5 suggested draft principles for Ethical Use of Data Analytics and AI

(Written on a personal basis – no endorsement or approval is implied by any organisation that I am associated with.)

Over the past couple of months I have been reading and thinking quite a lot about ethics in data analytics and artificial intelligence, as well as completing a Microsoft course on it.

What follows is my current suggested shortlist for 5 key principles for Ethics and Data Analytics and AI. I try to bring together in this list what I consider to be the most important principles arising not only from the Microsoft course, but also from several existing published frameworks (see note * below for a list). These frameworks tend to be much longer documents which, while very useful as reference documents, don’t to my mind meet the need for a quick document that practitioners and executives sponsoring, using or building AI projects are far more likely to read.

5 Suggested key principles for Data Analytics and AI work (DRAFT v0.2)

  1. Avoid harm to others (including by respecting their privacy, equality and autonomy, and speaking up about potential harm/violations of these principles)
  2. Increase societal well-being (including by sharing prosperity from AI benefits widely, and taking extreme care before introducing advanced AI that might lead to supremacy of AI intelligence)
  3. Professionalism: clean the data, treat data as an asset, comply with legal requirements and any applicable professional body codes, thoroughly assess and balance benefits v risks, keep models under review, and be flexible. Builders and owners of AI systems must take responsibility for outcomes.
  4. Act to preserve or increase trust (including via explain-ability as far as possible, transparency and accountability – particularly where explain-ability is impossible, engage widely with diverse stakeholders, build ethics into design)
  5. Retain human control: humans should choose how and whether to delegate decisions to AI systems, to accomplish human-chosen objectives.

Comments/criticisms most gratefully received!

Note (*): the sources I have drawn on in compiling the above list include:

Ethics and Law in Data and Analytics (Microsoft edX Course)

Discussions (still ongoing) with colleagues on the joint Institute and Faculty of Actuaries and Royal Statistical Society Data Science Focus Group, including outputs from joint workshops considering the Industrialisation and Professionalism of Data Science. Any errors in the draft principles are mine and mine alone however, and they should not be taken as being endorsed by anyone else at this stage!

The Partnership of the Future (Microsoft CEO Satya Nadella’s 6 principles for future AI work, June 2016).

Data Ethics Framework (from the UK Government’s Department for Digital, Culture, Media & Sport, published 13 June 2018 and updated 30 August 2018).

Seven IEEE Standards Projects Provide Ethical Guidance for New Technologies (from the Institute of Electrical and Electronic Engineers, IEEE, May 2017).

Ethical Guidance for Applying Predictive Tools within Human Services (MetroLab Network, September 2017).

AI Now 2017 Report (Alex Campolo, Madelyn Sanfilippo, Meredith Whittaker, Kate Crawford, AI Now 2017 Symposium and Workshop, January 2018).

Code of Ethics and Professional Conduct (Association for Computing Machinery, July 2018, see also here).

AI Principles (Asilomar conference, Future of Life Institute, January 2017).

I am grateful to Leisha Watson, Regulatory Lawyer at the Institute and Faculty of Actuaries for drawing most of the above to my attention.

Like the EU, many EU country data protection regulators don’t show cookie notices either

(Post by Patrick Lee, 28 August 2018).

Further to my previous article on the EU and cookies, here is a link to a short video “The EU website has no cookies notice”.

This can be viewed as a curiosity if the EU updates its website to include cookie notices, so that it is in line with what many (most) businesses have felt they have had to do. And some – but by no means all – country data protection regulators.

So, what ARE the country data protection regulators doing about cookies?

https://en.wikipedia.org/wiki/National_data_protection_authority has a list of data protection regulators.

This is by no means an exhaustive survey, but from the ones that I have looked at so far:

Regulators with cookie notices on their sites

If you haven’t yet added cookie notices, you seem to be in good company (the EU …)

GDPR and cookies: I was looking for best practice

(Post by Patrick Lee, 26 August 2018).

I was trying to answer questions from an acquaintance about cookie notices, and I went looking for examples of best practice. So I visited both the UK Information Commissioner’s Office (ICO) and the European Union (EU)’s websites. This is what I found.

The EU’s General Data Protection Regulations (GDPR) came into force across the whole of the EU just over 3 months ago, on 25 May 2018. As a result, many of you will have seen (indeed, even before May) prominent cookie notices asking you to give explicit consent when visiting websites.

The ICO’s website: looks pretty good

This cookie notice is what you see, and very prominently, when you visit the UK Information Commissioner’s (ICO) website for the first time (or after clearing cookies):

[Screenshot: ICO website cookie notice, 26 Aug 2018]

The reason for this is that cookies can be used to record personal information. Under GDPR, (and this is from the ICO’s own guidance – the bold emphasis is mine):

Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.

In other words, the ICO is implying that users need to knowingly perform an action to give consent to cookies. And that is precisely what the ICO’s own website does via its prominent cookie control notice.

To me (and I should make clear that I am not a lawyer) the ICO website does indeed appear to be very much in line with the letter and spirit of the GDPR.

The EU’s website: a very different story

What about the EU’s website, europa.eu? Remember that I visited in the expectation of seeing an example of good, or perhaps best practice.

At present, the EU’s website, http://europa.eu doesn’t give visitors any notice or prominent indication that it is storing cookies on their device.

This is what you see the first time you go to http://europa.eu (or if you have cleared cookies). Notice, as well as the absence of any cookie notice, the “Not secure” warning from Google Chrome. This seems to be because, unlike the ICO, the EU website does not (initially at least) redirect users to the secure version of their website (https://europa.eu):

[Screenshot: EU website insecure, as at 26 Aug 2018]

If you click on English as your desired language, you then see (notice that the site has now at least redirected me to its secure version):

[Screenshot: EU website after selecting English as language]

There is no cookie notice, or prominent link to information about what cookies it stores and what their purpose is. You have to look in the top right or scroll right down to the bottom of the page to see links to Cookies and Privacy policy.

EU Cookies page says they “may” store cookies

The Cookies page says that they may use cookies (amongst other reasons) to record whether visitors have agreed (or not) to the use of cookies on their site.

[Screenshot: EU website Cookies page]

Remember that the site says it *may* use cookies. What is it actually doing by this stage? If you are using Google Chrome, you can see which cookies a site is storing on your device by using Ctrl + Shift + I to bring up the developer tools. Then click on the Application tab from the top, and click and expand the Cookies link on the left and click on the name of the site you are visiting.

By this stage, I had decided to look at the site’s Privacy Policy page, and this is what came up:

[Screenshot: EU Privacy Policy page on first visit, 26 Aug 2018]

So while the site’s Cookies page says that it “may” store cookies, or (at the top) “we sometimes place” (them) on your device, it has already stored 4 cookies. In fact it stored 2 cookies when I opened the home page, and the third, has_js, when I clicked on the link to use English as my desired language. The 4th, PIWIK_SESSID, appeared when I went to the Privacy Policy page.

The privacy policy page says that by default website visitors are tracked using cookies from Europa. Rather than (as recommended by the UK Information Commissioner’s Office guidance) asking for explicit consent (in other words, an explicit opt-in), notice that the EU has chosen to rely on an implicit opt-in, i.e. you have to untick the box to opt out:

By default, website visitors are tracked using the first-party persistent cookies from Europa. You may choose not to be tracked by Piwik (opt-out). If you change your mind, you can choose to be tracked again by Piwik (opt-in).

Notice again the PIWIK_SESSID cookie. That seems to be the tracking cookie that the EU is referring to.

Let’s try opting out

But what happens if you decide to opt out? Does the EU’s site do what it says it will do? When you first visit the Privacy Policy page, the Piwik cookie is stored on your PC. The privacy page says that you are opted-in to be tracked by Piwik, but that you can choose not to have a unique web analytics cookie stored on your device, presumably the Piwik cookie that has just been stored. So let’s try opting out by unticking the “you are currently opted in” checkbox.

The site now says that you have opted out, and has an extra cookie (piwik_ignore) to record that you have opted out:

[Screenshot: EU website Privacy Policy page after opting out, 26 Aug 2018]

The tracking cookie is still there …

But the PIWIK cookie (PIWIK_SESSID) is still there!

Does it disappear when I go to another page on the site, e.g. the page on Personal Data Protection? No, the cookie is still there.

Perhaps it will go away if we close the browser completely and re-open it …

What if I close the browser completely and open it up again? Will the cookie have disappeared? Apparently not!

[Screenshot: EU Privacy Policy page after closing and reopening Chrome, as at 2013 on 26 Aug 2018]

It’s not just Google Chrome: similar things happen if you open the site in a different browser, Microsoft Edge.
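The manual check above (which cookies appear before any consent, and whether the tracking cookie survives an opt-out and a browser restart) can be replayed in code. This is an added example, not code from the original article or from the EU site: it runs a constructed sequence of Set-Cookie headers through a minimal cookie jar. The names first_a and first_b and all cookie values and attributes are assumptions; has_js, PIWIK_SESSID and piwik_ignore are the names reported in the article.

```javascript
// Constructed capture: Set-Cookie headers per step of the walk-through above.
// has_js, PIWIK_SESSID and piwik_ignore are the names the article reports;
// first_a, first_b and every value and attribute are made up for illustration.
const steps = [
  { action: "open home page", setCookie: ["first_a=1; Path=/", "first_b=1; Path=/; Max-Age=86400"] },
  { action: "select English", setCookie: ["has_js=1; Path=/"] },
  { action: "open privacy policy", setCookie: ["PIWIK_SESSID=abc123; Path=/; Max-Age=1209600"] },
  { action: "untick opt-in box", optOut: true, setCookie: ["piwik_ignore=1; Path=/; Max-Age=63072000"] },
  { action: "open another page", setCookie: [] },
  { action: "restart browser", restart: true, setCookie: [] },
];

// Parse one Set-Cookie header into { name, persistent, deleted }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const a = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i > 0) a[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  // Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie.
  const ttl = "max-age" in a ? Number(a["max-age"]) * 1000
    : "expires" in a ? Date.parse(a["expires"]) - Date.now() : null;
  return { name, persistent: ttl !== null, deleted: ttl !== null && ttl <= 0 };
}

// Replay the steps through a minimal cookie jar and report the two findings
// checked by hand in the article.
function auditCookieFlow(flow, trackingNames) {
  const jar = new Map();
  const setWithoutConsent = [];
  let consented = false;
  for (const step of flow) {
    if (step.consent) consented = true; // an explicit opt-in step, if the flow has one
    if (step.restart) {
      for (const [n, c] of jar) if (!c.persistent) jar.delete(n); // session cookies end
    }
    for (const header of step.setCookie) {
      const c = parseSetCookie(header);
      if (c.deleted) { jar.delete(c.name); continue; }
      jar.set(c.name, c);
      // A cookie recording the opt-out choice itself is not counted.
      if (!consented && !step.optOut) setWithoutConsent.push(c.name);
    }
  }
  return { setWithoutConsent, trackingStillPresent: trackingNames.filter((n) => jar.has(n)) };
}

console.log(auditCookieFlow(steps, ["PIWIK_SESSID"]));
```

A flow that honoured the opt-out would send PIWIK_SESSID again with Max-Age=0 on the opt-out step, and trackingStillPresent would come back empty.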

Conclusion

My conclusion? Again, I am not a lawyer, but I think it is not clear whether the EU website complies with the GDPR (its own regulations) at the moment:

  • there is no prominent cookie notice when you visit the site
  • you have to explicitly opt out of being tracked
  • even when you do opt out, contrary to what the site says, the same or very similar cookie that is used for tracking is still there.

(Article dated 26 August 2018). #GDPR, #EU #Cookies #Privacy