At a glance
- Part 3 provides safeguards for individuals against the risk that a potentially damaging decision is taken by solely automated means, ie without human intervention.
- You may not take a significant decision based solely on automated processing unless that decision is required or authorised by law. A ‘qualifying significant decision’ is defined as a decision which significantly affects or produces an adverse legal effect on an individual and is authorised by law.
- Currently, solely automated decision-making that leads to an adverse outcome is rarely used in the law enforcement context and is unlikely to have many operational implications.
Individuals have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces an adverse legal effect or a significantly affects the individual.
You must ensure that individuals are able to:
- obtain human intervention;
- express their point of view; and
- obtain an explanation of the decision and challenge it.
To qualify as human intervention, you must ensure that you carefully analyse the decision and consider all the available input and output data, rather than just a token review. This should be carried out by someone who has the authority and competence to change the decision.
Part 3 of the Act does not mention profiling in the context of automated decision-making but the Law Enforcement Directive 2016/680 provides that:
“profiling that results in discrimination against natural persons on the basis of personal data which are by their nature particularly sensitive in relation to fundamental rights and freedoms should be prohibited under the conditions laid down in Articles 21 and 52 of the Charter (Charter of the Fundamental Rights of the European Union).”
Profiling and automated decision-making can be combined activities of the same process, or can be carried out separately. There may be cases of automated decisions made with (or without) profiling and profiling which may take place without making automated decisions. The profiling which applies in this section has to involve some form of automated processing.
Profiling as defined in the Act is any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
- performance at work;
- economic situation;
- personal preferences;
- location; or
Profiling based on special categories of data (or sensitive categories in the Act) which results in discrimination against individuals is prohibited.
The right does not apply when a decision does not have an adverse legal or similarly significant effect on someone.
An automated processing system could include an IT database of criminal records or prosecution histories, where data is input or accessed by staff via automated means.
‘Automated decision making’ only comes into play where the controller takes a ‘significant’ decision based solely upon automated processing, often without any human interaction. This is a decision that produces an adverse legal effect concerning the individual or otherwise affects the individual.
You should inform an individual if you make a ‘qualifying significant decision’ about them.
The individual has 21 days to request for you to review the decision, or take a new decision not based solely on automated means. You must consider the request including any information provided by the individual. You need to respond to the data subject within 21 days of receipt of their request and outline the steps you have taken as well as the outcome.
The Act does not specify how an individual must make a request, so they can make it verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes.