When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short.

In many circumstances, you have a right to prevent automated processing.

This guidance describes your rights under two kinds of automated processing:
• automated individual decision-making, and
• profiling.

Automated individual decision-making

This refers to decisions made without any human involvement, for example:

• an online decision after you have applied for credit, or
• a recruitment aptitude test using pre-programmed algorithms and criteria.

Profiling

Profiling means your personal data is used to analyse or predict such things as:

• your performance at work
• your economic situation, or
• your health, personal preferences and interests.

It can be useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.

Profiling occurs in some automated individual decision-making.

Profiling information can be gathered from various sources, such as internet searches, buying habits, social networks and lifestyle data from mobile phones.

Your rights regarding automated processing

You have the right:

• not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (eg automatic refusal of an online credit application, and e-recruiting practices without human intervention)
• to understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions, and
• to object to profiling in certain situations, including for direct marketing.

How you can ask an organisation to prevent automated processing or to explain decisions made by automatic processing

Organisations must not make decisions based solely on automated processing if the decision affects your legal rights or other equally important matters unless the decision is:

• necessary for the purposes of a contract between you and the organisation
• authorised by law (eg to prevent fraud or tax evasion), or
• based on your explicit consent.

So you should not have to request them to stop. However, you do have the right at any time to ask an organisation not to subject you to automated processing in the three circumstances described above. You can also ask them to tell you why a decision has been made in this way and how it will affect you.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.

What should you do if you disagree with the outcome or remain dissatisfied?

If you are unhappy with how the organisation has handled your request, you should first make a complaint to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

What the organisation  should do

Organisations should let you know if they are carrying out automated processing and tell you what information they are using. They should give you relevant information about the reasoning involved in the decision-making as well as the expected consequences for you. You should be given real examples of the type of possible effects.

Organisations should make sure they only carry out automated processing that affects your legal rights (or any other equally important matter) if it is:
• necessary for the purposes of a contract between you and the organisation
• authorised by law (for example, to prevent fraud or tax evasion), or
• based on your explicit consent.

Where an organisation is allowed to make decisions based solely on automated processing, it should offer simple ways for you to:

• express your view on the decision
• get an explanation of the decision
• request human intervention in the decision-making process, and
• challenge a decision.

It must also tell you about the circumstances in which you can object to profiling.
If you have asked an organisation not to make an automated decision, it should tell you in writing whether or not it agrees with you and give reasons.

How long should the organisation take?

An organisation has one month to respond to your request not to be subject to an automated decision. In certain circumstances, it may need more time to consider your request and can take up to an extra two months. If it’s going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.

Can it charge a fee?

In most circumstances, no. An organisation can only charge a fee if the request is, as the law states “manifestly unfounded or excessive”. If this is the case, the organisation may ask for a reasonable fee for costs associated with the request.