Guide to Data Protection Act for Data Controllers

Individual rights

Rights in relation to automated decision making

At a glance

  • The DPA has provisions on solely automated individual decision-making (making a decision exclusively by automated means without any human involvement).
  • An individual may at any time give you a notice in writing requiring that a decision which significantly affects them is not based solely on processing by automated means.
  • If you make decisions that significantly affect individuals solely by automated means, you must notify the individual that the decision was taken on that basis.
  • The individual may then notify you within twenty-one days that you need to reconsider the decision on a different basis (not solely based on automated means). You must then, within twenty-one days, inform the individual of the steps you intend to take to comply with the notice.
  • This right is not absolute and there are circumstances when it does not apply. 

Checklist

All automated individual decision-making and profiling

To comply with the DPA

  • We meet a lawful condition in Schedule 2 of the DPA to carry out automated decision-making.
  • We provide individuals with a privacy notice when we obtain their personal data indirectly.
  • We only collect the minimum amount of data needed and have a clear retention policy for the data we use for the automated decisions we take about individuals.
  • We tell our customers about the automated decision-making we carry out that significantly impacts them.
  • We respond within twenty-one days to notifications received from individuals requiring us to reconsider the decision or make a new decision on a different (non-automated) basis, by specifying what steps we intend to take to meet their notification.

As a model of best practice

  • We have additional checks in place for our automated decision-making systems to protect any vulnerable groups (including children).
  • We carry out a privacy impact assessment to consider and address the risks before we start any new automated decision-making.
  • We inform individuals what information we use to make solely automated decisions, and where we get this information from.
  • We use anonymized data in our solely automated individual decision-making.
  • We don’t use sensitive personal data in our automated decision-making systems unless that processing meets one of the conditions in Schedule 3 of the DPA.
  • We have a simple way for people to ask us to reconsider an automated decision.
  • We have identified staff in our organisation who are authorised to carry out reviews and change decisions.
  • We regularly check our systems for accuracy and bias and feed any changes back into the design process. 

In brief

What is automated individual decision-making?

The DPA does not define automated decision making, but it means a decision made by automated means without any human involvement.

Examples of this include:

  • creditworthiness, e.g. in a decision relating to a bank loan;
  • the individual’s performance at work; or
  • a recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision-making does not have to involve profiling, but it often will do.

Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But they can also represent significant risks for individuals. Section 12 of the DPA is designed to address these risks. 

What does the DPA say about automated individual decision-making?

The DPA restricts you from making solely automated decisions, including those based on profiling, that have a significant effect on individuals.

Individuals have the right to require, at any time, that decisions which affect them substantially are taken on a basis other than a solely automated one.

For something to be solely automated there must be no human involvement in the decision-making process. A decision with a mere token human involvement, such as where a human simply takes over the automated decision without any substantive appraisal, will still be deemed to be automated for purposes of the DPA.

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the DPA, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is, for instance, something that adversely affects someone’s legal rights. “Similarly significant” effects are more difficult to define, but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

What do you need to do under the DPA?

If you engage in solely automated individual decision-making with significant effects on an individual, you must:

  • notify the individual as soon as practicable; and
  • allow the individual within twenty-one days to require that the decision is reconsidered or that a new decision is taken on a different basis.

Within twenty-one days from receiving the individual’s notice, you must then inform the individual in writing of the steps you are taking to comply with their notice. 

Are there circumstances when you do not need to comply with an individual’s notice relating to automated processing?

An individual’s notice requiring you to reconsider or redo a decision that was taken solely on an automated basis does not apply if one condition from each of the following two lists is met:

1. the decision is taken in the course of:

(a) considering whether to enter into a contract with the individual;

(b) entering into such a contract; or

(c) performing such a contract;

and

2. either:

(a) the decision grants a request from the individual; or

(b) steps have been taken to safeguard the legitimate interests of the individual, including allowing the individual to make representations.

Example

An individual applies for a loan with their bank. The bank uses automated decision-making to evaluate the customer’s creditworthiness.

Where the loan is approved, the exemption applies, as the decision meets one condition from each list: it is taken in the course of considering whether to enter into a contract with the individual (1a), and it grants a request (the loan) from the individual (2a).

Where the loan is denied, the exemption will only apply where condition 2(b) is met. This may be satisfied where the logic of the decision is explained to the individual and an avenue is provided for the individual to challenge the decision and have it re-evaluated.

What else do you need to consider?

You should be able to:

  • provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;
  • use appropriate mathematical or statistical procedures;
  • ensure that individuals can:
      ◦ obtain human intervention;
      ◦ express their point of view; and
      ◦ obtain an explanation of the decision and challenge it;
  • put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimize the risk of errors; and
  • secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.

Can you charge a fee for responding to a notice to stop automated decision making?

There is no fee for a notice to reconsider or remake a decision on a different basis than a solely automated basis. 

How long do you have to respond to a notice relating to automated decision making?

When an individual notifies you that they require that a decision solely made on an automated basis must be reconsidered or remade, you have twenty-one days to let them know what steps you are taking to comply with their notice. 

Can you extend the time for a response to a notice relating to automated decision making?

No, there is no extension of the twenty-one day time period for letting an individual know what steps you are taking to comply with their notice relating to automated decision making. 

Can you ask an individual for ID before responding to a notice relating to automated decision making?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you request only the information necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

You must let the individual know without undue delay if you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information. 

Relevant provisions

Data Protection Act (2021 Revision)

Section 12: Rights in relation to automated decision making

Further guidance

ICO: Guidance on automated decision making and profiling

Article 29 Working Party: Guidelines on automated individual decision making and profiling
