At a glance
- Part 3 provides safeguards for individuals against the risk that a potentially damaging decision is taken by solely automated means, ie without human intervention.
- You may not take a significant decision based solely on automated processing unless that decision is required or authorised by law. A ‘qualifying significant decision’ is defined as a decision which significantly affects or produces an adverse legal effect on an individual and is authorised by law.
- Currently, solely automated decision-making that leads to an adverse outcome is rarely used in the law enforcement context and is unlikely to have many operational implications.
In brief
When does the right apply?
Individuals have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces an adverse legal effect or significantly affects the individual.
You must ensure that individuals are able to:
- obtain human intervention;
- express their point of view; and
- obtain an explanation of the decision and challenge it.
To qualify as human intervention, you must ensure that you carefully analyse the decision and consider all the available input and output data, rather than just a token review. This should be carried out by someone who has the authority and competence to change the decision.
This right does not specifically refer to profiling. However, profiling is defined in section 33 as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
- performance at work;
- economic situation;
- health;
- personal preferences;
- interests;
- reliability;
- behaviour;
- location; or
- movements.
Profiling and automated decision-making can be combined activities of the same process, or can be carried out separately. There may be cases of automated decisions made with (or without) profiling and profiling which may take place without making automated decisions. This right will therefore apply to any profiling which involves some form of automated processing.
The right does not apply when a decision does not have an adverse legal or similarly significant effect on someone.
Example
An automated processing system could include an IT database of criminal records or prosecution histories, where data is input or accessed by staff via automated means.
‘Automated decision making’ only comes into play where the controller takes a ‘significant’ decision based solely upon automated processing, often without any human interaction. This is a decision that produces an adverse legal effect concerning the individual or otherwise affects the individual.
How do we comply?
You should inform an individual if you make a ‘qualifying significant decision’ about them.
The individual has one month to request for you to review the decision, or take a new decision not based solely on automated means. You must consider the request including any information provided by the individual. You need to respond to the individual within one month of receipt of their request and outline the steps you have taken as well as the outcome.
The DPA 2018 does not specify how an individual must make a request, so they can make it verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes.