Search

How can we help?

Icon

The ICO’s updated Guidance on AI and Data Protection: What is new?

Artificial Intelligence (AI) is a new technology and its laws and regulations, as well as guidance released on good practices in this area, are quickly developing. Since our last article on AI, on 15 March 2023, the UK Information Commissioner’s Office (ICO) updated its Guidance on AI and Data Protection. This was influenced by UK organisations requesting clarification on the requirements for fairness in AI.

The UK Government previously stated in its policy paper Establishing a pro-innovative approach to regulating AI, that ‘clear, innovative-friendly and flexible approaches to regulating AI will be core to achieving our ambition to unleash growth and innovation while safeguarding our fundamental values and keeping people safe and secure’.

Notwithstanding AI’s great potential, there is a concern about data protection in this developing area. We summarise the ICO’s updates below.

Changes/additions to the guidance

The ICO posted a new chapter titled ‘How do we ensure transparency in AI?’. It states that before processing personal data in an AI system, transparency obligations towards individuals whose personal data is to be processed must be considered. This means that you should include information regarding your purposes for processing individuals’ personal data, how long that personal data will be retained by you, and who the personal data will be shared with.

The above information should be provided at the time the personal data is collected from the individuals, before it is used to train a model or apply that model to those individuals. In the alternative, if the data is collected from other sources, the information should be provided within one month of this.

A chapter on accountability and governance implications of AI has also been included. It states that a data protection impact assessment (DPIA) is a way to demonstrate compliance with data protection law. Your DPIA needs to describe the nature, scope, context and purposes of any processing of personal data. It needs to make clear how and why you are going to use AI to process the data. You need to detail:

  • how you will collect, store and use data;
  • the volume, variety and sensitivity of the data;
  • the nature of your relationship with individuals; and
  • the intended outcomes for individuals or wider society, as well as for you.

Senior management and data protection officers will be accountable for understanding and addressing the issues brought about by AI. It could also be demonstrative of ensuring that humans are held accountable for the AI. The ICO considers that the DPIA should also include evidence of consideration of less risky alternatives.

Data protection officers will be accountable for understanding and addressing the issues brought about by AI.

A chapter on ensuring lawfulness in AI has been added, which discusses, amongst other things, ‘special category data’ and how this should be handled. This category of data requires both a lawful basis and an additional condition for processing. This data is personal data which requires extra protection due to its sensitivity, for example, medical, biometrics or criminal convictions data.

Data may fall into special category data if it can be used to infer relevant information about someone, or someone is to be treated differently depending on the inference. The reason this is relevant to AI, is because AI systems can be used to guess or predict details about individuals. It may therefore be possible to infer or guess details which fall within what constitutes special category data.

The ICO also included a chapter titled ‘How do we ensure fairness in AI?’. It states that fairness is a key principle of data protection and personal data must be used fairly in order to comply with, for example, Article 5(1)(a) of the UK GDPR and Section 2(1)(a) of the Data Protection Act 2018. Personal data should be processed in ways that people would reasonably expect, rather than be used in ways which could have unjustified adverse effects on people. It gives an example of using AI to infer data about people, and states that the AI system should be accurate and avoid discrimination.

It is interesting to see the quick developments in this area, and we can imagine that businesses are excited to find out more about how they can use AI in their organisation in a way which complies with laws, regulations and guidance. Keep an eye out for our articles regarding any updates in AI and data protection.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

About this article

Read, listen and watch our latest insights

art
  • 07 July 2026
  • Employment

6 month unfair dismissal rights: What employers need to know

Under the new Employment Rights Act 2025 the minimum period of service required to qualify to bring a statutory claim for unfair dismissal has been reduced from 2 full years to 6 months from 1 January 2027 onwards.  

art
  • 24 June 2026
  • Employment

What are employer’s obligations during a heatwave?

During the summer, employers can come across employee issues relating to the heat and hot weather. How can employers handle hot weather and what are employer obligations during a heatwave?

art
  • 23 June 2026
  • Employment

Pride month and employment law: Ensuring compliance with LGBTQ+ protections

With each Pride month, companies unveil rainbow logos and send office wide emails of solidarity. These gestures are valuable, giving visible demonstrations of support, but only really make a difference if those companies are able to truly say that their policies and practices are inclusive and legally compliant.

Pub
  • 18 June 2026
  • Employment

Employment Rights Act 2025: Key Changes for Employers

Join Katie Glendinning and Lucy White for an on demand webinar as they break down the key changes introduced by the Employment Rights Act 2025, offering clear insights into what these reforms mean in practice for employers and HR professionals.

art
  • 16 June 2026
  • Employment

Shaping the Future of Work: Insights from the 114th ILO International Labour Conference

Having recently returned from the 114th Session of the International Labour Conference in Geneva, I have been reflecting on the work of the International Labour Organisation (ILO) and the important role it plays in global standard setting, as well as promoting social and economic inclusivity.

art
  • 03 June 2026
  • Employment

Holiday Pay Record Keeping – What this new duty means for employers

The Employment Rights Act 2025 made certain changes to the rules around holiday records, which came into effect on 6th April 2026.