Click to open contact form.
Your Global Partners in the Business of Innovation

The ICO Issues Draft Guidance on AI Auditing Framework

Publications / Feb 27, 2020

Article written by Adi Shoval

The Information Commissioner’s Office in the UK (the “ICO”) issued its draft guidance on auditing AI technologies. This guidance aims to provide solutions to companies that design or implement AI, with a methodology to audit applications to ensure that they process personal data fairly.

The guidance explains how one can assess the risks to the rights and freedoms of individuals that AI can trigger, and the appropriate measures to mitigate them. The guidance focuses on a risk-based approach to AI and suggests technical and organizational measures and procedures proportionate to the possible risks to the rights and freedoms of individuals.

The guidance discusses the accountability and governance implication of AI, stating that organizations shall perform a data processing impact assessment before using AI. The assessment should include, among others, an explanation of any relevant variation or margins of error in the performance of the AI system, which may affect the fairness of the processing, analysis of the necessity and proportionality of the AI system, and the risks of using the AI system and mitigating measures taken.

The guidance notes that organizations should distinguish between the development or training of AI systems and their deployment, as each may have distinct and separate purposes and risks, that in turn require a different lawful basis for processing personal data.

Finally, the guidance discusses the effect AI may have on the rights of the data subjects with regards to the processing of their personal data. It recognizes that enabling individuals to exercise their rights may be difficult in some cases, such as when using machine learning models, which can make it difficult to link training data to a particular individual. Nevertheless, the fact that a request may be harder to fulfill does not take the data processed out of scope and the organization shall take reasonable measures to verify the individuals’ identity and respond to their requests.

CLICK HERE to read the full ICO guidance.