ICO: data protection principles apply to AI use

Priya Jhakra of Pinsent Masons, the law firm behind Out-Law, said the draft guidance on a new AI auditing framework that the ICO is consulting on, is useful because it shows how existing data protection principles should and can be applied to AI. Jhakra said the guidance also includes good practice recommendations which may help controllers and those processing personal data to comply with their legal obligations under data protection law when using AI systems.

Like the European Commission in its recent white paper on AI, the ICO has endorsed a risk-based approach to regulation and compliance, with its guidance addressing areas such as accountability and governance, fair, lawful and transparent processing of data, data minimisation and security, and the exercise of individuals' rights under data protection law in the context of AI systems.

"It is unrealistic to adopt a ‘zero tolerance’ approach to risks to rights and freedoms, and indeed the law does not require you to do so – it is about ensuring that these risks are identified, managed and mitigated," the ICO said.

The ICO said that the use of AI must be necessary, proportionate and for a legitimate purpose. It said it is not sufficient for a data controller to use AI simply because the technology is available – businesses need to evidence that they cannot accomplish the purposes of their data processing in a less intrusive way.

Jhakra said: “These are not new principles, and they should be applied to AI as with any other processing of personal data. However, with AI more thought is required to comply with these principles due to the specific nature of the risks posed by using AI, and the way personal data can be processed by AI."

In its guidance the ICO has also emphasised that it is a legal requirement for organisations to undertake a data protection impact assessment when seeking to use AI systems. This is because processing personal data using AI is deemed "likely to result in high risk to individuals’ rights and freedoms" and so triggers the DPIA requirements under the General Data Protection Regulation (GDPR). Businesses might want to produce two versions of a DPIA for different audiences, it said.

"A DPIA should identify and record the degree of any human involvement in the decision-making process and at what stage this takes place," the ICO said. "Where automated decisions are subject to human intervention or review, you should implement processes to ensure this is meaningful and also detail the fact that decisions can be overturned."

"It can be difficult to describe the processing activity of a complex AI system. It may be appropriate for you to maintain two versions of an assessment, with: the first presenting a thorough technical description for specialist audiences; and the second containing a more high-level description of the processing and explaining the logic of how the personal data inputs relate to the outputs affecting individuals," it said.

On accountability, the ICO endorsed the principle of data protection by design, as well as the upskilling and training of staff. The ICO said it is also developing a more general accountability toolkit to help organisations comply with the GDPR.

The ICO has also offered guidance on when, in the context of using AI, organisations are considered to be a data 'controller' or a 'processor' under data protection law. Controllers and processors are subject to different obligations under the GDPR.

The ICO said organisations need to clearly identify who is a controller and who is a processor at the outset.