AI Consultation by the UK ICO
Last week, the UK Privacy Authority also launched a consultation in relation to the Artificial Intelligence phenomenon. The Information Commissioner’s Office (ICO), on 19 February, considered it a priority to dictate its guidelines, as it is one of the main strategic priorities that must also comply with the dictates of privacy.
The strategic priorities are set out in another ICO document, Technology Strategy 2018–2021, there are four:
- #1: Ensuring effective and informed education for ICO staff on technology issues;
- #2: providing effective guidance for organisations on how to address data protection risks arising from technology;
- #3: ensure that the public is effectively informed about data protection risks arising from technology;
- #4: support and facilitate new research on data protection risks and data protection by design.
The following elements are listed in the framework:
- the tools that the Autority will use for the audit and consultation necessary for the investigation work
- the draft guidelines indicating the necessary preventive measures in the use of AI in private or professional settings, which could have an impact on the privacy of the users involved.
This consultation is part of a programmatic and wider work, which also includes the guidelines, of which I had previously written, including the Explain draft, which will be published within the year, and the surveys on the phenomenon of “facial recognition”.
Unlike the other works, already published until now, also by other authorities, this framework is not a normative code, but a “summa” of “best practices”, therefore first of its kind!
Structured in four sections, the official document reads as follows:
«The frame of reference:
- provides us with a robust methodology to verify IA applications and ensure that they process personal data in a fair, legal and transparent manner;
- ensures that the necessary measures are in place to assess and manage the risks to the rights and freedoms arising from IA; and
- supports the work of our investigation and insurance teams in assessing the compliance of organisations using IA».
As you read, the keywords for proper industry compliance are all there!
Clearly, at the beginning of the document, it is specified that the most relevant legislation in the UK is the Data Protection Act 2018, in combination with the GDPR, Part 2 addresses the integration of the GDPR in the UK, Part 3 regulates a separate regime for law enforcement authorities, and Part 4 establishes a separate regime for the three intelligence services.
Apart from the introduction, in which the ICO explains the purpose of the consultation, in relation to the AI phenomenon, the other 4 sections contain the following questions as headings:
- What are the accountability and governance implications of IA?
- What should we do to ensure legality, fairness and transparency in IA systems?
- How should we assess the security and minimisation of data in IA?
- How can we guarantee individual rights in our IA systems?
The ICO states that feedback from those who develop and implement AI systems is essential, and therefore targets two groups in particular:
- those with a focus on compliance, such as data protection officers, general advisors, and risk managers, particularly those responsible for approving the implementation of AI systems in their organizations.
- Technology specialists, including machine learning experts, data scientists, software developers and engineers and IT security risk managers.
The hearings will end on April 1, 2020, and then open for consultation and a final document will be published by the summer.
All Rights Reserved
Raffaella Aghemo, Lawyer
