theonline.mba
← Back to unit 1: Data Foundations

OMBA 102 · Unit 1 · Lesson 5 of 5

Ethics and Governance in Business Data

Data Foundations

Lesson

Power without guardrails

A national retailer deployed dynamic pricing that raised essential goods prices in neighborhoods experiencing flood warnings. The model used browsing history and zip-level demand signals. It was likely legal in many jurisdictions that day. It was also a reputational catastrophe: screenshots spread, politicians called, and trust eroded faster than margin rose. The analytics team had optimized revenue per session. No one had asked whether exploiting vulnerability was within corporate values. Ethics and governance are how firms align data power with permission to operate.

Across Lessons 1–4, you learned to ask decision-grade questions, respect measurement scales, audit quality and bias, and structure data responsibly. This closing lesson addresses what you may do with sound analysis. Managers set tone on collection, use, retention, access, and accountability. Personal data (information that identifies or can identify a person) flows through HR systems, marketing stacks, credit models, and collaboration tools. Mishandling it harms people and triggers regulatory, legal, and brand costs.

Unit 1 ends here, but the habits compound. A well-structured cohort table (Lesson 4) built on biased survey data (Lesson 3) analyzed with wrong averages (Lesson 2) to answer a vague business question (Lesson 1) is still a failure. Ethics is the outer ring: even perfect mechanics do not justify harmful uses.

Privacy, consent, and purpose limitation

Privacy is not secrecy alone. It is bounded use of identifiable information with informed expectations.

Core principles:

  • Purpose limitation: collect for a stated purpose; do not repurpose silently
  • Data minimization: collect only fields needed for that purpose
  • Transparency: people understand what is collected and why
  • Retention limits: delete or de-identify when no longer needed

GDPR (General Data Protection Regulation, European Union privacy law) and CCPA (California Consumer Privacy Act, California privacy law) grant rights such as access, deletion, and opt-out of certain sales/sharing. Sector laws add teeth: HIPAA (Health Insurance Portability and Accountability Act, U.S. health data rules) for health; GLBA (Gramm-Leach-Bliley Act, U.S. financial privacy rules) for financial institutions.

Regulatory lists change. The managerial constant is respect for reasonable expectations: collect for a clear purpose, protect what you store, delete when done, and tell people the truth in plain language.

"We can technically track it" is not "we should." Managers should ask: Would we defend this collection in a customer letter? If uncomfortable, pause and redesign.

Employee monitoring deserves the same lens. Keystroke logging may boost short-term productivity metrics while destroying trust and raising attrition (a cost analytics rarely models).

Consent must be meaningful, not a terms-of-service wall nobody reads. If users would be surprised to learn a field is collected, you are out of step with purpose limitation even before lawyers weigh in. For employees, disclose what is measured, how scores influence pay and promotion, and how to challenge errors.

Children's data, precise geolocation, and health-related fields deserve heightened caution. Even when legal, combining them with advertising or punitive HR actions crosses common-sense lines that customers and employees remember longer than regulators.

Fairness, disparate impact, and proxy variables

Even without explicit race or gender fields, models can produce disparate impact (unequal outcomes across protected groups) through proxy variables (features correlated with protected attributes).

Zip code as a credit feature can proxy for race and neighborhood disinvestment history. Attendance as a performance signal can disadvantage caregivers. Delivery speed targets can penalize drivers assigned harder routes.

Fairness work is not only legal compliance. It is product legitimacy and risk management.

Historical training data encodes past discrimination and past commercial choices (redlining maps, legacy hiring patterns). A model trained naively on outcomes will recommend repeating them. Governance asks whether the firm is willing to sacrifice short-term model accuracy to remove proxies that should not drive decisions.

Mitigation steps managers can require:

  1. Document protected classes relevant to the decision (lawful scope varies by country).
  2. Test outcome rates by group where ethical and legal review permits.
  3. Prefer interpretable factors tied to legitimate business risk (repayment capacity, job requirements).
  4. Maintain human review for high-stakes automated decisions (credit, hiring, discipline).

Appeals should be measurable, not theatrical. Track time-to-resolution, overturn rate, and reasons. A low overturn rate can mean a good model or a broken appeal path; disaggregate by reviewer and segment.

From Lesson 3, biased samples make fairness testing harder. Governance and quality intersect: you cannot audit what you do not measure.

Security as governance, not only IT

Data governance includes who may access which fields, how exports are logged, and how production data is handled on laptops.

Controls:

  • Role-based access control (permissions by job function)
  • Encryption for sensitive exports
  • Audit logs for bulk downloads
  • Separation of production and test environments (no real customer emails in dev)

Breaches are ethical failures with legal price tags. A lost laptop with unencrypted applicant data can end careers and contracts.

Managers approve tools and data sharing. When a vendor asks for full customer dumps "for training," ask about retention, subprocessors, and deletion clauses. A free analytics tier often funds itself with your customer behavior. Saying no is cheaper than explaining a leak.

Require least privilege: analysts who need aggregated campaign performance should not have access to government ID numbers or precise home addresses. Access reviews quarterly catch role creep when people change jobs but keep old permissions.

Algorithmic accountability and documentation

When ML (machine learning, statistical models that learn patterns from data) scores applicants, sets prices, or prioritizes leads, maintain:

  • Model documentation: training data snapshot, features, known limits
  • Version control: which model scored this case on this date
  • Appeal path: humans can review overrides with reasons
  • Monitoring: performance drift by segment (Lesson 2 structure; Lesson 3 quality)

Black-box convenience becomes liability when outcomes harm people and nobody can explain why. Regulators and journalists increasingly ask for interpretability and process, not only accuracy.

Document who approved deployment, what alternatives were rejected, and what monitoring will trigger a pause. That paper trail is boring until it is the only proof the company acted reasonably after a wrongful denial complaint.

Surveillance, culture, and the newspaper test

Short-term metric gains from surveillance often borrow against long-term culture. Ask the newspaper test: Would we be comfortable if this monitoring method appeared on the front page of a major business publication?

If the answer is no unless "everyone does it," that is not ethics; that is reputational arithmetic. Leadership should model restraint.

Surveillance can also distort the behavior it measures. Sales teams told that email response time is scored may game timestamps while customers wait. Teachers measured on test scores may teach to the test while learning suffers. The metric becomes the mission, and ethics asks whether that mission matches stated values.

Governance operating model

Not every startup needs a formal committee. Every company needs named owners and a pause button for gray-area projects.

RoleResponsibility
Executive sponsorSets risk appetite and escalation
Data owner (domain)Metric definitions, access policy
Privacy/legalRegulatory mapping and contracts
Analytics leadQuality, documentation, reproducibility
Ethics review (ad hoc)High-stakes new uses (pricing, HR scoring)

Integrate governance into the decision memo template from Lesson 1: purpose, population, limitations, fairness check, retention plan. The memo should also list data classes (public, internal, confidential, restricted) and who may access each. Restricted fields (government IDs, full payment card numbers) should never land on general analytics sandboxes.

When analytics competes with speed, the pause button is how you avoid becoming a cautionary tale. A 48-hour ethics review on a pricing experiment is cheaper than a 48-hour social media storm.

Third-party vendors, subprocessors, and data sharing

Most firms store data in cloud SaaS (software as a service, subscription software hosted by vendors) tools: CRM, marketing automation, data warehouses. Each vendor becomes a subprocessor (a vendor processing data on your behalf) with contractual duties.

Before approving a vendor export, review: data residency (country of storage), encryption, breach notification terms, deletion on contract end, and whether your data trains their global models. "Free analytics tier" often funds itself with your customer behavior.

Data sharing with partners (co-marketing, credit bureaus) needs purpose limitation in contracts. If you collected email for product updates, sharing emails to an ad network without consent violates expectations and may violate GDPR/CCPA depending on configuration.

Managers should maintain a vendor register: system, owner, data classes stored, last security review date.

International and cross-border considerations

Serving customers in multiple countries multiplies rules. GDPR emphasizes consent, deletion, and data minimization for EU persons. U.S. practice is sectoral and state patchwork (CCPA/CPRA in California, and evolving state laws). A global dashboard that centralizes personal data in one warehouse must document lawful basis for transfer mechanisms.

Do not assume anonymization allows free export. Aggregates built from small groups can re-identify individuals. Lesson 3 coverage concepts apply internationally: if you only sample EU users who opt in, your model may underrepresent reluctant users.

Cross-border transfers may require SCCs (standard contractual clauses, EU-approved contract terms for data transfers) or other mechanisms depending on legal advice. Document the mechanism in the vendor register. "We store everything in one U.S. bucket" is not a strategy.

When uncertain, escalate to privacy/legal before launch. A two-week legal review beats a two-year investigation headline.

Consent, notice, and employee boundaries

Consumer consent must be specific and not buried. Pre-checked boxes and dark patterns erode trust and attract regulators. For employees, collective agreements or local labor law may restrict monitoring beyond disclosed policies.

Publish an internal acceptable use policy for customer data: no browsing celebrity accounts, no exporting passwords, no "fun" side projects on production tables. Culture starts with what executives tolerate.

Training matters: new managers should see one example of a halted project and why. Ethics training that only lists laws without case texture feels distant. Use your own near-miss stories (sanitized) to make governance memorable.

Incident response and the breach playbook

When customer data leaks, governance shifts from policy to crisis. Teams need a written incident response plan: contain access, preserve logs, notify legal, assess scope, communicate to users and regulators within required windows. GDPR emphasizes timely notification; many U.S. state laws add similar duties.

Post-incident, run a blameless review: which role had excessive access, which export lacked approval, which vendor contract failed. Update retention and access rules. Lesson 3's quality dimensions apply after breaches: accuracy of scope counts, completeness of affected user lists, timeliness of disclosure.

Managers practice scenarios tabletop-style once a year. "An analyst emailed a CSV of applicants to a personal account" should trigger known steps, not improvisation.

Ethics review for new data uses

High-stakes new uses (pricing vulnerable households, scoring workers for termination, selling location histories) deserve a structured pause. A lightweight ethics review memo answers: purpose, population, harms, mitigations, alternatives, and opt-out paths. Participants: product, legal, analytics, and a dissenting voice not rewarded for saying yes.

The memo is not bureaucracy if it prevents one front-page failure. Tie approval to monitoring commitments (Lesson 3 drift checks; Lesson 4 logging of model versions).

Ethics also includes whistleblower safety. If an analyst flags disparate impact and is told to "just run the numbers," governance failed culturally even if policies exist on paper. Executives should reward escalation on harm risks, not only speed to ship.

Retail pricing during local emergencies, covert employee sentiment scoring, and selling sensitive inferences to data brokers are recurring gray zones. The review memo forces naming harms in plain language before code ships.

Unit 1 closes with a simple integration test for leaders: Can you state the decision question, the population, the grain, the known biases, the legitimate summaries for each field, and the ethical guardrails? If any answer is missing, the work is not ready for capital allocation.

Ethics is not the opposite of innovation. It is how innovation scales without backlash. Firms that explain their data practices clearly often earn pricing power and talent advantages that spreadsheets understate.

Returning to Unit 2, you will describe business performance with descriptive statistics. Those summaries only help when the underlying questions, scales, quality checks, structures, and governance boundaries from Unit 1 are already explicit.

Board members rarely ask for p-values first. They ask whether the data was collected fairly, whether the metric can be explained to a journalist, and whether the decision respects customers and employees. Governance is how you answer yes with evidence.

When in doubt, choose the slower path with documentation. Speed without guardrails is how competent teams become case studies other MBAs read for the wrong reasons.

Carry Unit 1 habits into every subsequent analysis: name the decision, name the population, name the grain, document bias limits, and state who approved sensitive uses. Those five sentences belong in the footer of every executive slide deck that touches personal or high-stakes data. If the footer cannot be written honestly, the slide is not ready for the boardroom, the public, or your own team yet.


Worked example: HelioBank alternative credit model

HelioBank wants to approve thin-file applicants using cash-flow signals from linked accounts and utility payments.

Part A: Setup and stakes

Business question: Can we expand approvals without raising default rates?

Data: Transaction categories, rent payments, overdraft counts, education level, zip code.

Stakeholders: Chief risk officer, compliance, community advocates, product lead.

Part B: Risk review

Proxy risk: zip_code and education_level may recreate demographic disparities. MNAR risk (Lesson 3): only applicants who opt into linking appear; enthusiastic users differ.

Fairness test (simplified): approval rate by race/ethnicity where lawfully collected for monitoring; if gaps exceed policy threshold, investigate features driving gap.

Part C: Controls adopted

  • Remove zip_code as direct feature; allow macroeconomic region only at coarse level approved by compliance
  • Require reason codes for denials
  • Human review for scores near cutoff
  • Quarterly drift monitoring by segment
  • Retention: raw transaction features deleted 90 days post-decision; keep model inputs summary only

Check: documented feature list version v3.2 signed by compliance ✓; access roles: risk analysts read scores, marketers cannot ✓.

Part D: Managerial read

Expansion proceeds with limits: marketing cannot reuse cash-flow features for unrelated campaigns (purpose limitation). Board question: "What is default rate by segment vs incumbent model, and what is our appeal volume?" Ethics here is competitive advantage if trust rises.

Part E: Ongoing monitoring

HelioBank schedules quarterly fairness metrics and appeal rates. If approval gaps widen for a monitored group beyond policy tolerance, compliance can throttle auto-approvals and require manual review. Version 3.2 features remain archived even after v3.3 ships so applicants can learn which logic scored them.


Worked example: Northstar HR "productivity score"

Northstar Logistics rolled out a warehouse productivity score blending picks per hour, idle time from badge scans, and bathroom break duration.

Part A: Ethical flags

Surveillance density harms dignity. Bathroom signal disproportionately affects workers with medical needs. Lesson 2 warning: ratio metrics without context ignore assignment difficulty (aisle distance, SKU weight).

Part B: Governance response

Pause bathroom feature. Normalize picks per hour by assigned zone difficulty index. Publish transparent formula to workers. Create appeal channel with union/HR review. Run disparate impact check on termination recommendations tied to score.

Part C: Outcome framing

Short-term picks/hour rose 4%. Voluntary attrition rose 11% among tenured pickers. Net productivity after rehiring costs fell. The newspaper test failed.

Part D: Managerial read

Replace score-as-punishment with coaching bands and shared goals. Governance lesson: metrics become policy weapons unless culture and appeal paths exist.

Part E: Board questions

Directors should ask: "What did we stop measuring after the backlash?" and "What is attrition cost versus productivity gain?" Ethics reviews that only approve new metrics, never retire harmful ones, fail the newspaper test repeatedly.


Common mistakes beginners make

MistakeReality
Treating compliance as checkbox after buildPrivacy and fairness by design cheaper than retrofit
Using proxies without disparate impact reviewModels replicate historical discrimination
Letting vendors train on customer data without contractsData leaves your control
No appeal path on automated denialsLegal and moral indefensibility
Employee monitoring without transparencyTrust collapse shows up later as attrition cost
Confusing anonymization with low riskRe-identification is often feasible
Storing data "just in case"Retention creep increases breach impact

Practice problem

A health tech app, VitalLoop, proposes selling aggregated step-count data to insurers while retaining user-level histories indefinitely for "future products."

Tasks:

  1. List three privacy risks using purpose limitation and minimization.
  2. Propose governance controls (technical, process, cultural).
  3. How does Lesson 3 missingness/bias appear if only avid trackers opt in?
  4. Write two sentences for a user-facing transparency notice in plain language.

Solution

1. Risks: Repurposing beyond original wellness purpose; indefinite retention expands breach surface; insurer use may affect pricing in ways users did not expect; avid-tracker sample is not general population.

2. Controls: Opt-in with granular purpose flags; default aggregates only with k-anonymity thresholds; retention schedule with auto-delete; DPIA (data protection impact assessment, structured privacy risk review) before insurer deal; legal review of HIPAA/state health privacy if applicable; internal access on need-to-know.

3. Selection bias: MNAR/self-selection; healthy enthusiasts overrepresented; models understate risk for sedentary members; fairness harm if insurer rates use non-representative data.

4. Notice example: "We use step counts to show your weekly activity trends in the app. We do not sell your name with step data. If you opt in, we share anonymous city-level averages with research partners. You can delete your account data anytime in Settings."


Practice problem 2

RetailCo wants to rank store managers on conversion rate minus shrink without adjusting for store traffic volatility.

Tasks:

  1. Identify one fairness issue and one measurement bias issue (Lesson 3 link).
  2. Name two governance artifacts to require before HR uses the ranking.
  3. What does the newspaper test suggest?

Solution

1. Fairness: Managers assigned high-shrink urban stores look worse regardless of skill. Measurement bias: Shrink definitions drift when loss prevention changes tagging; conversion ignores staffing cuts corporate imposed.

2. Artifacts: Written metric definition with owner; annual disparate impact review by store demographic context at coarse level; appeal workflow with regional review; versioned dashboard changelog.

3. Newspaper test: Headline "RetailCo punishes managers for corporate shrink policies" suggests pause; adjust metrics or publish contextual bands.

Explain why: HR analytics without governance artifacts becomes automatic discipline. Employees experience metrics as surveillance; Lesson 5 ties fairness to operational legitimacy, not only compliance checklists.


Practice problem 3

An app sells mental wellness content and considers sharing mood-check-in text with employers who subsidize the benefit.

Tasks:

  1. List two harms if employers see raw text.
  2. Name purpose limitation violation if users signed up for personal wellness only.
  3. Propose an aggregate alternative and one access control.

Solution

1. Harms: retaliation risk, stigma, loss of candid responses, chilling effect on help-seeking.

2. Users expected personal support; employer analytics is new purpose requiring new consent and legal review (HIPAA/ERISA context may apply depending on setup).

3. Aggregate: monthly anonymized stress index by company site with minimum cell size k=20; no text. Access: role-based view; employer sees only aggregates prepared by independent administrator.

Explain why in prose: Wellness data is among the most sensitive categories because users type honestly only when they trust boundaries. Employer access destroys that trust and may violate purpose limitation even when technically feasible.


Practice problem 4 (integrative)

A fitness app shares "anonymized" workout routes on a public map. Routes start and end at home addresses for 40% of users in low-density suburbs.

Tasks:

  1. Is this anonymized? Why or why not?
  2. Name two harms.
  3. Propose one technical and one policy fix.

Solution

1. Not sufficiently anonymized; sparse routes re-identify residences.

2. Harms: stalking risk, landlord or insurer inference about health conditions, loss of user trust.

3. Technical: snap endpoints to grid cells or truncate start/end within 500m of known gyms only. Policy: opt-in sharing default off; ethics review for any public map feature.


Key takeaways

  • Privacy, fairness, security, and accountability are managerial duties, not legal footnotes.
  • Proxy features can produce disparate impact even without explicit protected-class columns.
  • Document models, limit retention, control access, and provide appeal paths for automated decisions.
  • Apply the newspaper test before deploying surveillance or exploitative personalization.
  • Name owners and integrate ethics checks into decision memos alongside data quality notes.

After this lesson

  1. What data does your team collect that users or employees may not expect? Who approved it?
  2. Where could an automated rule disparately impact a group? What test would you run first?
  3. Return to the unit page for assessments, or continue to Unit 2: Describing Business Performance.

Lesson exercise

40 min

Apply: Ethics and Governance in Business Data

Using your anchor company (or Data, Statistics and Managerial Decisions default), complete a focused exercise on **Ethics and Governance in Business Data**. 1. Write the decision frame (choice, owner, date, constraints). 2. Apply the lesson framework with at least one table and one explicit assumption. 3. Add a downside scenario and a guardrail metric. 4. Conclude with a recommendation and what would change your mind.

Deliverable

One-page workbook entry or memo section filed under OMBA 102 Unit materials.

Rubric

  • Decision frame is specific and time-bound
  • Framework applied with auditable steps
  • Downside case is plausible, not strawman
  • Guardrail metric defined with owner
  • Recommendation links to evidence quality label