At the moment, practitioners have relied on traditional ADR standards and guidance to consider the ethical concerns involved with using ODR, even though they are less than ideal when applied to technology. ODR is rife with ethical concerns that possess new challenges that previous standards, legislation and regulation do not address (Wing et al., 2021). Thankfully, many laudable efforts are being made to edit the traditional standards of mediation to fit with ODR, as well as efforts to help guide implementation. As standards come out, mediators will finally receive the guidance and information needed to help provide an ethical ODR practice.
That said, Ethics Standards and Codes can only do so much, and at times they directly conflict with each other. For that reason, ethics case studies and examples have always been used as helpful ways of teaching and studying ethics. In that spirit, this is the first of a series of ODR Ethics Case Studies to help guide ODR practitioners through the dilemmas they will inevitably face during their practice.
Case Study #1
In the midst of scheduling a mediation, you reach out to the participants and tell them you take their confidentiality seriously, so any further emails will be end-to-end encrypted. It is your standard practice and you have been quite happy with the feedback you’ve received. You phone one of the parties to provide the password they need to access future emails and attachments, but the moment you tell them they reply: “that sounds complicated, just send it to me normally.”
What are some of the ethical components or conflicts in this case?
How would you approach them?
There are two significant ethical standards that appear to be in conflict in this case. The first is the mediator’s obligation to keep a party’s information confidential, and the second is respecting the party’s right to make their own decisions regarding the process of the mediation. A party’s self-determination is important; after all, mediation’s embrace of party empowerment and self-determination is what separates it from other ADR processes (that ethics book), however, the necessity of proper cybersecurity measures should not be underestimated.
Confidentiality and Privacy
Confidentiality, which states that a party’s information must not be disclosed beyond what has been agreed, and privacy, which refers to an individual’s ability to control access to their own information, are the ethical principles that have likely undergone the most significant change with the surge of ODR. Traditionally, the documents a mediator would receive were hard copies that could be stored under lock and key, or disposed of quite simply. The mediation themselves took place in physical rooms where the amount of parties involved could be clearly seen and it wasn’t easy to hide something like a recording device. That was enough to ensure information was kept confidential, and the parties remained in control over their information. However, with ODR far more needs to be taken into consideration if confidentiality and privacy are to be maintained: what email program is being used? How is data being stored? Is it being sent to a location that is secure? These are just a few of the new questions mediators need to be asking themselves to conduct an ODR practice that respects the parties’ right to confidentiality and privacy.
With that in mind, a mediator is obligated to ensure their practice involves a level of cybersecurity that can reasonably ensure the sensitive data they receive and send is safe. Exactly what that may entail is up for debate, and will likely be one of the helpful guides provided in any upcoming reports or standards. It would not be a stretch to suggest strong passwords, the use of Multi-Factor-Authentication (MFA), and ensuring any saved data is encrypted are a minimum standard (Ferguson, 2020). That said, in this case, the challenge isn’t adopting appropriate cybersecurity measures, but considering how much a mediator ought to push their own cybersecurity process on a party that isn’t willing.
Respect for Persons and Autonomy
The notions of Confidentiality and Privacy are not just about protecting the parties’ information. Both are founded on the ethical principles of Respect for Persons and Autonomy, which denote having the freedom and ability to make choices about issues affecting one’s life, decisions about personal goals, and the ability to act on the choices we make (Burkhardt, 1996). In other words, the individual has the right to keep their information to themselves and not have it shared, and by the same logic, they can also choose what they want to do with their information and what risks they are willing to take whether anyone agrees with them or not.
That said it is important to ensure someone has the appropriate knowledge and understanding of what they are involved with when they exercise their right to self-determination. The idea of Informed Consent often goes hand in hand with Autonomy, and stems from the notion that someone can only make a truly autonomous choice if it is voluntary, informed, and they have the capacity to make it (WTH is Bioethics?, 2019). In other words, a choice cannot be coerced and must be chosen willingly. It has to be informed, which typically requires the party to be told about the nature of the process, the expected benefits, the risks, likely consequences of not doing it, and any alternative courses of action (WTH is Bioethics?, 2019). And finally, the individual must have the capacity to make the decision, in other words they have to be able to understand the information they are given, and possess the ability to appreciate the consequences of the decisions they make.
In this case, if the party responded to bypass the cybersecurity measures followed by the mediator it would be important for the mediator to take a moment and ensure that the party is making an informed decision. The mediator would have to explain what end-to-end encryption does and why it is being used, the benefits and risks of using it, the possible consequences of not doing it, and any alternative methods. Alternatives are particularly important in cases of ODR where a party may agree that cybersecurity is important and feel uncomfortable with the notion of freely sending confidentiality information via email, but simply struggle with the technology. Finally, it has to be determined that the party has the capacity to make the decision. In cases of ODR this will likely be less about someone’s mental capacity as much as someone’s unfamiliarity with the technology or their discomfort admitting they do not understanding.
Once the party has been given the information, they understood it, and their opinion is given voluntarily, it is important for the mediator to accept the client’s decision. Honouring and trusting a party’s ability to make the best choices for themselves are important factors in developing a trusting relationship, which is vital in a successful mediation.
Limitations to Autonomy
There are, of course, circumstances where someone’s right to self-determination may be limited. These situations usually involve considerations around decisions that could harm themselves or others. One would expect, for instance, that there is a limit to a party’s autonomy in which a mediator can override a party’s self-determination if they are choosing an option that could harm them, such as a method of communication that puts their information at risk, particularly if that information is very sensitive, like a social insurance number. However, given the importance of self-determination in mediation, if the party truly insists even after being told the potential risks, the mediator may respect the party’s wishes.
More importantly, while autonomy speaks to the choices of an individual, their decisions are not made in isolation and are often made in conjunction with others. In a mediation, information isn’t always just sent between the mediator and a single other party. In civil cases for instance, lawyers will send the mediation briefs to both the mediator and the opposing party, and one party’s information could contain confidential information of the other party. In such cases, one party would not be in a position to unilaterally decide what measures ought to be taken, or not taken, to protect the confidential information involved.
Respecting another’s self-determination directs us to honour the right of persons to chose, whether we agree or not. In this case, the party has a different view than us in regards to cybersecurity, and if they have given their informed consent, in most cases the mediator ought to respect that. On the other hand, if the party’s decision put extraordinarily sensitive data at risk, or if there are more parties involved, a mediator may be obligated to enforce certain rules on the parties to ensure their data is kept reasonably secure.
1. End-to-End Encryption: Whenever you send data to another computer or server on the internet, there are some risks, like theft, because your data passes through many unknown servers, routers, and devices where a hacker can intercept them. In order to protect your data, it is typically encrypted, which is when the data you are sending gets scrambled so it isn’t possible for any party intercepting it to read or understand. The encrypted data can only be turned back into the original data by someone who has the encryption key. End-to-end encryption is the act of applying encryption to messages on one device such that only the device to which it is sent can decrypt it. The message travels all the way from the sender to the recipient in encrypted form. This differs from the encryption most commonly used, which only protects the data in transit between your device and the company’s servers.
2. A further explanation to the importance of cybersecurity in ODR can be found in my article Navigating Cybersecurity in ADR (https://www.mediate.com//articles/ferguson-cybersecurity.cfm.=
Burkhardt, M.; Nathaniel, A. (1996). Patient Self-Determination and Complementary Therapies. Bioethics Forum, Winter.
Ferguson, J. (2020). Navigating Cybersecurity in ADR. Mediate.com. Retrieved from https://www.mediate.com/articles/ferguson-cybersecurity.cfm on July 7, 2021
Seay, G.; and Nuccetelli, S. (2017). Engaging Bioethics: An Introduction with Case Studies. Taylor & Francis Group.
Wing, L.; Martinez, J.; Katsh, E.; Rule, C. (2021). Designing Ethical Online Dispute Resolution Systems: The Rise of the Fourth Party. Negotiation Journal, Winter.
WTH is Bioethics? (2019). Informed Consent. Uploaded August 25. Available at: https://www.youtube.com/watch?v=xTIdmv2VzNs&t=207s. (Accessed July 6, 2021).