The Lens

Digital developments in focus


AI-generated DSARs: learnings from ICO guidance on FOIA requests

Individuals are increasingly turning to AI to help them generate and submit information requests, whether under the Freedom of Information Act 2000 (FOIA) or the GDPR. However, although the use of AI may benefit those who previously struggled with exercising their rights through formal correspondence, it is also leading to an increase in volume and complexity of FOIA requests and GDPR data subject access requests (DSARs). Acknowledging the strain this is placing on public authorities, the Information Commissioner’s Office (ICO) has published new guidance for public authorities on AI-generated FOIA requests. We set out below some of the takeaways from the guidance, including for organisations in the private sector grappling with similar concerns under the DSAR regime. 

Different regimes but common complaints 

Under FOIA, individuals have a right to request recorded information held by UK public authorities. Under the GDPR, individuals have a right to access personal data concerning them and other supplementary information from any organisation processing their personal data. Crucially, requests under both regimes are often time-consuming and burdensome for the organisation or authority to fulfil and open to abuse. 

The use of AI tools to help generate and submit information requests has exacerbated this problem, with requests tending to be longer and broader in scope. In addition, AI-generated requests can hallucinate, including by misquoting legislation, or require significant clarification before they can be processed. 

Key takeaways from the guidance

The ICO is concerned that without clear, practical support, AI-generated requests risk placing pressure on FOIA teams and could lead to delays, errors or increased complaints. It is likely to have similar concerns in respect of DSARs and so a number of the takeaways below are likely to be relevant to data privacy teams handling DSARs: 

  • Decisions should remain anchored in the existing legal frameworks: the AI-generated nature of such requests has no impact on their validity, and they cannot be refused on that basis alone. All the existing rules and guidance will continue to apply, for example in relation to timelines and possible exemptions. The ICO is likely to have a similar view in respect of AI-generated DSARs.
  • Individuals can be encouraged to verify and review their requests before submission: the ICO has provided an example AI notice for public authorities to use to deter individuals from submitting burdensome and erroneous AI-drafted requests. The notice prompts the individual to check their request meaningfully to prevent straining public resources; however, elements of it could potentially be adapted for DSAR requestors in the private sector.
  • Vexatious requests: the ICO acknowledges that using AI to draft FOIA requests may result in an increased volume of requests, repetition of requests or an inappropriate tone. It suggests situations where a request may be refused on the grounds of being vexatious (under s 14 of FOIA), including where the requester is using AI to send repeated requests for substantially similar information, or to send requests intended only to disrupt work or impact resources. However, the refusal test for DSARs is different (i.e. manifestly unfounded or excessive), which is typically considered to be a slightly higher threshold, so private sector organisations should take a cautious approach when drawing parallels.
  • AI can be leveraged in the response process: as long as data protection laws are adhered to, AI can be used to streamline the response process by triaging inboxes, summarising disclosures, and supporting redaction. Proactive measures that harness AI responsibly will help to manage the rising volume of requests. This is likely to be relevant to DSARs as well, which will be comforting news to the many private sector organisations already doing or considering doing this.  
  • Accuracy and transparency: authorities are reminded that information produced through their own use of AI will be subject to FOIA. This same principle is likely to apply equally to DSARs and so private organisations that are using AI to process personal data should be prepared to disclose it if it meets the criteria under the GDPR.

Overall, this guidance serves as a reminder that although the ICO understands the pressures at play, there is no get-out-of-jail card for AI-generated FOIA requests and DSARs. Legal principles should be applied consistently, regardless of how a request is created. Having said that, the FOIA guidance is intended to give teams practical, sensible support, rather than add new burdens. If anything, used responsibly, AI can help teams handling these requests and this should be factored into internal policies and processes.

Many thanks to Lewis Laithwaite for his assistance with this post. 
