r-statistics.co by Selva Prabhakaran

About

Data Ethics for R Programmers: Privacy, Consent & Responsible Analysis

Data ethics is the set of principles that guide how we collect, analyze, and report data. As R programmers, we wield powerful tools — and with that power comes responsibility to avoid harm, respect privacy, and report honestly.

You can run a t-test in one line of R code. But should you run it? On what data? Collected how? Reported to whom? These questions matter as much as the code itself. This guide covers the ethical frameworks, practical guidelines, and R-specific tools that help you do data science responsibly.

Why Data Ethics Matters for R Users

R is overwhelmingly used in research, healthcare, social science, and policy — domains where bad analysis can cause real harm:

  • Medical research: A flawed analysis could lead to approving an ineffective drug
  • Social policy: Biased models can perpetuate discrimination in hiring, lending, or criminal justice
  • Academic research: p-hacking and selective reporting waste resources and erode trust
  • Business analytics: Misleading dashboards can drive costly bad decisions

The code is not neutral. Every choice — which data to include, which outliers to remove, which model to fit, which results to report — is a decision with ethical implications.

Ethical Framework: Five Core Principles

1. Informed Consent

People should know their data is being collected and how it will be used.

# Good practice: Document data provenance data_provenance <- list( source = "Survey of 500 participants", consent = "IRB-approved consent form signed by all participants", collection_date = "2026-01-15 to 2026-02-28", anonymized = TRUE, retention_policy = "Data destroyed after 5 years", purpose = "Study the effect of sleep duration on cognitive performance" ) cat("=== Data Provenance Record ===\n") for (field in names(data_provenance)) { cat(sprintf("%-20s: %s\n", field, data_provenance[[field]])) }


  






2. Data Minimization



Collect and retain only the data you actually need for your analysis.





  


    
# BAD: Keeping everything "just in case"
full_data <- data.frame(
  name = "Alice Smith",           # PII - do you need this?
  ssn = "123-45-6789",           # Definitely not needed
  email = "alice@example.com",    # PII - needed for follow-up?
  age = 32,                       # Relevant to analysis
  treatment = "A",                # Relevant
  outcome_score = 85              # Relevant
)

# GOOD: Keep only what the analysis requires
analysis_data <- data.frame(
  participant_id = "P001",        # Pseudonymous ID
  age_group = "30-39",            # Binned to reduce re-identification risk
  treatment = "A",
  outcome_score = 85
)

cat("Full data columns:", names(full_data), "\n")
cat("Analysis data columns:", names(analysis_data), "\n")
cat("\nReduced from", ncol(full_data), "to", ncol(analysis_data), "columns\n")


    


      

      

    


    


  






3. Avoiding P-Hacking



P-hacking means running multiple analyses and only reporting the ones that produce significant results. It's one of the biggest threats to scientific integrity.





  


    
# DEMONSTRATION: How easy it is to find "significant" results by chance
set.seed(42)

# Generate 20 completely random variables (no real relationship)
n <- 100
random_data <- data.frame(matrix(rnorm(n * 20), ncol = 20))
names(random_data) <- paste0("var", 1:20)

# Test all pairs against var1 — some will be "significant" by chance
p_values <- sapply(2:20, function(i) {
  cor.test(random_data$var1, random_data[[i]])$p.value
})

cat("=== P-hacking demonstration ===\n")
cat("Testing var1 against 19 random variables:\n")
cat("Number of 'significant' results (p < 0.05):", sum(p_values < 0.05), "\n")
cat("Expected by chance alone: ~1 (5% of 19)\n\n")

cat("If you only report the significant ones, you've p-hacked.\n")
cat("Always report ALL analyses you ran, not just the 'hits'.\n")


    


      

      

    


    


  






4. Transparency and Reproducibility



Every analysis should be reproducible by an independent researcher.





  


    
# Good practice: Record your R environment
cat("=== Session Info for Reproducibility ===\n")
cat("R version:", paste(R.version$major, R.version$minor, sep = "."), "\n")
cat("Platform:", R.version$platform, "\n")
cat("Date of analysis:", format(Sys.Date(), "%Y-%m-%d"), "\n")

# In real projects, use:
# renv::snapshot()    # Lock package versions
# targets::tar_make() # Reproducible pipeline
# set.seed(12345)     # For any randomization


    


      

      

    


    


  






5. Responsible Reporting



Report uncertainty honestly. Don't cherry-pick results. Show what the data actually says, not what you want it to say.





  


    
# GOOD: Report effect sizes AND confidence intervals, not just p-values
set.seed(123)
group_a <- rnorm(30, mean = 100, sd = 15)
group_b <- rnorm(30, mean = 105, sd = 15)

result <- t.test(group_a, group_b)

# Cohen's d effect size
pooled_sd <- sqrt((sd(group_a)^2 + sd(group_b)^2) / 2)
cohens_d <- (mean(group_b) - mean(group_a)) / pooled_sd

cat("=== Responsible Reporting ===\n")
cat(sprintf("Group A: M = %.1f, SD = %.1f\n", mean(group_a), sd(group_a)))
cat(sprintf("Group B: M = %.1f, SD = %.1f\n", mean(group_b), sd(group_b)))
cat(sprintf("Mean difference: %.1f\n", mean(group_b) - mean(group_a)))
cat(sprintf("95%% CI: [%.1f, %.1f]\n", -result$conf.int[2], -result$conf.int[1]))
cat(sprintf("t(%d) = %.2f, p = %.3f\n", result$parameter, result$statistic, result$p.value))
cat(sprintf("Cohen's d = %.2f\n", cohens_d))
cat("\nNote: Report ALL of these, not just the p-value.\n")


    


      

      

    


    


  






Practical Checklist for Ethical R Analysis



Use this checklist before starting any analysis:







Step
Question
Action






1
Was data collected with proper consent?
Verify IRB approval or consent documentation




2
Are you collecting only necessary data?
Remove PII columns before analysis




3
Have you pre-registered your hypotheses?
Use aspredicted.org or OSF before looking at data




4
Is your analysis plan documented?
Write the plan before coding




5
Are you correcting for multiple comparisons?
Use p.adjust() with Bonferroni or FDR




6
Are you reporting all analyses?
Include null results in your report




7
Are effect sizes included?
Report Cohen's d, r-squared, or odds ratios




8
Is the code reproducible?
Use set.seed(), renv, version control




9
Could the results cause harm?
Consider who is affected and how




10
Is uncertainty communicated clearly?
Show confidence intervals, not just point estimates







Exercises



Exercise 1: Spotting P-Hacking



A researcher runs 10 different models on the same dataset and reports only the two that have p < 0.05. What should they do instead?





  


    
# Think about it, then check:
cat("=== Answer ===\n")
cat("1. Pre-register the primary analysis before looking at data\n")
cat("2. Report ALL 10 models, not just the 'significant' ones\n")
cat("3. Apply multiple comparison correction: p.adjust(p_values, method='BH')\n")
cat("4. Clearly label exploratory vs confirmatory analyses\n")


    


      

      

    


    


  






Exercise 2: Data Minimization



Given a medical dataset with name, SSN, DOB, gender, diagnosis, and treatment outcome, which columns should you keep for an analysis of treatment effectiveness by gender?





  


    
# Think about what's needed, then check:
cat("=== Answer ===\n")
cat("Keep: participant_id (pseudonymous), gender, diagnosis, treatment_outcome\n")
cat("Remove: name (PII), SSN (PII, never needed), DOB (convert to age group)\n")
cat("Transform: DOB -> age_group (bins reduce re-identification risk)\n")


    


      

      

    


    


  






Summary







Principle
What It Means
R Tool/Practice






Informed consent
People agree to data use
Document provenance




Data minimization
Only collect what you need
Remove PII columns




No p-hacking
Report all analyses
p.adjust(), pre-registration




Transparency
Others can reproduce
renv, targets, set.seed()




Responsible reporting
Show uncertainty honestly
CIs, effect sizes, all results







FAQ



Is it ever okay to remove outliers? Yes, but only with a pre-specified rule (e.g., "remove values beyond 3 SD from the mean") that you document before looking at the data. Never remove outliers just because they make your results non-significant.



What's the difference between ethics and compliance? Compliance means following laws and regulations (GDPR, HIPAA). Ethics goes further — it's about doing the right thing even when the law doesn't require it. A legally compliant analysis can still be ethically problematic.



Do I need IRB approval for analyzing publicly available data? It depends. If you're at a university, check with your IRB. Even public data can raise ethical issues — for example, analyzing scraped social media posts without users' awareness. When in doubt, consult your institution's ethics board.



What's Next




        


        
      


      

        

        
© 2016- Selva Prabhakaran.
          This work is licensed under the Creative Commons License.