Use of AI technologies by public bodies: is this compliant with the UK GDPR?

Adil Hussain
Published: February 13th, 2023

On 19 January 2023, Mr Stephen Bonner, Deputy Commissioner at the Information Commissioner's Office (ICO), responded to concerns raised in relation to the use of Artificial Intelligence (AI) by local authorities. As a result, some in the public sector will undoubtedly question the data protection implications associated with the increased use of AI and how public bodies, such as local authorities, can ensure they remain compliant with the UK General Data Protection Regulation (UK GDPR). This article explores the response provided by the ICO and gives insight as to the practical steps public bodies can take to safeguard their data subjects' data.

Use of AI in the public sector

In recent years, AI has become increasingly commonplace and popular for use in the public sector, particularly amongst local authorities. In the wake of increasing budget constraints and a challenging economic market, AI can be seen as a more cost-effective, efficient solution to human decision making. Used effectively, AI is recognised for its ability to assist with specific tasks that are usually thought to require human intelligence.

During the Covid pandemic, AI and other forms of automated decision making (ADM) received widespread media attention, due to the controversy surrounding the assessment of pupil exam results. More recently, studies suggest that a collection of local authorities are using algorithmic 'risk assessment' tools to determine eligibility for benefits and to calculate welfare entitlements.

Whilst it is recognised that AI can offer significant benefit to the public sector, there are risk factors that need to be considered, to ensure effective implementation and use from an information governance perspective.

Enquiry by the ICO

An enquiry was initiated by the ICO in response to concerns by individual data subjects, as to the way in which their data was being handled, and compliance with the principles laid out in the UK GDPR more generally. The ICO's enquiry, which was said to involve consultation with a wide range of technical suppliers, a sample of local authorities and the Department for Work and Pensions, has increased the ICO's understanding of the development, purpose and functions of algorithms and similar systems being used by local authorities. The ICO's blog post explains that 11 local authorities were selected as a "representative sample based on geographical location and those with the largest benefits workload."

In response to this enquiry, Mr Bonner made the following statement:

"In this instance, we have not found any evidence to suggest that claimants are subjected to any harms or financial detriment as a result of the use of algorithms or similar technologies in the welfare and social care sector. It is our understanding that there is meaningful human involvement before any final decision is made on benefit entitlement. Many of the providers we spoke with confirmed that the processing is not carried out using AI or machine learning but with what they describe as a simple algorithm to reduce administrative workload, rather than making any decisions of consequence."

In summarising the ICO's position, Mr Bonner recognised that the Commissioner embraces upcoming technological changes, provided the data protection rights of individual data subjects can be maintained, and data is processed in a lawful, fair, and transparent manner.

Compliance with the UK GDPR

In their blog post, the ICO also recognises that there are a number of practical steps local authorities, and other public bodies, need to take to ensure they are compliant with the UK GDPR. To add to the steps outlined by the ICO, it is beneficial to also highlight the following:

  • Public bodies should be clear on the lawful basis they intend to rely on for the processing of personal data via AI. Article 22 of the UK GDPR states:

    • "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

    • This is particularly relevant where public bodies look to rely on consent by a data subject as the lawful basis for using AI and other ADM. In doing so, public bodies must question whether or not consent can genuinely be provided. If not, then arguably consent should not be relied on as a lawful basis for processing personal data via AI or other ADM.

  • Where processing special category data is anticipated (such as health data), public bodies must also demonstrate a further condition for lawful processing, in accordance with the requirements of Article 9 of the UK GDPR.

  • Public bodies should give thought to the rights afforded to data subjects in domestic legislation and ensure they have suitable solutions in place, should a data subject choose to exercise those rights. For example, once informed of the use of AI to produce ADM, a data subject should have one month to request the controller to reconsider or take a new decision which is not based solely on ADM.

  • Finally, we wish to reiterate the importance of creating an appropriate audit trail of decision making and risk assessment, through producing a Data Protection Impact Assessment (DPIA), for any use of AI or data analytics.

A copy of the ICO's full response in relation to the use of AI by local authorities can be read here: Blog: Addressing concerns on the use of AI by local authorities | ICO

Should you require any assistance in relation to appropriate implementation of AI or ADM within your organisation and/or conducting an audit of your existing AI or ADM processes, please do not hesitate in contacting our GPI team at, where we will be more than happy to assist you with matters or concerns you have.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here. Authorised and regulated by the Financial Conduct Authority.