AI in the workplace survey report

Businesses grapple with AI governance

AI governance is described as being in its infancy by Data Protection Officers and those who work in data protection related roles. Many are concerned employees are using AI tools for work purposes without telling anyone. This is just one of a number of concerns DPOs have about AI use. Many organisations have yet to decide who should be responsible for governing AI and managing the potential risks. These are just some of the findings of our 2024 AI in the Workplace Survey. Learn more in our survey report:
How to prevent DSAR complaint escalation

Nearly forty thousand complaints were received by the Information Commissioner’s Office in the past year. Staggeringly, 39% of them concerned people’s Right of Access according to the ICO’s Annual Report 2023/24.

Handling Data Subject Access Requests (aka DSARs or SARs) can be fraught. Often those requesting a copy of their personal data are already disgruntled, be it an employee going through a grievance procedure or a dissatisfied customer. This means requestees are often quick to react if the statutory deadline is missed. They may also closely scrutinise your response, looking for any mistakes or omissions. Or their solicitor will. Any requestee has the potential to become dissatisfied and escalate matters to the ICO.

More than a decade ago, I was handling a request and missed the deadline by 24 hours. Much to my frustration they had already fired off their complaint to the ICO, and this was pre-GDPR!

I know of many businesses who’ve received letters from the ICO following a DSAR complaint. These will usually ask you to address the issues raised directly with the individual – and quickly! However, if your organisation racks up too many ICO complaints, the regulator is likely to delve deeper.

This delving has led to a number of ICO DSAR-related reprimands being issued. Most recently, the Labour Party has been in the spotlight for ‘repeatedly failing to respond to people who asked what personal information the party held on them’. A backlog of requests mounted up after a cyber attack in October 2021, with the ICO receiving 150 complaints. During its investigation, the ICO discovered 78% of people had not received a response within the maximum extended timescale of three months and more than half were delayed by over a year. They also found an unmonitored ‘privacy inbox’ was overflowing with hundreds of DSAR and erasure requests – none of which received any form of response whatsoever.

Hopefully most organisations will avoid such a catalogue of problems, but it’s still worth remembering certain factors can prompt a spike in DSAR requests. In this case a cyber attack, but a non-cyber data breach could also create a surge. Similarly, a business restructure might prompt a rise in employee-related requests. And let’s not forget the random factor – like Mr Farage’s very public DSARs to NatWest, which not only led to NatWest getting an increase in requests, but reportedly had a knock-on effect on other banks too.

Here are my tips for getting on the front foot and mitigating the risk of complaint escalation.

6 golden rules for managing DSARs

1. Staff awareness & a sense of urgency

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them (and other privacy rights, such as erasure), and know what to do if they receive or spot one. Failing to do so puts you on the back foot straight away. Everyone needs to be aware time is of the essence, so training and clear guidance is essential. Refresh it too, with friendly reminders.

Quick checklist:
✓ Individual privacy rights are covered in new starter and refresher training.
✓ Ongoing awareness via posters, intranet posts, newsletters etc.
✓ Specialist training for those involved in the process of fulfilling requests.

2. Robust procedure

A clear procedure which walks relevant staff through the key steps and considerations is invaluable, especially for times when key people aren’t available and someone else has to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on. Without this, a lot of knowledge could walk out the door when a key person leaves the business or is not available during long periods of absence such as maternity or sickness leave.

3. Adequate resourcing

Businesses receiving a significant volume of requests are likely to have a dedicated person or team to handle them. They might also have sophisticated software to help speed up the process. But for those who have low or fluctuating volumes, it can be tricky to judge how many people need to understand the process and manage requests.

In my experience, often the one or two people who have to handle requests end up snowed under for weeks and completely distracted from their day jobs when a DSAR lands on their desk with an ominous thump. What happens if your go-to DSAR person is not available? The clock is ticking.

You also need to factor in how to handle any spike in requests – foreseen or unforeseen. Have you got other adequately trained staff, or alternative resources on standby to cover higher volumes? There was a case in Belgium where the Data Protection Authority ruled that the person who normally handled DSARs being on long-term absence was no excuse for a late response. I think the UK’s ICO would take a similar stance.

4. Assigned responsibilities

While one person or a team may have ultimate responsibility for managing DSARs and responding to them on time, it’s likely others across the business will need to support them. For example, your IT team may play a significant role in retrieving the data, or HR may need to be closely involved in an employee-related DSAR. It helps to make sure it’s clear who’s responsible for retrieving the data, reviewing the data, applying exemptions, applying redactions, reviewing the response, approving it and sending it out securely.

5. Managing expectations and communicating

This is my personal favourite; quite often requestees don’t quite understand what a DSAR really entitles them to, so it pays to set out your stall from the start. Explain what the right is and what they can expect to receive. Tell them you have a duty to protect the privacy of others, that it’s not a right to documentation and that exemptions may apply. Keep in touch with requestees, and dare I say it, even pick up the phone and talk things through. Confrontation can sometimes be defused – I’ve known of DSARs being withdrawn after a decent chat (and with no pressure whatsoever applied).

6. Polished response

A good covering letter can go a long way to satisfying the individual that you’ve made every effort to fulfil their request. This can, for example, explain:
✓ The personal data being provided
✓ Some of the internal processes (where appropriate)
✓ Redactions have been applied to protect the privacy of others (if relevant)
✓ Why an exemption has been applied (if relevant)
✓ Legally necessary supplementary information (or a link to a Privacy Notice if this covers matters sufficiently)

The above is by no means an exhaustive list and I’m a big fan of a template response letter which can be adapted as needed.

Finally, don’t forget to inform people about their privacy rights such as the right to object, erasure, rectification and access. Privacy notices should set out these rights, and it should be clear how people can submit a request. And of course, tell them they have the right to raise a complaint with the ICO (with fingers firmly crossed they don’t).

Check out our DSAR Guide for more tips on seeking clarification, retrieving the data, complex requests and applying redactions.
Data Protection Impact Assessments Guide

A quick guide to managing DPIAs

This short guide to Data Protection Impact Assessments covers what a DPIA is and when it’s mandatory to conduct one under UK GDPR and EU GDPR. It also includes helpful tips on how to manage the process. DPIAs not only help to protect people’s data, they also help to protect the business.
Monitoring employees and data protection

Is it transparent, reasonable and proportionate?

There are plenty of reasons why employers might want to monitor staff: to check they’re working, to detect and prevent criminal activity, to make sure people are complying with internal policies, to check their performance, for safety and security reasons, and so on.

With significant advances in technology, there are multiple options available for employers seeking to monitor their workforce, such as:
Camera surveillance, including CCTV and body worn cameras
Webcams and screenshots
Monitoring timekeeping or access control using biometric data
Keystroke monitoring
Internet tracking for misuse
Covert audio recording

Add the growing number of AI-powered solutions into the mix, and the opportunities are seemingly endless. I’ve even seen demos of AI tools which sentiment check emails, scanning the language employees use to detect content which might be discriminatory, bullying or aggressive.

Just because a range of monitoring technologies exist doesn’t mean we should use them. A survey commissioned by the UK’s Information Commissioner’s Office in 2023 revealed almost one in five people believe they’ve been monitored by their employer, and would be reluctant to take a job if they knew they were going to be monitored. This research showed 70% of the public believe it’s intrusive to be monitored in the workplace. However, there is a broad understanding employers might carry out checks on the quality and quantity of their work and an appreciation there may be a necessity to do this proportionately to meet health and safety or other regulatory requirements.

Emily Keaney, the ICO’s Deputy Commissioner of Regulatory Policy says “While data protection law does not prevent monitoring, it must be necessary, proportionate and respect the rights and freedoms of workers. We will take action if we believe people’s privacy is being threatened.”

Earlier this year, the ICO did just that, and ordered a Leisure Company to stop using biometric data to monitor their staff. You can read more about the case here: using biometrics to monitor staff

To prevent monitoring employees in an overly intrusive and disproportionate way, it’s crucial to carefully consider any planned monitoring activity and make sure it’s a reasonable thing to be doing.

Workplace monitoring checklist

Here are some of the key considerations to take into account:

1. Is it lawful, fair and transparent?

To be lawful you need to identify a lawful basis under UK GDPR and meet relevant conditions. Remember, consent would only work where employees have a genuine and fair choice. Often an imbalance of power means consent is not appropriate in an employee context. Employees may feel duty-bound to give consent and therefore there may be an imbalance. You may be tempted to rely on your employment contract with individuals (i.e. the ‘contractual necessity’ lawful basis), but this would need to be genuinely necessary. Many employers may choose to rely on legitimate interests, but this requires a balancing test, and we’d highly recommend conducting and keeping a record of your Legitimate Interests Assessment (LIA).

To be fair you should only monitor workers in ways they would reasonably expect, and in ways which wouldn’t have unjustified adverse effects on them. The ICO says you should conduct a Data Protection Impact Assessment to make sure any monitoring is fair and proportionate.

To be transparent you must be open and upfront about what you’re doing. Monitoring should not routinely be done in secret. Monitoring conducted without transparency is fundamentally unfair. There may however be exceptional circumstances where covert monitoring is justified.

2. Will monitoring gather special category data?

If monitoring involves special category data, you’ll need to identify a special category condition, as well as a lawful basis. Special category data includes data revealing racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health or data about a person’s sex life or sexual orientation. You may not automatically think this is relevant, but be mindful even monitoring emails, for example, could, without appropriate controls in place, lead to the processing of special category data.

3. Have you clearly set out your purpose(s) for employee monitoring?

You need to be clear about your purpose(s) and not monitor workers ‘just in case’ it might be useful. Personal details captured should not subsequently be used for a different purpose, unless this is assessed to be compatible with the original specified purpose(s).

4. Are you minimising the personal details gathered?

Organisations are required to not collect more personal information than they need to achieve their defined purpose(s). This should be approached with care as many monitoring technologies and methods have the capability to gather more information than necessary. You should take steps to limit the amount of data collected and how long it’s necessary to retain it for.

5. Is the information gathered accurate?

You need to take all reasonable steps to make sure the personal information gathered through monitoring workers is accurate and not misleading, or taken out of context, and people should have the ability to challenge the results of any monitoring.

6. Have you decided how long information will be kept?

Personal information gathered must not be kept for any longer than is necessary. It shouldn’t be kept just in case it might be useful in future. Organisations must have a data retention schedule and delete any information in line with this. The UK GDPR doesn’t tell us precisely how long this should be, but other laws might. Organisations need to be able to justify any retention periods they set.

7. Is the information kept securely?

You must have ‘appropriate technical and organisational measures’ in place to protect personal information. Technical measures include things like firewalls, encryption, multi-factor authentication, and so on. Data security risks should be assessed, access should be restricted, and those handling the information should receive appropriate training. If monitoring is outsourced to a third-party processor, you’ll still be responsible for compliance with data protection law.

8. Are you able to demonstrate your compliance with data protection law?

Organisations need to be able to demonstrate their compliance with UK GDPR. This means making sure appropriate policies, procedures and measures are put in place for workplace monitoring activities.

And let’s also consider any monitoring of workers who work from home, or other ‘offsite’ locations. As with everything this must be proportionate to the risks.

The ICO says organisations should make sure ‘overall responsibility for monitoring workers rest at the higher senior management level’. Monitoring people is by its very nature intrusive; it must be proportionate and justified, and people should in most circumstances be told it’s happening.

The ICO has published detailed guidance on this (Employment practices and data protection: monitoring workers), and the regulator’s overriding message is organisations should carry out a DPIA if they’re considering monitoring their staff.
Understanding and handling Special Category Data

Why is it special and what does data protection law tell us we need to do?

There is a distinct subset of personal data which is awarded ‘special’ protection under data protection law. This subset includes information for which people have been persecuted in the past, or suffered unfair treatment or discrimination, and still could be. These special categories of personal data are considered higher risk, and organisations are legally obliged to meet additional requirements when they collect and use it.

Employees need to be aware special category data should only be collected and used with due consideration. Sometimes there will be a clear and obvious purpose for collecting this type of information, such as a travel firm needing health information from customers, or an event organiser requesting accessibility requirements to facilitate people’s attendance. In other situations it will be more nuanced.

What’s special category data?

Special Categories of Personal Data under UK GDPR (and its EU equivalent) are commonly referred to as special category data, and are defined as personal data revealing:
Racial or ethnic origin, e.g. diversity and inclusion data
Political opinions
Religious or philosophical beliefs
Trade union membership

The definition also covers:
Genetic data
Biometric data (where this is used for identification purposes)
Data concerning health, e.g. medical records, sickness records, accessibility requirements and so on
Data concerning a person’s sex life or their sexual orientation, e.g. diversity and inclusion data

Inferring special category data

Sometimes your teams might not realise they’re collecting and using special category data, but they might well be. It’s likely if you have inferred or made any assumptions based on what you know about someone, for example they’re likely to have certain political opinions, or likely to suffer from a certain health condition, this will mean you are handling special category data.

There was an interesting ICO investigation into an online retailer which found it was targeting customers who’d bought certain products, assuming from this they were likely to be arthritis sufferers. This assumption meant the retailer was judged to be processing special category data.

If you collect information about dietary requirements these could reveal religious beliefs, for example halal and kosher. It’s also worth noting in 2020 a judge ruled that ethical veganism qualifies as a philosophical belief under the Equality Act 2010.

Other ‘sensitive’ data

There’s sometimes confusion surrounding what might be considered ‘sensitive’ data and what constitutes special category data. I hear people say “why is financial data not considered as sensitive as health data or ethnic origin?” Of course, people’s financial details are sensitive and organisations do still need to make sure they’ve got appropriate measures in place to protect such information and keep it secure. However, UK GDPR (and EU GDPR) sets out specific requirements for special category data which don’t directly apply to financial data.

To understand why, it’s worth noting special protection for data such as ethnicity, racial origin, religious beliefs and sexual orientation was born in the 1950s, under the European Convention on Human Rights, after Europe had witnessed people being persecuted and killed.

Special Category Data Requirements

In a similar way to all personal data, any handling of special category data must be lawful, fair and transparent. Organisations need to make sure their collection and use complies with all the core data protection principles and requirements of UK GDPR. For example:
Do you have a clear purpose and reason for collecting/using special category data?
Have you identified a lawful basis? For example: is this data necessary in order for you to fulfil a contract you have with the individual? Are you legally obliged to hold this data? Should you be seeking their consent? Or is there another appropriate lawful basis? Quick Guide to Lawful Bases.
Have you told people what their special category data will be used for? What does your Privacy Notice tell people? Have people seen your Privacy Notice?
Can you minimise the amount of special category data you are collecting?
Have you decided how long this data will be kept for?
How will you make sure this data is not used for another, different purpose?
What security measures will you put in place? e.g. can you limit who has access to this data?

What makes special category data unique is it will be considered a higher risk than other types of data, and also requires you to choose a special category condition.

Other key considerations and requirements

Risk Assessments

Confirm whether you need to conduct a Data Protection Impact Assessment for your planned activities using special category data. DPIAs are mandatory for any type of processing which is likely to be high risk. This means a DPIA is more likely to be needed when handling special category data. That’s not to say it will always be essential; it really will depend on the necessity, nature, scale and your purpose for using this data.

Special Category Condition

Alongside a lawful basis, there’s an additional requirement to consider your purpose(s) for processing this data and to select a special category condition. These conditions are set out in Article 9, UK GDPR.
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

Associated condition in UK Law

Five of the above conditions are solely set out in Article 9. The others require specific authorisation or a basis in law, and you’ll need to meet additional conditions set out in the Data Protection Act 2018. If you are relying on any of the following you also need to meet the associated condition in UK law. This is set out in Part 1, Schedule 1 of the DPA 2018.
Employment, social security and social protection
Health or social care
Public health
Archiving, research and statistics

If you are relying on the substantial public interest condition you also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018. The ICO tells us for some of these conditions, the substantial public interest element is built in. For others, you need to be able to demonstrate that your specific processing is ‘necessary for reasons of substantial public interest’, on a case-by-case basis. The regulator says we can’t have a vague public interest argument; we must be able to ‘make specific arguments about the concrete wide benefits’ of what we are doing.

Appropriate Policy Document (APD)

Almost all of the substantial public interest conditions, plus the condition for processing employment, social security and social protection data, require you to have an APD in place. The ICO Special Category Guidance includes a template appropriate policy document.

Privacy Notice

A privacy notice should explain your purposes for processing and the lawful basis being relied on in order to collect and use people’s personal data, including any special category data. Remember, if you’ve received special category data from a third party, this should be transparent and people should be provided with your privacy notice.

Data breach reporting

You only have to report a breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals, and if left unaddressed the breach is likely to have a significant detrimental effect on individuals. Special category data is considered higher risk data, and therefore if a breach involves data of this nature, it is more likely to reach the bar for reporting. It is also more likely to reach the threshold of needing to notify those affected.

In summary, training and raising awareness are crucial to make sure employees understand what special category data is, how it might be inferred, and to know that collecting and using this type of data must be done with care.
DSAR ruling and other people’s data

High Court judgement in Harrison vs Cameron case

A recent High Court ruling concerning a Data Subject Access Request reveals some interesting points relating to how organisations comply with people’s right to know the identity of the recipients of their personal data, and how organisations apply the ‘third-party exemption’.

The right of access gives people the right to receive a copy of their own personal data; it doesn’t give them the right to receive personal data relating to others. However, often other people’s details are intertwined as part of the data retrieved. In this particular case, the focus was on other people the requester’s data had been shared with, and whether the requester had the right to know the identity of these recipients.

The ‘third party exemption’ frequently comes up for debate when handling DSARs and this case sheds light on how this exemption should be applied. In the ruling the Judge found that it’s necessary to apply a ‘balancing test’ when considering the third-party exemption. It was also acknowledged that the controller is the ‘primary decision maker’ when assessing whether it is reasonable or not to disclose personal data relating to others, and has a ‘wide margin of discretion’ in this decision.

Here’s some background to two of the key points of law in this case:

What’s the third-party exemption?

The third-party exemption is set out in the UK Data Protection Act 2018 and says organisations (controllers) do not have to comply with a DSAR if in doing so this would mean disclosing information which identifies another individual. Organisations can disclose such information if the third party has given their consent, or if it’s reasonable to disclose without their consent.

What about the recipients of personal data?

Along with the right to receive a copy of their personal data, when an individual submits a DSAR they are also entitled to receive other supplementary information. This includes details of any ‘recipients’ or ‘categories of recipients’ the organisation has, or will, disclose their personal data to.

The Harrison vs Cameron case

Mr Harrison, Chief Executive of a real estate investment company, was covertly recorded making threats to Mr Cameron, the owner of a gardening business. Here’s a summary of what happened next:
Mr Cameron shared the recording with some of his employees, members of his family and friends.
Mr Cameron sent the recording to twelve people in total, and it was then shared on to a further three people.
Mr Harrison claimed the recordings had been shared more widely and damaged his business.
Mr Harrison submitted a DSAR to Mr Cameron in a personal capacity (I’ll come back to this) and submitted similar requests to others, including employees at the gardening business. He demanded to know the identity of the people who’d received the recording.
Mr Cameron and others declined his request, and the case ended up in the High Court.

The Court decided Mr Cameron was not himself a controller of Mr Harrison’s data, and that he’d made the recordings in his capacity as a director of the gardening company. Therefore the company, not Mr Cameron, was the controller and responsible for fulfilling the request.

According to the judge, a person’s rights extend to being provided with details of the specific recipients of their personal data, including the names of individuals who’ve received their data. The rationale behind this is to enable the individual to check the lawfulness of how their personal data is being handled. This is a potentially worrying development as organisations may have previously viewed this as an either/or: provide the names of specific recipients, or provide just the categories of recipient. This ruling makes it clear this is the requester’s choice, not the controller’s decision.

However, in this case the judge found the gardening company could rely on the third-party exemption and not disclose the identity of the recipients. Why? None of the fifteen recipients consented to their names being disclosed to Mr Harrison, due in part to concerns this may expose them to abusive and threatening behaviour. Due to these safety concerns the judge ruled it would not be reasonable to disclose people’s names without their consent.

Ultimately this ruling makes it clear it is the controller’s decision to make: is it reasonable or not to disclose information which identifies other people?

Third-party balancing test

The ICO’s Right of Access guidance provides helpful pointers on how to conduct a balancing test when considering the third-party exemption. There isn’t a blanket rule; a balanced decision is required on whether it’s appropriate in the circumstances to disclose information relating to others, or withhold it.

1. Can you redact or not provide?

Consider if it’s possible to comply with the request without revealing information that relates to, and identifies, another individual. For example, can this third-party information be redacted, or can you separate out the requester’s personal data? Sometimes, even redacting other people’s names doesn’t render them unidentifiable. There may be situations where you can reasonably assume the requester will be able to work out whose name has been redacted.

2. Can you seek consent?

If you can get the consent of another individual to disclose their details, it’s a problem solved. I’ve been involved in cases where the consent of other employees has been sought in employee related requests and they’ve given it. However, you’re not obliged to seek consent and it may not be appropriate to do so. You might not have contact details for the third party, you might not want to share information with them, or let them know a particular individual has submitted a DSAR.

3. Reasonable to disclose without consent?

Where the information about other individuals is fairly innocuous and you can’t identify any negative impact on them, you may choose to disclose the information without consent. In assessing whether this is reasonable to do, you need to take account of:
the type of information you intend to disclose
whether it was possible to seek consent or not
whether consent was declined
any duty of confidentiality

Any potential repercussions for the third party if their data is disclosed (or they are identifiable from what you provide) can be considered. As this case shows, concerns for a person’s safety can be justification for applying the third-party exemption.

I’ve worked on many cases where this has been debated, situations where redaction wouldn’t render the third party unidentifiable and it wasn’t appropriate to seek consent. The context is crucial; sometimes it has been reasonable to disclose, other times we had justified concerns and chose to withhold.

It’s important to be clear with the requester about what you are giving them in your response to their DSAR. If you rely on the third-party exemption, you should tell them, and explain why. I’d also highly recommend documenting your decision-making just in case it’s challenged.
Data Sharing Checklist

Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but it does place on us a requirement to do so lawfully, transparently and in line with the other key data protection principles. Organisations often need to share personal data with other parties. This could be reciprocal or one-way, a regular activity, ad hoc or a one-off.

Quick Data Sharing Checklist

Here’s a quick list of questions to get you started on how to share personal data compliantly. (The focus here is on sharing data with other controllers, i.e. other organisations who will use the personal data for their own purposes. There are separate considerations when sharing data with processors, such as suppliers and service providers.) See: Controller or processor, what are we?

1. Is it necessary? It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment? Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data, it might be a good idea to conduct one anyway. See: Quick DPIA Guide.

3. Do people know their data is being shared? Transparency is key, so it’s important to make sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way? Is it covered in your Privacy Notice? In some situations it may not be possible to be transparent, in which case a robust and defensible justification is needed.

4. Is it lawful? To be lawful we need a lawful basis, and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent, is it specific, informed and an unambiguous indication of the person’s wishes? If we’re relying on legitimate interests, have we balanced our interests against those of the people whose data we’re sharing? See: Quick guide to lawful bases.

5. Can we reduce the amount of data being shared? Check what data the other organisation actually needs; you may not need to share a whole dataset, a subset may suffice.

6. Is it secure? Agree appropriate security measures to protect the personal data, both when it’s shared and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access have access?

7. Can people still exercise their privacy rights? Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long will the personal data be kept for? Consider whether it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas? If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement? UK GDPR does not specify a legal requirement to have an agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’, as an agreement can set out what happens to the data at each stage, along with agreed standards, roles and responsibilities. See: ICO Data Sharing Agreement guidance.

Other data sharing considerations

Are we planning to share children’s data? Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under-18s. This is likely to be a clear case of ‘conduct a DPIA’!

Is the other organisation using the data for a ‘compatible purpose’? Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department of Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition? If so, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation? We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full of useful information about how the Regulator would expect organisations to approach this.
Tackling AI and data protection

Raising staff awareness of data protection risks from their use of AI

The growth of AI continues at a tremendous rate. Its use in the workplace has plenty of benefits, including streamlining processes, automating repetitive tasks, and helping employees to do their jobs ‘better’ and more effectively. While many people are jumping in with both feet, others have growing concerns about the implications for individuals and their personal data. There are also very real concerns surrounding intellectual property and commercially sensitive information, which may be being ‘leaked’ out of the business through AI applications.

As employees increasingly bring AI into the workplace, the risks grow. A recent Microsoft and LinkedIn report found all generations of workers are bringing their own AI tools to work, from ‘73% of Boomers’ through to ‘85% of Gen Z’. The report found many are hiding their use of AI tools from their employers, possibly fearing their jobs may be at risk.

Generative AI is a key focus for data protection authorities. The ICO has recently concluded a year-long investigation into Snap Inc’s launch of the ‘My AI’ chatbot, following concerns that data protection risks had not been adequately assessed. The regulator is warning all organisations developing or using generative AI that they must consider data protection from the outset, before bringing products to market or using them in the workplace.

In this article I’ve taken a look at how generative AI works, the main concerns, and what employers can do to try and mitigate the risks. And, most importantly, how to control the use of AI in the workplace.

Generative AI and Large Language Models

Generative artificial intelligence relates to algorithms, such as ChatGPT, which can be used to create new content like text, images, video, audio, code and so on. Recent breakthroughs in generative AI have huge potential to impact our whole approach to content creation. ChatGPT, for instance, relies on a type of machine learning called Large Language Models (LLMs). LLMs are usually very large deep neural networks, trained on giant datasets such as published web pages. Recent technology advances have enabled LLMs to become much faster and more accurate.

What are the main AI concerns?

With increased capabilities and the growth in adoption of AI come existing and emergent risks. We are at a trigger point, where governments and industry alike are keen to realise the benefits to drive growth. The public too are inspired to try out AI models for themselves. There’s an obvious risk of jobs being displaced, as certain tasks carried out by humans are replaced by AI technologies.

Concerns recognised in the technical report accompanying GPT-4 include:
- generating inaccurate information
- harmful advice or buggy code
- the proliferation of weapons
- risks to privacy and cyber security

Others fear the risks posed when training models using content which could be inaccurate, toxic or biased, not to mention illegally sourced! The full scope and impact of these new technologies is not yet known, and new risks continue to emerge. But there are some questions that need to be answered sooner rather than later, such as:
- What kinds of problems are these models best capable of solving?
- What datasets should (and should not) be used to create and train generative AI models?
- What approaches and controls are required to protect the privacy of individuals?

What are the main data protection concerns?

AI data inputs

The datasets used to train generative AI systems are often likely to contain personal data that might not have been lawfully obtained. In many AI models, the data used may be obtained by “scraping” (the automated gathering of data online), which often violates most privacy principles. Certain information may have been used without consideration of intellectual property rights, where the owners have not been approached nor given their consent for use. The Italian Data Protection Authority (Garante) blocked ChatGPT, citing its illegal collection of data and the absence of systems to verify the age of minors. Some observers have pointed out these concerns are broadly similar to the reasons Clearview AI received an enforcement notice.

AI data outputs

AI not only ingests personal data, but may also generate it. Algorithms can produce new data that may unexpectedly expose personal details, which leaves individuals with limited control over their data. There are many other concerns, such as transparency, algorithmic bias, inaccurate predictions and the risk of discrimination. Fundamentally, there are concerns that appropriate accountability for AI is often lacking.

Key considerations for organisations looking to adopt AI

We need to understand what people across the business are already doing with AI, or planning to do. Get clarity about any personal data they are using, particularly any sensitive or special category data. Make sure they are aware of the potential risks and know what questions to ask, rather than diving straight in. We suggest you start by talking to business leaders and their teams to identify emerging uses of AI across your business. It’s a good idea to carry out a Data Protection Impact Assessment (DPIA) to assess privacy risks and identify proportionate privacy measures. Rather than adopting huge ‘off-the-shelf’ generative AI models like ChatGPT (and what may come next), businesses may consider adopting smaller, more specialised AI models trained on the most relevant, compliantly gathered datasets.

Do we need an AI Policy for employees?

To make sure AI is being used responsibly in your organisation, it’s crucial employees are provided with clear guidance on considerations and expected behaviour when using AI tools. A robust AI Policy can go some way to mitigating risks, such as those relating to inaccurate or harmful outputs, data protection, intellectual property, commercially sensitive information and so on. Here are some pointers for areas to cover in an AI Policy:

1. Your approach to AI: Does your company permit, limit or ban the use of AI in the workplace? What tasks is it permitted to be used for? What tasks must it never be used for?

2. Internal procedures and rules: Set out clear steps employees must follow. Be clear where the red lines are and who they should contact if they have questions or concerns, or if they need specialist support.

3. AI risks: Clearly explain the risks. You are likely to want to prohibit employees from using sensitive data of a personal, commercial or confidential nature.

4. Review of AI-generated work: Humans should review all AI-generated outputs, as these may be inaccurate or completely wrong. Human review should be baked into your procedures. Also, will you hold employees accountable for errors in their AI-generated work?

5. List of permitted AI tools/platforms.

Regularly update and circulate the policy to take account of developments. In all of this, organisations need to be mindful of emerging AI regulations around the globe, and in particular in the jurisdictions in which your organisation operates.

Differing regulatory approaches

EU – The EU has adopted the world’s first Artificial Intelligence Act. It takes a ‘harm and risk’ approach which bans ‘unacceptable’ uses of artificial intelligence and introduces specific rules for AI systems proportionate to the risk they pose. It imposes extensive requirements on those developing and deploying high-risk AI systems, yet is lighter touch for low-risk/low-harm AI applications. Some have questioned whether existing data protection and privacy laws are appropriate for addressing AI risk. We should be mindful that AI can increase privacy challenges and add new complexities to them. See: IAPP EU AI Cheat Sheet.

UK – Despite calls for targeted AI regulation, the UK has no EU-equivalent legislation and currently looks unlikely to get one in the foreseeable future. The current Tory Government says it’s keen not to rush in and legislate on AI, fearing specific rules introduced too swiftly could quickly become outdated or ineffective. For the time being the UK is sticking to a non-statutory, principles-based approach, focusing on the following:
- Safety, security, and robustness;
- Appropriate transparency and explainability;
- Fairness;
- Accountability and governance; and
- Contestability and redress.

Key regulators such as the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA) and others are being asked to take the lead. Alongside this, a new advisory service, the AI and Digital Hub, has been launched. There’s a recognition that advanced General Purpose AI may require binding rules. The government’s approach is set out in its response to the consultation on last year’s AI Regulation White Paper. ICO guidance can be found here: Guidance on AI and data protection. Also see: Regulating AI: The ICO’s strategic approach (April 2024).

US – In the US a number of AI guidelines and frameworks have been published. The National AI Research and Development Strategic Plan was updated in 2023. This stresses a co-ordinated approach to international collaboration in AI research.

As for the rest of the world, the IAPP has helpfully published a Global AI Legislation Tracker.

Wherever you operate, it is vital data protection professionals seek to understand how their organisations are planning to use AI, now and in the future. Evaluate how the models work and assess any data protection and privacy risks before adopting them.