June 3, 2023

Volume XIII, Number 154


June 02, 2023

Subscribe to Latest Legal News and Analysis

June 01, 2023

Subscribe to Latest Legal News and Analysis

May 31, 2023

Subscribe to Latest Legal News and Analysis

UK ICO Issues Updated Guidance on AI and Data Protection

On March 15, 2023, the UK Information Commissioner’s Office (“ICO”) published an updated version of its guidance on AI and data protection (the “updated guidance”), following requests from UK industry to clarify requirements for fairness in AI. 

The key updates are summarized as follows:

  • The updated guidance has been restructured using the data protection principles as the core of the structure. According to the ICO, this structure “makes editorial and operational sense” and will make updating the guidance in the future more efficient.

  • A new section has been inserted detailing what an organization should assess when conducting a data protection impact assessment (“DPIA”) on AI. For example, the DPIA should include evidence of consideration of “less risky alternatives” to achieve the same purpose and why those alternatives were not chosen.

  • A new chapter has been added containing a high-level description of the transparency principle as it applies to AI. For example, the updated guidance confirms that, when personal data is collected directly from a data subject, the data subject should be provided notice if that personal data is to be used to the train the AI model. This chapter is supplementary to the ICO’s existing guidance on explaining decisions made with AI .    

  • A new chapter has been added regarding ensuring lawfulness in AI. The new content in this chapter relates to AI and inferences, affinity groups and special category data. For example, the updated guidance notes that it may be possible, using AI, to infer or guess details about a person, which may constitute special category data. According to the updated guidance, an inference is likely to be special category data if an organization can (or intends to) infer relevant information about an individual, or intends to treat someone differently on the basis of the inference (even if it’s not with a reasonable degree of certainty).

  • A new chapter has been added regarding ensuring fairness in AI. The new content in this chapter includes information on, e.g., the data protection approach to fairness; how fairness applies to AI and a non-exhaustive list of legal provisions to consider; the difference between fairness, algorithmic fairness, bias and discrimination; and processing personal data for bias mitigation.

  • A new annex has been added related to fairness in the AI lifecycle. The annex details data protection fairness considerations across the AI lifecycle, from problem formulation to decommissioning. It also sets outs why fundamental aspects of building AI may have an impact on fairness, identifies the different sources of bias that can lead to unfairness and lists possible mitigation measures.

According to the ICO, the updated guidance “supports the UK government’s vision of a pro-innovation approach to AI regulation and more specifically its intention to embed considerations of fairness into AI.” The ICO also noted that the guidance will require further updates in the future to keep up with the “fast pace of technological developments” and confirmed it will be supporting the implementation of the UK government’s forthcoming White Paper on AI Regulation.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XIII, Number 75

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct