The Role of Privacy in the Framework for Responsible Research and Innovation in ICT for Health, Demographic Change and Ageing

. Responsible Research and Innovation (RRI) is an approach to research governance that promotes the sustainability, acceptability and desirability of research and innovation processes and outputs. Given the importance of private sector companies in funding and executing research and in particular innovation, it is important to understand how their practices map onto RRI. This paper describes the role of RRI in industry and then focuses on the way in which privacy can be considered. It draws on a workshop undertaken in the context of the IFIP Summer School on Privacy and Identity Management to develop some suggestions on future integration of privacy in RRI for industry.


Introduction
Responsible Research and Innovation (RRI) is now a well-known approach in the field of research governance.The RRI concept has been progressing and received support from of previous European research programmes, as well as European and national policies.It is now widely acknowledged that the future of new technologies requires consideration of the social and ethical aspects and a genuine engagement of all stakeholders.Stakeholder engagement approaches have been widely accepted among research and innovation actors as the new normative foundation (e.g.Greenwood, 2007;DEECD, 2011).These approaches are especially fruitful for the development of emerging technologies, quantum computing, nanotechnologies, internet of things or synthetic biology, to name but a few, where multiple innovative initiatives are in place to address advanced innovation issues, and stakeholder dialogue are organized at different levels (i.e.local, regional, national, and international levels).
The European Commission report "Options for Strengthening Responsible Research and Innovation" (European Commission, 2013) outlines the fact that a large number of innovation fields still lack RRI approaches.In fact, the focus of RRI is currently mainly on the project and policy level of publicly funded research, and little attention has been given to industry contexts.Research and innovation in industry need to embed consideration of values, such as privacy, security, sustainability, among others, into the innovation process for industrial stakeholder and citizens.
For example, when big data and internet of things (IoT) are combined with stakeholder engagement, and comply with privacy regulation and data protection principles, they enable a better understanding of users' expectations and behaviors.These could ultimately support the creation of innovative products and services, anticipate the right designs for them, and help discover appropriate ways to use them.
The paper starts by discussing the concept of RRI and explaining how it relates to industry.This is followed by a description of the framework for RRI in Industry that was used as a basis for the workshop.This workshop, and the way it was framed around the question of privacy in RRI for Industry, is discussed in the subsequent section.The discussion section highlights key insights which inform recommendations spelled out in the conclusion.

RRI in Industry
In defining RRI, Von Schomberg (2011) argues that "a transparent, interactive process by which societal actors and innovators become mutually responsive to each other with a view on the (ethical) acceptability, sustainability and societal desirability of the innovation process and its marketable products".
The European Commission's reading of RRI comprises six key areas: Governance; Public engagement; Gender equality; Science education; Open access/open science; Ethics (European Commission, 2012).More recent work on RRI focuses on expanding the notion in relation to societal challenges.The Rome Declaration in 2014 emphasizes that "the benefits of Responsible Research and Innovation go beyond alignment with society: it ensures that research and innovation deliver on the promise of smart, inclusive and sustainable solutions to our societal challenges."(Rome Declaration, 2014).In line with this approach, the recent report from the Expert Group on Policy Indicators for Responsible Research and Innovation (Strand et al., 2015) has considered two additional areas: "sustainability" and "social justice/inclusion", in reference to the Europe 2020 strategy.
An alternative reading of RRI that is based on the work undertaken by Owen, Stilgoe and their collaborators (Owen et al. 2013; Stilgoe et al. 2013), and that was subsequently adopted by the UK Engineering and Physical Sciences Research Council, which proposed the AREA framework as key to RRI (Owen, 2014).AREA stands for anticipation, reflection, engagement and action.It suggests that research and innovation, in order to be responsible, need to anticipate possible outcomes and impacts, to reflect on the research and innovation activities themselves as well as the way they are implemented, to engage with relevant stakeholders and to take action according to the outcomes of the first three steps.This reading of RRI is arguably broader than the one proposed by the European Commission based on its policy agendas, but they both aim in the same direction of rendering research and innovation more open to societal influences with a view to ensuring they meet societal needs.
One shortcoming of the RRI discourse is that it is mostly focused on publicly funded research.This is understandable, as it is driven by public research funders who have an interest in ensuring that their work contributes to the wellbeing of the taxpayers who provide the funding for the research.At the same time, it is a shortcoming, as much research and most of the innovation activities that are closer to the market are undertaken by companies.The question of whether and how RRI principles and ideas are already implemented in industry and how current practices can improve industrial research and innovation activities is therefore at the heart of this paper.
To give a number of examples, the benefits of mitigating risks associated with the innovative actions, the enhancement of company brand value, greater competitive advantage in the market, and attracting the best talent by engaging citizens and public authorities are perfectly understood as advantages by industrial stakeholders that can be encouraged to develop a genuine interest in RRI.In so far as responsible innovation leads, for a company, to developing added value, making its business more sustainable and enabling its customers to have more privacy, tapping into new markets, launching new business models, and increasing customers and stakeholders' confidence, industrial stakeholders can be expected to commit to an RRI approach.
However in practice, industrial stakeholder engagement in responsible innovation as it stands is facing significant obstacles.These limitations most often come from the fact that these benefits are long-term objectives, and responsible innovation can be viewed in the first place as a constraint, or an additional normin both cases, an external element, far away from the core business and immediate value of the company.While the ambition to move towards RRI is supported, the practical route to responsible innovation for industry remains difficult.In markets where awareness of social and environmental impacts can deliver economic value, can companies continue to avoid Responsible Innovation?Is RRI a prerogative of those public research organizations and large companies that have either a duty or the resources to address these aspects?
A lack of awareness of ethical, legal, environmental and social issues often leads companies to either overestimate or underestimate the associated risks (Carroll and Shabana, 2010).Fundamentally, costs and time to overcome the environmental, social or ethical challenges of an innovation are considered too high, and the business will opt for the development of othermore standardizedproducts and services that do not raise 'unmanageable' concerns.In another case, companies equally consider that they have insufficient time and resources to take these challenges on board and would then prefer to ignore them, and push their service or product forward, overlooking stakeholders' concerns or legal and social regulations, irrespective of the fact that these may eventually jeopardize their business model (Carroll and Shabana, 2010).In both cases, the "environment" is seen as a threat, not as an opportunity.Furthermore, the detriment to innovation is obvious: new products and services are not launched, or they are developed with a weak consideration of their environment and ultimately have a greater chance of failing.However for companies, ignoring responsible innovation challenges is no longer an option either.The acceptability of their business is at stake and opportunities of advanced positions in markets can be lost.
More regulation may not be the answer to engage companies in RRI because few new issues have arisen that were not anticipated .Many aspects of RRI are subject to regulation, but exclusively relying on public regulation is unlikely to achieve the aim of ensuring RRI acceptability and desirability.
This leads to key questions such as: How can the route to responsible innovation be made easier?Is this a matter of leading companies to responsible innovation, or of growing responsible innovation in the business innovation?
The range of innovation support methods (e.gDahlander and Gann, 2010) becomes richer every year with new approaches and concepts developed: eco-design, cradle to cradle, the circular economy, open innovation etc.These methods have proven to be efficient in many respects.Nonetheless, they often face limits as they only consider one aspect of the business.Whilst a particular value can be gained e.g.making privacy for research and innovation, the whole business model depends on a larger series of aspects that are all equally important.Often the gap to applying responsible innovation lies in the fact that these innovation support methods are used in isolation.
Collectively, social, environmental and ethical issues should be addressed in particular industries.Specific issues such as privacy need to be taken into account, and specific knowledge needs to be taken on board, for example with regards to established ways of dealing with such issues.This requires support tools and roadmaps to be adapted to the particular features of the industry and calls for a collaborative approach, where companies and support organizations draw external resources of knowledge and advice, whilst engaging with stakeholders.The questions remain, however, how this can happen, who should be in charge and how success can be measured.In order to respond to these questions we have developed what we called a framework for RRI in industry that we outline in the next section.

Framework of RRI in Industry
In order to better understand how RRI is currently undertaken in industry and which gaps remain, the Responsible-Industry project (www.responsible-industry.eu)undertook a number of activities to map current practice, compare it with the RRI discourse, and develop ideas about how RRI can be integrated into industrial practice.The activities undertaken by the project include a review of the literature on RRI and industry, five illustrative case studies, a set of 30 expert interviews with stakeholders from the information and communication technology (ICT) industry and a Delphi Study comprising more than 170 respondents.On this basis we developed a framework for RRI in industry. 1his framework starts with a vision of RRI industry that shows its roots as well as the link with existing activities.It provides options and recommendations for implementing RRI in companies.These are grouped around key questions such as who is responsible for what?How can RRI be integrated along the value chain?How can ethical and social impact analysis be performed?What tools can be used for RRI?
The ensuing recommendations can be summarized as follows:  Reflect on a vision for RRI within the organization, promoting capacity building and instilling RRI in the culture of the organization. Integrate RRI into existing structures and processes, including research and innovation (R&I), corporate social responsibility, quality and other company functions. Promote reflection and awareness of ethical and societal issues related to specific R&I products in ICT for an ageing society. Perform in depth ethical analysis of ICT products/services from early stages of the R&I value chain. Support early identification of appropriate preventive and precautionary measures. Foster stakeholder engagement, and in particular end users, from early stages of product development. Pursue open and transparent communication with stakeholders about risk and impact. Perform ongoing assessment and management of the impacts of ICT products and services, both in the short/ medium term and longterm. Ensure training and professional development opportunities to enable staff to fully participate and take responsibility. Foster multidisciplinarity between engineering, natural sciences, ethics and social sciences. Apply equality principles in recruitment and career progression.
The framework also provides examples of policy and communication actions that can support and foster RRI in industry and links to resources that enable these to be realized.
This framework is currently being tested and scrutinized through a number of indepth case studies and industry-led focus groups.It will be finalized in early 2017.The workshop during the IFIP summer school served as one way of assessing the quality and value of the framework.Its specific question was whether privacy is well represented in the framework and how this might be improved.

RRI, Privacy and Economic Concerns
Privacy is the most widely discussed ethical and social concern linked to ICT (Stahl, Timmermans, & Mittelstadt, 2016).Concerns around privacy are not novel and contemporary discussion is often led back to Warren and Brandeis' seminal paper on the topic (Warren & Brandeis, 1890).It is therefore not surprising that privacy has been highlighted as a key concern that RRI in ICT needs to deal with (Stahl, 2013).Achieving data safety and security in ICT is not what companies might expect by applying RRI in the first place but it is certainly something that is highly discussed in responsibility in ICT in long run.The threat is obvious.Breaches of privacy occur not just from a theft of customer data and passwords or credit cards.In fact, if companies have too many breaches of data privacy that undermines consumer trust, which is absolutely counter productive to the use of technologies that could otherwise have a beneficial effect on environmental and social questions.Thus, it is absolutely essential that ICT must comply with basic privacy principles as laid down by the General Data Protection Regulations (GDPR) 2 .
Before we discuss how privacy concerns have been integrated into the framework for RRI in industry, however, we think it is important to highlight that privacy is far from the only ethical issue that companies need to consider.This implies that ways of addressing privacy need to be sensitive to other ethical and social issues.Similarly, privacy as a social value can conflict with other values.Ways need to be found to balance competing values.Data ownership, quality of data, intellectual property and traceability are some of the most important issues of debate from a legal and technical point of view (Baysinger et al., 1991;Granstrand 1999;Batini et al., 2009).Based on an open innovation model, these technologies challenge traditional business models: where does the value stem from: the data or the service?What is the most effective way to redistribute dividends to different links in the value chain?
Emerging technologies and big data imply a significant pervasiveness of technology in every place and a new set of relations between individuals and objects, with a stronger dependence on ICT, despite and because of its original ambition to increase its relevance and adherence to users' needs.Big can include the collection of large amounts of personal information, the protection of which is regularly challenged.Regardless of the definition of privacy, one can realize a significant role for it in solving research and innovation challenges in emerging technologies and big data.The GDPR and its requirements for privacy impact assessment (Clarke 2009; Information Commissioner's Office 2009) or an ethics impact assessment (Wright 2011) are very high on the companies' agenda these days because of either the necessity of assessment activities towards privacy issues or the increased fines that the GDPR (see section 148) will introduce and which therefore may scare industry.As such, industrial stakeholders dealing with ICT must consider privacy in order to address RRI issues, and ICT designers must highlight privacy by design in their design process (Guerses et  From an economic viewpoint, being aware of these challenges and developing a capacity to address them will enable any company to become more competitive and sustainable.While emerging technologies and big data are more than ever at a crossroad between ethical issues and economic opportunities, what role can a company play in this area?How can a company seize and create value from big data whilst still operating in an ethical and safe environment?Some initiatives have been taken to draw entrepreneurs' attention to the ethical and legal issues raised by emerging tech- nologies and big data.However, companies support services often remain segmented: business development, legal and ICT aspects and social issues (such as stakeholder engagement) are not addressed systematically, and are usually separated from one another for the simple reason that they relate to different expertise and organizational units.
The responsible innovation framework will take the ambition to address all related challenges in a comprehensive approach by bringing together stakeholders and experts, and eventually help companies, in particular ICT companies to benefit from the big data revolution whilst securing their own development.

Privacy in the RRI Framework
In light of the importance of privacy in ICT in general, as well as the possible conflict between privacy and other values, it is important to spell out which role privacy plays in version of the framework for RRI in industry that was used in the workshop.
Privacy first appears in the framework document in the context of open questions that should motivate companies to consider RRI.These are a list of likely upcoming developments that can raise concern and of which companies should be aware.This list was compiled on the basis of the AALIANCE2 roadmap3 , a document stemming from the AALIANCE 2 project for the purpose of planning the future of assistive technologies.Privacy is recognized in this list as one of the likely concerns that can motivate companies to take RRI seriously.It forms part of a set of concerns that were summarized as individual rights and liberties that may be vulnerable to challenge from new ICTs.
One way of dealing with open questions in RRI is through the introduction and use of standards.The framework therefore highlights issues that may be subject to standardization: this includes privacy and data protection.The idea of privacy by design is strongly promoted by privacy advocates and can be seen as an attempt to create standards to safeguard this particular value.The framework therefore references these ideas as one option that companies can pursue in the governance of their research and innovation activities.
Privacy is furthermore already a well-established right enshrined in legislation and regulation.Companies wanting to be responsible need to comply with such legislation.The framework therefore makes reference to legislation such as the Privacy Directive (EC) 95/46/EC on processing and free movement of data, regulation (EC) 45/2001 on processing and free movement of data by EU institutions and bodies, Directive 2002/58/EC (e-Privacy) processing of personal data and the protection of privacy.
One can thus argue that there is significant attention paid to privacy in the framework.However, in order to ascertain whether this way of including privacy is sufficient and convincing, we undertook the workshop around privacy in the IFIP summer school that is described in the next section.

Workshop on Privacy in RRI in Industry
The idea behind the workshop was thus to collect feedback on privacy as a particular component of the framework from an audience which is either expert in privacy issues or has a high level of interest in privacy and identity management.We wanted to find out whether the way in which privacy was included in the framework resonated with this audience and whether audience members could provide further insights into how to improve the framework.
It was decided to assess the framework with five groups of participants (each group consist of 2-3 members).Each group was asked whether the framework would have helped them to gain an insight into RRI, how could develop the current responsible business model, and whether it could help the RRI community promote responsibility within research and innovation initiatives.The workshop was also used to gain further insights into whether questions of privacy and data protection are currently covered well enough, which aspects could be strengthened and how they could be communicated to intended audiences.
The aims of the workshop included:  to reflect on the effectiveness of the RRI framework:  to discuss the way in which privacy is represented in the framework; to explore opportunities to refine the RRI framework;  to explore facilitation methods to best use the RRI framework.
The workshop developers introduced the responsible industry project framework, elaborated on the main aspects of RRI in industry, and presented responsible industry case studies in the domain of ICT for healthy ageing.The intention of RRI to ensure acceptability and desirability of research and innovation is often translated as a focus on grand social challenges.One of the key ones in Europe, due to its demographic development is that of healthy ageing.ICT is often portrayed as a technology that can help address this challenge, which renders ICT for healthy ageing a primary candidate for RRI.
During the second half of the workshop, participants were asked to comment directly on the framework.The aim was to gather a structured form of feedback from participants at the end of the workshop using the RRI framework to identify which methods or techniques should be applied to fulfill key responsibilities for RRI within the organization.
Relevant feedback was expected to arise from the following questions:  How can the framework be improved? How should the framework be communicated and disseminated? Is privacy adequately covered? Which aspects are missing? How should they be included?Documentary evidence from the workshop supported assessment of the quality and value of the framework.The collected data were used in the discussion section of this work to address the above questions.

Discussion
During the workshop there was a general recognition by the participants of the necessity to embed privacy in the framework for RRI in industry.This discussion section covers two different sets of concerns, both of which are important for RRI in industry.On the one hand there are issues of organizational structure and governance, which are not related to privacy per se but which are relevant in order to instill the very idea of RRI into an organization.On the other hand there are privacy issues in a narrow that immediately pertain to personal data.
The organizational issues of privacy were recognized as crucial.There was a discussion about engaging companies' owner(s) and investor(s) into RRI actions.One participant argued that "whilst probably individual investors will be more willing to implement ethical procedures, institutional investors will likely respond only to financial considerations."In principle, consultation with owner(s) in addition to chief executive officers was highly valued by the participants.
There was also discussion about the usefulness of the framework for different sizes of companies.From the responses, it is understood that the framework seems to assume a large rigid organization.It is less clear how small and medium sized enterprises (SMEs) can implement it, which has to be taken into account for further development of the framework.
The discussion and further recommendations from participants for improving the framework can be summarized as follows:  Acknowledge the need for engaging companies' owners and stress the distinction between individual investors and institutional counterparts;  Consider SMEs for the framework;  Refine the actual information flows in the framework;  Highlight the process of embedding responsibility in industry which will likely be an iterative, rather than a one-off, exercise;  Develop some practical tools to assist thinking about RRI principles.
First, there is a common recognition by participants to involve owners of the company as well as the chief executive officer (CEO).Since the CEO executes the plan set by the owners, there is a need for the framework to stress the role of companies' owners and investors.Second, workshop participants stressed that the RRI framework targets mainly multinational corporations, and misses somewhat to consider specific approaches of applying RRI in SMEs.Third, understanding actual information flows in the framework between different sections needs to be revisited: e.g.innovation can come from any group; marketing may provide customer requests as well as disseminate information.Fourth, industrial stakeholders must consider RRI as an iterative process rather than a one-off exercise.Finally, there are still a limited number of practical RRI tools that can be used by industrial stakeholders, and this generally needs to be drawn attention to in any improved version of the RRI framework.
The RRI framework and workshop results identified the need to embed privacy into Responsible-Industry framework.Figure 1 demonstrates the interaction between privacy and various organizational functions.This figure was used to stimulate the discussion among workshop participants.
Accordingly, privacy should be at the core of Responsible-Industry framework.In fact, the workshop represents the benefits delivered to industry by embedding privacy in the RRI framework.Individual stakeholders and different departments collectively may apply privacy in company' governance, innovation, compliance, and communication initiatives.Put differently, privacy helps to improve executive management, research and innovation, corporate social responsibility, legal, human resources, and marketing; steers company activities to new level of ethical behaviour"; and introduces new RRI-oriented products and services."Privacy is perhaps too abstract a concept in the example given of the healthcare user.Privacy as an abstract concept may not be important but personal autonomy or freedom from discrimination may be important despite requiring privacy".
The results of the discussion and the recommendations made by the workshop participants highlighted the relevance of privacy in RRI.This did not come as a surprise, given that privacy and data protection have long been recognized as a key aspect that raises concerns across a vast range of ICTs.The discussion showed furthermore that privacy is interlinked with other ethical and social concerns.It is furthermore distributed across the organization, and it is difficult to pinpoint one particular area that has exclusive or dominant responsibility for it.
From the point of view of the framework, we learned that the level of attention paid to privacy in the framework itself seems to be appropriate.There was very little discussion of the concept of privacy in the workshop.This may reflect the backgrounds of the workshop participants who had a significant amount of expertise in privacy, and who may not therefore have felt the need to delve into the conceptual side of privacy in any more detail.It may also reflect the fact that there is a finite amount of space in a document like the framework and therefore there must be a limit to the level of conceptual discussion that can be included.
An interesting finding from the workshop, from the perspective of the Responsible-Industry project and framework, was that there was also relatively little discussion of the technical detail concerning specific privacy measures.When presenting the framework to an expert audience with a particular interest in privacy and identity management, we had expected requests for more detail of the way in which privacy in ICT for health, demographic change and wellbeing is addressed.There was little discussion of such detailed questions, which we interpret as a sign that the treatment of privacy in the framework is at an appropriate level.

Conclusion
From the perspective of the Responsible-Industry project, the workshop described in this paper constituted an opportunity to reflect on and further refine the framework.For the participants it gave an opportunity to see the way privacy is addressed in a slightly different context where privacy is one of many different issues.
In substantive terms, the outcomes of the workshop constitutes a confirmation of the principles and content of the way in which privacy is treated by the Framework for RRI in ICT as developed by the Responsible-industry project.It did not lead to any significant changes or point to major omissions in the framework.Interestingly, it also did not point to particular technical developments that might need to be included.
The value of the workshop was in improving the presentation of the framework and raising awareness of its existence in the community of privacy scholars.It should thereby contribute to a better uptake of RRI by industrial actors, with specific reference to privacy and data protection.Privacy is a key to delivering future responsibility.The RRI framework is intended as a primary step in RRI literature for embedding privacy into the core of industrial stakeholder activities.The workshop's participants helped in raising awareness of privacy within subsequent versions of RRI frameworks, to support industrial stakeholders on the journey towards responsibility.
The workshop contributed to:  Raising awareness of RRI principles among privacy scholars;  Improving privacy and social inclusiveness within RRI principles and actions.
In addition to helping reflect on and improve the Responsible-Industry framework, we believe that the workshop will have developed participants' understanding of the way in which social and ethical issues in ICT more broadly can be addressed in an industrial setting.
Much research in the area of data protection and privacy is technical, focusing on questions of encryption, storage, data transmission etc.Such work is of vital importance for privacy preservation.However, we believe that the framework shows clearly that many of the key privacy concerns are not technical.A company developing a new technology needs to have the organizational resources and processes in place, in order to safeguard privacy.Without these pre-requisites, the technical capability to protect privacy is unlikely to suffice.
Working with the RRI in industry framework showed the participants the complexity and number of linkages between different organizational functions, environments and processes that need to be considered when addressing privacy issues.Finally, at the risk of stating the obvious, we believe that the workshop made it clear that privacy and data protection are one important issue but, at the same time, they are one issue among many.Privacy must not be seen in isolation, rather it should be understood as an important and valid social concern that interacts with and links to numerous others.
In this spirit, we hope that the insights gained by the Responsible-Industry consortium that will help us further refine the RRI in industry framework have been matched by the learning of workshop participants.Both of these aspects will hopefully have contributed to the overall shared goal of ensuring that new and emerging technologies contribute to the greater good of society.