ICO publishes updated Guidance on AI and Data Protection
After receiving requests from UK industry to explain the fairness requirements for artificial intelligence, the ICO has updated its Guidance for AI and Data Protection. Several chapters have been restructured and new ones have been added to keep up to date with recent developments and challenges in AI. The amended Guidance is part of the ICO’s commitment, namely the ICO25 Commitment, to support businesses in using new technologies while simultaneously safeguarding vulnerable groups and all individual’s data protection rights.
The ICO continues to work in collaboration with the UK Government, and its partners within the Digital Regulation Cooperation Forum, on proposals on regulatory reform. The ICO intends to continue to provide user-friendly guidance which minimises the burden of compliance for different organisations whilst reflecting changes to AI regulation and data protection. Doing so is intended to support and further the UK Government’s aim to boost industry whilst ensuring appropriate regulatory measures are in place.
The specific chapters and annexes within the Guidance that has been amended/inserted are:
1. “What are the accountability and governance implications of AI?”: This chapter provides new guidance on what should be covered by a Data Privacy Impact Assessment when using AI to process personal data.
2. “How do we ensure transparency in AI?”: This new chapter explores the transparency principle in accordance with Article 5(1)(a) of the UK GDPR when using AI systems to process personal data.
3. “How do we ensure lawfulness in AI”: This chapter repositions existing ICO guidance and includes two new sections regarding inferences, affinity groups and special category data.
4. “What do we need to know about accuracy and statistical accuracy?”: This new chapter deals with the accuracy principle. Whilst the ICO acknowledges that statistical accuracy is pivotal in fairness, it was believed to be best categorised under this chapter that centres on the accuracy principle.
5. “Fairness in AI”: This new chapter is taken from existing and new material in an aid to make data protection approaches to the fairness principle more user friendly. It provides information on:
- The approach to fairness within the context of data protection, how it pertains to AI as well as a non-exhaustive list of legal provisions that ought to be considered.
- Differentiating fairness, algorithmic fairness, discrimination and bias.
- Considerations to evaluate fairness and inherent trade-offs.
- Processing personal data for bias mitigation.
- Approaches to mitigate algorithmic bias via technological means.
- Exploring how exclusively automated decision-making and relevant safeguards coincides with fairness. It also explores the crucial questions to establish when considering Article 22 of the UK GDPR (dealing with solely automated decision making).
6. “Annexe A: “Fairness in the AI Lifecycle”: This annexe explores fairness in data protection considerations throughout the AI lifecycle ranging from problem formulation to decommissioning. It also illustrates distinct sources of bias that can lead to unfairness and likely mitigation measures.
Further technical terms are also added to the updated glossary.
In order to keep up with technological developments and advancements, the ICO iterates that further updates will be required in order for the data protection principles to make “editorial and operational” sense. Moreover, we will see further revisions and amendments to the Guidance in light of the UK Government’s White Paper on AI Regulation.
The ICO’s updated Guidance is available here. For a further exploration of the topic, please read our previous article here.
How can we help?
Our Data Protection & Cyber Security team can assist with any data protection related queries that you might have, so please do not hesitate to contact us.
This article was co-written by Arina Yazdi, Trainee Solicitor.