.

iTrust6A™ powered by LIMA can be adopted in any organisation, of any size, in any jurisdiction, by mapping the specific regulatory, legal and policy requirements, into six guiding principles.