Data Privacy and Inclusion Best Practices

This new white paper by Stanford Institute for Human-Centered Artificial Intelligence (HAI) titled "Rethinking Privacy in the AI Era" addresses the intersection of data privacy and AI development, highlighting the challenges and proposing solutions for mitigating privacy risks. It outlines the current data protection landscape, including the Fair Information Practice Principles, GDPR, and U.S. state privacy laws, and discusses the distinction and regulatory implications between predictive and generative AI. The paper argues that AI's reliance on extensive data collection presents unique privacy risks at both individual and societal levels, noting that existing laws are inadequate for the emerging challenges posed by AI systems, because they don't fully tackle the shortcomings of the Fair Information Practice Principles (FIPs) framework or concentrate adequately on the comprehensive data governance measures necessary for regulating data used in AI development. According to the paper, FIPs are outdated and not well-suited for modern data and AI complexities, because: - They do not address the power imbalance between data collectors and individuals. - FIPs fail to enforce data minimization and purpose limitation effectively. - The framework places too much responsibility on individuals for privacy management. - Allows for data collection by default, putting the onus on individuals to opt out. - Focuses on procedural rather than substantive protections. - Struggles with the concepts of consent and legitimate interest, complicating privacy management. It emphasizes the need for new regulatory approaches that go beyond current privacy legislation to effectively manage the risks associated with AI-driven data acquisition and processing. The paper suggests three key strategies to mitigate the privacy harms of AI: 1.) Denormalize Data Collection by Default: Shift from opt-out to opt-in data collection models to facilitate true data minimization. This approach emphasizes "privacy by default" and the need for technical standards and infrastructure that enable meaningful consent mechanisms. 2.) Focus on the AI Data Supply Chain: Enhance privacy and data protection by ensuring dataset transparency and accountability throughout the entire lifecycle of data. This includes a call for regulatory frameworks that address data privacy comprehensively across the data supply chain. 3.) Flip the Script on Personal Data Management: Encourage the development of new governance mechanisms and technical infrastructures, such as data intermediaries and data permissioning systems, to automate and support the exercise of individual data rights and preferences. This strategy aims to empower individuals by facilitating easier management and control of their personal data in the context of AI. by Dr. Jennifer King Caroline Meinhardt Link: https://lnkd.in/dniktn3V

This Stanford study examined how six major AI companies (Anthropic, OpenAI, Google, Meta, Microsoft, and Amazon) handle user data from chatbot conversations.  Here are the main privacy concerns. 👀 All six companies use chat data for training by default, though some allow opt-out 👀 Data retention is often indefinite, with personal information stored long-term 👀 Cross-platform data merging occurs at multi-product companies (Google, Meta, Microsoft, Amazon) 👀 Children's data is handled inconsistently, with most companies not adequately protecting minors 👀 Limited transparency in privacy policies, which are complex and hard to understand and often lack crucial details about actual practices Practical Takeaways for Acceptable Use Policy and Training for nonprofits in using generative AI: ✅ Assume anything you share will be used for training - sensitive information, uploaded files, health details, biometric data, etc. ✅ Opt out when possible - proactively disable data collection for training (Meta is the one where you cannot) ✅ Information cascades through ecosystems - your inputs can lead to inferences that affect ads, recommendations, and potentially insurance or other third parties ✅ Special concern for children's data - age verification and consent protections are inconsistent Some questions to consider in acceptable use policies and to incorporate in any training. ❓ What types of sensitive information might your nonprofit staff  share with generative AI?  ❓ Does your nonprofit currently specifically identify what is considered “sensitive information” (beyond PID) and should not be shared with GenerativeAI ? Is this incorporated into training? ❓ Are you working with children, people with health conditions, or others whose data could be particularly harmful if leaked or misused? ❓ What would be the consequences if sensitive information or strategic organizational data ended up being used to train AI models? How might this affect trust, compliance, or your mission? How is this communicated in training and policy? Across the board, the Stanford research points that developers’ privacy policies lack essential information about their practices. They recommend policymakers and developers address data privacy challenges posed by LLM-powered chatbots through comprehensive federal privacy regulation, affirmative opt-in for model training, and filtering personal information from chat inputs by default. “We need to promote innovation in privacy-preserving AI, so that user privacy isn’t an afterthought." How are you advocating for privacy-preserving AI? How are you educating your staff to navigate this challenge? https://lnkd.in/g3RmbEwD

Should we be collecting people's identity data on HR systems? I love data, and I love the power good intersectional data provides us in DEI work. But right now, in this political climate - it's a very scary time to be handing over data about your gender identity, sexuality and (although it's not my lived experience) I imagine its the same for people of different ethnicities or immigration statuses, people with disabilities and Aboriginal and Torres Strait Islander peoples. In Victoria, public service organisations are being recommended to collect that data through the Gender Equality Action Plan process but you can't force someone to share that information, so you are still relying on trust. (And continuing down that path signals to me a lack of understanding of the current global situation) Politics in the US and UK have shown how quickly things can shift. One day, you're safe and affirmed as a trans girl in girl guides; the next, you’re excluded. One day, you're working for an organisation with strong inclusion values; the next, the government changes and you're losing your job—or being made to feel like a criminal. So why would people share this information in a world like this? And how do we do strong, intersectional DEI work without reliable HR data? We: 1. Run best practice, confidential surveys managed externally with strong data governance. 2. Facilitate externally-run focus groups where people can show up fully, with only de-identified summaries shared back. 3. Test our assumptions about workplace barriers with people from diverse backgrounds, then co-design—or at the very least, meaningfully consult on—solutions. 4. Evaluate our actions through qualitative feedback, and quantitative data where possible. 5. Make strong, consistent commitments to inclusion, no matter what's happening around us (Australian Girl Guides have shown leadership here with a brilliant public statement). This work is hard. And right now, it's harder. Many people leading it don’t yet understand the full nuance of what’s going on around the World or the impact it’s having on employees. So: get learning and adapt your strategies. PS: Want help with this? Reach out (I'm on leave for most of January but around next week for conversations!) #DEI #Inclusion #PeopleAndCulture

We talk about data privacy like it's only a compliance issue. It's not. It's a dignity issue too. Every day, vulnerable populations share their most intimate information with social services. Income data. Health records. Immigration status. Housing history. They share because they need help, not because they've chosen to. But do we always handle this with the care it deserves? For example, imagine an organization serving domestic violence survivors and considering a new case management system that would "streamline operations" by centralizing all client data in the cloud. Efficient? Yes. But also potentially dangerous if that data was breached or subpoenaed. They could choose a different path. Local storage. Encrypted communications. Clear data retention policies. It might be more complex, more expensive. But it could better respect the trust their clients place in them. This aligns with how Crisis Text Line handles their 10+ million conversations - they've achieved ICH accreditation by maintaining strict confidentiality protocols, only breaking them when absolutely necessary for safety (https://lnkd.in/gvikqPCs). Privacy isn't just about preventing breaches. It's about recognizing that the people we serve have already had too many choices taken away. The least we can do is protect the information they trust us with. How are you supporting the dignity of your clients in how you treat their data? #DataDignity #PrivacyMatters #TrustInTech #EthicalData #TechWithRespect

Recommended: "AI Ethics and Governance in Practice: Responsible Data Stewardship in Practice" by The Alan Turing Institute Key takeaways: 1. Core Principles of Responsible Data Stewardship  - Data Integrity: Ensuring data is accurate, consistent, complete, and traceable throughout its lifecycle.  - Data Quality: Data must be relevant, representative, up-to-date, and sufficient for the intended use.  - Data Protection and Privacy: Emphasise compliance with laws like GDPR, minimization of data use, and ensuring data security.  - Data Equity: Focus on addressing biases and ensuring fair representation of marginalized communities in datasets. 2. The Data Lifecycle  - the data lifecycle includes stages such as data planning, creation, procurement, curation, analysis, retention, reuse, and decommissioning.  - Iterative processes ensure quality and integrity as regulations or project goals evolve. 3. Practical Application  - Data Factsheets: A tool to document and evaluate datasets' integrity, quality, and stewardship practices across the project lifecycle.  - Risk Management Frameworks: These are used alongside factsheets to identify potential harms and ensure ethical compliance. 4. Workshop and Training Approach  - Activities like case studies (e.g., facial recognition in policing) and group discussions aim to build capacity and practical understanding of responsible data practices.  - Facilitators and participants are encouraged to analyze and apply concepts in real-world scenarios critically. 5. Considerations for AI in Specific Domains  - Use cases focus on policing, healthcare, and social care, emphasizing harm mitigation and public benefit.  - Examples highlight risks such as biases in predictive modeling and the need for trust-building measures with stakeholders. 6. Integration with Broader Governance  - The workbook ties into a broader framework of eight workbooks on AI ethics, covering sustainability, accountability, fairness, and safety.  - Encourages alignment of AI project teams with ethical and legal guidelines for trustworthy AI innovation. #AI #responsibleAI #governance

The Cybersecurity and Infrastructure Security Agency together with the National Security Agency, the Federal Bureau of Investigation (FBI), the National Cyber Security Centre, and other international organizations, published this advisory providing recommendations for organizations in how to protect the integrity, confidentiality, and availability of the data used to train and operate #artificialintelligence. The advisory focuses on three main risk areas: 1. Data #supplychain threats: Including compromised third-party data, poisoning of datasets, and lack of provenance verification. 2. Maliciously modified data: Covering adversarial #machinelearning, statistical bias, metadata manipulation, and unauthorized duplication. 3. Data drift: The gradual degradation of model performance due to changes in real-world data inputs over time. The best practices recommended include: - Tracking data provenance and applying cryptographic controls such as digital signatures and secure hashes. - Encrypting data at rest, in transit, and during processing—especially sensitive or mission-critical information. - Implementing strict access controls and classification protocols based on data sensitivity. - Applying privacy-preserving techniques such as data masking, differential #privacy, and federated learning. - Regularly auditing datasets and metadata, conducting anomaly detection, and mitigating statistical bias. - Securely deleting obsolete data and continuously assessing #datasecurity risks. This is a helpful roadmap for any organization deploying #AI, especially those working with limited internal resources or relying on third-party data.

The biggest privacy risks often hide in plain sight 👀 Over the past few weeks, Timothy Nobles has been diving deep into quasi-identifiers - those seemingly harmless data points that become privacy landmines when combined. ZIP codes, age ranges, visit dates - individually safe, collectively dangerous. This challenge keeps coming up in conversations with teams across healthcare, fintech, and consumer analytics. Organizations are drowning in complex privacy regulations while trying to maintain data utility for critical insights. That's why our team at Integral Privacy Technologies created this comprehensive Pocket Guide to Quasi-Identifiers 📋 What's packed inside: ✔️ Real-world industry scenarios - from the "rare disease specialist" healthcare dilemma to financial "transaction fingerprints" ✔️ Practical risk assessment frameworks - no PhD in statistics required ✔️ Actionable implementation strategies - statistical safeguards, technical controls, and governance best practices ✔️ The privacy-aware mindset - how to spot risks before they become compliance nightmares The guide breaks down complex concepts like Dr. Latanya Sweeney's research showing 87% of Americans can be uniquely identified using just ZIP code, birth date, and gender - insights that fundamentally change how we think about "anonymous" data. For teams navigating: - Healthcare data with rare conditions creating small cohorts - Financial transaction patterns that reveal individual behaviors - Consumer research combining household demographics with purchase data We’re excited to share this practical guidance born from working with teams who need to balance privacy protection with business value every day. Download the complete pocket guide: https://lnkd.in/eQuuxhzH Ready to transform your approach to sensitive data compliance? Let's connect: useintegral.com

Responsible data management is essential – regardless of your industry or whether you’re B2B or B2C. Trust and accessibility should be at the heart of how we collect and use data. This recent The Wall Street Journal article highlights several principles that resonate even beyond consumer personalization and are foundational for any data strategy. A few key takeaways: ⚫ Trust is paramount: Data can only drive value when stakeholders trust how it’s collected, managed, and used. Building this trust requires transparency, ethical practices, and governance. ⚫ Consent matters: Whether working with customer, partner, or employee data, obtaining clear and explicit consent is critical. This not only ensures compliance but also strengthens relationships and protects reputation. ⚫Accessibility unlocks innovation: Breaking down data silos and making high-quality data accessible across teams enables better problem solving and more informed decision-making. ⚫ Cross-functional collaboration is key: Effective data management requires alignment between business, IT, privacy, and risk teams. Unified strategies and shared goals help organizations maximize the value of their data assets. These principles apply whether you’re personalizing marketing, improving operations, or driving strategic decisions. Responsible data management isn’t just about compliance, it’s about creating value and enabling innovation. I’d love to hear from you: How is your organization building trust and accessibility into its data practices? https://lnkd.in/eCwXUsSd

🔍⚖️ Practitioners Guide To Responsible AI - Part 3 Building on our previous discussions (https://lnkd.in/ekchutB4), today we delve deeper into the first layer of our Responsible AI framework: Model Training & Data Security. In the healthcare and life sciences sectors, the integrity and security of data are paramount. This layer addresses key concerns such as: 1/ Data Privacy: Ensuring patient data is protected and compliant with regulations. 2/ Bias Mitigation: Implementing comprehensive strategies to prevent bias in AI models, ensuring equitable outcomes across different demographics. 3/ Data Integrity: Maintaining the accuracy and consistency of data throughout its lifecycle. and 4/ Secure Data Handling: Safeguarding data during storage and transfer to prevent unauthorized access. So, what does this mean in practice? Let’s look at some examples: If your organization handles unique patient data, it's crucial to ensure that your AI models do not inadvertently favor specific races or genders. But when you want to do this at scale, you will need integrated tools to continuously validate, test, and audit both the data and the model through their lifecycle. Another example, when sharing data across lines of business, the data and its metadata should be self-contained and easily interpretable to prevent misinterpretation. Again, you will need tools to do this at scale – accounting for discovery, authentication and authorization. Well, it's easier said than done! How would one go about supporting these responsible AI practices at scale? AWS, for example, offers a range of integrated tools that allow for organizations to manage these issues at scale. Amazon SageMaker Clarify helps detect and mitigate bias during data preparation, model training, and deployment, providing insights into model predictions for greater transparency. Amazon DataZone facilitates governed data sharing and metadata management, ensuring data privacy and integrity across business lines. Additionally, AWS Identity and Access Management (IAM) and AWS Key Management Service (KMS) ensure secure data handling by managing access and encryption. These tools collectively enable healthcare and life sciences organizations to implement robust data governance and responsible AI practices effectively. In my next post, I will dive deeper and share insights on the next layer of our Responsible AI framework: Model Usage, Infrastructure, and Deployment. 💬 How are you integrating Responsible AI practices and tools into your operations at scale? 📢 Subscribe to my newsletter to get access to strategies and practical guidance on accelerating adoption of generative AI within your organization. Get started here: https://lnkd.in/g3bdneR7 #genai #ai #aws #ResponsibleAI #AIinLifeSciences #HealthcareAI #AIEthics #AIGovernance #AISecurity