Search

How can we help?

Icon

The ICO’s updated Guidance on AI and Data Protection: What is new?

Artificial Intelligence (AI) is a new technology and its laws and regulations, as well as guidance released on good practices in this area, are quickly developing. Since our last article on AI, on 15 March 2023, the UK Information Commissioner’s Office (ICO) updated its Guidance on AI and Data Protection. This was influenced by UK organisations requesting clarification on the requirements for fairness in AI.

The UK Government previously stated in its policy paper Establishing a pro-innovative approach to regulating AI, that ‘clear, innovative-friendly and flexible approaches to regulating AI will be core to achieving our ambition to unleash growth and innovation while safeguarding our fundamental values and keeping people safe and secure’.

Notwithstanding AI’s great potential, there is a concern about data protection in this developing area. We summarise the ICO’s updates below.

Changes/additions to the guidance

The ICO posted a new chapter titled ‘How do we ensure transparency in AI?’. It states that before processing personal data in an AI system, transparency obligations towards individuals whose personal data is to be processed must be considered. This means that you should include information regarding your purposes for processing individuals’ personal data, how long that personal data will be retained by you, and who the personal data will be shared with.

The above information should be provided at the time the personal data is collected from the individuals, before it is used to train a model or apply that model to those individuals. In the alternative, if the data is collected from other sources, the information should be provided within one month of this.

A chapter on accountability and governance implications of AI has also been included. It states that a data protection impact assessment (DPIA) is a way to demonstrate compliance with data protection law. Your DPIA needs to describe the nature, scope, context and purposes of any processing of personal data. It needs to make clear how and why you are going to use AI to process the data. You need to detail:

  • how you will collect, store and use data;
  • the volume, variety and sensitivity of the data;
  • the nature of your relationship with individuals; and
  • the intended outcomes for individuals or wider society, as well as for you.

Senior management and data protection officers will be accountable for understanding and addressing the issues brought about by AI. It could also be demonstrative of ensuring that humans are held accountable for the AI. The ICO considers that the DPIA should also include evidence of consideration of less risky alternatives.

Data protection officers will be accountable for understanding and addressing the issues brought about by AI.

A chapter on ensuring lawfulness in AI has been added, which discusses, amongst other things, ‘special category data’ and how this should be handled. This category of data requires both a lawful basis and an additional condition for processing. This data is personal data which requires extra protection due to its sensitivity, for example, medical, biometrics or criminal convictions data.

Data may fall into special category data if it can be used to infer relevant information about someone, or someone is to be treated differently depending on the inference. The reason this is relevant to AI, is because AI systems can be used to guess or predict details about individuals. It may therefore be possible to infer or guess details which fall within what constitutes special category data.

The ICO also included a chapter titled ‘How do we ensure fairness in AI?’. It states that fairness is a key principle of data protection and personal data must be used fairly in order to comply with, for example, Article 5(1)(a) of the UK GDPR and Section 2(1)(a) of the Data Protection Act 2018. Personal data should be processed in ways that people would reasonably expect, rather than be used in ways which could have unjustified adverse effects on people. It gives an example of using AI to infer data about people, and states that the AI system should be accurate and avoid discrimination.

It is interesting to see the quick developments in this area, and we can imagine that businesses are excited to find out more about how they can use AI in their organisation in a way which complies with laws, regulations and guidance. Keep an eye out for our articles regarding any updates in AI and data protection.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 20 January 2025
  • Employment

AI Opportunities Action Plan – The impact of AI on employment

The Government has announced its ‘AI Opportunities Action Plan’ in which it plans to increase the use of AI across the UK to ensure the UK is a world leader in the field. 

art
  • 14 January 2025
  • Employment

Is this the end of working from home?

In this article, we explore what legal rights employees and businesses have in this context as well as considering more commercial factors.

art
  • 08 January 2025
  • Employment

Round-up of employment law changes in 2024 and what to look out for in 2025

In this article, we will take a whistlestop tour of the various key employment law and case law changes that have taken place this year and then we will highlight what to expect in 2025.

Pub
  • 06 January 2025
  • Employment

TUPE Podcast Series: Unfair Dismissal and TUPE

In this eighth episode of our TUPE Podcast Series, Katie Glendinning, a Partner in the employment team, focuses on dismissals in a TUPE context and, in particular, the additional protection afforded by TUPE.

art
  • 03 January 2025
  • Employment

Fire and Rehire – Change to compensation rules from 20 January 2025

This article considers the Regulatory Policy Committee’s recently published opinion on the impact assessments for the Employment Rights Bill. The Committee assessed the quality of evidence and analysis used to inform the government proposals and came to the overall opinion that the impact assessments are currently “not fit for purpose”.

art
  • 18 December 2024
  • Employment

Are Sober Christmas Parties the Future? Employment Law Risks of Festive Cheer

As the festive season approaches, many employers are rethinking their approach to the traditional office Christmas party. Once synonymous with free-flowing alcohol, these events are increasingly being rebranded as “sober” or activity-based celebrations, reflecting a broader cultural shift.