The ICO said that the use of AI must be necessary, proportionate and for a legitimate purpose. It said it is not sufficient for a data controller to use AI simply because the technology is available – businesses need to evidence that they cannot accomplish the purposes of their data processing in a less intrusive way.
Jhakra said: “These are not new principles, and they should be applied to AI as with any other processing of personal data. However, with AI more thought is required to comply with these principles due to the specific nature of the risks posed by using AI, and the way personal data can be processed by AI.”
In its guidance the ICO has also emphasised that it is a legal requirement for organisations to undertake a data protection impact assessment when seeking to use AI systems. This is because processing personal data using AI is deemed "likely to result in high risk to individuals’ rights and freedoms" and so triggers the DPIA requirements under the General Data Protection Regulation (GDPR). Businesses might want to produce two versions of a DPIA for different audiences, it said.
"A DPIA should identify and record the degree of any human involvement in the decision-making process and at what stage this takes place," the ICO said. "Where automated decisions are subject to human intervention or review, you should implement processes to ensure this is meaningful and also detail the fact that decisions can be overturned."
"It can be difficult to describe the processing activity of a complex AI system. It may be appropriate for you to maintain two versions of an assessment, with: the first presenting a thorough technical description for specialist audiences; and the second containing a more high-level description of the processing and explaining the logic of how the personal data inputs relate to the outputs affecting individuals," it said.
On accountability, the ICO endorsed the principle of data protection by design, as well as the upskilling and training of staff. The ICO said it is also developing a more general accountability toolkit to help organisations comply with the GDPR.
The ICO has also offered guidance on when, in the context of using AI, organisations are considered to be a data 'controller' or a 'processor' under data protection law. Controllers and processors are subject to different obligations under the GDPR.
The ICO said organisations need to clearly identify who is a controller and who is a processor at the outset.