ICO launches data analytics toolkit
What’s in the ICO’s new data analytics toolkit, and how far down the privacy compliance road does it take you?
The key takeaway
The UK Information Commissioner’s Office’s (ICO) new toolkit provides organisations with key data protection points they need to consider for any project which involves data analytics and personal data.
As part of its priority work on artificial intelligence (AI), the ICO has launched a new toolkit for organisations which are planning to use personal data for data analytics. The toolkit outlines important personal data protection considerations which organisations should consider at the beginning of any scheme involving personal data processing. It is part of the ICO’s AI priority work and follows the ICO’s recent publications “Explaining decisions made with AI” and “Guidance on AI and data protection”. As the ICO notes, the toolkit will assist businesses in identifying some of the most significant risks for individuals’ privacy rights and freedoms that can result from the use of personal data analytics. The ICO stresses that many data analytics risks are context specific, so the toolkit cannot guarantee complete compliance with data protection law. That said, it should be regarded as one of your main starting points on any data analytics project you are considering.
The toolkit is aimed at assisting organisations at the beginning of a data analytics project lifecycle. It focuses on helping recognise some of the central risks to the rights and freedoms of individuals created by the use of data analytics and is designed to be a basic introduction to some of the risks to individuals that data analytics may create or worsen.
Many of the risks that arise from the application of data analytics are context specific, therefore the ICO cannot include an exhaustive or definitive list of issues to consider. Naturally assessing the risk in the context of organisations processing activities form part of the organisation’s responsibility as a controller. The toolkit therefore comes with the clear caveat that: “you should not view this toolkit as a pathway to absolute compliance with data protection law, but as a starting point for what you will need to consider”.
The toolkit is designed for organisations and their data protection officers (DPOs) to consider risks, rights and freedoms in the context of data protection law. It is not a comprehensive analysis of every factor that needs to be considered when implementing a data analytics system. Although there are links between the fairness principle of data protection law to ethics and equality, organisations will need to consider these and other elements separately to ensure they are compliant with any additional obligations they may have.
The toolkit defines data analytics as “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications or risk scores”. Integral to data analytics as defined by the ICO are algorithms, and organisations are increasingly using a specific category of advanced algorithm, namely AI to complete tasks. The ICO defines AI as “the theory and development of computer systems able to perform tasks normally requiring human intelligence” and cross-refers to the ICO’s earlier guidance on AI for an analysis of the risks that the use of AI can create for individuals. The ICO stresses that the toolkit can assist regardless of whether AI is used in connection with personal data analytics projects.
How does the toolkit work?
The toolkit starts by asking various questions to determine the legal regime the organisation will be processing under as well as questions relating to lawfulness, accountability and governance, the data protection principles, and data subject rights. Upon using the toolkit, a short, tailored report is created suggesting practical actions the organisation can take and provides links to additional guidance that will help the organisation improve its data protection compliance. The ICO notes that complying with these recommendations is not a guarantee that the toolkit will comply with data protection law, and it is crucial that organisations consider the advice the ICO gives in the context of processing and seek the advice of their DPO where needed.
The ICO further notes the toolkit is anonymous, and the answers provided are not visible to or retained by the ICO. It advises organisations to download a copy of the report generated and retain this for future reference.
Why is this important?
It is vital that data protection compliance is built in from the start whenever data analytics are being contemplated to process personal data. This is not only the law but a crucial step in gaining public trust and confidence.
The toolkit is a useful practical addition to the ICO’s two pieces of guidance on AI referred to above, namely “Explaining decisions made with AI” and “Guidance on AI and data protection”. Although none of these, either individually or combined is intended to provide a one-size fits all solution, they do provide a strong foundation for data protection compliance and their application will provide key evidence of accountability under the GDPR.
Any practical tips?
The toolkit is a welcome addition to compliance processes when commissioning, designing, and implementing data analytics. It’s definitely a good place to start on any of these projects, but there’s no substitute for doing a deeper dive with your DPO. After all, data compliance sits at the heart of any analytics programme and getting the privacy building blocks lined up correctly from the start is crucial.