I think that requests for individual information should not be traceable to the identity of the owner of that information. If there is a violation of this section, it is not only unethical, but it is also illegal.
To prevent unlawful and ethical reasons, I would require applicants to reduce their need for too much personal information. Directly identifiable information such as contact information or addresses must be concealed. indirectly identifiable information must be broad enough that it cannot be traced to an individual for instance geolocation must be defined as region-wide enough to not be able to identify a particular home and narrow enough to be useful for research purposes.
I think there must be a contract for what purpose the information will be used. Including explaining how to keep the data safe, when the data will be destroyed after a period of time, And the signing of a non-disclosure agreement.