When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short.
In many circumstances, you have a right to prevent automated processing.
This guidance describes your rights under two kinds of automated processing:
• automated individual decision-making, and
Automated individual decision-making
This refers to decisions made without any human involvement, for example:
• an online decision after you have applied for credit, or
• a recruitment aptitude test using pre-programmed algorithms and criteria.
Profiling means your personal data is used to analyse or predict such things as:
• your performance at work
• your economic situation, or
• your health, personal preferences and interests.
It can be useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.
Profiling occurs in some automated individual decision-making.
Profiling information can be gathered from various sources, such as internet searches, buying habits, social networks and lifestyle data from mobile phones.
Your rights regarding automated processing
You have the right:
• not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (eg automatic refusal of an online credit application, and e-recruiting practices without human intervention)
• to understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions, and
• to object to profiling in certain situations, including for direct marketing.
How you can ask an organisation to prevent automated processing or to explain decisions made by automatic processing
Organisations must not make decisions based solely on automated processing if the decision affects your legal rights or other equally important matters unless the decision is:
• necessary for the purposes of a contract between you and the organisation
• authorised by law (eg to prevent fraud or tax evasion), or
• based on your explicit consent.
So you should not have to request them to stop. However, you do have the right at any time to ask an organisation not to subject you to automated processing in the three circumstances described above. You can also ask them to tell you why a decision has been made in this way and how it will affect you.
A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first make a complaint to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address]
[Name and address of the organisation]
Dear [Sir or Madam / name of the person you have been in contact with]
Information rights concern
I am concerned that you have not handled my personal information properly.
[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].