Artificial IntelligencePrivacy
Last week at the forum we discussed how to construct a privacy notice, considering both statutory required inclusions and other useful information. Whilst we discussed privacy notices generally there was an underlying focus on changes that may be required for organisations adopting AI systems and AI features that have gone live in their current systems.
Setting the Ground Rules: The Importance of Transparency
Privacy notices are how organisations comply with the transparency principle set out in Article 13 & 14 UK GDPR. Being open and upfront about what you do with people’s personal data helps you deal with them in a clear and transparent way. This makes good sense for any organisation and is key to developing trust with individuals
There is no prescriptive legislative description of how a privacy notice should be set out although it does need to include the following types of information:
- The name and contact details of your organisation
- The contact details of your data protection officer
- The purposes of the processing
- The lawful basis for the processing
- Explain which lawful basis you are relying on in order to collect and use people’s personal data and/or special category data.
- The legitimate interests for the processing
- The recipients, or categories of recipients of the personal data
- The details of transfers of the personal data to any third countries or international organisations
- The retention periods for the personal data
- The rights available to individuals in respect of the processing
- The right to withdraw consent and how
- The right to lodge a complaint with a supervisory authority
- Tell people that they can complain to a supervisory authority.
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data
- Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data.
- The details of the existence of automated decision-making, including profiling. This is particularly important when AI is being used for placing pupils in capability related classes, exam levels and similar decisions which have a significant effect on a pupil.
AI & Privacy Notices: New Challenges
For any AI systems that process personal data, they must be included in the recipients and international transfers sections at a minimum. If a system is entirely AI, you should explain what the system is used for, who the vendor is, and the name of the system. It may be easier and more user-friendly to add a separate AI section addressing these systems. If AI features have been added to existing systems, you should expand the section of your notice that refers to that system/processor to explain the feature. This might include transcribing tools in Teams/Google Meet or grading in edTech systems for example.
For any systems used for automated decision-making and/or profiling, there are extra legal provisions to comply with. You should confirm your use of AI-enabled decisions, when you use them, and why you choose to do this, including which systems and vendors are involved. It is important to include a “human-in-the-loop” for decisions that have legal or similar effects, as Article 22 gives individuals the right not to be subject to a solely automated decision.
Article 21 of the UK GDPR also gives individuals the right to object to any profiling that you carry out on the basis of legitimate interests or a public task. In these cases, an individual can object on grounds relating to their particular situation. This applies to all systems and not just those which use AI.
If you do not use AI for automated decision making and/or profiling it can be useful to state this within your privacy notice but you would need to be certain that edTech systems aren’t being used in this way in any of your schools. Given that vendors are rushing to introduce AI in their systems it might not be possible to confidently state this in your privacy notice.
Q&A Session
A great debate emerged during our Q&A session about centralised control versus academy-level autonomy when it comes to privacy notices. Privacy notices are the responsibility of the ‘data controller,’ which in a multi-academy trust (MAT) is the Trust itself, not the individual academies. While there’s nothing stopping a Trust privacy notice from having a section relating to processing at each individual academy, this may be redundant.
The question to consider is what school-specific information would be included that couldn’t already be part of the Trust notice. If this relates to the use of systems, it may be worth adding in a paragraph for a specific school under the relevant section.
It’s also worth splitting your privacy notices into separate documents for different classes of data subjects, as a single notice can become quite large. This could include separate notices for pupils, parents/guardians, staff, governors/trustees, and suppliers/contractors. You might also consider a visitor notice, especially if you have CCTV on site.
Final Thoughts
Privacy notices and the implications of AI are complex topics, and these are just some of the key takeaways from our forum discussion. As we move forward, we’ll continue to explore new challenges. Our next session will be on 14 November at 12:45 pm, where we’ll be diving into the latest on Article 30 Record of Processing Activities including what’s required and recommended process for populating
I look forward to seeing you there!
Click here to add it to your Google Calendar or download the attached .ics file at the bottom of this blog post.
Thanks again to everyone who joined the session. See you at the next one.
Please feel free to reach out if you would like to find out more about our range of data protection, information governance & AI governance services.
