Written by Haim Ravia and Dotan Hammer
The United Kingdom’s Information Commissioner’s Office (ICO), the British privacy regulator, published an updated version of its guide on artificial intelligence and data protection, in response to calls from the British industry for clarification. The guide was initially published in 2020 and provides an outline of the legal obligations relating to the use of artificial intelligence. I also established a recommended code of conduct in the industry.
The ICO revised the guide in several key aspects:
- The topics that organizations are required to examine when they conduct a data protection impact assessment (DPIA) in the field of artificial intelligence. Among other things, the DPIA must include evidence that the organization considered the use of “less dangerous” alternatives to achieve the goals for which it chose to use artificial intelligence and the reasons why those alternatives were rejected. When an organization considers the proportionality of using artificial intelligence, it must factor in the potential harm to data subjects that could arise from biases or inaccuracies in the AI algorithm and data sets.
- The principle of transparency in the use of artificial intelligence, under which organizations that collect personal information directly from the data subject and use it to train AI models must explicitly inform the data subject.
- The organization’s obligation to determine the lawful basis for processing information using artificial intelligence. That legal basis may not be changed later without sufficient reason. The guide emphasizes the importance of distinguishing between the development and assimilation phases of artificial intelligence as it concerns the legal basis. Each of these raises different risks for data subjects. If organizations rely on consent as the legal basis for processing, they must ensure that consent is given freely and that it is specific, informed, and unambiguous.
- The principle of fairness, according to which organizations may process personal information only in ways that data subjects would reasonably expect, and not in ways that could cause disproportionate harm or mislead the data subjects.
According to the ICO, given the rapid rate of developments in technology, additional updates to the guide as likely in the future.
Click here to read the updated version of the Guidance on AI and data protection.