The Information Commissioner’s Office (ICO) is urging all organisations considering using data analytics on personal data to look at its new toolkit.
It aims to help organisations build data protection compliance into the start of any data analytics project and is part of the ICO’s wider AI work. It builds on the ICO’s two recent pieces of AI guidance - the explainability guidance produced in partnership with the Alan Turing Institute, and the more recent general guidance on AI and data protection – and is designed to “assist organisations navigate the challenges that AI systems may pose on individuals' rights”.
What does the ICO mean by data analytics?
As part of the toolkit’s introduction, the ICO also sets out some basic descriptions of what it means by data analytics, algorithms and AI.
It describes data analytics as “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications, or risk scores”. Algorithms are a ‘set of mathematical instructions or rules that are given to computer systems to complete tasks’ which are integral to data analytics, and AI is described as “a specific category of advanced algorithm” or “the theory and development of computer systems able to perform tasks normally requiring human intelligence.”
How does the toolkit work?
The toolkit takes organisations through some of the key data protection issues they need to consider from the outset of any project they are planning which involves data analytics and personal data. It:
- asks a series of questions, separated into the themes of lawfulness, accountability and governance, the data protection principles, and data subject rights. The questions cover issues such as "have you conducted a data protection impact assessment", "have you considered the competing interests in your data analytics system and how to manage them" and "have you considered how you will prevent discrimination?";
- offers basic information about the UK GDPR (or law enforcement regime set out in the Data Protection Act 2018 where relevant) for those requiring further information to help them answer the questions; and
- produces a report at the end of the process which the ICO describes as “containing tailored advice for your data analytics project”. For example, if you answered that you had not considered how you would prevent discrimination, your report would contain a short description of the rules in this area and point you to the relevant section of the guidance on AI and data protection.
Will the toolkit tell me I comply with the law?
The ICO acknowledges that the toolkit is not “a pathway to absolute compliance with data protection law” but more of a starting point to help organisations understand what they will need to consider.
The anonymous nature of the report, together with the ‘yes/no’ structure of the questions mean that the toolkit itself is more of a checklist (although, the ICO says, not a definitive list) of issues to consider, while the ‘tailored advice’ in the report seems to be a mechanism to point organisations to some of the main pieces of guidance for those areas requiring additional consideration. This, in itself, is a useful resource given the array of guidance available, the volume of which can be confusing (and in some cases overwhelming). It does, therefore, seem to be a helpful start point. However, it will be interesting to see whether it will be further developed over time to tackle more nuanced issues, and to bring together a more comprehensive list of relevant guidance.
“It is vital that data protection is built in from the start when using data analytics to process personal data. This is not only the law but it’s a crucial step to gaining public trust and confidence in the technology and how your organisation is using people’s data.”