Transparency data

Privacy notice (Survey on AI Assurance Methods)

Published 10 October 2022

1. The CDEI AI Assurance Survey and your personal data

This privacy notice explains who the CDEI are, the personal data the CDEI collects, how the CDEI uses it, who the CDEI shares it with, and what your legal rights are.

2. About the CDEI

For the purposes of the Data Protection legislation, the Department for Digital, Culture, Media and Sport (DCMS) is the controller of the personal data you provide us with in response to this survey.

We collect and process your personal data in accordance with applicable law. This includes, without limitation, the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018, together with other applicable UK and EU laws that regulate the collection, processing and privacy of your personal data.

We have appointed a data protection officer (DPO) within DCMS who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice or how we are handling your data, please contact the CDEI using the details set out below.

Centre for Data Ethics and Innovation:

E-mail: cdei@cdei.gov.uk

If you are unhappy with how the CDEI has handled your data, please contact the DPO:

Email: dpo@dcms.gov.uk

3. Personal data we will collect

The personal information we ask to collect and process is provided to us directly by you in the survey, other than your email address which will be collected automatically by our survey platform. This may include:

• Name
• Organisation
• Role
• Email
• Your responses

When responding to this survey, please do not share any more personal data than is being requested.

4. What is the legal basis for processing my data?

To process this personal data, our legal reason for collecting or processing this data is: Article 6(1) e:

It is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law).

The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DCMS will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DCMS for different purposes, then the legal basis we rely on in each case may not be the same.

5. How will the CDEI use any personal data including survey responses you provide?

The CDEI will keep your responses in strict confidence in accordance with this privacy policy. Your data will be anonymised before publishing, and you will not be identifiable in any published results.

The CDEI will use your personal data and responses solely for research purposes and to produce anonymous, statistical research findings and insights.

6. What will happen if I do not provide this data?

The CDEI is seeking to understand current industry engagement with AI assurance. Specifically, this research aims to identify key barriers and enablers to using AI assurance techniques (i.e., impact assessment, certification, performance testing etc.) and technical standards.

This survey will allow us to capture industry views to accurately identify barriers and enablers to using AI assurance. The outcomes of this survey will directly influence the next stage of CDEI’s work, which aims to develop guidance that will address the challenges identified in this survey and encourage increased adoption of AI assurance across industry.

Without input from industry actors, we will have a limited understanding of industry views on AI assurance which in turn reduces our ability to create effective guidance that is sufficiently useful for industry.

7. Data Sharing

We will not transfer your personal data outside of the UK.

We will let you know if we are going to share your personal data with other organisations – and whether you can say no. You can ask us for details of agreements we have with other organisations for sharing your information.

If you write to us on a subject that is not our policy area, and the response needs to come from another government department, we will transfer your correspondence, including the personal data, to that department.

You can also ask us for details of any circumstances in which we can pass on your personal data without telling you. This might be, for example, to prevent and detect crime or to produce anonymised statistics.

8. Will my data be used for automated decision making or profiling?

We will not use your data for any automated decision making. If we need to do so, we will let you know.

9. Data security

Your information is securely stored within our own secure network. We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. How long we keep your personal information

The CDEI will only retain your data in a way that can identify you for a maximum of 12 months.

11. Your data protection rights

Under data protection law, you have rights including:

• Your right of access - You have the right to ask us for copies of your personal information.
• Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
• You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. If your request is complex, we have the right to extend this to up to 3 months. If we have to do this, we will let you know.

Please note some of the above rights are not absolute and we will let you know if an exemption applies if you wish to avail of your rights.

Please contact us at cdei@cdei.gov.uk if you wish to make a request.

12. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at the above contact details.

The contact details for the data controller’s Data Protection Officer (DPO) are:

Data Protection Officer

The Department for Digital, Culture, Media & Sport

100 Parliament Street

London

SW1A 2BQ

Email: dpo@dcms.gov.uk

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data.

Information Commissioner’s Office,

Wycliffe House,

Water Lane,

Wilmslow Cheshire,

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

13. Changes to our privacy notice

We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DCMS will take reasonable steps to let you know.

This notice was last updated on 10/10/2022.