On March 15, 2023, the ICO (UK’s data protection authority) published an updated Guidance on AI and Data Protection, in response to requests from the UK industry for clarification on fairness requirements in AI. This update aims to help organizations adopt new technologies while protecting people and vulnerable groups, in line with the ICO25 strategy. The guidance has been restructured into separate chapters based on the foundational nature of data protection principles.
Key changes in the updated guidance include:
- New content on Data Protection Impact Assessment (DPIA): A new section highlights the importance of accountability and governance in AI systems and outlines factors to consider when conducting a DPIA.
- Stand-alone chapter on transparency in AI: A new chapter focuses on the transparency principle as it applies to AI. The main guidance on transparency and explainability can still be found in the existing guidance on “Explaining Decisions Made with AI.” The new chapter emphasizes informing data subjects about the purposes for processing their personal data, retention periods, and data sharing.
- Stand-alone chapter on lawfulness in AI: The section on lawfulness now has its own chapter, with added content on AI and inferences, affinity groups, and special category data. The chapter clarifies that applying AI results to individuals constitutes processing of personal data, even if the training data set did not contain any personal data.
- Stand-alone chapter on accuracy and statistical accuracy: The chapter explains the distinction between data protection law’s accuracy principle and statistical accuracy in AI. AI systems must be sufficiently accurate to ensure personal data is processed lawfully and fairly, even if not 100% statistically accurate.
- Expanded content on fairness in AI: A new chapter on fairness covers various topics, including data protection's approach to fairness; the differences between fairness, algorithmic fairness, bias, and discrimination; high-level considerations for evaluating fairness; and technical approaches to mitigate algorithmic bias.
- New technical annex on fairness in the AI lifecycle: In addition to the new chapter on fairness, a new annex addresses fairness considerations across the AI lifecycle, from problem formulation to decommissioning. This annex is mainly technical and intended for AI engineers and key decision-makers in the development and use of AI products and services.
The updated ICO guidance emphasizes the importance of a principles-based approach to AI and data protection, which will help future-proof the use of AI in a rapidly evolving environment. The principles and main subject matter of the guidance also correspond with other familiar AI regulatory frameworks, such as the proposed EU AI Act and the recently published NIST AI Risk Management Framework.
The APM Technology and Regulation Team is dedicated to helping our clients navigate diverse regulatory requirements and strategically develop their products and services to minimize legal risks. Should you require assistance in incorporating these principles within your organization or have any questions, please feel free to contact us.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as binding legal advice, but rather a practical overview based on our understanding. APM & Co. is not licensed to practice law outside of Israel.