AI: data round up - the ICO toolkit and data protection

This instalment of our "AI: data round up - what’s the story?" covers the ICO Toolkit.

Data analytics are becoming increasingly synonymous with AI. When organisations decide to implement or utilise AI which will have access to or process personal data, there are various data protection considerations including that the personal data will need to be processed in accordance with UK GDPR. The ICO has produced a toolkit (here) to assist businesses at the start of their data analytics project.

What are data analytics?

The ICO defines data analytics in the toolkit as: “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications or risk scores”. Data analytics do not always employ AI and the toolkit is still useful for businesses to consult when considering non-AI driven data analytics software.

Data protection by design

The toolkit helps those implementing data analytic software to meet with the UK GDPR principles including data protection by design and by default. (i.e. considering data protection and privacy issues upfront).

Content of the toolkit

The toolkit poses questions, to ensure considerations such as the lawfulness of the processing, the potential impacts, and operational or technical adjustments that may need to be made. These include the following:

Step 1 - Data protection by design

• Data Protection Impact Assessments (DPIA): Article 35 of the UK GDPR requires controllers to assess the impact of the envisaged processing operations on the protection of personal data prior to the processing and in particular when using new technologies. This can also help to demonstrate a business’ compliance with data protection law, in accordance with the accountability principle contained in Article 5(2).
   
• System design: Article 25 sets out the requirements for “data protection by design and by default”. Controllers will need to ensure the data analytics software implements appropriate technical and organisational measures and integrates necessary safeguards.

Step 2 – Lawful basis

• Legal grounds for processing: consider the lawfulness of the processing and find a legal ground as set out in Article 6. If, for example, businesses had previously relied upon consent for their processing they will need to consider whether the consent provided provides for the use of data analytics.
   
• Condition for special category data: if processing special category data, an Article 9 condition for processing will also need to be considered too.

Step 3 – “AI considerations”

This step highlights some of the key issues using automated processes, including fairness and prevention of discrimination. It also flags the need to consider the business’ privacy notice to ensure it would accurately reflect the processing.

• Automated decision-making or profiling: When using automated decision-making or profiling, notify data subjects and provide some information around the logic and potential impacts. There are also additional safeguards required under Articles 13 and 14 (information to be provided), 15 (right of access by the data subject) and 22 (automated individual decision-making, including profiling).
   
• Fairness: Personal data should be processed "fairly" (Article 5(1)), which the ICO states “means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned”.
   
• Discrimination: Data analytics which learn from data may reflect discrimination or bias and therefore, may proliferate discrimination. Businesses will need to consider the data the data analytics software is provided at inception, but also the ongoing data it is fed to avoid discrimination and keep up with ever-changing demographics.

Step 4 – Security measures

Step 4 requires businesses to consider security measures, purpose limitation, consideration of individual rights and human oversight.

Toolkit for implementing data analytics?

The toolkit is a helpful resource and starting point, but it states itself it is not a comprehensive analysis of every factor.