In brief – what does the Data Protection Act say about automated decision taking?
The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. The Act complements this provision by including rights that relate to automated decision taking. Consequently:
- an individual can give written notice requiring you not to take any automated decisions using their personal data;
- even if they have not given notice, an individual should be informed when such a decision has been taken; and
- an individual can ask you to reconsider a decision taken by automated means.
These rights can be seen as safeguards against the risk that a potentially damaging decision is taken without human intervention. We explain below what is meant by automated decision taking and how the rights work in practice.
The number of organisations who take significant decisions about individuals by wholly automated means is relatively small – there is often some human intervention in making the decisions. However, it is sensible to identify whether any of the operations you perform on personal data constitute “automated decisions”. This will help you decide whether you need to have procedures to deal with the rights of individuals in these cases.
In more detail…
When do the rights arise (what is an automated decision)?
The rights in respect of automated decisions only arise if two requirements are met. First, the decision has to be taken using personal data processed solely by automatic means.
An individual applies for a personal loan online. The website uses algorithms and auto credit searching to provide an immediate yes/no decision on the application.
A factory worker’s pay is linked to his productivity, which is monitored automatically. The decision about how much pay the worker receives for each shift he works is made automatically by reference to the data collected about his productivity.
So the rights explained here do not apply to any decision involving human intervention. Many decisions that are commonly regarded as “automated” actually involve human intervention.
An employee is issued with a warning about late attendance at work. The warning was issued because the employer’s automated clocking-in system flagged the fact that the employee had been late on a defined number of occasions. However, although the warning was issued on the basis of the data collected by the automated system, the decision to issue it was taken by the employer’s HR manager following a review of that data. So the decision was not taken by automated means.
The second requirement is that the decision has to have a significant effect on the individual concerned.
In the above example on monitoring the productivity of a factory worker, it is obvious that a decision about how much pay he is entitled to will have a significant effect on him.
So these rights do not apply to decisions that only affect the individual to a trivial or negligible extent.
An individual enters an online “personality quiz”. She answers questions about herself on a website, which uses her responses to automatically generate a personality profile for her. The individual’s data is not retained and the profile is not sent to anyone else. The automated decisions on which the personality profile is based do not have a significant effect on the individual.
Are all automated decisions subject to these rights?
No. Some decisions are called “exempt decisions” because the rights do not apply, even though they are taken using solely automated means and do significantly affect the individual concerned.
are authorised or required by legislation; OR
are taken in preparation for, or in relation to, a contract with the individual concerned
are to give the individual something they have asked for; OR
are where steps have been taken to safeguard the legitimate interests of the individual, such as allowing them to appeal the decision.
What rights do individuals have?
The Act gives individuals three rights in relation to automated decision taking.
The first is the right to prevent such a decision being taken. You must not take an automated decision if an individual has given notice in writing asking you not to.
The second right applies where no such notice has been given. An organisation that takes an automated decision must inform the individual concerned that it has done this. It must do so as soon as is practicable in the circumstances.
The third right relates to the options available to an individual on receiving this information. If an individual is unhappy that an automated decision has been taken, they have 21 days to ask you to reconsider the decision or to take a new decision on a different basis. In most cases, both these options are likely to involve a review of the automated decision.
An individual complains to a credit provider because his online application for credit was declined automatically. The application was declined because the information provided by the individual did not match pre-defined acceptance criteria applied by the automated system. The credit provider undertakes manual underwriting checks to review the original decision.
If a court is satisfied that you have failed to comply with these rights, it may order you to do so.