- 20 March 2023
- Privacy and Data Protection
Artificial Intelligence (AI) is a new technology and its laws and regulations, as well as guidance released on good practices in this area, are quickly developing. Since our last article on AI, on 15 March 2023, the UK Information Commissioner’s Office (ICO) updated its Guidance on AI and Data Protection. This was influenced by UK organisations requesting clarification on the requirements for fairness in AI.
The UK Government previously stated in its policy paper Establishing a pro-innovative approach to regulating AI, that ‘clear, innovative-friendly and flexible approaches to regulating AI will be core to achieving our ambition to unleash growth and innovation while safeguarding our fundamental values and keeping people safe and secure’.
Notwithstanding AI’s great potential, there is a concern about data protection in this developing area. We summarise the ICO’s updates below.
Changes/additions to the guidance
The ICO posted a new chapter titled ‘How do we ensure transparency in AI?’. It states that before processing personal data in an AI system, transparency obligations towards individuals whose personal data is to be processed must be considered. This means that you should include information regarding your purposes for processing individuals’ personal data, how long that personal data will be retained by you, and who the personal data will be shared with.
The above information should be provided at the time the personal data is collected from the individuals, before it is used to train a model or apply that model to those individuals. In the alternative, if the data is collected from other sources, the information should be provided within one month of this.
A chapter on accountability and governance implications of AI has also been included. It states that a data protection impact assessment (DPIA) is a way to demonstrate compliance with data protection law. Your DPIA needs to describe the nature, scope, context and purposes of any processing of personal data. It needs to make clear how and why you are going to use AI to process the data. You need to detail:
- how you will collect, store and use data;
- the volume, variety and sensitivity of the data;
- the nature of your relationship with individuals; and
- the intended outcomes for individuals or wider society, as well as for you.
Senior management and data protection officers will be accountable for understanding and addressing the issues brought about by AI. It could also be demonstrative of ensuring that humans are held accountable for the AI. The ICO considers that the DPIA should also include evidence of consideration of less risky alternatives.
Data protection officers will be accountable for understanding and addressing the issues brought about by AI.
A chapter on ensuring lawfulness in AI has been added, which discusses, amongst other things, ‘special category data’ and how this should be handled. This category of data requires both a lawful basis and an additional condition for processing. This data is personal data which requires extra protection due to its sensitivity, for example, medical, biometrics or criminal convictions data.
Data may fall into special category data if it can be used to infer relevant information about someone, or someone is to be treated differently depending on the inference. The reason this is relevant to AI, is because AI systems can be used to guess or predict details about individuals. It may therefore be possible to infer or guess details which fall within what constitutes special category data.
The ICO also included a chapter titled ‘How do we ensure fairness in AI?’. It states that fairness is a key principle of data protection and personal data must be used fairly in order to comply with, for example, Article 5(1)(a) of the UK GDPR and Section 2(1)(a) of the Data Protection Act 2018. Personal data should be processed in ways that people would reasonably expect, rather than be used in ways which could have unjustified adverse effects on people. It gives an example of using AI to infer data about people, and states that the AI system should be accurate and avoid discrimination.
It is interesting to see the quick developments in this area, and we can imagine that businesses are excited to find out more about how they can use AI in their organisation in a way which complies with laws, regulations and guidance. Keep an eye out for our articles regarding any updates in AI and data protection.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
Read, listen and watch our latest insights
- 27 February 2024
Changing Attitudes to Menopause
We have set out some answers to the frequently asked questions that employers ask when considering how to support a menopausal employee.
- 22 February 2024
Time to take the heat off menopausal women
On 22 February 2024, the EHRC released guidance and resources for employers designed to help employers understand their legal obligations in relation to supporting workers experiencing menopausal symptoms.
- 22 February 2024
Talking Employment Law: What to do if you’re at risk of redundancy
In this podcast, Harry Berryman and Rebecca Dowle, members of the employment team, will talk through the steps that need to be taken for a redundancy to be fair and the range of criteria that can be used when determining which employees will be made redundant.
- 12 February 2024
The World of Work in 2024- What Can HR Expect?
In many senses, 2024 is unlikely to be a year with radical ruptures from those that have gone before it. The significance of 2024 though, is that it is likely to build upon those megatrends impacting the world of work, which have been emerging for some time now and are only likely to strengthen as we move on in time.
- 30 January 2024
Large-scale Redundancies – What to expect as an employee
In today’s uncertain economic environment, it is rare to see a week go by without a major employer announcing redundancies, be they as a result of a restructuring, a contracting business or a merger or acquisition.