The ICO exists to empower you through information.

Who is the toolkit for?

The toolkit will be most helpful to you if your organisation is at the beginning of your data analytics project lifecycle. It will help you to recognise some of the central risks to the rights and freedoms of individuals created by the use of data analytics. It is designed to be a basic introduction to some of the risks to individuals that data analytics may create or exacerbate. 

Since many of the risks that may arise from your application of data analytics are contextspecific, we cannot include an exhaustive or definitive list of issues to consider. Assessing the risk in the context of your processing activity forms part of your responsibility as a controller. You should not view this toolkit as a pathway to absolute compliance with data protection law, but as a starting point for what you will need to consider.

This toolkit is designed for you to consider risks, rights and freedoms in the context of data protection law. It is not a comprehensive analysis of every factor you will need to consider when implementing a data analytics system. Although there are links between the fairness principle of data protection law to ethics and equality you will need to consider these and other elements separately to ensure you are compliant with any additional obligations you may have, such as the public sector equality duty.

What happens after I have used the toolkit?

Once you have used the toolkit, a short report will be created that suggests practical actions you can take and provides links to additional guidance you could read that will help you improve your data protection compliance.

Whilst this toolkit will help you start to think about your data protection obligations, it should not be used as a substitute for consulting your data protection officer (DPO) about your data analytics project. Your DPO should inform and advise in greater depth on your obligations. Therefore, if you have not consulted your DPO, use this toolkit as a guide on what to ask them about your data analytics project.

Some DPOs may also find this toolkit useful in helping them to think about how to safeguard individual rights and freedoms when their organisations are commissioning, designing, and implementing data analytics. It is important that these considerations take place at the beginning of the process so that they can be built into a data analytics solution, rather than as an afterthought.

What do you mean by ‘data analytics’?

In this toolkit, we define data analytics as: “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications, or risk scores.”

Integral to data analytics as defined in this way are algorithms, which are a set of mathematical instructions or rules that are given to computer systems to complete tasks.

Increasingly, organisations are using a specific category of advanced algorithm – referred to as artificial intelligence or AI – to complete tasks. AI can be defined as the theory and development of computer systems able to perform tasks normally requiring human intelligence. The ICO has produced two pieces of guidance – the explaining decisions made with AI guidance in partnership with the Alan Turing Institute and the guidance on the AI auditing framework – on the challenges that AI poses to individuals, which supplements this toolkit.

We recognise that not all cases of data analytics as defined above will use AI and, therefore, this toolkit is designed to be helpful whether or not you are using AI as part of your data analytics project.