AUTOMATED DECISION MAKING
POPI protects data subjects from being subjected to automated decision making which results in legal consequences for the person, or which substantially affects the person.
For this protection to apply, the decision must be based solely on the automated processing of the personal information with the intention of providing a profile of the person. The profile will then be used to make some type of decision which has serious implications for the person. Examples of this include profiling to make decisions regarding work performance, credit worthiness, reliability, location, health, personal preferences, or conduct.
It is important to understand what automated decision making is. A manual decision is a decision made by a natural person, whereas an automated decision is made without human intervention. Where a decision is based partly on manual processing, it is not automated.
Automated decision-making is allowed where the decision is made in connection with the conclusion or execution of a contract, and the request of the data subject in terms of the contract has been met, or where appropriate measures have been taken to protect the data subject’s legitimate interests.
Automated decision-making is also allowed where this is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of the data subject.
These measures must provide an opportunity for a data subject to make representations about any decisions which are made in this way, and require you to provide the data subject with enough information about the underlying logic of the automated processing to enable him or her to make proper representations.
Where you employ an artificial intelligence system for automated decision-making, be aware of the rest of the provisions which may apply. For example, if you intend to process any unique identifiers for a purpose other than that intended at collection, with the aim of linking the information with information processed by other responsible parties, you must obtain regulatory pre-authorisation.
In this instance, “unique identifier” can be any identifier that uniquely identifies a data subject in relation to you as the responsible party, for example, an identity number or employee number.
You should consider what information will be processed by the AI system, as well as how the system will use it, to ensure you meet all data protection compliance requirements.
WHAT MUST YOU DO?
Determine whether you are making automated decisions and, if yes, whether you are using personal information to make those decisions. Check to see whether the decision made has a significant effect on the person or leads to legal obligations, for example work performance, credit worthiness, reliability, location, health, personal preferences, or conduct. If not, then you are not making an automated decision that is regulated by data protection law.
Where you determine that you are employing automated decision making which falls under POPI, you need to ensure that you are justified in this and have suitable measures in place to ensure compliance.
Carry out a personal information impact assessment to consider and address the risks before you start any new automated decision making or profiling.
You should furthermore identify and manage the risk associated with data inputs used as assumptions for a decision-making process, and the potential effects that the decision making may have on the data subjects.
Ensure that you have a clear procedure to manage objections to the results of automated decisions. This should include procedures which ensure the right to object and request human intervention in the decisions.
From a technical perspective, there should be a way to exclude individual records from automated processing, objection fields should be included, and persistent overrides of automated outcomes should be implemented.
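The three technical controls named above can sit in a single gate in front of the decision model. The following is an added example, not code from this page or from any regulator; the field names, outcome labels and the toy scoring model are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class SubjectRecord:
    subject_id: str
    features: dict
    excluded: bool = False                  # record opted out of automated processing
    objection: Optional[str] = None         # objection field, kept for the audit trail
    override_outcome: Optional[str] = None  # human decision that must persist
    override_by: Optional[str] = None

@dataclass
class Decision:
    subject_id: str
    outcome: str   # "approve", "decline" or "manual_review"
    source: str    # "automated", "human_override" or "routed_to_human"
    reason: str

def decide(rec: SubjectRecord, model: Callable[[dict], str]) -> Decision:
    """Gate in front of the model; the model runs only if no control applies."""
    if rec.override_outcome is not None:
        # Persistent override: later batch re-runs must not replace it.
        return Decision(rec.subject_id, rec.override_outcome, "human_override",
                        f"decided by {rec.override_by}")
    if rec.excluded:
        return Decision(rec.subject_id, "manual_review", "routed_to_human",
                        "record excluded from automated processing")
    if rec.objection:
        return Decision(rec.subject_id, "manual_review", "routed_to_human",
                        f"objection pending: {rec.objection}")
    return Decision(rec.subject_id, model(rec.features), "automated",
                    "model output")

def record_override(rec: SubjectRecord, outcome: str, reviewer: str) -> None:
    """Store the reviewer's outcome on the record so it survives re-processing."""
    rec.override_outcome, rec.override_by = outcome, reviewer

def toy_model(features: dict) -> str:
    # Constructed stand-in for a real scoring model.
    return "approve" if features.get("score", 0) >= 600 else "decline"

if __name__ == "__main__":
    batch = [SubjectRecord("A1", {"score": 710}),
             SubjectRecord("B2", {"score": 480}, excluded=True),
             SubjectRecord("C3", {"score": 520}, objection="income data is out of date")]
    record_override(batch[2], "approve", "reviewer-17")
    for rec in batch:
        print(decide(rec, toy_model))
```

The objection text stays on the record after an override is stored, so the audit trail shows both what the data subject raised and who decided.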