Data collected and processed using artificial intelligence and other digital technologies is subject to UK GDPR.

Key Messages

  • processing of personal data must comply with the UK GDPR;

  • a Data Protection Impact Assessment (DPIA) must be carried out before decisions to process ‘high risk’ data are made;

  • ‘high risk’ data includes special category data (e.g. racial or ethnic origin, health, trade union membership) and the processing of data for the purposes of profiling that results in an opportunity or benefit (e.g. performance management);

  • staff and learners affected by a digital technology should be consulted as part of the impact assessment process and their views and needs should influence decisions;

  • DPIAs should align with impact assessments for equalities, workload, wellbeing and health and safety risk assessments;

  • the NASUWT and recognised workforce unions should be actively involved in impact assessment processes. This should form part of digital technology agreement arrangements which commit to negotiating with unions regarding the introduction and use of AI and digital technologies.

The UK General Data Protection Regulation (UK GDPR) places duties on organisations regarding the collection and processing of data. This includes data collected and processed using AI and digital technologies.

The UK GDPR sets seven key principles for the collection and processing of data:

  1. lawfulness, fairness and transparency;

  2. purpose limitation;

  3. data minimisation;

  4. accuracy;

  5. storage limitation;

  6. integrity and confidentiality (security); and

  7. accountability. [1]

The UK GDPR gives individuals rights relating to the collection and use of their data.

Data subjects (this includes learners, staff, parents and ex-learners) have ‘key subject rights’. These are the rights:

  • of access;

  • to rectification;

  • to erasure;

  • to restrict processing;

  • to data portability;

  • to object; and

  • rights in relation to automated decision-making and profiling.

The UK GDPR makes a distinction between personal data (e.g. name, date of birth, email address, salary), which is data that enables a natural person to be identified directly or indirectly, and special category data.

Special category data is sensitive data.

It includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, trade union membership or sex life. [2]

The distinction between personal data and special category data is important because the law sets out the specific circumstances when personal and special category data can be processed.

There must be a lawful basis for processing personal data.

In the case of special category data, there is also the need to establish a separate condition for processing the data.

Article 9 of the UK GDPR sets ten conditions where it might be lawful to process special category data. [3]

The Information Commissioner’s Office (ICO) guidance clarifies that one of the ten conditions, the ‘substantial public interest’ condition, covers values and principles relating to ‘public good’.

There are twenty-three ‘substantial public interest’ conditions. [4]

These include equality of opportunity or treatment, racial and ethnic diversity at senior levels, safeguarding of children and individuals at risk and support for individuals with a particular disability or medical condition.

Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) must be conducted for processing that is likely to result in a high risk to the rights and freedoms of individuals.

The processing of special category data is considered ‘high risk’.

The processing of data for profiling to help make decisions about someone’s access to a service, opportunity or benefit is also considered ‘high risk’. [5]

This includes the use of profiling for recruitment purposes, as well as the use of profiling in performance evaluations that provide an opportunity or benefit, for instance evaluations that are used to make decisions about pay progression or promotion.

The ICO clarifies that even if there is no apparent legal requirement to do so, a DPIA will help to identify and minimise data protection risks, demonstrate accountability, and build trust and engagement.

A DPIA must:

  • describe the nature, scope, context and purposes of the processing;

  • assess the necessity, proportionality and compliance measures for the processing;

  • identify and assess risks to individuals; and

  • identify any additional measures to mitigate those risks.

The UK GDPR states that the impact assessment should take into account the rights and legitimate interests of data subjects and other persons concerned [6]. This means that consultation forms part of the DPIA process.

This means that the NASUWT and the wider workforce should be consulted and their views should inform decisions about the processing of data and measures to mitigate and manage any risks.

Footnotes
[1] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/
[2] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/  
[3] Ibid
[4] Paragraphs 6 to 28 of Schedule 1 of the DPA 2018.
[5] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
[6] https://www.legislation.gov.uk/eur/2016/679/article/35