Category: GDPR

Guidance on AI – FOI requests

New ICO guidance on dealing with AI-generated FOI requests

The ICO has published new guidance to help public authorities confidently handle Freedom of Information (FOI) requests that involve the use of artificial intelligence.

Drivers behind the new guidance

  • The growing number of AI-generated requests is placing strain on authorities
  • Some FOI requests misinterpret or misquote legislation
  • This guidance from the ICO provides practical support to help organisations respond confidently and meet their legal duties

More Information on the ICO website

GDPR explained – necessary, proportionate, fair


Understanding the GDPR terms Necessary, Proportionate and Fair

The GDPR does not require organisations to gain consent before personal information is processed; it merely requires that a lawful basis is established.

However, for the processing to be lawful, a legal basis for processing has to be decided upon, and this has to be evidenced as necessary, proportionate and fair.

Further, the GDPR requires that all of the above be transparent. That is to say, the basis and underlying considerations must be recorded and made available to data subjects (the people whose data is being processed) before the processing takes place.

Identifying an overarching “legal” basis for processing and outlining this within a “privacy policy” may appear sufficient, but in the event of a complaint or breach it is likely to be found woefully inadequate.

To meet the “necessary and fair” requirements of the GDPR, each policy, process, approach, project or initiative needs to have a legal basis for processing identified, and the key underlying principles of Necessary, Proportionate and Fair must be met. Additionally, final decisions and outcomes need to be transparent; that is to say, made available, in an easy to understand manner, to the appropriate staff, stakeholders and service users.

Except in situations where the precise processing activity is specifically required by a Government directive, all organisations need to demonstrate, for each and every individual processing activity, that the “necessary, proportionate, fair and transparent” requirements have been met.

Otherwise, in the event of a complaint or breach, organisations will struggle to evidence GDPR compliance.

Necessary
Processors need to demonstrate that the processing is ‘necessary’ for a specific purpose.

It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted, proportionate and fair way of achieving the stated purpose.

Processing is not deemed “Necessary” if you can reasonably achieve the same purpose by less intrusive means.

Proportionate
Organisations need to consider the scope, extent and intensity of the processing.

That is to say, consider the impact the processing may have on the data subjects, conduct a fair balance assessment and then explore ways in which the impact of the processing can be reduced.

Processing is not deemed “proportionate” if you can reasonably achieve the same purpose through less intrusive means.

Fair
Organisations must use personal data in a way that is fair.

In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually.

If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.

Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justifiable.

Organisations must also ensure they treat individuals fairly when data subjects seek to exercise their rights over their data. This includes, for example, providing clear information on how to object to the processing and on the right to be forgotten.

Transparent Processing
Processors must be clear, open and honest with people from the start about how they use the personal data provided. Data subjects have a right to be informed.

You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

The level of detail provided within the privacy policy should be proportionate; in situations where the need for processing may not be readily obvious to the data subject then the privacy policy needs to provide greater detail on the legal basis and how the necessary, fair and proportionate requirements have been met.

Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data.

Transparency is always important, but especially in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship.

Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important – as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’.

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Impact Assessments
Whilst the GDPR only requires impact assessments to be conducted for high-risk activities, they are the perfect way to inform and evidence necessary, fair and transparent decisions.

Good practice dictates that impact assessments should be completed, recorded and made available to all staff for each and every policy, procedure, process, initiative, project or assignment.

Such an approach delivers the best opportunity to keep personal data safe.

Recording Processing Decisions
Organisations are required by law to document all their data processing activities. This means that, as a data controller, you need to maintain an internal record of all processing activities carried out by any processors on behalf of your organisation.

In the event of complaint or breach the ICO may require organisations to demonstrate that processing is in line with the accountability principle and may require you to provide records of processing activities to them.

For processing to be lawful organisations need to be able to justify a legal basis for the processing and evidence that the requirements for “necessary, fair and transparent” have been met.

Additionally, data controllers need to ensure that the processing decision information is made available to those tasked with processing the data.

Our courses help refresh your knowledge of the GDPR and in doing so help your organisation keep personal information safe.

Concrew Training
August 2023

PECR and the TPS


Do you check with the TPS before making a sales call? If not, you need GDPR/PECR training. Prices start at £395+vat.

The TPS (Telephone Preference Service) allows businesses and individuals to opt out of unsolicited sales and marketing calls.

Whilst the GDPR and PECR should prevent organisations from making unsolicited calls, registering with the TPS adds another barrier and provides a far faster route to resolution in the event of a breach.

All those making sales and marketing calls need to check the numbers against the TPS lists BEFORE making a sales call. Even if a number has been contacted previously, it could since have been added to the barred list.

There are several organisations offering barred call lists, and the prices charged can be high, especially as the data needs to be updated at least every 28 days. We have no affiliation with the TPS, but do note that their charges for accessing the barred call list are significantly lower than some charge.

If you have been making unsolicited sales calls without checking each number against the TPS lists, you are probably breaching the GDPR and PECR in other respects too.

Our GDPR/PECR training starts at just £395+vat – way lower than the average £150,000 fine for GDPR breaches.