ICO guidance on how to use AI and personal data appropriately and lawfully

  1. The ICO advises that a risk-based approach should be taken when developing and deploying AI. The ICO considers a DPIA will be needed in most cases. Organisations should consider whether they need to use AI or if there is a more privacy friendly option which can be used. There may be occasions where it is not possible to proceed with a project if the risks are too high.

  2. Whilst there is no requirement to have an “AI policy” you will need to think about how you can meaningfully explain to data subjects how decisions are made via AI. The processing may be complex, but you still have an obligation to provide clear, intelligible information about it.

  3. Collect only the data you need. AI systems tend to consume large amounts of data, but mapping the data you hold will help you decide what is actually needed and will support compliance with the data minimisation principle.

  4. Address risks of bias and discrimination at an early stage. Consider what biases may be presented by the data you are collecting and how you can counter these.

  5. Take time and dedicate resources to preparing the data appropriately. The ICO emphasises that ensuring the quality of data input should improve the quality of data output.

  6. AI systems don’t need to be 100% accurate to comply with the accuracy principle but you must consider the possibility of the outputs being incorrect and the impact this may have on decisions you take on the basis of inferences.

  7. Ensure your AI system is secure.

  8. Ensure any human review of AI decisions is meaningful. The ICO warns against rubber stamping by a human reviewer. The degree and quality of the intervention, and the fact that it is performed before a decision is made, are essential.

  9. Using a third-party supplier does not absolve you from your responsibilities. You must ensure you comply with your obligations where you are controller of the personal data (which the ICO states is likely in most cases).

The ICO has also highlighted difficulties in relying on consent as a legal basis where processing operations are complex, where data is put to multiple uses, and where withdrawal of consent would make it difficult to remove the individual’s data from consideration.

You can access the full guidance here.
