5 data ethics principles you can't ignore
Learn what data ethics means and the five principles you need to apply when using data within your business
For airports and parking operators handling millions of customer journeys each year, data ethics isn’t just a compliance exercise; it’s the foundation of commercial success. Every parking booking, every payment transaction, every vehicle registration number, and every passenger itinerary creates both opportunity and responsibility.
Yet many airports and parking operators struggle to translate broad ethical principles into practical action.
For instance, what does data ethics mean when you’re managing 50,000 parking spaces across multiple car parks, processing contactless payments at barrier systems, or sharing customer data with retail partners in your terminal? How do you build systems that enforce ethical standards by default when you’re juggling booking platforms, revenue management systems, access control, and partner data feeds?
In this article, we’ll explain what data ethics actually means and outline five principles to help you apply a more ethical approach when adopting a data-centric strategy.
What does ‘data ethics’ mean?
Data ethics is the branch of ethics that evaluates data practices with respect to their impact on people, organisations, and society. It asks fundamental questions about the morality of collecting, storing, analysing, sharing, and using data, particularly when that data relates to individuals.
While legal compliance sets minimum standards through regulations like GDPR, data ethics goes further. It asks not just what you can legally do with data, but what you should do.
For instance, you might be technically permitted to retain a customer’s number plate data indefinitely, but is it ethical to do so when the booking was completed two years ago? You may have legal grounds to share passenger contact details with every commercial partner in your terminal, but should all partners have unrestricted access?
Data ethics encompasses several core areas:
Consent: Do passengers understand what data you’re collecting when they book Meet & Greet services or pre-book parking? Have you clearly explained how their vehicle registration will be used beyond access control?
Purpose limitation: Are you using booking data solely to deliver the parking service customers purchased, or are you repurposing it to build profiling models or share with advertisers in ways customers never anticipated?
Fairness: Does your dynamic pricing algorithm disadvantage certain customer groups? Are you creating promotional offers that discriminate based on data you’ve collected about travel patterns?
Accountability: When a data breach exposes customer payment details or vehicle information, who takes responsibility? How do you make it right with the thousands of customers affected?
5 data ethics principles you need to be aware of
To apply data ethics effectively in your airport or parking operation, you need to understand the core elements required to embed ethical data handling across your organisation and partner ecosystem.
1) Clear ownership and accountability
Data ethics in an airport environment begins with knowing exactly who is responsible for each category of data flowing through your operation. Without clear ownership, ethical questions fall into grey areas where nobody feels empowered to make the right decision.
This isn’t just about organisation charts. It’s about designating individuals who make the calls on critical questions: Does the car park operator control vehicle registration data or does the airport? Who decides whether flight delay information can be shared with retail partners? When a customer requests data deletion, who is responsible for ensuring it’s removed from booking systems, access control databases, and partner platforms?
The complexity increases when you’re managing data across multiple systems, such as parking booking platforms, barrier control systems, payment gateways, ANPR cameras, customer service platforms, and partner data feeds. Each system may have different data controllers and processors, creating a web of responsibilities that must be clearly mapped.
For airports working with multiple commercial partners, for example, parking operators, car rental firms, hotels, lounges, retail concessions, you need collaborative governance processes that make data ownership clear.
When a food and beverage partner wants access to footfall data linked to parking duration, who approves that request? When a customer’s parking booking data could enhance a loyalty programme run by an airline, who decides whether that data sharing is ethical?
These questions require designated decision-makers with the authority to say yes or no, and clear escalation paths, should the need arise.
2) Privacy by design and regulatory compliance
When building airport systems, whether booking platforms, payment systems, access control, or commercial analytics, data protection and privacy must be at the forefront of mind.
You need to make conscious decisions about what data you truly need to collect, how long you keep it, and who can access it. Privacy should be a design constraint that shapes how you build systems, not a compliance checkbox to tick before launch.
For airports and parking operators, this translates into specific architectural decisions. Do you really need to retain customer booking data for seven years, or is two years sufficient for operational and financial purposes? Are you collecting mobile phone numbers with proper consent mechanisms in place, or are you assuming that purchasing parking implies permission to send SMS marketing? Are you tagging personally identifiable information in your databases so that teams know when they’re working with sensitive vehicle registration numbers versus anonymised parking duration statistics?
Consider a practical example: ANPR cameras at car park entry and exit barriers capture every vehicle registration. This data is essential for access control and billing, but how long should you retain it?
Privacy by design means storing it only as long as necessary to verify the customer collected their vehicle and resolve any billing disputes, perhaps 90 days. Retaining it indefinitely creates unnecessary risk and violates the principle of data minimisation.
Regulatory compliance is the baseline. GDPR requires that you collect data only for specified purposes, process it fairly, keep it secure, and delete it when no longer needed.
That said, data ethics goes beyond minimum compliance. It asks whether you are collecting flight details you don’t need simply because customers volunteer them during booking.
It questions whether retaining complete payment card data (even if encrypted) serves any legitimate purpose beyond what your payment processor already handles and ensures that access controls are as restrictive as possible while still allowing car park staff, customer service teams, and finance analysts to do their jobs.
Automation plays a critical role here. Systems should enforce privacy rules automatically rather than relying on individuals to remember them. When vehicle registration data is involved, access should require explicit authorisation and be logged.
When retention periods expire, booking records should be automatically anonymised or deleted. When a customer withdraws consent for marketing, all systems (booking platform, CRM, email service provider) should stop processing immediately. Build these controls into the technical architecture so that doing the ethical thing is also the easiest thing.
3) Transparency and trust
Transparency in data ethics means that passengers can understand and verify how their data is being used across your airport and parking operation.
According to Forbes, 39% of consumers view data transparency as the best way to build trust. For airports, this means being clear in your communication about what you collect, why you collect it, and what you do with it. For internal teams, it means knowing where data comes from, what transformations it has undergone, and whether it can be trusted for commercial decision-making.
Building transparency requires both technology and communication. On the technology side, use data lineage tracking so that teams can trace any piece of information back to its source.
When a commercial analyst looks at car park utilisation linked to retail spend, they should be able to see exactly where that data came from. This transparency builds confidence and prevents teams from making pricing decisions or partner commitments based on data they don’t fully understand.
On the communication side, be explicit with customers about data practices. When passengers book parking, they should understand that their vehicle registration will be used for access control, their payment details for billing, and their email address for booking confirmations. If you want to use their flight details to send them targeted offers for lounge access or car rental, ask for explicit consent and explain exactly what that means.
Privacy policies should be written in plain language for your customers. When a family books Meet & Greet parking for their summer holiday, they shouldn’t need a law degree to understand what happens to their data. Explain it the way you’d explain it to a friend: “We’ll use your number plate to identify your car when you arrive. We’ll keep your email address to send your booking confirmation and parking reminder. We’ll share your arrival time with our car park attendants so they can be ready for you.”
When asking for consent to share data with partners, make clear what customers are consenting to. “We work with retail partners in the terminal. With your permission, we’ll share that you’ve booked parking so they can send you exclusive offers for airport shops and restaurants.” That’s transparent. “We may share your information with selected third parties for marketing purposes” isn’t .
When teams consistently find that data is accurate, up to date, and properly governed, they trust it enough to base commercial decisions on it. When customers see that you handle their vehicle information and payment details responsibly and communicate honestly about your practices, they trust you with repeat bookings and remain loyal over time. Trust is fragile and slow to build, but it’s the foundation of every successful commercial operation.
4) Security and access control
Data ethics requires that access to customer information is controlled, auditable, and limited to what individuals genuinely need to perform their roles in your airport or parking operation. The principle of least-privilege access states that people should have access to the minimum data necessary, nothing more. This protects against both accidental misuse and intentional abuse.
Using least-privilege access means defining roles carefully and mapping data permissions to those roles:
- A car park attendant might need to see a customer’s vehicle registration and booking reference to locate their car for Meet & Greet service, but shouldn’t have access to payment card details or home address.
- A revenue analyst needs parking duration and pricing data to optimise yield management, but shouldn’t have unrestricted access to personally identifiable customer information.
- A customer service agent resolving a billing dispute needs to see the booking history and charges, but doesn’t need access to every customer in the database.
These distinctions matter for regulatory compliance under GDPR, but they also matter ethically. Exposing more data than necessary increases risk for customers and creates unnecessary temptation for misuse. If car park attendant’s login credentials are compromised, the damage should be limited to the specific vehicles they’re currently handling, not the entire customer database.
Security extends beyond internal teams to how data is shared with external partners and stakeholders. Sending customer booking data to a retail partner via email or unencrypted file transfers isn’t just technically insecure, it’s unethical because it exposes passengers to risks they didn’t consent to when they booked parking. Use secure transfer mechanisms like SFTP with IP whitelisting, encrypted APIs, or purpose-built data sharing platforms that maintain full audit trails of who accessed what information and when.
Consider the practical example of sharing data with a food and beverage partner who wants to send promotional offers to customers with long parking durations (indicating they’re likely taking a holiday flight). That partner needs email addresses and parking dates, but they don’t need vehicle registrations, payment details, or home addresses. Ethical data handling means creating a filtered data feed that contains only what’snecessary for the specific use case, with contractual terms that prevent the partner from repurposing that data or sharing it further.
Auditability is equally important. Every access to sensitive customer data should be logged. If regulators or internal compliance teams need to understand who accessed vehicle registration data and why, you should be able to provide that information completely and quickly. When a customer exercises their right to know how their data has been used, audit logs allow you to tell them precisely when their booking details were used and what for.
This auditability is an ethical obligation to the customers whose data you hold in trust. They have a right to know that their information is being handled responsibly, and audit logs are how you demonstrate that responsibility.
5) Ethical partner collaboration
Data ethics in commercial partnerships is particularly critical for airports, where dozens of partners operate within your ecosystem. Each partner has legitimate commercial interests in understanding customer behaviour, but also competitive sensitivities that must be respected.
Ethical data handling in this context demands clear agreements about what gets shared, how it can be used, and what protections are in place.
The foundation of ethical partner collaboration is transparency about data flows. Before any customer information changes hands, all parties should understand exactly what data is being shared, in what format, at what frequency, and for what purposes.
If you’re sharing parking booking data with a hotel partner so they can offer room deals to customers with early morning flights, that arrangement should be documented in a formal data sharing agreement that specifies retention periods, usage restrictions, and security requirements.
Verbal agreements and informal arrangements create ethical grey areas. When a retail partner asks for “some customer data to help with targeting,” what exactly does that mean? Which customers? What data fields? For what campaigns? How long will they keep it? Without formal documentation, you can’t ensure ethical handling, and you can’t demonstrate compliance if regulators come asking.
Paris Bielby, Data Director at CAVU, shared her perspectives on what good collaboration looks like when working with commercial partners in the airport ecosystem:
When it comes to commercial sensitivities, the key is designing collaboration models that protect competitive information while still enabling insight. That typically means role-based access, data minimisation, and aggregation so partners only see what they need to operate effectively.
It also means strong contractual frameworks, data-sharing agreements, retention rules, and transparent auditability, so every partner knows the boundaries and feels confident operating within them.
But the people side matters just as much. Partners need to feel that their data is respected, that their concerns are heard, and that the airport is a neutral steward rather than a competitor. When you create that environment through good communication, predictable processes, and a governance model everyone trusts, collaboration stops being a risk and becomes a genuine competitive advantage.
Consider a practical scenario: you want to create a loyalty programme that rewards customers who book parking, use the lounge, and make retail purchases. This requires sharing data between your parking platform, the lounge operator, and retail concessions.
Each partner is understandably protective of their customer relationships and transaction data. Ethical collaboration means creating a governance model where each partner contributes data under clear terms, where the aggregated insights benefit everyone, and where individual customer relationships remain protected.
It’s important to remember that passengers don’t distinguish between you and your partners. If a car rental company you shared data with sends intrusive marketing emails, customers will blame the airport where they booked parking. If a retail partner suffers a data breach involving customer information you provided, passengers will hold you accountable. This means partner selection is an ethical decision, not just a commercial one.
Work with partners who demonstrate strong data ethics in their own operations. Include specific data protection requirements in commercial contracts, not just boilerplate terms, but operational commitments about encryption, access controls, and breach notification. Audit partner compliance regularly. Your reputation depends on their behaviour, so choose and manage partnerships accordingly.
Learn how to build ethical data foundations with our expert-led webinar
Understanding data ethics is one thing. Implementing it across your airport or parking operation is another.
On Wednesday, 18 March 2026, join CAVU’s Data Director, Paris Bielby and Lead Data Engineer Jamal Karim for a comprehensive webinar on building data foundations that support commercial growth.
In this session, you’ll learn how to:
- Design cross-ecosystem data strategies that protect sensitive information
- Use processes that enable collaboration, whilst building governance frameworks that enforce ethical standards
- Create the technical architecture that makes data ethics scalable and sustainable.
Register for The Data Strategy Blueprint: Laying the Foundations for Commercial Growth, and we’ll email you an exclusive access link on the day of the webinar.
