The ICO’s updated Guidance on AI and Data Protection: What is new?

Artificial Intelligence (AI) is a new technology and its laws and regulations, as well as guidance released on good practices in this area, are quickly developing. Since our last article on AI, on 15 March 2023, the UK Information Commissioner’s Office (ICO) updated its Guidance on AI and Data Protection. This was influenced by UK organisations requesting clarification on the requirements for fairness in AI.

The UK Government previously stated in its policy paper Establishing a pro-innovation approach to regulating AI that ‘clear, innovative-friendly and flexible approaches to regulating AI will be core to achieving our ambition to unleash growth and innovation while safeguarding our fundamental values and keeping people safe and secure’.

Notwithstanding AI’s great potential, there is a concern about data protection in this developing area. We summarise the ICO’s updates below.

Changes/additions to the guidance

The ICO posted a new chapter titled ‘How do we ensure transparency in AI?’. It states that before processing personal data in an AI system, transparency obligations towards individuals whose personal data is to be processed must be considered. This means that you should include information regarding your purposes for processing individuals’ personal data, how long that personal data will be retained by you, and who the personal data will be shared with.

The above information should be provided at the time the personal data is collected from the individuals, before it is used to train a model or to apply that model to those individuals. Alternatively, if the data is collected from other sources, the information should be provided within one month of this.

A chapter on accountability and governance implications of AI has also been included. It states that a data protection impact assessment (DPIA) is a way to demonstrate compliance with data protection law. Your DPIA needs to describe the nature, scope, context and purposes of any processing of personal data. It needs to make clear how and why you are going to use AI to process the data. You need to detail:

  • how you will collect, store and use data;
  • the volume, variety and sensitivity of the data;
  • the nature of your relationship with individuals; and
  • the intended outcomes for individuals or wider society, as well as for you.

Senior management and data protection officers will be accountable for understanding and addressing the issues brought about by AI. This could also help to demonstrate that humans are held accountable for the AI. The ICO considers that the DPIA should also include evidence of consideration of less risky alternatives.

A chapter on ensuring lawfulness in AI has been added, which discusses, amongst other things, ‘special category data’ and how this should be handled. This is personal data which requires extra protection due to its sensitivity, for example, medical, biometric or criminal convictions data. Processing this category of data requires both a lawful basis and an additional condition for processing.

Data may fall into special category data if it can be used to infer relevant information about someone, or someone is to be treated differently depending on the inference. This is relevant to AI because AI systems can be used to guess or predict details about individuals. It may therefore be possible to infer or guess details which fall within what constitutes special category data.

The ICO also included a chapter titled ‘How do we ensure fairness in AI?’. It states that fairness is a key principle of data protection and personal data must be used fairly in order to comply with, for example, Article 5(1)(a) of the UK GDPR and Section 2(1)(a) of the Data Protection Act 2018. Personal data should be processed in ways that people would reasonably expect, rather than be used in ways which could have unjustified adverse effects on people. It gives an example of using AI to infer data about people, and states that the AI system should be accurate and avoid discrimination.

It is interesting to see the quick developments in this area, and we can imagine that businesses are excited to find out more about how they can use AI in their organisation in a way which complies with laws, regulations and guidance. Keep an eye out for our articles regarding any updates in AI and data protection.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
