ICO’s guidance on the use of artificial intelligence

Most updates in the ICO guidance have been made in the chapters of lawfulness, fairness and transparency. As transparency is key to every processing of personal data, the ICO issued an own guidance on this topic, called the Explaining decisions made with AI Guidance (see this link).

When an organisation uses AI systems, it must always ensure that it fulfils the principles of lawfulness, fairness, and transparency in the personal data processing. The black box issue makes this particularly challenging for data controllers. Accordingly, even developers and designers often cannot predict how an AI system reaches decisions; thus, fairness cannot be guaranteed due to a lack of transparency.

The new guidance can assist you to develop a GDPR-compliant information for data subjects in accordance with Art. 13 and 14 UK GDPR when using AI, as it describes in three parts the basics of explaining AI in general, explaining AI in practice and the impact of those explanations for your company.

Further, a lawful basis must be established whenever processing personal data. In many cases, consent that is freely given, specific, informed, unambiguous and involves a clear affirmative act on the part of the individuals can be the appropriate legal basis, if you have a direct relationship with the data subjects. In AI systems, the particular purposes for the use of data cannot always be fully predicted as processes are not entirely transparent. Furthermore, individuals must always be able to withdraw consent, which can become complicated if personal data is put into an AI system.

The legal basis for performance of a contract or legal obligation can only be valid if the use of AI is absolutely necessary. In general, processing activities without AI can take place here to receive the same outcome. Therefore, such legal bases can only be used in very limited cases, if any.

Considering the legal basis on overriding legitimate interests, you must demonstrate those interests of yours. You best do so by conducting a legitimate interests assessment (LIA). However, as you must balance the interests of the data subjects against yours, when it comes to AI, most of the times the interests of the individuals may outweigh those of the company using AI.

For processing of personal data you always need to take fairness into account. Fairness is given when you only process personal data in ways that can be reasonably expected and is not of discriminating factors, especially not against Human Rights. As AI is complex and can easily provide discriminating outcomes without intention of the developer, privacy by design and by default are key. A DPIA is a great tool to develop the necessary measures in this regard to ensure a safe and compliant AI, as it will allow you to learn potential risks and their harm to individuals and react to those with the correct and state of the art measures.

In case of accuracy, it is necessary to highlight that accuracy in data protection differs from the statistic accuracy in regard to AI. Accuracy in data protection is a principles of Art. 5 UK GDPR, requiring you to ensure that personal data is accurate and, where necessary, kept up to date. In AI, accuracy describes the number of times the AI tool guessed the correct answer.

To ensure accuracy under the UK GDPR, you need to test your AI on its accuracy and implement the AI in such a way to only acknowledge its outcomes as guesses rather than facts. Also, only when the AI is accurate, you can process personal data in a fair, lawful and accurate manner. So it is important to take the right measures. The guidance gives examples of what measures can be for AI processing, for example to detect phishing emails.

Art. 22 UK GDPR, which applies to all automated individual decision-making and profiling, introduces additional rules to protect individuals from being subjected to a decision based solely on automated processing that has legal or similarly significant effects on them. This is only allowed if the processing is (1) necessary for the entry into or performance of a contract, (2) authorised by law, or (3) based on valid consent. Thus, to comply with Article 22 GDPR, you must ensure that you

• give individuals information about the processing,
• introduce simple ways for them to request human intervention or challenge a decision, and
• carry out regular checks to make sure your systems are working as intended.

Not every AI automatically falls within the scope of Art. 22 UK GDPR. To evaluate if your AI tool provides an automated decision-making as defined here, you have to evaluate what kind of decision is made, when the human-determined processing would take place and the context of the decision. When AI falls within this scope is described in more details in the additional guidance on Art. 22 UK GDPR by the ICO (see this link).

AI systems usually process large amounts of data. The ICO refers to the risk of failing to comply with the principle of data minimisation. Accordingly, you may process the personal data that you need for the AI system. That means you must consider if the data you are processing in an AI system is “adequate, relevant and limited” to what is necessary. Especially in the context of machine learning AI, where AI is trained by processing large amounts of data, it can be challenging to comply with the data minimisation principle.

Data security is also a huge consideration when it comes to AI. Several attacks on personal data arise which must be mitigated as much as possible. Measures can be constant revision of the data and blocking of accounts or rate-limiting, where you limit the amount of requests in a certain time period.