UK ICO Updates Guidance on Artificial Intelligence and Data Protection

by Marianna Drake, Marty Hansen, Lisa Peets, and Mark Young

From left to right: Marianna Drake, Marty Hansen, Lisa Peets, and Mark Young (photos courtesy of Covington & Burling LLP)

On 29 March 2023, the UK Information Commissioner’s Office (“ICO”) published updated Guidance on AI and data protection (the “Guidance”) following “requests from UK industry to clarify requirements for fairness in AI”. AI has been a strategic priority for the ICO for several years. In 2020, the ICO published its first set of guidance on AI (as discussed in our blog post here) which it complemented with supplementary recommendations on Explaining Decisions Made with AI and an AI and Data Protection risk toolkit in 2022. The updated Guidance forms part of the UK’s wider efforts to adopt a “pro-innovation” approach to AI regulation which will require existing regulators to take responsibility for promoting and overseeing responsible AI within their sectors (for further information on the UK Government’s approach to AI regulation, see our blog post here).

The updated Guidance covers the ICO’s view of best practice for data protection-compliant AI, as well as how the ICO interprets data protection law in the context of AI systems that process personal data. The Guidance has been restructured in line with the UK GDPR’s data protection principles, and features new content, including guidance on fairness, transparency, lawfulness and accountability when using AI systems.

Below is a summary of the key updates:

  • Accountability and Governance – New content is included in the Guidance to address the accountability and governance implications of AI, including what organisations using AI systems should consider when conducting a Data Protection Impact Assessment (“DPIA”) under the UK GDPR. In particular, organisations should ensure that the DPIA includes evidence to demonstrate that “less risky alternatives” were considered, and reasoning on why those alternatives were not chosen. When considering the impact of the processing on individuals, organisations must consider both allocative harms (i.e., harms resulting from a decision to allocate goods and opportunities among a group) and representational harms (i.e., harms occurring when systems reinforce the subordination of groups along identity lines).
  • Transparency in AI – A new, standalone chapter has been added to complement the ICO’s existing guidelines on Explaining Decisions Made with AI. The new chapter contains high-level recommendations on the UK GDPR’s transparency principle as it applies to AI, including that, where data is collected directly from individuals, they must receive privacy information before their data is used to train a model or the model is applied to them. If personal data is collected from other sources, privacy information must be provided “within a reasonable period and no later than one month, or even earlier if you contact that person or disclose that data to someone else”.
  • Lawfulness in AI – The ICO has included a new chapter on lawfulness in AI relating to inferences, affinity groups and special category data. In relation to using AI systems to make inferences, the Guidance states that it may be possible to infer or guess details about someone that fall within special categories of data. Whether or not this counts as special category data and triggers Article 9 UK GDPR depends on how certain that inference is, and whether that inference is drawn deliberately. The inference is likely to be special category data if the use of AI results in the ability to infer relevant information about an individual, or there is an intention to treat someone differently on the basis of the inference. In relation to affinity groups, the Guidance is clear that, where an AI system involves making inferences about a group – creating ‘affinity groups’ – and linking these to a specific individual, then data protection law applies at multiple stages of the processing, meaning that “even if an individual’s personal data is not part of your training dataset, data protection law applies when you use that model on them.”
  • Fairness in AI – A new chapter is included on fairness in AI systems, including recommendations on how data protection law’s approach to fairness applies to AI; considerations for when organisations are processing personal data for bias mitigation; and key questions to ask when considering fairness in the context of automated decision-making under Article 22 UK GDPR. Additionally, the ICO has added a new annex on data protection fairness considerations across the AI lifecycle. It sets out why aspects of building AI may have an impact on fairness, and explains how different sources of bias can lead to unfairness, as well as possible mitigation measures.

Although not legally binding, the updated Guidance provides useful insights on how the ICO might apply the UK GDPR to organisations using AI. It also offers another set of best practices for organisations to consider as they apply AI to their workplaces and services.

 are Partners at Covington & Burling LLP.  This post first appeared in the firm’s blog. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).