AI and Data Protection
AI can collect and curate data at a rate that far surpasses anything that has gone before. Data that can now be collected also goes far beyond just names and can include addresses, financial and medical information and even social security numbers. Data is collected in a number of different ways including by way of covert surveillance or unauthorised collection.
So whilst AI may make all sorts of processes much quicker and easier, from the recruitment and hiring process, to accessing in-house systems with facial recognition technology or reviewing employee conduct and performance, it also poses a number of significant risks. In our last article on AI we examined the risks of AI and discrimination and bias, and in this article, we take a look at the issues around data protection, employee displacement and copyright issues.
Data collection and protection
Some AI systems collect data without permission at all or without clearly informing individuals about how their data will be used and stored. The data collected is then sometimes shared or sold, and in worse case scenarios, where there is a data breach, data has been stolen.
Not only does this leave an individual at risk of being targeted by unwanted advertising campaigns and spam but it can also put them at risk of identity theft, and at the very least, undermines any trust and relationship between the individual and the organisation that collected their data. It also raises ethical issues, issues of breach of privacy and compliance issues.
The law
The General Data Protection Regulation (GDPR) governs the collection, use and processing of personal data. GDPR emphasises seven key principles when processing personal data namely lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. If you are using AI, make sure you review your responsibilities under GDPR and understand how this dovetails with AI.
Essential steps
Review your privacy policy
A regular review of your privacy policy is essential. Your policy should include:
- The circumstances in which you collect data. What is the reason and is collection of data absolutely necessary? Only collect the minimum data necessary and have a data management plan that sets out the details of your data collection, use and disposal.
- Check that individuals are clearly informed about if and how their data will be used and how long it will be kept for. Record their consent.
- Make sure there are clear opt-out mechanisms.
- If a third party is managing your data, ensure they are not allowed to share or sell your data.
- Be transparent about all aspects of your data collection, use and storage.
Implement or review security measures
A robust and secure system is essential for data management and this will include physical security measures, access controls, encryption, regular backups and employee training.
In terms of physical security, consider the security of your premises and device protection. Review laptop use, authentication and access. Network security is also essential and you should review encryption and your back-up and recovery processes with your IT provider. Review your data deletion and disposal.
It is good practice to consider carrying out a data protection risk assessment and you may wish or need to appoint a data protection officer (this is mandatory for public authorities and organizations that engage in large-scale processing of personal data).
Employee training is also important, so that everyone understands the risks, the obligations and the procedures to be followed. Finally, you will need to ensure you carry out regular reviews.
In short, whether you are new to AI or already a user, careful consideration needs to be given to all aspects of its use to ensure that your AI data management is done responsibly, transparently and securely.
AI and employee displacement
We reported last year that a significant number of employers have already replaced individuals with AI. This creates either a redundancy situation or the reallocation of roles within the workplace.
Whilst there may be costs savings and productivity benefits, there are a number of areas that employers need to keep in mind:
Employment contracts
First and foremost if you’re redeploying an employee to another role, you must take into account the terms of their contract. It may be that you need to negotiate new terms and conditions, and failure to do so could put you in breach of contract and potentially at risk of an employment claim against you.
If you’re employing new staff, make sure the contract of employment is clear around the use of AI. Define what tasks may or can be done by AI, stipulate your AI data protection and security provisions. Make sure it is clear when and where AI will be used in the employment process (such as in performance reviews, biometric use and misconduct hearings). Make sure you include details of how employees can challenge an AI decision.
Provide proper AI training both from the outset and on an ongoing basis during the course of someone’s employment with you.
In order to avoid redundancy situations, consider retraining employees so that they can be deployed elsewhere but failing that, ensure a fair and proper redundancy process is followed.
Copyright and content issues
AI and copyright law remains a grey area at present. In particular, there are issues about who owns user generated AI material. The Copyright, Designs and Patents Act 1988 provides that original works such as writing, music, art and film are protected by copyright if they result from human creativity.
However, under Section 9 (3) where a work is “generated by a computer in circumstances such that there is no human author,” the person who made the “arrangements necessary for the creation of the work” is deemed to be the author. This means that in the UK, the human who programs or operates the AI system may hold the copyright not the AI itself. However, this is a relatively untested area and may be subject to reinterpretation as technology evolves.
For the end user, it may be difficult to tell to what extent AI generated material includes material that belongs to someone else. There may also be issues with search engines and how they treat AI generated material, for example when published on a website or a blog, and whether it will be downgraded. This in turn, may depend on the quality of the software used, although content created primarily to manipulate search rankings will be a violation of spam policies.
AI is here to stay, and in many ways, it is revolutionary for some working practices. But it is not without its risks and challenges, and it’s essential that employers and businesses have the proper safeguards in place. We will keep you advised of developments and how they may affect you as the details emerge, but if you would like to discuss the above, please call 020 3988 0170 or contact us via our website.
The legal content provided by RSW Law Limited is for information purposes only and should not be relied on in any specific case without legal or other professional advice.
Copyright is owned by RSW Law Limited and all rights in such copyright are reserved.
