ICO launches data analytics toolkit
What’s in the ICO’s new data analytics toolkit, and how far down the privacy compliance road does it take you?
The key takeaway
The UK Information Commissioner’s Office’s (ICO) new toolkit provides organisations with key data protection points they need to consider for any project which involves data analytics and personal data.
The background
As part of its priority work on artificial intelligence (AI), the ICO has launched a new toolkit for organisations which are planning to use personal data for data analytics. The toolkit outlines important personal data protection points which organisations should consider at the beginning of any scheme involving personal data processing. It follows the ICO’s recent publications “Explaining decisions made with AI” and “Guidance on AI and data protection”. As the ICO notes, the toolkit will assist businesses in identifying some of the most significant risks for individuals’ privacy rights and freedoms that can result from the use of personal data analytics. The ICO stresses that many data analytics risks are context specific, so the toolkit cannot guarantee complete compliance with data protection law. That said, it should be regarded as one of your main starting points on any data analytics project you are considering.
The toolkit
The toolkit is aimed at assisting organisations at the beginning of a data analytics project lifecycle. It focuses on helping recognise some of the central risks to the rights and freedoms of individuals created by the use of data analytics and is designed to be a basic introduction to some of the risks to individuals that data analytics may create or worsen.
Many of the risks that arise from the application of data analytics are context specific, so the ICO cannot include an exhaustive or definitive list of issues to consider. Naturally, assessing the risk in the context of an organisation’s processing activities forms part of the organisation’s responsibility as a controller. The toolkit therefore comes with the clear caveat that: “you should not view this toolkit as a pathway to absolute compliance with data protection law, but as a starting point for what you will need to consider”.
The toolkit is designed for organisations and their data protection officers (DPOs) to consider risks, rights and freedoms in the context of data protection law. It is not a comprehensive analysis of every factor that needs to be considered when implementing a data analytics system. Although there are links between the fairness principle of data protection law and ethics and equality, organisations will need to consider these and other elements separately to ensure they are compliant with any additional obligations they may have.
Data analytics
The toolkit defines data analytics as “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications or risk scores”. Algorithms are integral to data analytics as defined by the ICO, and organisations are increasingly using a specific category of advanced algorithm, namely AI, to complete tasks. The ICO defines AI as “the theory and development of computer systems able to perform tasks normally requiring human intelligence” and cross-refers to the ICO’s earlier guidance on AI for an analysis of the risks that the use of AI can create for individuals. The ICO stresses that the toolkit can assist regardless of whether AI is used in connection with personal data analytics projects.
How does the toolkit work?
The toolkit starts by asking various questions to determine the legal regime the organisation will be processing under, as well as questions relating to lawfulness, accountability and governance, the data protection principles, and data subject rights. Once the questions have been answered, the toolkit creates a short, tailored report which suggests practical actions the organisation can take and provides links to additional guidance that will help the organisation improve its data protection compliance. The ICO notes that complying with these recommendations is not a guarantee of compliance with data protection law, and it is crucial that organisations consider the advice