The UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).

The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.

The ICO notes that the toolkit will assist businesses in identifying some of the most significant risks for individuals’ privacy rights and freedoms that can result from the use of personal data analytics and is likely to be most helpful at the start of data analytics projects. The ICO observes that many data analytics risks are context-specific, so the toolkit cannot guarantee complete compliance with data protection law, but should be regarded as a starting point regarding the issues that require consideration.

The toolkit defines data analytics as “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications or risk scores”, noting that algorithms are central to data analytics as defined in this way and that the use of AI (special types of sophisticated algorithms) to complete tasks is increasing.

The toolkit observes that AI can be defined as “the theory and development of computer systems able to perform tasks normally requiring human intelligence” and cross-refers to the ICO’s earlier guidance on AI for an analysis of the risks that the use of AI can create for individuals (although the ICO stresses that the toolkit can assist regardless of whether AI is used in connection with personal data analytics projects).

The toolkit starts by posing various questions relating to lawfulness; accountability and governance; the data protection principles; and data subjects’ rights, following which the toolkit generates a report including tailored advice in relation to the organization’s data analytics project. The ICO notes that the toolkit is anonymous and any answers provided will not be saved by or visible to the ICO (in view of this, the ICO suggests taking a copy of the report for future reference).

Reports generated by the toolkit include details of appropriate actions for organizations to take and links to further guidance to strengthen data protection compliance.  The ICO stresses that organizations’ data protection officers should be consulted about data analytics projects in addition to using the toolkit.

The new toolkit should be helpful in assisting organizations and their data protection officers to consider the risks to data subjects’ data protection rights and freedoms that may arise in the context of data analytics projects and to take steps to ensure that such risks are addressed and mitigated.  This additional guidance will doubtless be welcomed by those undertaking personal data processing in the context of data analytics exercises and should hopefully increase data protection compliance in this increasingly significant area.