Quiz: Building a Data Ethics Program

Test your understanding before moving to the next chapter. Target: 70% or higher to proceed.

Section 1: Multiple Choice (1 point each)

1. Which of the following best describes the relationship between compliance and ethics as presented in this chapter?

  • A) Compliance and ethics are synonymous — a fully compliant organization is an ethical one.
  • B) Compliance is a floor (the minimum legal requirement); ethics is a ceiling (what an organization should aspire to beyond legal mandates).
  • C) Ethics is less important than compliance because ethics are subjective while compliance is objective.
  • D) Compliance addresses external behavior while ethics addresses internal beliefs; organizations need only manage external behavior.
Answer **B)** Compliance is a floor (the minimum legal requirement); ethics is a ceiling (what an organization should aspire to beyond legal mandates). *Explanation:* Section 26.1 makes this distinction explicit. The chapter argues that compliance alone is insufficient because fines are often absorbed as a cost of doing business (Meta's 1.2 billion euro fine representing less than 1% of revenue), and because legal minimums do not address the full range of ethical obligations to data subjects. Option A conflates two distinct concepts. Option C inverts the chapter's position. Option D introduces a belief/behavior distinction that the chapter does not support.

2. Ray Zhao describes a meeting where a VP asks "What's the actual fine, historically?" and learns it is about 0.1% of revenue. This anecdote illustrates:

  • A) That regulatory fines are an effective deterrent for most organizations
  • B) That compliance becomes a risk-management calculation when fines are economically insignificant relative to revenue
  • C) That VPs are not interested in ethical considerations
  • D) That the GDPR's 4% fine cap is too low to matter
Answer **B)** That compliance becomes a risk-management calculation when fines are economically insignificant relative to revenue. *Explanation:* Section 26.1.1 uses this anecdote to illustrate that large organizations can treat regulatory fines as operating expenses, making compliance a cost-benefit calculation rather than a genuine constraint. The VP is not portrayed as unethical per se but as responding rationally to economic incentives — which is precisely why ethics programs are needed to go beyond what compliance alone achieves. Option A contradicts the anecdote's point. Option C overgeneralizes about VPs. Option D focuses on GDPR specifics rather than the broader principle.

3. According to the chapter, the single most important design question for an ethics committee is:

  • A) How many members should serve on the committee?
  • B) Does the committee have the power to stop things?
  • C) How frequently does the committee meet?
  • D) Is the committee composed entirely of senior executives?
Answer **B)** Does the committee have the power to stop things? *Explanation:* Section 26.2.3 states this directly: "The single most important design question for an ethics committee is: Does it have the power to stop things?" Without binding authority, ethics committees' recommendations can be — and routinely are — overridden by business leaders when ethics conflicts with profitability. Committee size (A), meeting frequency (C), and composition (D) all matter, but authority determines whether the committee's work produces real outcomes.

4. The chapter identifies several levels of ethics committee authority. Which of the following correctly orders them from weakest to strongest?

  • A) Advisory, Decorative, Gate-keeping, Veto
  • B) Decorative, Advisory, Advisory-with-escalation, Gate-keeping, Veto
  • C) Veto, Gate-keeping, Advisory-with-escalation, Advisory, Decorative
  • D) Advisory, Gate-keeping, Veto, Decorative
Answer **B)** Decorative, Advisory, Advisory-with-escalation, Gate-keeping, Veto. *Explanation:* Section 26.2.3 presents this five-level spectrum explicitly. Decorative boards exist on paper but rarely meet. Advisory boards make recommendations without binding authority. Advisory-with-escalation requires formal responses and allows escalation to the CEO or board. Gate-keeping boards must approve high-risk projects before launch. Veto boards can block projects outright. Option A places Decorative after Advisory. Options C and D misordering the sequence.

5. Which of the following is NOT listed as a composition element essential for an ethics committee?

  • A) Independent external members with no financial relationship to the organization
  • B) Community or consumer representatives from affected populations
  • C) The organization's largest shareholders or investors
  • D) Ethicists or philosophers trained in ethical reasoning
Answer **C)** The organization's largest shareholders or investors. *Explanation:* Section 26.2.2 lists six essential composition elements: diverse technical expertise, legal and compliance, ethicists/philosophers, community/consumer representatives, domain experts, and independent external members. Shareholders and investors are not included — and their presence could actually undermine the committee's independence, since investor priorities (growth, returns) may conflict with ethical considerations (data minimization, privacy protection).

6. The concept of "ethics-washing" most closely parallels:

  • A) Regulatory arbitrage — choosing jurisdictions with weaker regulations
  • B) Greenwashing — performing environmental concern without substantive environmental action
  • C) Lobbying — attempting to influence regulatory outcomes through political engagement
  • D) Risk management — identifying and mitigating organizational risks
Answer **B)** Greenwashing — performing environmental concern without substantive environmental action. *Explanation:* Section 26.6 draws the explicit parallel between ethics-washing and greenwashing. Both involve an organization performing concern (publishing principles, appointing officers, making public statements) without making the substantive operational changes that would address the underlying problem. The analogy is structural: just as a company can label products "eco-friendly" while continuing environmentally destructive practices, a company can publish AI ethics principles while continuing ethically questionable data practices.

7. Mira's conversation with her father Vikram (Section 26.1.2) centers on VitraMed's predictive analytics platform being sold to insurance partners. Mira's challenge — "Just because it's legal doesn't mean those patients would be okay with it if they knew" — illustrates:

  • A) That VitraMed is violating HIPAA
  • B) The gap between the compliance floor and the ethics ceiling
  • C) That Mira is opposed to all commercial data use
  • D) That insurance companies should not be allowed to use health data
Answer **B)** The gap between the compliance floor and the ethics ceiling. *Explanation:* Mira's challenge is the chapter's central argument in miniature. VitraMed's practice is legal (HIPAA compliant), but Mira questions whether it is *right* — whether patients would consent to this use if they truly understood it. This is precisely the gap between compliance (what the law requires) and ethics (what responsible practice demands). Option A is incorrect — the chapter confirms HIPAA compliance. Options C and D overstate Mira's position.

8. Which of the following best describes why the chapter recommends that ethics committees have budget independence?

  • A) So that committee members can be paid for their service
  • B) To prevent business units from defunding the ethics function when its recommendations are uncomfortable
  • C) Because ethics reviews are expensive and require dedicated funding
  • D) To comply with GDPR requirements for independent data governance
Answer **B)** To prevent business units from defunding the ethics function when its recommendations are uncomfortable. *Explanation:* Section 26.2.4 identifies budget independence as a structural protection for the ethics committee. When the ethics committee's budget is controlled by the business units it oversees, those units can exercise indirect control by reducing funding. Budget independence removes this leverage and ensures the committee can function even when its recommendations are unwelcome. Option A is a practical detail, not the reason. Option C describes a general truth but not the structural argument. Option D cites a regulation that does not require this specific arrangement.

9. The chapter argues that ethics programs need "ethics champions" within business units. What is the primary function of an ethics champion?

  • A) To report violations to the ethics committee
  • B) To serve as a bridge between the ethics program and day-to-day operational decisions, making ethics actionable at the team level
  • C) To replace the need for a centralized ethics committee
  • D) To ensure that all team members have completed annual ethics training
Answer **B)** To serve as a bridge between the ethics program and day-to-day operational decisions, making ethics actionable at the team level. *Explanation:* Section 26.5 describes ethics champions as embedded advocates who translate organizational ethics principles into the daily work of their teams. They do not replace centralized oversight (C) or serve primarily as compliance monitors (A, D) — they make ethics part of operational culture by raising questions in real time, flagging concerns before they escalate, and modeling ethical reasoning in practice.

10. The chapter states that the business case for ethics "opens the door; genuine ethical commitment keeps it open." This means:

  • A) The business case is a more persuasive argument than the moral case
  • B) Economic justifications can introduce ethics to organizational leaders, but ethics programs that exist solely for business reasons will be abandoned when they become unprofitable
  • C) Ethical commitment is less important than financial sustainability
  • D) Organizations should never use economic arguments to justify ethics programs
Answer **B)** Economic justifications can introduce ethics to organizational leaders, but ethics programs that exist solely for business reasons will be abandoned when they become unprofitable. *Explanation:* Section 26.1.3 explicitly makes this point: "An organization that pursues ethics only because it's profitable will abandon ethics the moment it becomes unprofitable." The business case is a useful tool for gaining organizational buy-in, but it cannot be the foundation of a genuine ethics program. A program built solely on business logic is vulnerable to any situation where doing the right thing costs money — which, in data ethics, is frequent.

Section 2: True/False with Justification (1 point each)

11. "An ethics committee composed entirely of internal employees can be just as effective as one with external, independent members."

Answer **False.** *Explanation:* Section 26.2.4 argues that independence is "not a luxury — it's a precondition for credibility." Internal-only committees face groupthink (members share the same organizational culture), career pressure (raising uncomfortable concerns can jeopardize promotion), and information filtering (internal members see data through the organization's lens). External members bring outside perspectives, face no career risk from the organization, and can push back without personal consequences. Dr. Adeyemi states directly: "The committee that reviews itself never finds fault."

12. "A company that publishes detailed AI ethics principles on its website has, by definition, established a data ethics program."

Answer **False.** *Explanation:* Section 26.6 explicitly addresses this misconception. Published principles are a necessary but wholly insufficient component of an ethics program. Without operational mechanisms — a committee with authority, review processes, incentive structures, culture change — published principles are "ethics-washing." The chapter cites multiple examples of organizations with impressive published principles and no meaningful operational ethics practice. A data ethics program requires institutional infrastructure, not just institutional rhetoric.

13. "Incentive alignment means paying bonuses to employees who report ethical violations."

Answer **False.** *Explanation:* Section 26.4 defines incentive alignment more broadly: it means ensuring that the organization's reward structures, performance metrics, promotion criteria, and cultural signals all support ethical behavior rather than undermining it. This includes removing incentives that inadvertently encourage ethical shortcuts (e.g., rewarding speed of deployment without considering ethical review), building ethical practice into performance evaluations, and recognizing teams that identify and address ethical risks. A whistleblower bounty is a narrow, reactive mechanism — incentive alignment is systemic and proactive.

14. "The chapter argues that the most common composition failure in ethics committees is a lack of technical expertise."

Answer **False.** *Explanation:* Section 26.2.2 identifies the most common failure mode as *homogeneity* — not the absence of any single type of expertise, but the dominance of perspectives already well-represented in the organization (senior executives, lawyers, engineers). Technical expertise is important, but the chapter emphasizes that committees dominated by technical and business perspectives miss the voices of affected communities, independent ethicists, and external observers.

15. "According to the chapter, social psychology research supports the idea that organizational context shapes ethical behavior more powerfully than individual character."

Answer **True.** *Explanation:* Section 26.2.1 states this directly, citing Milgram (1963) and Zimbardo (2007): "The social psychology literature is unambiguous on this point: context shapes behavior more powerfully than character." This insight is foundational to the chapter's argument that individual good intentions are insufficient and that organizational structures — ethics committees, decision tools, incentives, culture — are necessary to produce consistently ethical outcomes.

Section 3: Short Answer (2 points each)

16. Explain the difference between an ethical risk assessment and an ethical decision tree (Sections 26.3.2 and 26.3.3). When would you use each, and what does each produce?

Sample Answer An ethical risk assessment is a structured evaluation tool that identifies the potential ethical risks of a proposed data practice, rates each risk for likelihood and severity, and proposes mitigations. It produces a risk matrix — a documented inventory of risks and responses that can be reviewed, debated, and tracked. It is used proactively during project planning to surface ethical concerns before implementation. An ethical decision tree is a branching logic tool that guides practitioners through a series of yes/no questions to reach a recommended action. It produces a decision — proceed, modify, escalate, or stop. It is used in real time by teams facing specific decisions (e.g., "Should we include this data field in our model?") and provides immediate, actionable guidance. The risk assessment is diagnostic (what could go wrong?). The decision tree is prescriptive (what should we do?). Both translate abstract ethical principles into operational tools. *Key points for full credit:* - Distinguishes the two tools clearly - Identifies when each is used and what each produces - Connects both to the operationalization of ethical frameworks

17. The chapter presents five arguments for the business case for ethics (Section 26.1.3): risk reduction, trust as competitive advantage, talent attraction and retention, regulatory anticipation, and better decisions. Select any two and explain how they apply specifically to VitraMed's situation.

Sample Answer **Risk reduction** applies directly to VitraMed because the company's predictive analytics platform handles sensitive health data for 180,000 patients. Proactively identifying ethical risks — such as the potential for insurance partners to misuse patient risk scores (a concern surfaced later in the DPIA, Chapter 28) — could prevent a reputational and legal crisis that would threaten VitraMed's business relationships and regulatory standing. An ethics program that catches these issues early costs far less than managing the fallout. **Talent attraction and retention** is relevant because VitraMed is a growing health-tech company competing for data scientists and engineers who increasingly want to work on products they believe in. If VitraMed's workforce learns that patient data is being sold to insurance partners without genuine patient understanding, talented employees may leave — or refuse to join. A credible ethics program signals that VitraMed takes its responsibilities seriously, making it more attractive to mission-driven talent. *Key points for full credit:* - Selects two distinct business case arguments - Applies each specifically to VitraMed (not generically) - References specific VitraMed details from the chapter

18. What does the chapter mean by "the committee that reviews itself never finds fault" (Dr. Adeyemi, Section 26.2.4)? Why is this observation critical for ethics program design?

Sample Answer Dr. Adeyemi's statement captures the structural problem of self-regulation. When an ethics committee is composed entirely of people within the organization it oversees, the committee members share the organization's incentives, culture, and blind spots. They face career pressure not to raise uncomfortable questions. They may unconsciously (or consciously) avoid findings that would embarrass leadership or slow profitable products. The result is a review process that validates the organization's existing practices rather than genuinely challenging them. This is critical for design because it means independence is not optional — it is a structural requirement for credibility and effectiveness. The chapter recommends external members, separate reporting lines, budget independence, and term protections precisely because self-review produces self-validation, not self-correction. *Key points for full credit:* - Explains the structural dynamic (shared incentives, career pressure) - Connects to the independence requirements in Section 26.2.4 - Distinguishes self-review from genuine oversight

19. Section 26.5 discusses culture change. Explain why the chapter argues that policy alone is insufficient to change organizational behavior around data ethics. What additional mechanisms are needed?

Sample Answer Policy establishes rules, but behavior is shaped by culture — the informal norms, habits, stories, and incentives that determine how people actually work. An organization can have a comprehensive data ethics policy and still operate unethically if the culture rewards speed over care, if managers signal that ethics review is an obstacle to be minimized, or if employees learn through observation that ethical concerns are career risks. The chapter identifies several mechanisms beyond policy: leadership modeling (tone at the top), ethics champions embedded in business units, training that involves real scenarios rather than abstract principles, incentive structures that reward ethical practice, consequences for ethical violations, celebration of ethical decisions (making visible the people and teams who flagged and resolved ethical concerns), and transparent post-incident review that treats failures as learning opportunities rather than occasions for blame. *Key points for full credit:* - Explains why policy alone is insufficient (culture vs. rules distinction) - Identifies at least three additional mechanisms - Connects to the chapter's argument about context shaping behavior

Section 4: Applied Scenario (5 points)

20. Read the following scenario and answer all parts.

Scenario: DataVault Analytics

DataVault Analytics is a mid-size data brokerage firm with 800 employees. It collects consumer data from public records, social media scraping, purchase histories, and location data providers. It sells this data to clients in advertising, insurance, and financial services.

After negative media coverage of the data brokerage industry, DataVault's CEO announces a new "Ethics First Initiative." The initiative includes: - Appointing the VP of Legal as "Chief Ethics Officer" (dual role, no additional budget) - Creating an "Ethics Advisory Panel" with four members: the CEO, the CTO, the VP of Sales, and a law professor from a local university - Publishing a set of "DataVault Ethical Principles" on the company website: Fairness, Transparency, Accountability, Privacy, Innovation - Requiring all employees to complete a one-hour online ethics training module annually - Establishing an anonymous ethics hotline for employees to report concerns

(a) Using the spectrum of authority from Section 26.2.3, classify the Ethics Advisory Panel. Is it decorative, advisory, advisory-with-escalation, gate-keeping, or veto? Explain your reasoning. (1 point)

(b) Identify at least three specific design weaknesses in the Ethics Advisory Panel's composition, using the principles from Section 26.2.2. For each, explain the consequence of the weakness and propose a remedy. (1 point)

(c) The published principles include "Fairness, Transparency, Accountability, Privacy, Innovation." Evaluate these principles against the operationalization criteria from Section 26.3. Are they actionable as written? What would be needed to convert them from aspirational statements into operational tools? (1 point)

(d) The appointment of the VP of Legal as a dual-role Chief Ethics Officer creates a structural conflict. Identify the conflict, explain why it undermines the ethics program's effectiveness, and propose an alternative reporting structure. (1 point)

(e) Considering DataVault's business model (selling consumer data to advertisers, insurers, and financial services), identify the most fundamental tension that an ethics program at this company would face. Is it possible for a data brokerage firm to operate ethically? Construct an argument for or against, drawing on at least two concepts from this chapter. (1 point)

Sample Answer **(a)** The Ethics Advisory Panel is **decorative to weakly advisory**. There is no indication that it has binding authority, escalation mechanisms, or even a defined review process. The panel's composition (CEO, CTO, VP of Sales, and one external academic) ensures that business leadership controls the conversation. Without a charter, regular meeting schedule, or decision-making authority, the panel exists primarily as a response to media criticism rather than a governance mechanism. **(b)** Three design weaknesses: 1. **No community or consumer representatives.** DataVault sells consumer data — but no consumers sit on the panel. Consequence: the panel cannot represent the perspectives of the people most affected by DataVault's practices. Remedy: add at least two external members representing consumer advocacy or affected communities. 2. **No independence from business leadership.** Three of four members are C-suite executives with direct financial interest in DataVault's data sales. Consequence: the panel will face structural pressure to validate existing business practices. Remedy: ensure that at least a majority of panel members are external and independent. 3. **No technical ethics expertise.** The panel includes a law professor but no ethicist, social scientist, or privacy researcher. Consequence: discussions will be framed by legal and business logic rather than ethical reasoning. Remedy: add members with expertise in data ethics, philosophy, or social impact assessment. **(c)** The five principles — Fairness, Transparency, Accountability, Privacy, Innovation — are aspirational but not operational. As written, they are too abstract to guide specific decisions. "Fairness" does not specify fairness to whom, measured how, or at what cost. "Transparency" does not define what must be transparent, to whom, or through what mechanisms. To operationalize them, DataVault would need: (1) specific definitions tied to measurable outcomes, (2) decision trees or risk assessments that apply each principle to concrete scenarios, (3) processes for resolving conflicts between principles (e.g., Innovation vs. Privacy), and (4) accountability mechanisms for when principles are violated. **(d)** The VP of Legal has a structural conflict because the legal function's primary obligation is to minimize the company's legal liability — which often means limiting disclosure, restricting transparency, and advising against actions that increase exposure. The ethics function should push toward greater transparency, honest risk assessment, and stakeholder-centered decision-making. These objectives regularly conflict. Having the same person hold both roles ensures that legal caution will dominate ethical aspiration. Alternative: the Chief Ethics Officer should report directly to the board of directors (or a board-level committee), not through the legal function, and should have a separate budget and independent authority. **(e)** The fundamental tension is that DataVault's business model depends on collecting and selling consumer data, often without consumers' meaningful knowledge or genuine consent. An ethics program at DataVault would eventually confront the question: is it ethical to profit from data that people did not knowingly share, sold to parties whose purposes may harm those people (insurance pricing, targeting of vulnerable populations)? A genuine ethics program would require DataVault to ask whether its core business practices — social media scraping, combining datasets to create profiles, selling to insurers — can be conducted ethically. The chapter's consent fiction theme applies directly: consumers cannot meaningfully consent to data brokerage because they often do not know brokers exist. The power asymmetry is total: brokers know everything about their subjects; subjects know nothing about the brokers. It is possible to argue that a data brokerage could operate more ethically by limiting data sources to truly public records, providing consumer access and deletion rights, prohibiting sales to discriminatory use cases, and being transparent about data practices. But the chapter's analysis suggests that the core business model — profiting from asymmetric information without genuine consent — faces irreducible ethical tensions that even the best-designed program cannot fully resolve.

Scoring & Review Recommendations

Score Range Assessment Next Steps
Below 50% (< 15 pts) Needs review Re-read Sections 26.1-26.3 carefully, redo Part A exercises
50-69% (15-20 pts) Partial understanding Review specific weak areas, focus on Part B exercises
70-85% (21-25 pts) Solid understanding Ready to proceed to Chapter 27
Above 85% (> 25 pts) Strong mastery Proceed to Chapter 27: Data Stewardship and the Chief Data Officer
Section Points Available
Section 1: Multiple Choice 10 points (10 questions x 1 pt)
Section 2: True/False with Justification 5 points (5 questions x 1 pt)
Section 3: Short Answer 8 points (4 questions x 2 pts)
Section 4: Applied Scenario 5 points (5 parts x 1 pt)
Total 28 points