The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Who is the toolkit for?

The toolkit will be most helpful to you if your organisation is at the beginning of your data analytics project lifecycle. It will help you to recognise some of the central risks to the rights and freedoms of individuals created by the use of data analytics. It is designed to be a basic introduction to some of the risks to individuals that data analytics may create or exacerbate.

Since many of the risks that may arise from your application of data analytics are context specific, we cannot include an exhaustive or definitive list of issues to consider. Assessing the risk in the context of your processing activity forms part of your responsibility as a controller. You should not view this toolkit as a pathway to absolute compliance with data protection law, but as a starting point for what you will need to consider.

This toolkit is designed for you to consider risks, rights and freedoms in the context of data protection law. It is not a comprehensive analysis of every factor you will need to consider when implementing a data analytics system. Although there are links between the fairness principle of data protection law to ethics and equality you will need to consider these and other elements separately to ensure you are compliant with any additional obligations you may have, such as the public sector equality duty.

What do you mean by ‘data analytics’?

In this toolkit, we define data analytics as: “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications, or risk scores.”

Integral to data analytics as defined in this way are algorithms, which are a set of mathematical instructions or rules that are given to computer systems to complete tasks.

Increasingly, organisations are using a specific category of advanced algorithm – referred to as artificial intelligence or AI – to complete tasks. AI can be defined as the theory and development of computer systems able to perform tasks normally requiring human intelligence. The ICO has produced two pieces of guidance – the explaining decisions made with AI guidance in partnership with the Alan Turing Institute, and the guidance on AI and data protection – on the challenges that AI poses to individuals, which supplements this toolkit.

We recognise that not all cases of data analytics as defined above will use AI and, therefore, this toolkit is designed to be helpful whether or not you are using AI as part of your data analytics project.

How does the toolkit work?

The toolkit begins by asking questions to determine the legal regime you will be processing under and direct you to the appropriate part of the toolkit.

The toolkit will ask you a series of questions separated into four themes; lawfulness, accountability and governance, the data protection principles, and data subject rights. If you need further clarity around a particular question, please tick the ‘more information’ box which contains further detail to help you answer.

After you have answered all of the questions, the toolkit will produce a report containing tailored advice for your data analytics project. Again, complying with these recommendations is not a guarantee that your toolkit will comply with data protection law. It’s crucial you consider the advice we give in the context of your processing, and seek the advice of your organisation’s Data Protection Officer.

The toolkit is anonymous, and the answers you provide are not visible to or retained by the ICO. We therefore advise that you download a copy of the report generated and retain this for future reference.

What happens after I have used the toolkit?

Once you have used the toolkit, a short report will be created that suggests practical actions you can take and provides links to additional guidance you could read that will help you improve your data protection compliance.

Whilst this toolkit will help you start to think about your data protection obligations, it should not be used as a substitute for consulting your data protection officer (DPO) about your data analytics project. Your DPO should inform and advise in greater depth on your obligations. Therefore, if you have not consulted your DPO, use this toolkit as a guide on what to ask them about your data analytics project.

Some DPOs may also find this toolkit useful in helping them to think about how to safeguard individual rights and freedoms when their organisations are commissioning, designing, and implementing data analytics. It is important that these considerations take place at the beginning of the process so that they can be built into a data analytics solution, rather than as an afterthought.

Start now