Data Protection, Equality, Governance, Regulating AI

21 Terms

1

Ethics

principles of right and wrong that guide behaviour

e.g. avoiding plagiarism

2

Legal Frameworks

laws based on ethics to regulate behaviour

e.g. not sharing someone's private information without consent

3

Best Practice

going beyond legal requirements to act ethically

e.g. asking for clear permission before collecting personal data

4

Standards

formal rules that define and enforce best practice

e.g. following guidelines like GDPR to protect personal data

5

DPA before 2018

  • Granted rights to ‘data subjects’:

    • Example: Individuals could request a copy of personal data held about them (Subject Access Request).

  • Imposed obligations on organisations:

    • Example: Organisations had to ensure personal data was securely stored

  • Introduced the Information Commissioner role:

    • Example: The Information Commissioner could issue fines for non-compliance and maintain a register of data controllers

6

DPA after 2018

  • Expanded rights for data subjects:

    • Example: Introduced the Right to be Forgotten, allowing individuals to request data deletion

  • Stricter obligations for organisations

    • Example: Required organisations to notify authorities of data breaches within 72 hours

  • Strengthened the role of the Information Commissioner: 

    • Example: Increased fines, up to €20 million or 4% of global turnover, for non-compliance

7

Why GDPR Compliance Matters

  • If you collect personal data about EU citizens (data subjects): You must comply with GDPR, regardless of where your organisation is based

  • In the UK: Investigation and enforcement are carried out by the Information Commissioner’s Office (ICO)

  • Penalties for Non-Compliance: Major fines – up to 4% of global turnover or €20 million, whichever is higher

  • Takeaway: Compliance is essential to avoid significant financial and reputational damage

8

Rights to Data Subjects

  • Consent:

    • Data collection requires informed and freely given consent

    • Individuals can withdraw consent at any time

  • Right to Be Forgotten:

    • Individuals can request data deletion

    • Example: Request data deletion

  • Right of Access:

    • Individuals can access their personal data held by organisations

    • Example: Request access to your data

  • Breach Notification:

    • Organisations must notify individuals and regulators of data breaches

    • Example: 2023 breach information

9

Personal Data

  • Any information relating to a person who can be directly or indirectly identified

  • Only applies to natural persons (i.e., living individuals)

  • Re-identification is surprisingly easy, even if identifying details are removed

10

Sensitive Personal Data

  • Includes data about protected attributes (e.g., health, race, religion)

  • Full list: Protected Attributes

  • Requires greater justification for collection

  • Must be protected with higher security measures

11

Personal vs Sensitive Data

sensitive personal data involves stricter rules and protections due to its potential impact on individuals

12

Principles of GDPR

  1. Lawfulness, Fairness, and Transparency:

    1. Comply with other laws and provide evidence of lawfulness

  2. Purpose Limitation:

    1. Collect data only for specified, valid reasons and inform individuals

  3. Data Minimisation:

    1. Limit data collection to what is relevant and necessary for the stated purposes

  4. Accuracy:

    1. Ensure data is up to date and allow individuals to correct inaccuracies

  5. Storage Limitation:

    1. Delete data when it is no longer needed

  6. Integrity and Confidentiality:

    1. Protect data from unauthorised access or breaches

  7. Accountability:

    1. Demonstrate compliance with GDPR by keeping records and documenting actions

13

Equality Act of 2010

  • Replaced previous equality laws to simplify protections

  • Protects against discrimination:

    • Direct: Treating someone unfairly due to a protected characteristic

    • Indirect: Policies or practices that disadvantage certain groups

  • Monitored by the Equality and Human Rights Commission (EHRC):

    • Make a claim: EHRC Guidance

    • Focuses on digital services and AI impacts

  • Linked to GDPR: Ensures fairness and lawfulness in data use

  • Example: If an AI system is trained using personal data, it must not only comply with GDPR but also ensure it does not discriminate against protected groups (e.g., based on gender, race, or disability) under the Equality Act. This connection ensures fairness in both data handling and its outcomes

14

Positive Action (Recommended)

  • Steps to improve representation and inclusion

  • Examples:

    • Helping individuals overcome disadvantages

    • Meeting specific needs

    • Encouraging underrepresented groups to participate (e.g., through targeted outreach)

15

Positive Discrimination (Unlawful)

  • Treating one group less favourably than another

  • Example: Refusing to hire men solely to increase the number of women

16

Roles in AI Development

  • Business owner - defines business goals and requirements

  • Data scientist - uses data to train models to meet requirements

  • Model validator - uses business goals, regulations, and best practices to test models

  • AI operations engineer - deploys and monitors models in running services

17

AI Lifecycle (Roles)

  • Business owner - facts about model purpose and governance

  • Data scientist - facts about data transformation, features and performance

  • Model validator - facts about fairness, privacy, functionality and verification

  • AI operations engineer - facts about performance, drift, learning and monitoring

18

Factsheets

  • Standardised documents providing key details about an AI system's purpose, design, data, and performance, tailored for different stakeholders to ensure transparency and accountability

  • Once you’ve gathered all the information, it must be tailored to the needs of different stakeholders, such as clients, risk managers, and auditors

  • IBM is standardising the AI lifecycle documentation process through Factsheets

19

Algorithmic Transparency

  1. The profession is moving towards producing auditable documentation for AI systems, with efforts like the UK's Algorithmic Transparency Standard

  2. Challenges remain in defining facts that demonstrate compliance with legal concepts like fairness (transparency and accountability)

  3. Active research focuses on developing metrics to evaluate AI systems against regulations and best practices

20

AI Safety Summit 2023

  • Unprecedented Global Coordination: World leaders, including China, came together to discuss AI governance

  • AI Expert Panel Established: Tasked with identifying and assessing potential AI risks

  • Consensus on Regulation: Agreement that AI requires robust regulatory frameworks

  • Government Testing Plans: Commitment to testing AI systems to ensure safety and accountability

21

Criticisms of AI Summit

  • Bias Towards Big Tech:

    • Large tech companies have a disproportionate advantage because:

    • They helped shape the laws, giving them insider knowledge

    • They have the financial resources to navigate compliance

    • They already have established governance processes, unlike smaller organisations

  • Standards and Enforcement:

    • No clear agreement on global standards or mechanisms to enforce regulations

  • Governance Model: 

    • Should regulation be top-down (government led) or democratic (inclusive and participatory)?

  • Role of the Tech Industry:

    • Is it appropriate for the tech industry to shape the very rules that govern their technologies?