La Privacy e Cybersec per le aziende
Osservatorio a cura del dott. V. Spataro 

Milano, sab 2 dicembre 2023:, Social media non vi temo - Ascolti tra Marketing e AI

   documento 2023-04-11 ·  NEW:   Appunta · Stampa · pdf

IA ICO Response tu GOV


Documento annotato il 11.04.2023 Fonte: GPDP


L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni




estimated reading time: 15 min 1

The Information Commissioner’s response
to the Governm ent ’s AI White Paper

About the ICO

1. The Information Commissioner has responsibility in the UK for promoting
and enforcing the UK General Data Protection Regulation (UK GDPR), the
Data Protection Act 2018 (DPA 2018), the Freedom of Information Act
2000, the Environmental Information Regulations 2004 and the privacy
and Electronic Communications Regulations 2003 (PECR), among others.

2. The Commissioner is independent from government and up holds
information rights in the public interest, promoting openness by public
bodies and data privacy for individuals. The Commissioner does this by
providing guidance to individuals and organisations and taking appropriate
action where the law is broken.

3. The Information Commissioner’s Office (ICO) sets out its strategic vision in
the ICO25 plan ,1 which highlights promoting regulatory certainty ,
empowering responsible innovation and safeguarding the public as key


4. The ICO welcomes the opportunity to provide comments on the
Government’s AI White Paper , “A pro -innovation approach to AI
regulation” . Artificial intelligence (AI) is critical to the UK’s prosperity ,
offering transformational potential to improve our lives and livelihoods . We
support t he White Paper’s ambitions to empower responsible innovation
and sustainable economic growth , which ali gn with our own strategic
ambitions set out in ICO25 .

1 -the -ico/our -information/our -strategies -and -plans/ico25 -plan/


The ICO’s role in regulating AI

5. From improving healthcare to tailoring online entertainment, t he uses of AI
with greatest salience for public policy are often powered by personal data.
Personal data may be processed to design, train, test or deploy an AI
system. All these stages of AI development and deployment where
processing of personal data takes place will fall under the ICO’s purview,
as the UK’s data protection regulator.

6. Empowering responsible innovation is one of our ICO 25 priorities and we
believe data protection can help organisations build or us e AI with
confidence while avoiding risks to people’s rights and freedoms. This
includes risks that can lead to physical, mate rial and non -material damage
(see Recitals 83 and 85 of the UK GDPR). As such, the ICO as the data
protection authority in the UK, plays a central role in the governance of AI.

7. AI is a strategic priority for the ICO. The ICO25 2 strategic plan highlights
our current work in this area, including actions to tackle urgent and
complex issues such as AI -driven discrimination. 3 This builds on our
existing work on AI, including:

• our landmark Guidance on AI and Data Protection ,4 which is
regularly updated to address emerging risks and opportunities ;
• our accompanying AI and Data Protection risk toolkit ,5 which won a
Global privacy and Data Protection Award 6 in 2022 ;
• our supplementary guidance on Explaining Decisions Made with AI ,7
co-badged with The Alan Turing Institute;
• our support for AI innovators through our Regulatory Sandbox ,
Innovation Advice and Innovation Hub ;8
• our advice to regulators on how to use AI and personal data
appropriately and lawfully, 9 following a recommendation by the
House of Lords ;10
2 ICO25 strategic plan | ICO 3 The ICO has update d the fairness component of the existing Guidance on AI and Data Protection with the aim
of assisting organisations to tackle such issues. 4 -organisations/guide -to-data -protection/key -dp -themes/guidance -on -ai-and -data -
protection 5 -organisations/guide -to-data -protection/key -dp -themes/guidance -on -ai-and -data -
protection/ai -and -data -protection -risk -toolkit 6 -events/gpa -awards/ 7 -organisations/guide -to-data -protection/key -dp -themes/explaining -decisions -made -
with -artificial -intelligence/ 8 -the -ico/what -we -do/ico -innovation -services 9 how -to-use -ai-and -personal -data.pdf ( 10 AI in the UK: No Room for Complacency (


• our contribution to standard -setting initiatives as a member of the
AI Committee of the British Standard s Institution (BSI); and
• our supervision of organisations using AI, including through both
proactive audits 11 and investigations .12

8. We continue to track developments in AI to ensure that our policy
positions reflect the latest technological opportunities and risks , with new
advic e to developers and users of generative AI published in recent
weeks .13 We conduct horizon -scanning to detect new data protection risks
and opportunities ,14 and run a programme of post -doctoral AI fellowships
that research issues such as AI and dark patterns, and model inference
attacks. 15

9. We have also actively engaged with Government ’s AI proposals in the
context of the Data Protection and Digital Information Bill ,16 House of Lords
consultation on AI governance, 17 provided input to the Department for
Health and Social Care’s call for evidence on equity in medical devices ,18
and the House of Lords Justice and Home Affairs Committee call for
evidence on the use of new t echnologies in the application of the law. 19

The ICO’s work with other regulators

10. The ICO recognises the important role that other UK regulators play in
governing the use and development of AI in different sectors or context s.
We have been at the heart of initiatives to foster greater regulatory
coherence and certainty for organisations developing and using AI, both as
a founding member of the Digital Regulation Cooperation Forum (DRCF)
and as the chair of the Regulators and A I Working Group, which includes
27 UK regulatory authorities.

11. As part of our work at the DRCF we have published two discussion papers
on algorithmic harms and benefits, 20 and the landscape of AI auditing .21
11 A Guide to ICO Audit Artificial Intelligence (AI) Audits 12 ClearView AI Inc. | ICO 13 Generative AI: eight questions that developers and users need to ask | ICO 14 For example, the Emerging Tech produced two reports on biometric technologies that highlight the risks of
Emotion Recognition Technology: Biometrics technologies | ICO 15 You can read more about the ICO’s work on AI here: -the -ico/what -we -do/our -work -
on -artificial -intelligence 16 Data Protection and Digital Information (No. 2) Bill - Parliamentary Bills - UK Parliament 17 UK Parliament consultation: Governance of artificial intelligence | ICO 18 Department of Health and Social Care call for views: Equity in medical devices independent review | ICO 19 House of Lords Justice and Home Affairs Committee call for evidence: t he use of new technologies in the
application of the law | ICO 20 -from -the -drcf -algorithmic -processing -workstream -
spring -2022/the -benefits -and -harms -of-algorithms -a-shared -perspective -from -the -four -digital -reg ulators 21 -from -the -drcf -algorithmic -processing -workstream -
spring -2022/auditing -algorithms -the -existing -landscape -role -of-regulators -and -future -outlook


We have also continu ed to build on that work through our 2022 -2023 work
programme ,22 including the recent publication of the findings from
workshops on transparency in the procurement of algorithmic systems .23

12. The ICO also works with international counterparts and stakeholders , both
bilaterally such as our joint investigation with the Office of the Australian
Information Commissioner into ClearView AI ,24 and through fora such as
the Global privacy Assembly (GPA), 25 the Global Partnership on AI (GPAI)
and the G7 grouping. In addition, we provided input into the EU AI Act 26
and the Council of Europe’s legal framework on AI. 27

The ICO’s views on the AI White Paper

The r ole of regulators
13. The AI White Paper proposes the creation of a central function to oversee
the AI regulatory landscape. We welcome the Government ’s intention to
conven e regulators to deliver activities such as joint regulatory guidance or
a joint regulatory sandbox .
14. We note , however, that it is the regulators themselves that must produce
guidance and advice , in alignment with the laws that they over see
independently of government . Businesses will require confidence that
implement ing any guidance or advice will minimise the risk of legal or
enforcement action by regulators . This need is particularly acute for small
to m edium sized enterpri ses (SMEs ) that may lack the in -house legal
expertise of larger organisations. W e would welcome clarification on the
respective roles of government and regulators in issuing of guidance and
advice as a result of the proposals in the AI White Paper .
15. We encourage the Government to work through regulators to deliver its
ambitions where possible, and in particular, thr ough the Digital Regulation
Cooperation Forum (DRCF) . As noted earlier , the DRCF already plays an
active role in identifying and examining the implications of new AI
applications across our sectors , promoting joined -up regulatory positions in
relation to AI , developing integrated support to AI developers and more.
22 -regulation -cooperation -forum -workplan -2022 -to-
202 3/digital -regulation -cooperation -forum -plan -of-work -for -2022 -to-2023 23 -in-the -procurement -of-algorithmic -systems -
findings -from -our -workshops 24 ICO fines facial recognition database company ClearView AI Inc more than £7.5m and orders UK data to be
deleted | ICO 25 26 -the -ico/consultations/eu -proposed -artificial -intelligence -act/ 27 -the -ico/consultations/council -of-europe -ad -hoc -committee -on -artificial -
intelligence -cahai -multi -stakeholder -consultation/


We look forward to working with the Government as it implements the
White Paper.
Proposed s tatutory duty and suggested AI principles
16. The AI White Paper proposes principles for the regulation of AI and the
eventual introduction of a statutory duty for regulators to have due regard
to the se principles . These principles map closely to those found in the UK
data protection framework .
17. We would wel come close collaboration with the Government to ensure that
the AI White Paper principles are interpreted in a way that is compatible
with the data protection principles , so as to avoid creating additional
burden or complexity for businesses. We offer the following detailed
comments on the principles to help bring about consistency:
• Fairness : We believe that the AI White Paper’s suggested ‘fairness’
principle, much like data protection’s fairness principle, 28 should cover
the stages of developing an AI system, as well as its use. We therefore
suggest that the definition of the principle is amended to read “AI
systems should be designed, deployed and used considering definitions
of fairness which are appropriate to a system’ s development , use(s),
• Contestability and redress : The ‘ contestability and redress’ principle,
states that regulators will be expected to clarify existing routes to
contestability and redress, and implement proportionate measures to
ensure the contestability of the outcome of the use of AI where
relevant. Typically, it is organisations using AI and that have oversight
over their own systems that are expected to clarify routes to, and
implement, contestability. We would welcome clarity around thi s
sentence, and would like to understand whether the scope for
regulators such as the ICO may be better described as making people
more aware of their rights in the context of AI.
• Interactions with UK GDPR Article 22 : Separately, the paper notes
that regul ators are expected, where a decision involving the use of an
AI system has a legal or similarly significant effect on an individual, to
consider the suitability of requiring AI system operators to provide an
appropriate justification for that decision to a ffected parties. We would
like to highlight that where an AI system uses personal data, if UK
GDPR Article 22 is engaged, it will be a requirement for AI system
operators to be able to provide a justification, not a consideration. We
suggest clarifying thi s to ensure this does not create confusion for
industry. 29
28 How do we ensure fairness in AI? | ICO 29 Article 22 is currently being considered in the Data Protection and Digital Information (No. 2) Bill, and may
therefore change as the bill progresses.


18. The AI White Paper acknowledges that there may be instances where the
proposed principles could come into conflict. The expectation outlined in
the paper is that regulators will use their expertise and judgement to
prioritise and apply the principles, sharing information with government
and other regulators about how they are assessing the relevance of each
19. As the AI White Paper principles map closely to the data protection
principles, it will be important for regulators to interpret these in a way
that is compatible with their meaning under UK data protection law. Even
though not all AI systems process personal data, a substantial portion, and
particularly the ones implicit in the Govern ment’s framing of the AI White
Paper principles, will. Maintaining compatibility between the principles will
help min imise unnecessary complexity and burden for businesses.
The format of proposed guidance
20. The AI White Paper proposes that regulators work together to produce
joint guidance for businesses to encourage clarity . Designed well, joint
regulatory guidance could make it easier for businesses to comply with
regulation and develop new ideas and innovative n ew products in their
sector or context.
21. We recom m end that the Government prioritise s research into the type of
guidance a wide range of AI developers would value before proceeding . For
example, i t is likely that sector - or use case -specific guidance will be of
greater usefulness to AI developers than joined -up guidance on each non -
statutory principle . The latter may be too high level , and therefore require
a large degree of interpretation by AI developers , to provide practi cal
guidance on a specific issue that a business faces . Research could surface
the most helpful focus for future guidance .
The d esign of the proposed sandbox
22. The AI White Paper proposes the establishment of a joint regulatory
sandbox , which could bring together cross -sectoral regulatory advice. This
could be valuable for providing clarity to AI developers on how the law will
apply to their use case , facilitating innovation and investment.
23. As with guidance, we rec ommend that the Government prioritise research
into the type of service a wide range of AI developers would value before
proceeding . Based on our experience in operating the ICO’s Regulatory
Sandbox , Innovation Advice and Innovation H ub ,30 we make the following
recommendations on the design of this service:
• Scope of support : We recommend that the scope of any sandbox is
extended to include all digital innovation, not just in relation to AI. In
practice, innov ators’ queries are unlikely to be strictly limited to AI and
30 -the -ico/what -we -do/ico -innovation -services


extend to a much broader famil y of digital technologies that are
overseen by the same regulators. We propose that the benefits and
costs of a ‘digital and AI sandbox ’ are evaluated alongside a narrower
AI sandbox.
• Depth of support : We recommend designing the sandbox to provide
timely advice that aligns with AI development lifecycles, with the aim of
benefitting businesses that are seeking clarity on the law. A slower,
more -intensive testing and trialling environment is likely to be able to
support only a limited number of businesses and be of value primarily
to businesses that need specific regulatory authorisation before launch,
such as in financial services or for medical devices.
• Prioritisation of support : We recommend that support to innovators
is prioritise d in line with international best practice , with a focus on: (i)
the degree of innovation relative to existing products or business
models; (ii) the degree of regulatory barrier s faced or support needed ;
and (iii) the potential for wider economic, social or environmental
benefit .31 This will ensure that resources are targeted to the innov ations
with the greate st impact.
24. We recommend that the Government works closely with the DRCF to
develop its ideas further . With our DRCF partners we are already
undertaking a project running to the end of August 2023 to research,
design and pilot a multi -agency advice service that responds to the needs
of digital innovators. Our research will explore both the format of a service
and the types of issues that are o f concern to digital innovators. We will
also be able to gauge whether the service requested by potential users
relates to topics where there may be an intersection between DRCF
member regulators and other regulators.
Cost implication s of the proposals
25. We support t he intention to provide greater clarity to business es on how AI
regulation applies in their sector or to their use case . Th is will incur
additional costs to cross -economy regulators such as the ICO , which will
now need to prod uce prod ucts tailored to different sectoral contexts in
coordination with other relevant AI regulators. We would welcome further
discussions with government on the funding required to enable these
proposals to succeed.

31 For example, see:



26. The ICO supports the Government’s vision to make the UK the best place
in the world to found and grow an AI business and translate AI’s potential
into growth and societal benefits. The current, thriving AI ecosystem in the
UK is a testament to how innovation -friendly regulatio n already is.

27. We agree an approach to AI governance should be context -specific, risk -
based, coherent , proportionate and adaptable. We support the
development of a set of principles for the regulation of AI and stand ready
to support the Government in ac hieving the delicate balance of improving
coherence while accounting for the intricacies of specific domains and


Testo del 2023-04-11 Fonte: GPDP


i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.

Ricevi gli aggiornamenti su IA ICO Response tu GOV e gli altri post del sito:

Email: (gratis Info privacy)

Nota: il dizionario è aggiornato frequentemente con correzioni e giurisprudenza