The ICO publication follows on from the UK Government’s 2023 AI Regulation White Paper, which advocates a proportionate and pro-innovation, principles-based AI regulatory framework – a framework designed not to stifle responsible innovation with onerous legislative requirements. This approach arguably contrasts with that taken by the European Union, as evidenced by the recently adopted EU AI Act. The UK Government’s White Paper instead defers to the expertise of existing regulators, such as the ICO, to interpret and apply five AI principles within their remit, in line with the UK Government's initial guidance for regulators: Implementing the UK’s AI Regulatory Principles.
Organisations working with AI that take time to understand the five principles and the ICO’s approach to regulating AI will likely achieve compliance with the UK’s data protection regime.
Principle 1: Safety, security and robustness: Security is a data protection principle, with organisations expected to ensure appropriate levels of security against unauthorised or unlawful access to or processing of data, and against its accidental loss, destruction or damage. With that in mind, organisations should have a good understanding of the ICO’s Guidance on AI and Data Protection, which recommends robust security and data handling measures to mitigate risks to individuals that AI might cause.
Principle 2: Appropriate transparency and explainability: Transparency is a data protection principle and AI systems should be suitably transparent and explainable. Awareness of the ICO’s guidance on Explaining Decisions Made with AI, published in conjunction with the Alan Turing Institute, should help organisations in explaining how their AI systems make decisions.
Principle 3: Fairness: Fairness is a key data protection principle such that organisations should only handle personal data in ways that people would reasonably expect. Compliance with the ICO’s AI and Data Protection Guidance will help organisations involved with AI ensure that they meet their data protection fairness obligations.
Principle 4: Accountability and governance: Accountability is a data protection principle requiring organisations to take responsibility for their handling of personal data and how they comply with the data protection principles. AI developers and deployers should familiarise themselves with the ICO’s Accountability Framework, including specific AI accountability guidance, and have regard to the ICO’s current consultation series on generative AI. They should also look out for forthcoming guidance from the ICO and the Equality and Human Rights Commission, the London Office of Technology and Innovation, and the Local Government Association for local authorities procuring AI systems.
Principle 5: Contestability and redress: Individuals have various information rights under data protection law. Where decision-making is assisted by AI, the ICO expects organisations to ensure that individuals can still exercise those rights in respect of their personal information. For example, organisations must ensure that people can contest decisions made solely by automated processes where those decisions affect their legal rights.
Keeping up to date with the ever-evolving framework is key. The ICO recently issued a call for views focusing on individual rights as part of its generative AI consultation series, and views will also be sought on biometric classification technologies.
The ICO's strategic approach to AI provides organisations with much-needed guidance in a complex AI regulatory landscape. Finalising the approach is the initial step. Effective implementation and governance are crucial.
This article was co-authored by Trainee Solicitor, Tulsi Mount.