This relates to the potential for a decision being made as part of the automated structures utilised by your organisation that adversely affects the individual whose data is being used to make that decision. eg Profiling.
You will need to have the appropriate procedures to ensure that this does not happen. This will require certain controls to be utilised during the processing of the data. This is especially true with children’s data.
Everyone has the right not to have automated decisions made on their data when:
- The process is totally automated (ie no human intervention is possible)
- The process results in a legal or similarly significant effect on the individual
This sort of processing is only possible if:
- It is required as a justifiable component of entering into a contractual relationship
- It is required by law
- It is undertaken following specific consent by the individual concerned
If such exceptions exist, then you must have controls to ensure the individual’s rights, freedoms and legitimate interests are not compromised.
Therefore, the measures you put in place must include:
- The ability for human intervention to take place (eg a review of the automated determination by the individual before it is acted upon)
- Allow the individual to express their views – again, before the automated decision is acted upon - so they will need to know about the possibility of such a decision in a timely manner. This might be best done at the time of data entry. (eg a note appearing on screen as data entered by the individual, asking permission to proceed given that certain decisions (give details) may result from taking this forwards...)
- Allow the individual to have an explanation of the decision and permit them to challenge it. Ultimately this ought to lead to a more accurate decision for that person as either they will have other information that has not been considered in the process, or they will have made a mistake and this can be identified thereby ensuring the individual understands better why the decision was made in the first place.
Individuals can exercise these rights verbally or in writing.
You must verify the identity of the person making the request, using “Reasonable Means”.
You should respond to a request without delay and at least within one month of receipt.
You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).