
Coursework One: Case study

CST4080

Legal, Ethical and Security Aspects of Data Science

Words: 2500

Your Name

Supervisor Name

University

Date

Question 1: (Data Protection)

At the start of its operations, MRL were advised to conduct a data protection impact assessment. An
important aspect of a data protection impact assessment is the identification and assessment of the risks
to the rights and freedoms of data subjects. Explain at least three different types of risks related to the
processing activities of MRL.

Violation of legal compliance and intellectual property rights: MRL might violate the intellectual
property rights governing the use of the big data system. Given that the big data system might involve
third-party service providers, the rights over the database, images, data, and big data algorithms might
not be fully owned by MRL. Therefore, the company might violate intellectual property rights if some of
the resources in the system are taken by third parties for illegal use. If data subjects' data are illegally
used, MRL might also violate the General Data Protection Regulation (GDPR) rights under Article 35(7)
of UK law (Nwankwo, 2021). These two violations might lead to serious legal consequences such as
financial penalties and imprisonment, especially when the actual owners of the intellectual property
find that MRL is using their property for company gain with or without consent.

Cyber-attacks: these might threaten data confidentiality, integrity, and privacy. Patients' data might
find their way to third parties who could decide to use them to cause further harm to the data subjects.

Data loss: due to increased online hacking and illegal access, attackers might decide to steal or delete
all the data from MRL's system, leading to data loss.

MRL wants to develop a new IT system to be used for their data science activities involving the
extensive processing of personal data. They have been advised that any new IT system should comply
with data protection by design and default. Citing legal authority advise MRL on what data protection
by design and default means and give examples of the kind of measures that they can take to comply
with this obligation.

According to the UK GDPR (2016) and the European Union (2016) regulation on data protection, MRL
should develop a new IT system that complies with Article 35 and Article 40 of the GDPR. This
means that the new IT system should protect data subjects' data by design and by default. By design, it
means that MRL's new IT system has to incorporate robust technical functions, features, and
provisions to safeguard individuals' data from violations of their rights and freedoms. For instance, the
new system should have a strong password policy and enforce access control lists so that user
information cannot easily be accessed illegally. By design, the system should also have a robust data
encryption function to ensure that even if an illegal user bypasses the password protection and accesses
the IT system's databases, they would still not be able to understand or use the data unless in possession
of the decryption keys.

Under Regulation (EU) 2016/679 (GDPR), data protection by default means that any action undertaken
by MRL pertaining to the new IT system should be informed by data protection and privacy principles.
For instance, if MRL disclosed patients' data to third parties without the informed consent of the patients
or data subjects, then privacy by default would have been violated according to Regulation (EU) 2016/679
(GDPR, 2016).

Citing relevant legal authority, advise MRL on their data protection obligations if they discover a
cyber-attack that resulted in an extensive data breach affecting thousands of identifiable medical
records.

According to the EC and its GDPR (2016) regulation, the UK Data Protection Act (2018) and Carey
(2018), MRL has a first obligation to protect the rights of data subjects from cyber-attackers. Article 28
of the GDPR (2016) requires MRL to appoint a controller and a processor officer to oversee data
security mechanisms and ensure they comply with the obligation to protect patients' data from exposure
and illegal use. MRL, through its data controller, should inform all users of the data breach and the
attack in order to obtain their consent regarding the matter. It should also carry out regular and
systematic supervision of data subjects' data in order to ensure data integrity and privacy as well as the
rights and freedoms of data subjects. Further, MRL has an obligation to undertake data security
measures to correct the mistake that led to the cyber-attack, for instance by strengthening the system's
exploited or vulnerable spots.

Citing relevant legal authority, advise MRL on their legal obligations if issued with the following from
the UK Information Commissioner: an information notice to provide a true account of any cyber-
attacks within the last year; a request to inspect IT systems used to process personal data in order to
discharge an international obligation; an information notice to produce communications that they had
with their lawyers, in regard to any cyber-attack.

According to the EU and UK GDPR (2018) and the Data Protection Act 2018 (DPA 2018), on behalf of
the UK Information Commissioner, MRL has the first legal obligation to report the cybercrime
occurrence to the relevant authority, i.e. the UK Information Commissioner, within 72 hours for legal
action (GDPR, 2016). MRL is legally obligated to comply and collaborate with the cyber security
investigation team and freely provide any information that will assist the investigation. MRL, through
its data controller and processing officer, should not interfere with the investigation, since doing so
might lead to imprisonment or a financial penalty or both (DPA 2018). MRL should give evidence and a
true account of the cybercrime.

Question 2: (Intellectual Property Rights)

Six months ago, MRL entered secret talks with a French research institution to collaborate on a
project. The French research institution showed MRL their secret blueprint to develop a new gene
sequencing machine. Due to disagreements over financial issues MRL decided not to pursue the
collaboration; however, they used information from the blueprint to develop their own gene sequencing
machine.

MRL should refrain from intellectual property theft as it has serious legal implications. According to the
UK Intellectual Property Act (2014), if MRL proceeds to develop the gene sequencing machine
using the secret blueprint obtained from the French research institution, the company risks breaching
patent protection law. MRL's officials risk imprisonment of up to six months and a fine of 2% of
company turnover. To avoid any legal implications of patent infringement and related intellectual
property theft, MRL should design its own blueprint for the sequencing machine, use that blueprint to
develop the software application and then patent it.

An MRL researcher (David) interested in gene sequencing techniques photocopied an article
(six pages) from a book on genetics (that he found in his colleague's office) so that he could
read the article when relaxing at home.

The MRL researcher breached the UK GDPR (2016) and the UK Intellectual Property Act (2014) on
intellectual property, in particular copyright law, which required him to seek informed consent from the
colleague before photocopying the gene sequencing technique. According to the UK GDPR (2016) and
the UK Intellectual Property Act (2014), photocopying a registered document is not allowed without
seeking consent from the author. This is a criminal offence for which David could be jailed or fined in a
court of law. If found guilty of copyright infringement, David could be fined £50,000, face up to a
six-month jail term, or both (GDPR, 2016).

An MRL researcher (Alan) who is a part-time student at a local university has access to a lot of data
held in the university library. He downloaded 10GB of data from the university, to perform data
mining to complete a commercial project for a client.

Alan used the university's data without its consent for personal economic gain. He exposed the
university's intellectual property to third parties and to commercial use. The university, as the
registered author, has the sole right to sell and use the data it authored. This means that Alan took
ownership of the university's intellectual property for his personal gain, while also failing to
acknowledge the university or to obtain formal consent for the use of the data in his data mining
activities. This contravenes UK ethical academic practices. Although the UK Intellectual Property Act
(2014) has little provision on the subject of fair academic practice and cheating, plagiarism is illegal
and infringes copyright or fair use or fair dealing. Therefore, Alan has committed plagiarism and could
face expulsion from the university. Equally, he may face charges leading to up to six months in jail, a
fine, or both (Intellectual Property Act, 2014).

MRL recently produced a new food supplement, that is being marketed in a bottle similar to
an existing bottle produced by a competitor. The design of the competitor’s bottle is NOT
registered as a trade mark, however, the competitor’s bottle has been well-known in the UK
and popular for over 20 years.

Owners of unregistered trademarks in the UK still have legal rights over their intellectual property
according to the UK Intellectual Property Act (2014). Therefore, MRL might still be sued for passing
off and for copying the ideas of a famous trademark in the market. The competitor could rely on
common law and sue MRL for passing off or design right infringement. According to the UK GDPR
(2016), passing off is used in UK common law to protect unregistered intellectual property such as
product designs and trademarks. Therefore, MRL should act ethically and design a new company brand
to avoid the implications of a passing-off violation.

A researcher (Sarah) employed at MRL wrote a report based on various research experiments that she
conducted at work over two years. Due to her hard work, she requested that her name should be
published as part of the report. MRL published the report but did not include her name.

It appears that MRL may have violated the joint-work rights of authorship, since Sarah still holds
authorship rights as an employee. According to the Copyright, Designs and Patents Act (1988),
regardless of the level of contribution, all authors have equal rights of authorship ownership. In the UK,
the law of joint authorship and copyright ownership is stipulated in section 10(1) of the Copyright,
Designs and Patents Act 1988. The Act protects victims such as Sarah, allowing them to enjoy equal
authorship rights as employees. Therefore, MRL should include her name on the list of authors to avoid
violating joint authorship rights. If MRL does not address the issue, then under the Copyright, Designs
and Patents Act the responsible company officials could face a maximum fine of £5,000 and/or six
months' imprisonment.

MRL recently imported a drug from a company located in a country, where the drug is manufactured
without a licence from the UK pharmaceutical company who developed the drug.

A company (MRL) that holds a manufacturer's licence (regulation 17, Human Medicines Regulations
2012 (HMRs)) can only sell the product to the holder of the marketing authorisation. Companies
from foreign countries that do not have the marketing authorisation or a licence contract to sell the drug
in the UK are not allowed to use local companies such as MRL for their business operations under a
wholesale dealer's licence (regulation 18, HMRs). Therefore, MRL is violating the Medicines
Regulation Act (2012), which requires the foreign company to acquire a licence before partnering with
MRL to sell drugs in the UK market.

Question 4: (Legal issues AI/Machine Learning)

Machine Learning (ML) algorithms are increasingly being used as part of decision-making processes in
both the public and private sectors, with potentially significant consequences for individuals,
organisations and societies. The governance of such algorithms (with social impacts) should include
principles such as: Fairness, Transparency, Accountability, Explainability and Accuracy. Carry out
individual research and for each principle, explain to MRL (i) the meaning of the principle and what it
involves/entails and (ii) why it is important to MRL. In your answer cite any relevant legal authorities
or sources of information used.

The European Commission (2018) provided five ethical and social principles to guide artificial
intelligence and machine learning: beneficence, non-maleficence, autonomy, justice and explicability.
The explanation and importance of each are discussed below.

Name of Principle: Beneficence

Explanation of principle: This principle requires all machine learning or AI systems to be beneficial
to their users regardless of their orientation. The machine learning application or system should be
designed to benefit all people and society (European Commission, 2018). Therefore, the principle
requires that the benefit be non-discriminatory and equal for everyone.

Importance of principle to the activities of MRL: It is important for MRL to use this principle to
design machine learning algorithms that benefit everyone globally. Machine learning tools can be used
to collect big data, analyse it, and generate information that can be used to create solutions to diseases
or problems facing patients. It is important for MRL to design AI and machine learning tools that
benefit not only system users but the entire society, either directly or indirectly. For instance, MRL can
create a machine learning function that fetches gene sequencing data from patients in order to aid the
development of vaccines and disease treatments.

Name of Principle: Non-maleficence

Explanation of principle: According to the European Union (2018), the non-maleficence principle
entails values that prevent harm as a result of machine learning or AI use. The principle requires AI
applications to be a source of happiness for their users rather than suffering. The principle offers a basis
that obliges companies to create AI and machine learning tools that do not cause offence to their users
or to society at large.

Importance of principle to the activities of MRL: Non-maleficence is significant to MRL since it can
use this principle to strengthen medical ethics in its medical information management system. To
achieve this objective it is critical that MRL does not practise any harm or reciprocate illegal
activities using its machine learning tools. In particular, it is important for MRL to use this
principle to enhance its machine learning tools to protect patients' data from harm caused by cyber-
attacks or illegal access. This means that by applying this principle, patients will gain more data
protection rights and freedoms. Besides, data stored in the AI application will not be used as a source
to incite discrimination against the system users (Jahn, 2011).

Name of Principle: Justice

Explanation of principle: The principle of justice requires AI or machine learning companies to
design and develop machine learning tools that equitably distribute benefits, risks, costs, and resources
to everyone. Therefore, each beneficiary will be accorded equal treatment based on need, merit,
effort, contribution, and share.

Importance of principle to the activities of MRL: This principle is important to MRL since it can be
used to design machine learning tools that distribute resources, benefits, costs, and risks equally in
order to enhance fairness. Justice is important since MRL will use it to determine the equal share that
its beneficiaries deserve based on their contribution, effort, and merit as well as their share.

Name of Principle: Explicability

Explanation of principle: The principle states that for artificial intelligence applications to promote
and not constrain human autonomy, the decision regarding which stakeholder should decide must be
informed by knowledge of how the AI would act instead of the data subjects (Robbins, 2019). There is
a strong perception that if a machine learning algorithm decides, for example, whether to give a
patient support, then that algorithm should be understandable and not biased.

Importance of principle to the activities of MRL: The actual importance of explicability for MRL is to
improve the results of its entire process. Ideally, it is not the process itself but all of its decisions that
are required to be understandable and impartial. Also, MRL can use this principle to ensure that there is
a justifiable explanation for every decision or action it makes concerning data management and the use
of machine learning tools (Robbins, 2019). Explicability is important since MRL will use it as a
platform to seek informed consent from data subjects so that they appropriately understand how their
data is being used. MRL can also use the provisions championed by the explicability principle to
update stakeholders about data security in order to dispel mistrust.

Name of Principle: Respect of autonomy

Explanation of principle: Respect for autonomy is a principle in machine learning usage that requires
the designers and implementers of machine learning applications to respect people and their social and
cultural orientation. It is essential for stakeholders not to use AI tools as a platform to disrespect,
undermine, or discriminate against data subjects based on their physical attributes or skin colour.
The European Union uses this principle in relation to machine learning to encourage respect for data
subjects and to allow them self-determination without being coerced or undermined on the basis of
their socio-cultural attributes in order to influence their decisions.

Importance of principle to the activities of MRL: It is important for MRL to use this principle to
allow or encourage its data subjects or users to make their own decisions on how their data should be
used. By applying this principle, MRL will give patients more rights and freedom to exercise power
over their data and how it is used. This means that MRL will seek informed consent every time
patients' data are used.

References

Carey, P., 2018. Data protection: a practical guide to UK and EU law. Oxford University Press.

European Union, 2018. Establishing the rules for building trustworthy AI. Nature Machine
Intelligence, 1(6), pp.261-262.

Jahn, W.T., 2011. The 4 basic ethical principles that apply to forensic activities are respect for
autonomy, beneficence, nonmaleficence, and justice. Journal of Chiropractic Medicine, 10(3),
pp.225-226. https://doi.org/10.1016/j.jcm.2011.08.004

UK Gov, 2018. Data Protection Act 2018. London: The Stationery Office.
https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf

Nwankwo, I.S., 2021. Towards a transparent and systematic approach to conducting risk assessment
under Article 35 of the GDPR (Doctoral dissertation, Hannover: Institutionelles Repositorium der
Leibniz Universität Hannover).

UK Gov, 1890. Partnership Act 1890. Accessed on 11 November 2021.
https://www.legislation.gov.uk/ukpga/1890/39/pdfs/ukpga_18900039_en.pdf

Robbins, S., 2019. A Misdirected Principle with a Catch: Explicability for AI. Minds & Machines, 29,
pp.495-514. https://doi.org/10.1007/s11023-019-09509-3

GDPR, 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016. Official Journal of the European Union.
