Privacy notice for an AI-powered survey and feedback session

Introduction

We were recently contacted by a new client that specialises in public policy advisory. 

Partnering with a local UK council and three other technology suppliers, the client was coordinating a large-scale survey of thousands of council residents and other users of council-supplied services. Selected participants would also be invited to attend focus groups, where they would provide more detailed feedback. 

To comply with its obligations under UK GDPR, the client had prepared a draft privacy notice for participants and asked us to help with reviewing it to ensure it clearly met the requirements of the UK GDPR. 

Challenge

Unlike a traditional survey, the project relied on several AI-enabled tools provided by the client’s technology partners. For example, one AI tool would transcribe participants’ comments in near real time and display them to other participants, who would then vote on those thoughts live. Another AI system would analyse those voting results and model potential outcomes based on voting patterns. 

The UK data protection regulator, the ICO, emphasises in its official guidance that where AI systems are used to process personal data, organisations must take particular care to explain clearly how and why that processing takes place. Reflecting this level of transparency in the privacy notice required a detailed understanding of how each AI system operated in practice.

In addition, five different organisations were involved in delivering the survey. This made it essential to determine which organisations acted as controllers and which acted as processors. These distinctions needed to be accurately reflected in the privacy notice, both to meet transparency obligations and to ensure the client did not inadvertently assume responsibility for data protection compliance where it was not required. Achieving this required getting to the bottom of all the processing that was to occur when the survey launched. 

Solution

By the time the client contacted us, the survey was close to going live. To meet our client’s objectives and timeline, we had to move quickly and ask targeted questions that would allow us to get to the level of detail required for the privacy notice but wouldn’t waste the client’s time. 

As such, we prepared a focused set of questions that would likely be asked by any hypothetical participant reading the privacy notice. By approaching the issues from the perspective of the data subject, it was easier to keep the questions focused to what was really relevant: what the content of the privacy notice should be. 

Once the client had answered those questions, we swiftly reworked the existing privacy notice and were able to do so with minimal back and forth, meeting the client’s imminent deadline with confidence. 

If you need assistance with the UK GDPR or AI technologies more generally, please don’t hesitate to reach out to us here.