The ICO exists to empower you through information.

When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short.

In many circumstances, you have a right to prevent automated processing.

This guidance describes your rights under two kinds of automated processing:

  • automated individual decision-making, and
  • profiling.

Automated individual decision-making

This refers to decisions made without any human involvement, for example:

  • an online decision after you have applied for credit, or
  • a recruitment aptitude test using pre-programmed algorithms and criteria.

Profiling

Profiling means your personal data is used to analyse or predict such things as:

  • your performance at work
  • your economic situation, or
  • your health, personal preferences and interests.

It can be useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.

Profiling occurs in some automated individual decision-making.

Profiling information can be gathered from various sources, such as internet searches, buying habits, social networks and lifestyle data from mobile phones.

Your rights regarding automated processing

You have the right:

  • not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (eg automatic refusal of an online credit application, and e-recruiting practices without human intervention)
  • to understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions, and
  • to object to profiling in certain situations, including for direct marketing.

How you can ask an organisation to prevent automated processing or to explain decisions made by automated processing

Organisations must not make decisions based solely on automated processing if the decision affects your legal rights or other equally important matters unless the decision is:

  • necessary for the purposes of a contract between you and the organisation
  • authorised by law (eg to prevent fraud or tax evasion), or
  • based on your explicit consent.

They should tell you why the decision is made in this way and how it will affect you. They should also explain that you have a right to request human intervention, express your view and challenge the decision.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first make a complaint to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

How should I raise my complaint about how an organisation has handled my information?

You can use the template letter below to help you raise your complaints.

[Your full address]
[Your phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights complaint

[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your complaint, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my complaint to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my complaint to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully
[Signature]

What the organisation should do

Organisations should let you know if they are carrying out automated processing and tell you what information they are using. They should give you relevant information about the reasoning involved in the decision-making as well as the expected consequences for you. You should be given real examples of the type of possible effects.

Organisations should make sure they only carry out automated processing that affects your legal rights (or any other equally important matter) if it is:

  • necessary for the purposes of a contract between you and the organisation
  • authorised by law (for example, to prevent fraud or tax evasion), or
  • based on your explicit consent.

Where an organisation is allowed to make decisions based solely on automated processing, it should offer simple ways for you to:

  • express your view on the decision
  • get an explanation of the decision
  • request human intervention in the decision-making process, and
  • challenge a decision.

It must also tell you about the circumstances in which you can object to profiling.

If you have asked an organisation not to make an automated decision, it should tell you in writing whether or not it agrees with you and give reasons.

How long should the organisation take?

An organisation has one month to respond to your request not to be subject to an automated decision. In certain circumstances, it may need more time to consider your request and can take up to an extra two months. If it’s going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.

Can it charge a fee?

In most circumstances, no. An organisation can only charge a fee if the request is, as the law states, “manifestly unfounded or excessive”. If this is the case, the organisation may ask for a reasonable fee for costs associated with the request.