17 September 2024

Ethical Use of AI: A New Area of Demand for Data Protection Professionals

By Jess Pembroke, Head of Data Protection

AI systems that involve processing personal data must comply with any data protection regulations, such as the General Data Protection Regulation (GDPR) and in-country legislation; however, this growing area puts additional pressure on Information Governance and privacy professionals to assess and advise on the ethical and privacy issues of artificial intelligence.  

The topic of AI is certainly not new to Information Governance professionals: the UK’s Information Commissioner’s Office (ICO) was making significant commentary on this area several years ago.[1] The challenges around this tool are similar to those we already face about the implementation of any new project, these can include:

Privacy by Design

One of the challenges for a Data Protection Officer (DPO) is encouraging staff to complete Data Protection Impact Assessments (DPIAs). These assessments are crucial for identifying and minimising data protection risks in projects. As part of the accountability obligations outlined in the GDPR, DPIAs ensure that privacy and data protection are integrated from the beginning of any project. 

They are especially important when new data processing activities, including those involving artificial intelligence (AI), could pose a high risk to individuals’ rights and freedoms. However, getting staff to recognise the necessity and importance of DPIAs can be difficult, particularly if they perceive the data processing as low risk.

Some organisations have introduced additional assurance processes, and Data Protection teams may need to consider if templates should be adapted and updated to consider issues specific to AI. Data Protection professionals could look to the Data Ethics Framework – GOV.UK (www.gov.uk) including an editable template for examples of considerations that may need to be incorporated within the Data Protection Impact Assessment process.  

AI can mean many things and its application will vary enormously, but depending on the specific application, it use can also introduce other issues of wider legal compliance such as human rights law, equality, copyright and other types of Intellectual Property so the question then arises as to who should contribute to these issues. 

Although a Data Protection Officer has expertise in GDPR that doesn’t mean they are best placed to be the ethical decision maker. Delivering an AI project should “involve a collaborative effort between the data scientists, product managers, data engineers, domain experts, and delivery managers on your team to align the development of artificial intelligence technologies with ethical values and principles that safeguard and promote the wellbeing of the communities that these technologies affect”.[2]

Data Subject Views

Practitioners must ensure that they communicate with departments/teams implementing any AI systems to explain the risks to service user/data subject trust of failing to communicate. Engaging with data subjects about AI projects is essential to ensure fair consultation. 

In the recent ICO reprimand to Chelmer Valley High School the ICO stated “The controller also failed to seek advice from their DPO in relation to the introduction of the facial recognition technology, nor did they consult with parents or students before commencing with the processing”[3].

Failing to engage service users and subsequent negative press coverage of AI issues can result in service users withdrawing from wider services, for example “some patients have decided to deregister from their GPs over the fear of how AI may be used in their healthcare and how their private information may be shared…”This of course means that these individuals may not receive the healthcare they may need in the future and fall through the cracks,”.[4]

Conclusions

These two issues are just a handful of those that data protection practitioners must consider when their organisations are planning to implement a new system or solution involving AI.  

Interestingly, for those in the public sector with responsibilities for Freedom of Information as well as Data Protection the issue of AI is being asked questions around its use[5] and the policies and procedures[6] organisations have in place to manage these tools.

As AI continues to evolve and integrate into various sectors, data protection professionals are expected to acquire additional skills and knowledge. They must stay abreast of technological advancements and ethical considerations to effectively guide their organisations in the responsible use of AI. This includes understanding the nuances of AI-specific risks, ensuring compliance with evolving regulations, and fostering a culture of transparency and trust with data subjects.

Why not take a look at our latest courses, including:

  • AI and Information Law: Privacy and Ethical Considerations (half day; 3 CPD UK points)

This half-day course introduces participants to the challenges that artificial intelligence (AI) poses to personal data. It analyses key issues related to complying with the UK data protection law regime (the Data Protection Act 2018 and UK GDPR), covering principles such as lawfulness, fairness, transparency, and security, and respecting people’s rights. 

The course draws from current developments in the UK and globally, equipping participants with the skills and knowledge to address contemporary challenges associated with new technologies. It also examines intellectual property ownership as a specific ethical issue relating to AI.

  • An Overview of the Freedom of Information Act and Environmental Information Regulations (half day; 3 CPD UK points)

This course is ideal for participants seeking practical guidance on their responsibilities when individuals exercise their rights under the Freedom of Information Act and Environmental Information Regulations. It explores the management of Freedom of Information Requests (FOIs) with scenarios that guide participants through the essential steps involved in handling requests compliantly.


[1] Our work on Artificial Intelligence | ICO

[2] understanding_artificial_intelligence_ethics_and_safety.pdf (turing.ac.uk)

[3] Reprimand (ico.org.uk)

[4] AI in healthcare: what are the risks for the NHS? – BBC News

[5] Use of generative AI tools (e.g. ChatGPT) by employees – a Freedom of Information request to Peterborough City Council – WhatDoTheyKnow

[6] https://www.whatdotheyknow.com/request/ai_use

Recent News

Back to News

Discover more from Naomi Korn Associates

Subscribe now to keep reading and get access to the full archive.

Continue reading