How much data is enough data for your IoT application?
This probably seems self-evident to most people. For example, if Jones somehow gains access to Smith’ medical records without getting Smith’s approval beforehand, then Jones has clearly behaved wrongly.
So, consent seems to be a very important component, if the collection of personal data is going to be ethically legitimate. In other words, consent seems to be a necessary condition for legitimate collection of personal data.
But notice that it is also often a sufficient condition. This means, that if Jones has collected Smith’ consent beforehand, then we do not need any additional information in order to know that it was ethically legitimate for Jones to gain access to Smith’s information.
In most cases, however, the consent would need to be a genuine and informed consent. This means that, if Jones threatens Smith to give him the medical records, or if Smith believes that he is consenting to something else, then the consent doesn’t count.
Cases of uninformed consent are, unfortunately, common in the tech-world. Too often, the data subject is asked to confirm that they have read a very long terms and conditions form. Surprises can be intentionally hidden in the form, since it is very unlikely that the data subject will actually read the whole thing.
In other cases, information has been collected without any form of consent, for example when producers of smart TV’s spy on customers through the TV’s camera. See for example this Article.
When talking about consent, it is important to make the distinction between explicit and implied consent. Explicit consent means that Smith has explicitly given Jones permission to gain access to Smith’s medical record.
Contrast this with the following example of implicit consent: Smith has voluntarily uploaded his medical record online, for everyone to see, so Jones now has access to the record. Has Jones now behaved wrongly? It seems not. By voluntarily uploading the record online, Smith has implicitly consented to people gaining access to the medical record.
When Seluxit gains access to data about people, it is most often not personal data, in the sense that it is traceable to an identifiable individual. Most often, the data is about how a specific device is being used. Nonetheless, Seluxit makes sure that the data subject has given explicit consent, before Seluxit collects any data. And, Selulix strongly encourages customers to comply with this principle. In general, we stand by this principle: No consent - no collection.
So what exactly is Seluxit doing about data ethics? Seluxit has taken the initiative to employ a PhD student in the field of philosophy with a specialization in ethics, and is writing a collection of principles of data ethics.
These principles have general application but stem from questions that arise in our daily work. The principles will serve to guide the decisions we make in our work. The principles, which can be browsed here on our website, are being published in a series.