Data doesn’t just exist in the digital world; it can have a very real impact on resources in the real world. In this article first published in Business Brief's April edition, Data Protection Commissioner Brent Homan illustrates environmental costs of data processing and explains three key factors to be considered with regard to ESG reporting.
You would be forgiven for wondering what good data governance has to do with supporting sustainability and ESG, but data collection, processing and storage can all impose a heavy carbon footprint. Data centres, for example, which enable all our personal and business systems to function, consume massive quantities of energy and water.
Recent technological innovations – while undoubtedly offering many benefits – also require sizeable resources. While Artificial Intelligence can help find sustainable solutions and solve environmental challenges, the public use of AI tools has a huge environmental impact. Research published by the University of California in April 2023 found that:
“…the global AI demand may be accountable for 4.2 – 6.6 billion cubic meters of water withdrawal in 2027, which is more than the total annual water withdrawal of 4 – 6 Denmarks or half of the United Kingdom. This is very concerning, as freshwater scarcity has become one of the most pressing challenges shared by all of us in the wake of the rapidly growing population, depleting water resources, and aging water infrastructures.”*
Data minimisation and storage limitation are both key principles of data protection legislation AND better for the environment.
From the Data Rights perspective- reducing the amount of data your organisation holds means a reduced risk of people’s personal information being lost or stolen.
From an environmental perspective- mitigating global harm is a growing concern for responsible businesses and many now collect personal data as part of monitoring their environmental, social, and governance (ESG) factors.
Appreciating that ESG reporting requirements exist, the OPDA has outlined three key considerations towards ensuring that ESG reporting aligns with data protection obligations:
1. Data collection
It is unlikely that there are any ESG reporting obligations that compel you to collect information that is linked to an identified (or identifiable) living person. So, wherever possible, you should collect information from people anonymously. If data is genuinely anonymous data protection laws do not apply – as anonymous data is not personal data. You can therefore save yourself a lot of time and effort simply by collecting anonymous data instead of personal data.
For data to be considered anonymous you must have no way of connecting any information to a particular person. It is important to note that this is different to the concept of ‘pseudonymising’ data where you separate a person’s identity from the data but retain the ability to join it back together, for example, by using a key.
2. Risk to individuals
Wherever facts or opinion exist about an identified or identifiable living person you must adhere to the Law to ensure you are taking care of that information appropriately so that their ‘significant interests’ are not placed at risk. Any legitimate data collection made as part of your ‘environmental’ and ‘governance’ reporting requirements is unlikely to pose a high risk to individuals.
However, covering ‘social’ factors could pose a risk to individuals, as (depending on what factor you are reporting on, and how you go about measuring it) you may be asking people to reveal protected characteristics about themselves. Many of the characteristics you might be asking people about - such as their sex life, gender identity, health status - are classed as ‘special category data’ under data protection law. This type of information about people requires more safeguards because of its sensitivity.
If you are collecting personal data or special category data you must take full account of the Law’s requirements, as well as adhering to relevant discrimination legislation. In all cases you can minimise the risk to individuals if you collect the relevant information anonymously.
3. Public disclosure of data
ESG reporting requirements usually result in organisations publishing high-level information summaries as opposed to detailed information linked to named people. So even if you have chosen to collect information that you can link to individuals (for example: so you can check that everyone in your organisation has responded) there is no requirement for you to make that level of detail publicly available.
You can find more information about this and much more under the
guidance section of our website.
* Research paper, April 2023, the University of California, Riverside.
&
Indulge