ICO guidance on AI and data protection

Created By: Keiron Watt
Last updated: 21 Aug 2023
Guide

A blog from the Information Commissioner's Office looking at people’s interactions with government, both local and central, and how they hand over data about themselves. People should feel confident that this data is handled appropriately, lawfully, and fairly. The blog concludes by detailing a number of practical steps that local authorities and central government can take when using algorithms or AI, in order to alleviate concerns around the fairness of these technologies.

Please see the comment section below for further guidance from the ICO relating to this. 

Category: Data maturity » Governance and compliance; Ethics and legal issues; Data maturity » Data lifecycle

Was good to read. Thanks.

Further to this blog, the Information Commissioner's Office (ICO) has shared some further advice to councils to assist in complying with the relevant data protection legislation. The guidance is:

• As a data controller you are responsible for ensuring your processing complies with the UK GDPR. This includes any processing carried out by a processor on your behalf. If you decide to engage a third party to process personal data using algorithms, data analytics or AI, you are responsible for assessing that they are competent to process personal data in line with UK GDPR requirements. You should ensure that you have a sufficient understanding of the processing activity in order to be able to make this assessment. For more information on your responsibilities as a controller, you may wish to review the ICO’s guidance on controllers here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-a-controller/. You may also wish to review the ICO’s detailed guidance on contracts and liabilities between controllers and processors here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/.

• You should regularly review your privacy policy, and identify areas for improvement. You must also bring any new uses of an individual’s personal data to their attention before you start the processing. You may wish to review the ICO’s guidance on the right to be informed here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/about-this-detailed-guidance/

• You should continue to demonstrate accountability for the data processed. As part of this, the council should consider conducting a DPIA for any type of processing including certain specified types of processing that are likely to result in a high risk to the rights and freedoms of individuals. You may wish to review the ICO’s guidance on DPIAs here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/what-is-a-dpia/

• You should review personal data processed using algorithms, data analytics or similar systems, to ensure that you have a clear understanding of what personal data you hold, and why you need it. You should be able to clearly justify how long you keep personal data, and should regularly review information, and erase this when it is no longer required – in line with your retention policy. You may find it useful to review the ICO’s guidance on storage limitation here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/ and the ICO Records Management checklist here: https://ico.org.uk/for-organisations/sme-web-hub/checklists/data-protection-self-assessment/records-management-checklist/

• You have a responsibility to ensure that the information processed is accurate and up to date. You should reactively and proactively review data processed using algorithms, data analytics or similar systems, and update it as necessary. You may find it useful to review the ICO’s guidance on accuracy here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/accuracy/

• Should you consider the use of any future systems using data analytics or AI, you should recognise any risks to the rights and freedoms of individuals created by the processing. You may wish to consider the ICO’s toolkit for organisations considering using data analytics: https://ico.org.uk/for-organisations/toolkit-for-organisations-considering-using-data-analytics/. You should also be able to explain the processes, services and decisions delivered or assisted by AI to the individuals affected by them. You may find it useful to review the ICO and The Alan Turing Institute guidance on explaining decisions made with AI: https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/explaining-decisions-made-with-artificial-intelligence/.