Responsibly buying AI

How to build equality & data protection into your AI commissioning and procurement processes. A guide for councils in England.

Using this guide

This guide is structured around the specific roles involved in the commissioning and procurement of AI within councils in England. To effectively utilise this resource, users should navigate using the sidebar to locate questions and prompts tailored to their particular role in the process.

What is this guide about?

This guide provides councils in England with questions to help them comply with the Public Sector Equality Duty (PSED) and data protection law when procuring artificial intelligence (AI) based technology or contracting out part of their public functions to an organisation that uses AI-based technologies. This guide applies to the procurement of any goods or services that include AI-based technologies.

Other public sector bodies subject to the PSED and data protection law may also find it useful.

The scope of this guidance includes any AI-based technologies, algorithms or algorithmic systems that are procured or commissioned by a council, which can have a significant impact on citizens, or those which influence the creation or delivery of policies and services. Reference to the procurement or commissioning of ‘AI-based technologies’ throughout this document encompasses:

  • technologies a council has bought for its staff to use (goods)
  • technologies a council has contracted out to a private sector company to use or build on its behalf (services).

This guide has been co-developed by the Local Government Association (LGA), London Office of Technology and Innovation (LOTI), the Equality and Human Rights Commission (EHRC) and the Information Commissioner's Office (ICO). We also appreciate the valuable contributions of the Crown Commercial Services, Socitm, Solace, Government Digital Service and other central and local government partners to this work.

It has been developed using a role-focused approach to provide questions and prompts for various officers and roles involved in the commissioning and procurement of AI in local government. Some of the questions have been adapted from the UNESCO Ethical Assessment Template; others from relevant EHRC and ICO guidance.

By following its content, users of this guide should be able to:

  • Thoroughly assess the equality impact and data protection risks before starting but also throughout the procurement or commissioning process and take evidenced decisions in relation to that.
  • Feel confident to probe AI-based technology providers on the equality and data protection relevant considerations they made when developing and testing their technology, how these feed into further training, and how future training and learning will happen
  • Build equality and data protection requirements into the design of their tendering and contract arrangements so councils get the information they need to design a successful procurement process, adequately monitor the impacts of using the technology, and ensure contracts and contract monitoring processes allow them to maintain equitable, lawful and safe use.
  • Understand that these considerations and assessments are not static and that due consideration for equalities and data protection risks must occur throughout the lifecycle of a contract and use of AI-based technologies. This includes where AI is introduced during a contract variation, upgrades to products, or when new features are added.

Who is this guide for?

AI-based technologies are fast-changing and complex, yet we know that: 

  • The use of AI-based technologies has increased over the last few years and is set to continue exponentially.
  • Councils typically procure the AI-based technologies they use as opposed to developing them in-house.

Our research and stakeholder engagement with the sector, the LGA State of the Sector Survey, as well as the Ada Lovelace Institute Spending Wisely report, show that staff involved in commissioning and procuring AI-based technologies need more support to:

  • properly question AI private sector companies on their products
  • understand equality and data protection risks before deciding to buy products
  • build clauses in contracts to enable them to track the actual impact of an AI product or service.

This guide does not replace other, more detailed, specialist or regulator guidance, but it provides practical prompts and questions you can use to robustly consider the Public Sector Equality Duty and data protection law compliance throughout the procurement and contract management processes of AI-based technology.

This guide not only supports compliance, but also provides you with a framework to: 

  • consider whether an AI-based technology is likely to deliver positive benefits to all your staff and/or citizens and will not lead to unlawful discrimination, advance equality of opportunity between people who fall within protected characteristics under the Equality Act 2010, and foster good relations between communities who engage with public services
  • help councils seek the necessary evidence to report on the actual benefits to their workforce, communities, and society as a whole after the decision to produce an AI-based technology has been made
  • encourage staff who are considering using an AI-based technology to engage with specialist teams – procurement team, an EDI officer and the DPO or information governance team – as soon as possible and throughout the commissioning, procuring and contracting processes.

Reminder 

When reading this guide and undertaking your equality and data protection impact assessments, it is a genuine possibility and legitimate outcome that you do not move ahead with the procurement or commissioning of a particular technology, because you are unable to reduce, mitigate or manage the risks you have identified.

What does the PSED require?

The PSED requires public authorities such as councils to have ‘due regard’ to the need to:

  • eliminate discrimination, harassment, victimisation, and any other conduct that is prohibited by or under the Equality Act 2010
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it. 

These are often referred to as the three aims of the PSED.

Public bodies should have due regard to the three aims of the PSED in their day-to-day business. Having due regard means that: 

  • you have made yourself fully aware of the potential equality implications of a policy
  • you have used this understanding to inform your decision making. 

Legal cases involving the PSED have established that:

  • Assessing the equality impact of policies and decisions, including a decision to commission out an AI-based technology, is a key way to demonstrate compliance with the PSED.
  • The responsibility for ensuring that the equality impact of policies is thoroughly assessed and monitored lies with public authorities. This is the case even when they contract out a public function such as processing data using AI-based technologies to a third-party organisation.

With the expanding use of AI, it is important that councils understand how this may impact people with different protected characteristics. These technologies can improve the efficiency, availability, and effectiveness of public services. They also have the potential to create inequalities and make existing inequalities worse. As such, if a council is considering a policy that involves procuring AI and other data-driven technologies, they must:

  • Assess how using these technologies may impact people with different protected characteristics as early as possible and before they decide to procure them. Where possible and appropriate, you may want to involve your EDI officer in developing your equality considerations using your organisation’s Equality Impact Assessment (EqIA) template.

Tip

We all have protected characteristics. Understanding the impact your policy proposal could have on people who have different characteristics may not always be easy. If you lack evidence or feel unsure about the validity of your equality considerations, seek the views of internal and external stakeholders with different protected characteristics. Focus particularly on people who may be impacted positively or negatively by your policy. You may also wish to learn about what other similar organisations have found. Stakeholder engagement may save you a lot of time and effort and help you gather the evidence you will need to robustly assess the likely impact of your policy. 

  • present their equality considerations to decision-makers so they can assess the suitability of progressing with the procurement based on the risks and benefits you have identified in your assessment
  • monitor the technology on an ongoing basis once implemented, and update your equality considerations.

For more information on how to conduct robust EqIAs, please look at the 10-step guide published by the EHRC for public bodies in England.

Reminder

Case law indicates that it is good practice to keep a record of how equality in policy and decision making has been considered (see Technical guidance on the PSED: England). This will be particularly important should your organisation be challenged, including in court. Many organisations choose to publish their equality considerations in an EqIA. Others publish their equality considerations within committee papers along with records of the decisions made. Publishing your equality considerations will enable your organisation to be transparent and accountable for the decisions it makes and maintain trust with the people it serves and employs.

What does data protection law require?

In an AI context, data protection law applies to personal data issues, e.g. when organisations use personal data to train, fine-tune, or deploy an AI-based technology, and when they use AI-based technologies to process personal data or make decisions about people on that basis. As a starting point, data protection law – specifically the UK GDPR, which needs to be read alongside relevant data protection legislation including the Data Protection Act (2018) – requires:

  • A valid lawful basis to process personal data, which must be determined before you begin processing personal data, based on your purpose and relationship with the individual whose personal data you will process.
  • Compliance with the seven key principles of the UK GDPR – these lie at the heart of the data protection law and fundamentally inform everything that follows.
  • A DPIA when the personal data processing is likely to result in a high risk to the rights and freedoms of individuals. Examples of such processing include the use of innovative technologies, such as AI.
  • You must have appropriate measures and records in place to be able to demonstrate your compliance. You must be able to demonstrate that you have appropriately assessed and mitigated risk following data protection principles.

The ICO has published extensive guidance to explain the requirements of the UK GDPR and Data Protection Act (2018) including the data protection audit framework and specific AI-guidance to support this. A DPIA is a necessary way to demonstrate your compliance. In the context of AI-based technologies, a DPIA should begin by including:

  • a systematic description of the processing activities, including data flows and the stages when AI processes personal data, including any solely automated decisions that may produce significant effects on individuals
  • an explanation of any relevant variation or margins of error in the performance of the system which may affect the data protection law fairness principle
  • a description of the scope and context of the processing, including the data processed, the number of data subjects involved, the source of the data, and the extent to which individuals are likely to expect the processing. 

A DPIA is a foundational document for data protection compliance. It is also a powerful tool for understanding the benefits and risks of deploying an AI-based technology, identifying who you need to consult, and setting out roles and responsibilities. You should involve your Data Protection Officer (DPO) at the earliest possible stage of procuring an AI-based technology and in developing a DPIA.

Tip

As an iterative document, which you can adapt to your own organisation’s needs, a DPIA can be used to build and sustain organisational knowledge of AI-based technologies. Publishing your DPIA is also an effective way to support transparency to data subjects (individuals) when coupled with clear accessible and timely privacy information. To streamline the process, please consider integrating your Data Protection Impact Assessment (DPIA) with either an Equality Impact Assessment (EqIA) or into an Algorithmic Impact Assessment (AIA, see below), provided all DPIA and PSED requirements are met.

Full information on how to conduct a robust DPIA in the context of AI-based technologies is available in the ICO’s AI guidance and DPIA advice.

Further considerations

The Procurement Act 2023

Councils will need to ensure that the considerations noted in this guidance are made at the appropriate point of the procurement process and full consideration is given to the legal requirements laid out in the new Procurement Act. Officers should engage with procurement and legal professionals in their organisation to ensure this. 

Human Rights considerations

The Human Rights Act 1998 requires that everyone who works in public authorities must act in a way that is compatible with the Act. The close relationship between equality and human rights means it could be efficient to think about them together when developing policies. Therefore, you may also want to consider and gather evidence on whether your policy can have a potential impact on: 

  • groups of people sharing a characteristic that is not specifically protected under the Equality Act 2010, for example, people living in different geographical areas, children on free school meals, asylum seekers, refugees, or single parents
  • human rights as set out under the Human Rights Act 1998, for example, the right to family life or to be free from torture and degrading treatments.

Ethical practices

While this guide does not specifically address ethics, ethics as a system of moral principles has overlap with both PSED and data protection’s statutory principles, as you assess equity of access, equity of treatment and protection of people's rights and freedoms as outlined in the Human Rights Act 1998. Some organisations have an ethics board or processes to support ethical decision making. For delivery of health and social care services, you may employ a Caldicott Guardian. Any existing ethical processes within your organisation should be brought into the processes for commissioning, procuring, and delivering services using AI-based technologies.

Algorithmic Impact Assessment

While not required by law in the UK, you may benefit from undertaking an Algorithmic Impact Assessment (AIA) that promotes investigation into AI-specific and automated decision making risks or otherwise integrating elements of AIAs into organisational DPIA and EqIA templates. If you work with international organisations, especially from the EU member states, you may need to consider an AIA.

Exemptions for sensitive data

In addition to special category data, a council should consider what extra protections it should put in place for other sensitive data such as social care provision data. These extra protections should be determined depending on the risk of the data and service area where the technology could be deployed. For example, a council which is processing data, such as that related to abuse monitoring, should consider legal conditions for these activities. The ICO has specific guidance on the legal conditions for processing sensitive data, as required by law, including data related to health and social care.

How to use this guide

This guide is separated into six sections to reflect the different roles we have identified as key to the commissioning and procurement of AI in councils.

The first and second sections are aimed at all officers involved in purchasing and contracting out AI-based technologies and should be used at all stages of the commissioning process. They provide prompts and questions to help all officers consider and review the equality and data protection impact of using the AI-based technology throughout the commissioning cycle, from inception to post-implementation.

The third section is aimed at commissioners and project managers. The prompts and questions will help inform their thinking on commissioning a particular AI-based technology in the pre-tender stage and on organising the project team before they take the decision to purchase an AI-based technology or contract out a third-party organisation to operate such technology on their behalf.

The fourth section is aimed at procurement officers. The prompts and questions help them build equality and data protection in their contract specifications, tender and interview questions.

The fifth section is aimed at supporting council officers who are reviewing bid answers. The prompts and questions help ensure equality and data protection considerations are asked in the bid assessment process.

The sixth section is aimed at contract owners. The prompts and questions help them build equality and data protection clauses into contract and service agreements. This is so they can get the data they need from their AI providers to continue monitoring the equality and data protection impact of using the technology they bought.

Please note that the questions in this guide are not a comprehensive list of compliance questions. They are intended to guide and prompt you as you undertake a case-specific assessment of the AI-based technology you are procuring. For more comprehensive guidance on compliance requirements in terms of AI please consult the online resources of the EHRC and the ICO.

Questions and prompts for all staff to assess equality impact

Under the PSED, public authorities must assess the potential impact of a new policy on people with protected characteristics under the Equality Act 2010. They must do so before making the decision to implement the new policy and continue monitoring its equality impact after implementation. 

While you are not legally obliged to consider other characteristics not listed in the Equality Act, your council may want you to consider the impact on other characteristics such as people who are care experienced, or socio-economically deprived. You should speak to a subject matter expert in your organisation such as an EDI officer if you are unsure of additional considerations that may need to be made.

If you are considering contracting out an AI-based technology, you will need to collect robust and sufficient evidence to support the questions and prompts laid out here. The evidence you collect to answer these can be quantitative or qualitative and will help you establish whether your proposal to commission an AI-based technology:

  • could have either a positive or negative impact on people with protected characteristics
  • is relevant to one or more of the three aims of the PSED.

Considering the below questions may lead you to decide that AI-based technology is not suitable for your needs at this time, or you may need to reconsider your objectives and approach.

  • Could the use of the AI-based technology contravene actions prohibited by the Public Sector Equality Duty? Could using this AI-based technology lead to direct or indirect discrimination, harassment, victimisation, or any other conduct prohibited by the Equality Act 2010?
  • How will service users and employees be affected? Could using AI-based technology affect how service users or employees access services or participate in activities relevant to your policy area?
  • Could the use of the AI-based technology disproportionately impact people with particular protected characteristics? Such as those who have a low level of access to services, participation in public life or other activities.
  • How will it impact your communities? Could it create or worsen disadvantages and inequalities in your community? Could it remove or minimise disadvantages and inequalities in your community? Could it lead to prejudice, community tensions, conflicts, isolation, or segregation? Could it help tackle prejudice and promote understanding between people with different protected characteristics? Could using AI-based technology affect how people perceive or interact with others?
  • How does the AI-based technology impact on people with protected characteristics? Does using AI-based technology consider the needs of people who share a relevant protected characteristic? Could the AI system have a greater negative impact for people who belong to more than one marginalised or disadvantaged group? For example, individuals such as Black women, disabled children, or elderly Muslim women may face compounding harms due to the intersection of characteristics such as age, race and religion, especially where those characteristics are already linked to social or structural disadvantages.

If your evidence shows that your proposal to commission an AI-based technology may have an impact on people with a particular protected characteristic, we strongly recommend you seek their views, either directly or by consulting with organisations that represent their interests. A public body cannot avoid complying with the PSED by claiming that it does not have enough time or resources to do so. The methods and degree of engagement should be proportionate to the size and resources of the body and the significance of the issue. This should be recorded.

Examples of engagement may include:

  • meeting with a stakeholder group that represents people with a particular protected characteristic
  • a focus group with relevant voluntary or community organisations
  • a full public consultation or face-to-face consultation event.

Reminder

In addition to the need to engage with those affected as part of your equality duty, certain council actions trigger statutory consultation requirements. These consultations are legally mandated and dictate specific engagement processes. If you are unsure whether a statutory consultation is necessary, please consult your organisation's legal professionals.

For more information on carrying out engagement in councils, see the LGA's guide to engagement: New Conversations.

The amount of time and resources a public body puts into considering the equality impact of a particular policy must be proportionate to its potential impact on people with different protected characteristics and its relevance to the three aims of the PSED.

For example, decisions an organisation makes about procuring AI-based technologies to manage traffic will have less relevance to the PSED and people with protected characteristics than decisions to procure technologies to identify potential criminal behaviours or vulnerable citizens (e.g. homelessness, poverty, Not in Education, Employment or Training). More time and effort should therefore go into considering the potential impact of the latter.

When you do not anticipate that using the AI-based technology you seek to procure can lead to unlawful discrimination but is still likely to have a negative impact on advancing equality of opportunities and/or good relations between people with different protected characteristics under the Equality Act 2010, you must consider the actions your council could take to:

  • mitigate any negative impact using the AI-based technology may lead to for people with protected characteristics
  • meet the needs of disabled people specifically - these actions are called reasonable adjustments and are covered under a separate specific duty in the Act.

Finally, you may want to consider positive action measures your council could take to alleviate disadvantage or under-representation or meet the particular needs of those who share a protected characteristic and ensure that they have the same opportunity to use/benefit from the technology you seek to procure.

In doing so, we would encourage you to think about the actions and adjustments you should make and which ones you could reasonably expect AI providers to:

  • have made in developing the technology they are selling to you, or
  • make as part of their contracting arrangements with you.

Deciding which actions and adjustments you expect AI providers to have made/make will help you build your contract specification, tender, interview questions and thereafter your contract arrangements.

Example

A council has implemented service reductions in its call centre. To mitigate the impact on its residents the council wants to procure an AI-based technology to provide a chatbot function on their website that enables residents to find information about the various services the council provides. The council carried out and developed an EqIA at various stages of this project including when service reductions were first suggested, and during the procurement of the chatbot tool. The service reduction EqIA highlighted that the council needed to keep in place a reduced number of staff to support particular groups who research shows rely on call centres to be able to access council support and information, such as older and disabled residents. The procurement EqIA also highlighted the potential negative impact of the chatbot function for residents whose first language is not English.

The project team decides to build questions around this in the vendor interviews it carries out with four potential suppliers. The project team draws up a set of questions related to equality considerations that went into the design of the AI model, as well as the data protection considerations. Two vendors in the interviews are unable to answer questions about what the Public Sector Equality Duty means or questions about the diversity of the data the model has been trained on. One vendor cannot answer questions about whether the data being processed by the model will stay within UK jurisdiction, and states there is a risk that, when capacity on the system is reached, data may be stored outside of the UK or EU GDPR jurisdiction for short periods of time. The council decides not to progress with any of these three vendors. The fourth vendor is awarded the contract and the project team collaborates with the AI provider to integrate translation software with their chatbot. This enables users to ask questions and receive responses in their preferred language. This action ensures people whose first language is not English are able to access the same support as other residents. As per contract arrangements, information on satisfaction rates disaggregated by languages is collected by the AI provider in a data protection-compliant way and shared with the council on a monthly basis. Any issues are discussed between the two parties and resolved as best as possible.

For more information on conducting robust EqIAs, the EHRC has produced a 10-step guide for public authorities in England.

Questions and prompts for all staff to assess data protection impact

Depending on the context, the use of AI-based technology is highly likely to involve a type of personal data processing that can result in a high risk to individuals’ rights and freedoms and will therefore trigger the legal requirement for you to undertake a DPIA. You should assess this on a case-by-case basis, and the earliest stage of procurement is an ideal time to do this. 

Considering these questions may lead you to decide that AI-based technology is not suitable for your needs at this time, or you may need to reconsider your objectives and approach. If you proceed with procurement and identify a high risk that you cannot sufficiently mitigate then you are legally required to consult with the ICO before any processing takes place. If your DPIA identified a high risk, but you have taken measures to mitigate this risk, you do not need to consult the ICO.

Reminder

A DPIA is not a box-ticking exercise. You need a robust description of the nature, scope, context, and purposes of any processing of personal data by the AI-based technology. For a complete, general guide on AI and DPIAs, see the specific section of the ICO’s guidance.

  • Why and how are you going to use an AI-based technology to process personal data? You should begin by clearly understanding your aims and why you intend to procure an AI-based technology. This could incorporate existing documentation, such as project proposals. This is an ideal time to engage your DPO. To help understand the risks, some questions you should consider include:
    • Does the AI-based technology involve processing of special categories of personal data?
    • Is there any systematic monitoring of publicly accessible areas on a large scale?
    • Is there solely automated processing, including profiling, on which decisions are made that produce legal or similarly significant effects?
    • Is this a new technology or novel application of an existing AI-based technology?
    • What are the intended outcomes for individuals or wider society, as well as for your organisation?
       
  • What is the nature, scope, context, and purpose of any processing of personal data? This can be a challenging task due to the complex nature of both AI-based technologies and councils. Data flow diagrams are an important tool here. You need to clearly describe the data processed, the number of data subjects involved, the source of the data, and the extent to which individuals are likely to reasonably expect the processing of their data in this way. You can reproduce technical information from an external provider to help with this process, but remember that the proposed supplier may not be the original developer of the AI-based solution. Specific questions you may want to ask include:
    • Do your agreements and contracts leave space for the expectation of the supplier to use any personal data for its own purposes, including potentially training their AI-based technology?
    • Is personal data leaving or entering your organisation, and if so, what is the destination or source? Will the data be subject to any international transfers?
    • Is solely automated decision-making taking place that produces any effects on individuals? Is human review meaningful? Is it being documented? Are human reviewers adequately trained, and do they have the authority to override decisions?
       
  • Have you thoroughly consulted everyone? It is good practice for your DPO to be involved in your procurement process from the start. Under the accountability principle of the UK GDPR, as a controller you are responsible for understanding how the AI-based technology works to comply with the data protection law and should be able to explain this to consultees. Your DPO should work collaboratively with data scientists or AI engineering teams. Your DPO should be mindful of obligations of the law enforcement and intelligence service processing regimes. You should also seek and document the views of individuals whose personal data you process, or their representatives, on the intended processing of your AI-based technology. For example, you should consider if the processing involving AI would require seeking appropriate consent from the users. You may not engage with them if it would be disproportionate or impractical, but you still must be transparent about it to them. Questions to ask include:
    • Is the DPO engaged from the start of the procurement process and the development of the DPIA?
    • Have independent domain experts who have a deep understanding of the context in which the AI-based technology is deployed been consulted?
    • To what extent have local residents or their representatives been consulted about the impact of the AI-based technology?
    • Is there a diverse, well-resourced team supporting this procurement process, including data scientists, engineering teams, senior management, the DPO and commissioners?
       
  • Have you assessed the necessity and proportionality of the processing? You should consider if processing personal data using AI-based technology is necessary and proportionate to the purpose for which you require it. You should consider, and document, whether you could achieve the same goals without the processing of personal data involved in the proposed use of the AI-based technology. Of course, this will be case specific. This may also lead you to conclude that procuring AI-based technology is not suitable for your intended purpose, nor poses a sensible solution to a problem. Some key questions to ask yourself include:
    • Do individuals expect their data to be processed in this way, and have you done any engagement to check, where it is proportionate and practical?
    • Are the relevant rights and freedoms of product users fairly balanced and does this AI-based technology complement or replace human decision-making?
       
  • Have you identified and assessed the risks to individuals? You should document and score each risk you identify. Beyond rights and freedoms, you should carefully consider the potential impact of other material and non-material damage or harm on individuals. You should also consider legal frameworks in this context, such as the Equality Act 2010 and PSED. If the data is special category or a high volume, this will increase the overall risk for whether the use of AI is safe and proportionate. Questions you should consider include:
    • Does the processing involve special category or criminal offence data, or include the data of children?
    • Are there concerns over this type of processing or any security flaws in the AI-based technology, such as model inversion attacks?
    • Has the supplier clearly communicated and addressed the potential fairness and accuracy issues (including bias) in their AI-based technology? Do they continue to monitor the risks?
    • Does the training data, including any fine-tuning data controlled by the council, reproduce or introduce any biases?
    • What is your relationship with the individual data subjects? How will you tell individuals what is happening with their data?
       
  • Have you identified measures to reduce risk? For every risk you identify, you should also identify measures to reduce or eliminate the level of assessed risk. You should ensure that your DPO is involved in this process. You must consult the ICO if you cannot sufficiently reduce the risks identified. Questions you may want to consider include:
    • Are the individuals or teams responsible for the development, testing, validation, deployment, and monitoring of AI-based technology adequately trained and understand the data protection (and other legal) implications of the processing?
    • What technical and organisational measures are in place to support the deployment of this AI-based technology?
    • How will you ensure data quality and data minimisation?
    • How will you respond to data subject access requests?
    • What protections do you need to establish to ensure that the data is kept securely and with an appropriate amount of control by you?
    • How will you prevent function creep, or a situation where success in one context or use case of the AI-based technology may encourage people to think that it can be used in other circumstances without a proper review of how proportionate and legally compliant that new use may be?

Questions and prompts for commissioners and project managers

Before you make the decision to commission AI-based technology, you must consider the rationale for doing so, including whether such technology is suitable and proportionate to the outcomes you wish to achieve.

You will need to assess the equality impact and data protection risks of commissioning or procuring AI-based technology and we recommend you use an EqIA and DPIA. There is crossover between these assessments, so you will not need to start from scratch with each. To streamline assessments, we propose that local authorities merge their DPIA and EqIA and voluntarily undertake an AIA.

You should review and revise these assessments throughout the procurement process, and early use of them will help you to decide on some of the specifics that should be included in the tender. These specifics might be a particular standard of cyber security, expected accreditations of bidders, or facilities for the council to review the AI-based technology during the assessment of bidders.

You should consider the following questions and prompts and integrate your answers into any EqIA or DPIA you complete. Considering the following questions may lead you to decide that an AI-based technology is not suitable for your needs at this time, or you may need to reconsider your objectives and approach. 

  • What is the problem you are trying to address and what outcomes do you need to achieve? Are there non-algorithmic or non-AI options which may be used to achieve the same goal? If you choose AI-based technology, you will need to explain why that option is favoured.
  • What is the rationale behind choosing this specific AI-based technology? Do you have evidence of its success in similar circumstances? If your proposed use is novel, you should factor this into your risk assessments (e.g. DPIA and EqIA) and consider safeguards such as undertaking reviews of its use more often, engagement with impacted individuals and shortened contract terms or break clauses.
  • What personal data do you expect the AI to process? Does it include special category or criminal offence data? If the data is special category or a high volume, this will increase the overall risk for the use of AI-based technology. High risk in your processing may be mitigated by shorter review periods or pilot periods with more limited data; your DPO should be consulted on this.
  • How will you ensure data quality and data minimisation? Can you reduce the volume or improve the quality of data that you control and introduce to an AI system?
  • Do you understand the personal data you will need to process as part of the deployment? Is it proportionate to the purpose of the AI-based technology? How will you respond to rights such as restriction, deletion or access of data? Data flow diagrams may help.
  • Do the individuals impacted by the AI-based technology share particular protected characteristics defined by the Equality Act 2010? If so, you are expected to have greater safeguards to protect those individuals from bias and unfair outcomes. You may need to involve more professionals, such as an equality or ethics specialist, or undertake more regular reviews of the activities.
  • How much of a choice will people have in terms of having their personal data processed by or to train the AI-based technology? Can users opt out of personal data processing? Can users challenge, correct, or reverse the AI-driven output? If so, how and to what extent? If you decide to procure and use the AI-based technology, the above expectations need to be described in the tender and built into processes for when the contract is live.
  • Would individuals expect you to use their data in this way? What information do you already provide to individuals in privacy notices and similar policies? Have you done any engagement to check or learnt from other authorities that have tried this approach? If not, you may need to plan more engagement.
  • Who will be using this AI-based technology: staff within your organisation or service users? What is the level of competency for both service users and staff? For example, if service users will be using the technology, you may anticipate that the majority will not need any particular competency to use it. However, users with little IT competency may need training on how to use the technology and users with specific disabilities are likely to need reasonable adjustments. What training will you need to provide to each user group, internal and external? Do you need to consult internal stakeholders, legal experts, or technical experts?

Tip

Council staff using AI-based technologies should feel confident to challenge the AI outputs and exercise effective human oversight in order to adequately monitor and mitigate risks. If the outputs of an AI-based technology are not systematically monitored, evaluated and at times challenged, then you may be undertaking solely automated decision making. When the decision making leads to legal or similarly significant effects such as unlawful discrimination, your processing has higher data protection risks. A lack of adequate safeguards may severely impact the rights and freedoms of individuals and lead to legal or significant effects for them. The ICO has guidance on automated decision making and you should discuss this issue with your DPO in the early stages of the procurement process before the tender is finalised. The guidance may be updated following the passage of the DUA Bill, so we advise consulting the ICO website for updates.

  • How will using the AI-based technology affect individuals? Who is likely to benefit from this technology and who may experience negative outcomes or be denied opportunities? What characteristics protected under the Equality Act 2010 are at stake? Are there any other characteristics you should be considering here? Consider the perspective of individuals (staff and/or service users), the organisation, and society. This information must form part of your EqIA and can also be recorded in your DPIA.
  • How will personal data be collected, used, stored, shared, deleted, anonymised and who is responsible for those actions? What responsibilities for the AI-based technology supplier do you need to establish in the contract to ensure that the data is kept securely and with an appropriate control by you? Control will include whether the data can be used for training the AI-based technology during the contract or in the future, and whether this is solely for the benefit of the council or if the newly trained AI will be purchased/used by others.
  • Is there an expectation for the supplier to use the data for purposes beyond what a user is expecting, including future training of the AI-based technology? This must be decided before award and documented in the contract. Successful decommissioning of an AI-based technology without people losing control of their personal data should be planned in advance (for example if a developer has trained an AI-based technology on their personal data in a way that encodes it but does not delete the model following decommissioning). You might find it useful to refer to a flow diagram or another way of describing data flows, including documenting whether any other party is expected to access and use the data. Your proposed supplier may not be the original author of the algorithm. You must understand and clearly state in the contract who has access to the personal data and for what use.
  • Will the data be stored outside the UK? Speak to your DPO early, as it may be appropriate to specify the locations of data (data sovereignty) in the contract, which may impact the cost.
  • Are there concerns over this type of processing or security flaws? If you decide to continue with the tender, what expectations will you set with bidders and how will you draft contracts to help reduce risk and clearly describe the responsibilities of the supplier?
  • What evidence do you want from the prospective suppliers to allow you to consider whether their standards are appropriate from a regulatory point of view? Do you expect bidders to comply with an approved code of conduct or certification scheme? This should be written into the tender and evaluation documents.
  • How will you measure success? What information will you need to identify and evidence that using the AI-based technology is delivering the intended outcomes/benefits?
  • What information will you need to ensure personal data is handled in ways that people would reasonably expect and not used in ways that could lead to negative impacts, undermining of their rights and freedoms including unlawful discrimination, inequalities, community tensions, isolation, or segregation? You should consider these needs when drafting the tender, awarding the contract, and drafting the contract. People should not lose control of their personal data.
  • It is good practice to aim for a diverse project team, especially in terms of – but not limited to – sex, gender, age, race, colour, language, religion and belief, national origin, ethnic origin, social origin, disability, and sexual orientation. Consider how team diversity reflects the complexity and diversity of the population groups expected to be affected by the AI-based technology or using it. How could this introduce biases?

Reminder

The bidder may try to protect its intellectual property rights by asking officers to sign a non-disclosure agreement (NDA) before sharing the details of the AI-based technology. While an NDA or a similar confidentiality clause in a contract may identify information you both consider to be confidential and which you do not want to be made public, you cannot contract out of your statutory obligations under the Freedom of Information Act (FOIA). You should make your bidders aware of this at the outset of a procurement exercise and in any contract agreement documents. It is good practice to make your bidders aware that any information they provide (as part of the tendering process, or an ongoing relationship, or with respect to any agreed contracts) may, potentially, be disclosable under FOIA. This helps manage their expectations about what might happen to the information they provide to you. Exemptions, however, such as section 43 (commercial interests) or section 41 (information provided in confidence) may apply in relation to the information. See ICO guidance on commercial interests and information provided in confidence for more information in relation to those exemptions and contracting and consulting with third parties.

  • How will you assign responsibility for answering these questions and the council’s decision-making during pre-tender, tender, implementation, and contract monitoring stages? Consider the diversity of the decision-making team and the measures you expect to meet or the activities or actions that you will not tolerate.
  • How will you ensure effective business continuity practices and processes exist and are implemented if the specific AI-based technologies fail or shut down? There should be relevant questions within the tender. You also will need to ensure that suitable contract clauses reflect the standards you expect. In this context it makes sense to consider the security principle of data protection and any risks to the confidentiality and integrity of the data, or whether any groups of users are more likely to be negatively affected during an incident.
  • Are there widely accepted evaluations, such as functional tests, to assess potential risk areas for the AI-based technology? Is the testing methodology robust? Could a supplier game the results of this test? How will you document risk and justify your decisions based on those risks?
  • You will be using AI-based technology to achieve specific outcomes. Even if that use is initially successful, as time passes, the AI-based technology may no longer be performing well in new circumstances or when it interacts with new data. Therefore, the continued use may necessitate the adaptation of the AI-based technology or stopping its use. You need to consider this before tender and build suitable checks into the contract and processes, such as regular retraining of the AI-based technology, or break clauses.
  • How will you prevent function creep, or a situation where success in using the AI-based technology in one context may encourage people to think that it can be used in other circumstances without a proper review of how proportionate and successful that new use may be? If you consider using the personal data for a compatible purpose, a compatibility test should be carried out and results recorded in your DPIA. It is also something to consider as part of your EqIA and you may want to introduce a specific decision-making process for any potential further use. Successful decommissioning of an AI-based technology without people losing control of their personal data should be planned in advance (for example if a developer has trained an AI-based technology on their personal data in a way that encodes it but does not delete the model following decommissioning). For further information on this see ICO guidance.

Questions and prompts for procurement officers

Councils will differ on how they have devolved their procurement functions. We use the term ‘procurement officers’ to include any staff involved in (1) producing the contract specification and invitation to tender and (2) asking bidders questions relevant to equality and data protection to shortlist and select the successful supplier.

The questions and prompts below will help procurement officers to build equality and data protection considerations throughout the tasks listed above in (1) and (2). 

Considering these questions may lead you to decide that AI-based technology is not suitable for your needs at this time, or you may need to reconsider your objectives and approach.

  • Have a DPIA and an EqIA been undertaken or at least started? Have they raised issues that need to be managed in the contract specification and tender? Has any new evidence emerged on the potential equality impact and data protection risks of using the AI-based technology your council is considering? Evaluating and mitigating equality and data protection risks is a continuing process. As such, if new relevant evidence emerges, including from tenderers, staff involved in procuring AI-based technology must review and update the Council’s EqIA and DPIA.
  • What is the relevance of equality to the subject matter of the contract? The relevance of equality to the subject matter of the contract will help determine whether and the extent to which it should form part of the contract specification. 

Tip

Where equality considerations are central to the service they are normally regarded as a core requirement of the contract specification. For example, the provision of AI-based technologies to enable older and disabled people to live independently in their home as long as possible. Equality considerations may also be relevant where they are not the main requirement of the contract. For example, a contract for providing a chatbot service may also specify that the service caters for people who do not speak English as a first language or those with different types of impairments. You may wish to deal with relevant equality issues that are not the main requirement through the contract conditions and through any assurance of the performance carried out. The inclusion of such conditions needs to relate to the performance of the contract and be proportionate and, where relevant, adhere to other legal requirements. Your analysis on the relative weighting of these equality issues should guide your thinking on this.

  • How will you set out what the successful bidder will have to do in relation to equality in your contract specification?
  • Does the potential supplier have the relevant capability within the organisation to assess equality and data protection risks for this type of AI-based technology?
  • Can you partially complete a contract data protection schedule that will identify for the bidders the expected processing of personal data? Speak to a Data Protection Officer for advice.
  • What type of due diligence do you need to undertake on potential bidders? You will need either to liaise, or to direct the commissioner or project manager to liaise, with the officers responsible for ensuring compliance with equality and data protection laws, as there are likely to be questions that should be asked at the bidding stage. This is particularly important when procuring AI-based technologies as receiving and assessing information on how the AI-based technology works may be a long process.
  • How will data be collected, used, shared, stored, and deleted and who is responsible for those actions? Will the data be subject to international transfers? What responsibilities for the supplier do you need to list in the tender and the contract to ensure the processing of personal data in accordance with data protection?
  • Is there an expectation for the supplier to use the data for its own purposes, including potentially training the AI-based technology? This must be decided before award and documented in the contract. Your proposed supplier may not be the original developer of the AI-based technology. You must understand and clearly state in the contract who has access to the personal data and for what use.
  • The AI will be used to achieve specific outcomes. If that use is successful, the AI may no longer be reflective of the new circumstances. Continued use may not be suitable without adapting or stopping its use. You need to consider this before tender and build suitable checks into the contract and processes, such as regular retraining of the AI-based technology, or break clauses. Successful decommissioning of an AI-based technology without people losing control of their personal data should be planned in advance (for example consider seeking legal advice if a developer has trained an AI-based technology on their personal data but does not delete the model following decommissioning).
  • The tender should ask how the AI-based technology will be trained and whether the supplier expects to access and use the data from the council, for example, to further train the AI. You may wish to state what is acceptable to you, or you may wish to see the state of the market offering before deciding. Your consideration of this will come through the DPIA and EqIA as you assess whether using the data for training the AI or for the suppliers’ own purposes is likely to be appropriate.
  • How will you ensure effective business continuity practices and processes exist and are implemented if the specific AI-based technologies fail or shut down? There should be questions within the tender, and you will need to ensure that suitable contract clauses cover the standards you expect. This is an area where you are considering the data protection risk of the availability or integrity of the data, and whether any protected groups are more likely to be negatively affected during an incident.
  • Consider asking bidders to provide you with their own EqIA and DPIA as part of the tender process. Doing so will help you assess their content and quality when shortlisting bidders and awarding the contract. Incorporating these into the award process will evidence the council’s commitment to equality and compliance with data protection laws.
  • Consider publishing your contract specification and invitation to tender alongside the council’s EqIA and DPIA. Doing so should help the council build trust with its communities through demonstrating that it considers the data protection and equality impacts of the AI-based technologies it wishes to buy in a transparent and accountable way. You should make this clear when publishing the tender and ensure any confidentiality and transparency clauses in the contract reflect this.

Questions and prompts to ask bidders

You can build these questions into your tender and bid assessment process. The questions below are guidance for the council officers assessing bidder answers. 

Accreditation and documentation

Bidders may have produced their own assessments in the form of DPIAs, EqIAs, AIAs for their AI-based technology. Not all providers will have carried out these assessments, but you can reasonably request them to compare to your own risk assessments. Questions you can include:

  • Can you provide a copy of the Data Protection Impact Assessment (DPIA) you completed for development of the AI-based technology? If not, why not? Review the DPIA completed for AI development and check it against the one that has been carried out for this tender. Consider whether the bidder has covered all the areas. Seek advice from your DPO, as well as any relevant AI specialists your council employs or has access to. If you identify a high risk in your DPIA that you feel cannot be mitigated, contact the ICO Innovation Service, DPIA team for support.
  • Can you provide a copy of the equality considerations/Equality Impact Assessment (EqIA) you have completed for the development of the AI-based technology? If not, why not? Review the information provided and check it against the documents such as an EqIA that has been carried out for this tender. Consider whether the bidder has covered all the areas. Seek advice from your EDI officer as well as any relevant AI specialists your council employs.
  • Can you provide a copy of an Algorithmic Impact Assessment (AIA) you completed for development of the AI-based technology? If not, why not? AIAs are optional but you could review and check any AIA as you would with a DPIA or EqIA noted above.

Training data, bias, and data use

AI-based technologies can introduce, preserve and perpetuate pre-existing biases, by learning to replicate bias found in the data on which they are trained. The ICO has produced extensive guidance on this in its Fairness in the AI lifecycle guidance. Discrepancies in sample sizes, with lack of accurate representation of individuals, can raise the risk of bias. Additionally, the speed at which an AI system can complete a large number of tasks may then result in the impact of that bias being amplified. You must take care when evaluating AI-based technology, and when considering evaluations conducted by suppliers, to ensure that the testing methodology is robust, and that the results are reflective of the real-world performance of the AI-based technology. Questions you can ask include:

  • How is personal data used to train the AI-based technology? How often is the AI-based technology trained and what is the source of this data?
  • Is any personal data processed under the contract expected to be used to train the AI-based technology? Will the newly trained AI-based technology be available only to the council or as part of the product for other organisations?
  • Does the use of the AI-based technology require sharing data with third parties? And if so, what is the destination or source? Is such sharing documented and communicated to data subjects?
  • Can the supplier confirm that the AI-based technology is trained on lawfully obtained data?
  • Can the supplier provide a list of controllers, joint-controllers, processors, sub-processors that will be involved in the processing, and the roles and responsibilities each one has?
  • What access to corporate information does an AI supplier need? Is this access necessary and proportionate to what the council wants to do with the AI-based technology?
  • What consideration has been given to the diversity of the AI development and testing team, especially in terms of – but not limited to – sex, gender, age, race, colour, language, religion and belief, national origin, ethnic origin, disability, and sexual orientation, including how this reflects the complexity and diversity of expected user population, and how this could introduce biases?
  • Is the data that is used to train the system well-balanced, and does it reflect the diversity of the targeted, end-user or impacted population? Does this data include information on people with protected characteristics under the Equality Act 2010 either explicitly or by proxy, e.g. date of birth as a proxy for age?

Reminder 

It is paramount for organisations to be aware and mindful that the AI-based technology they are planning to buy and/or use may be processing data that can be associated by proxy to characteristics protected under equality law. If that’s the case, they will need to conduct robust equality considerations to ensure that using such technology will not lead to unlawful discrimination, as happened in the Netherlands in the Dutch benefit scandal, for example.

The ICO advises that organisations should conduct a ‘proxy analysis’ of AI models. This should detect whether any features of the model are proxies of protected characteristics or special category data. For example, if a model detects correlations between welfare benefit fraud risk scores and carers’ days off work, it may unjustifiably lead to women disproportionately being targeted for fraud investigation. This is because women tend to have more caring obligations, so carers’ days off work is operating as a proxy for sex. Having detected a proxy, you should ascertain if you need to remove or adjust the feature to avoid any false correlations. Read more about ‘proxy analysis’ on the ICO website.
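
A first-pass proxy screen for the carers' days off example above, as an added illustration that is not part of this guide or of the ICO's guidance. The records, the 0.5 threshold, the `risk_rule` stand-in model and all function names are constructed assumptions, and single-feature correlation will not catch proxies that only emerge from combinations of features.

```python
from math import sqrt

# Constructed sample records (not real data). Sex is NOT an input to the
# stand-in model below; it is held back only to audit the other features.
RECORDS = [
    {"sex": "F", "carer_days_off": 8,  "claim_amount": 100},
    {"sex": "F", "carer_days_off": 10, "claim_amount": 200},
    {"sex": "F", "carer_days_off": 7,  "claim_amount": 300},
    {"sex": "F", "carer_days_off": 9,  "claim_amount": 150},
    {"sex": "F", "carer_days_off": 3,  "claim_amount": 250},
    {"sex": "F", "carer_days_off": 8,  "claim_amount": 200},
    {"sex": "M", "carer_days_off": 1,  "claim_amount": 200},
    {"sex": "M", "carer_days_off": 2,  "claim_amount": 100},
    {"sex": "M", "carer_days_off": 0,  "claim_amount": 300},
    {"sex": "M", "carer_days_off": 6,  "claim_amount": 250},
    {"sex": "M", "carer_days_off": 2,  "claim_amount": 150},
    {"sex": "M", "carer_days_off": 1,  "claim_amount": 200},
]
FEATURES = ["carer_days_off", "claim_amount"]


def risk_rule(record):
    """Hypothetical stand-in for a fraud-risk model: flags on one feature."""
    return record["carer_days_off"] >= 5


def pearson(xs, ys):
    """Pearson correlation; returns 0.0 when either series is constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equal-length series with at least 2 values")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # a constant column carries no information about the group
    return sxy / sqrt(sxx * syy)


def proxy_analysis(records, protected, group, features, threshold=0.5):
    """Correlate each feature with membership of `group`.

    Returns {feature: {"r": correlation, "proxy": abs(r) >= threshold}}.
    The threshold is an illustrative assumption, not a regulatory figure.
    """
    member = [1.0 if rec[protected] == group else 0.0 for rec in records]
    report = {}
    for feature in features:
        r = pearson([float(rec[feature]) for rec in records], member)
        report[feature] = {"r": r, "proxy": abs(r) >= threshold}
    return report


def flag_rates(records, protected, rule):
    """Share of each protected group that `rule` flags for investigation."""
    totals, hits = {}, {}
    for rec in records:
        g = rec[protected]
        totals[g] = totals.get(g, 0) + 1
        hits[g] = hits.get(g, 0) + (1 if rule(rec) else 0)
    return {g: hits[g] / totals[g] for g in totals}


if __name__ == "__main__":
    for name, row in proxy_analysis(RECORDS, "sex", "F", FEATURES).items():
        label = "possible proxy for sex" if row["proxy"] else "no strong link"
        print(f"{name:15s} r={row['r']:+.2f}  {label}")
    # Even with sex excluded from the model, outcomes differ sharply by sex.
    for group, rate in sorted(flag_rates(RECORDS, "sex", risk_rule).items()):
        print(f"flag rate for {group}: {rate:.0%}")
```

A supplier can be asked to run the equivalent check on data representative of the council's use case and to share the per-feature results alongside the flag rates by group.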

  • What processes did you use to test for biases? What processes are in place to continue testing the model for biases during implementation? Will data/results of these tests be made available to the council during the bidding process? Can the supplier test the AI-based technology using scenarios representative of the council use case, to assess the likelihood of bias?
  • What differences can you foresee between the data used for training and the data processed by the AI-based technology during deployment? How do you manage and reduce the possibility of the AI-based technology producing discriminatory outcomes or discrepancies in its performance for different groups?
  • How has the AI-based technology been tested with people with relevant protected characteristics under the Equality Act 2010? What differences were identified in the statistical accuracy rate (or any other performance metric used)? Please describe any difference of this kind, e.g. false positives/false negatives.
  • How did you assess whether the AI-based technology is accessible by those with disabilities e.g. accessible to screen readers, including alternative text for images, colour-blind friendly palettes?
  • If you have identified that using your technology could have a negative impact on people with specific protected characteristics, how have you identified actions or reasonable adjustments to mitigate against this? What actions/reasonable adjustments have you already used and were they effective? If not, which actions are you proposing to put in place during implementation and how will you monitor their effectiveness? What would you suggest if we find that these actions/reasonable adjustments are not effective during implementation? 

Reminder 

The reasonable adjustment duty under the Equality Act 2010 applies to employers as well as service providers, those exercising public functions and associations. Organisations covered by the duty must consider in advance, and on an ongoing basis, what disabled people might reasonably need to access the same opportunities as non-disabled people and put these reasonable adjustments in place. As such, councils planning to buy an AI-based technology to deliver one of their public functions or services will need to make sure that it is accessible to disabled employees and users.

Integrity and confidentiality

Councils have a duty to protect the data of service users and staff. When assessing bidders, you want to ensure the AI-based technology is trustworthy and that data is protected. Questions you could use include:

  • What is your process to document how data quality issues have been resolved during the design process? Show evidence.
  • What processes will you implement to ensure that unforeseen risks can be flagged, or spurious decisions contested throughout the lifecycle of the AI-based technology?
  • What fallback systems will be in place to ensure an adequate continuity of essential services if the AI-based technology needs to be temporarily or permanently suspended?
  • Describe any relevant variations or margins of error in the performance of the system which may affect the fairness of the personal data processing and its outcomes.
  • What controls are in place to protect the AI-based technology from adversarial attacks that seek to extract personal data?
  • What is the response process if there is a serious security incident involving the AI-based technology?

Training and usability

It is good to understand from bidders the skill level service users or staff may need to be able to use the AI-based technology and review its outputs. Bidders may be able to offer training to upskill users of the AI-based technology, to support its roll out. Questions you could use include:

  • Is there any training available to help staff or service users to understand the benefits and risks when using this AI-based technology?
  • How much training will officers need to be able to effectively use the AI-based technology and challenge the AI outputs/decisions?
  • Will staff be made aware of the potential for their own human bias towards accepting an AI-based technology output without scrutiny?
  • Can council officers challenge the decision-making of the AI-based technology? If so, how and at what points? How much training will officers need to be able to effectively use and challenge the AI outputs/decisions?

Questions and prompts for contract owners

If you were not involved in the EqIA and DPIA processes, familiarise yourself with them and identify anything that needs to be included in the contract, such as cyber security standards or clauses to ensure you are informed before a supplier begins or amends use of AI. 

You should include relevant clauses, schedules, and specifications in your contract to help your council manage equality and data protection risks associated with using the AI-based technology. Any clauses within the contract should be:

  • proportionate and quantifiable;
  • referred to in the contract notice or tender documentation; and
  • clear and unambiguous, and understood by tenderers and suppliers.

You can also specify performance targets in your contract. When you do, you should be explicit about how you expect the supplier to monitor their performance against these targets. 

The questions below aim to help you think about the equality clauses and performance measures to include in contract arrangements with your AI provider:

  • How will data be collected, used, shared, stored, and deleted and who is responsible for those actions? Will the data be subject to international transfers? What responsibilities for the supplier do you need to list in the tender and the contract to ensure the privacy and safety of personal data?
  • The contract must be clear on what control the supplier has to access and use the data, for example, to further train the AI-based technology.
  • What equality data will the provider gather and provide you with to ensure that using the AI-based tech is:
    • delivering the intended benefits, including for people with specific protected characteristics?
    • not leading to unlawful discrimination?
    • not leading to bias that needs to be addressed through additional mitigation actions or reasonable adjustments?

Reminder

Under the PSED, councils are responsible for monitoring the actual equality impact of their policies. In this context, this means that you will be expected to use evidence, including from your AI-based technology provider, to update your equality considerations/ EqIA. As such, it is crucial that you request the right level of disaggregated equality data in your contract arrangements. 

For example, a council considers commissioning an AI-based technology from a provider that states that 95 per cent of people who used their tool were satisfied with it. The council decides to go ahead with commissioning the tool but, as part of its contract arrangements, it requires that the provider collects and reports disaggregated data on satisfaction levels by protected characteristic. By doing so, the council finds that most of those who are not satisfied are Asian women over 75 and living in multi-generational households. By building equality in its contract arrangements, the council now has data it can use to monitor the actual impact of using the AI-based technology and take targeted actions to improve the satisfaction rate further. 

  • How and how often will your AI-based technology provider gather such data? e.g. data will be collected via user surveys and provided to the council on a monthly basis.
  • What actions will the provider be expected to take to deal promptly and sensitively with complaints about discrimination?
  • What actions will the provider be expected to take to mitigate any negative impact you have identified or that may become apparent when the AI-based technology is in use?

Tip

Mitigating actions may include adapting the AI-based technology itself by changing the datasets it is trained on or the algorithm, or exploring the use of Privacy Enhancing Technologies and anonymisation techniques.

  • Whether and how personal data under the council’s control will be used to train the AI-based technology?
  • Whether you need to put in place any exemptions for sensitive data which is inputted into the AI-based technology?

Tip

In some cases, AI suppliers can set up automatic flagging of high-risk data that is entered into the tool. A supplier employee can then review this. To ensure that such data is not processed or seen by an employee of the AI supplier, a line can be written into the procurement contract to issue exemptions to abuse monitoring or third-party automatic flagging.

  • How often the supplier is expected to retrain the AI-based technology?
  • Is there an expectation for the supplier to use the data for its own purposes, including potentially training the AI-based technology? This must be decided before award and documented in the contract. Successful decommissioning of an AI-based technology without people losing control of their personal data should be planned in advance (for example if a developer has trained an AI-based technology on their personal data in a way that encodes it but does not delete the model following decommissioning). You might find it useful to refer to a flow diagram or another way of describing data flows, including documenting whether any other party is expected to access and use the data. Your proposed supplier may not be the original author of the algorithm. You must understand and clearly state in the contract who has access to the personal data and for what use.
  • Within the lifecycle of your AI-based technology deployment and use, it is possible that you may need to stop or pause using the AI due to a change in circumstances. You should consider this before tender, and build suitable checks into the contract, such as requirements for regular retraining of the AI, or break clauses.
  • Suitable contract clauses should cover the standards you expect for effective disaster recovery and business continuity practices and how they will be implemented if the specific AI-based technologies fail or shut down. This is an area where you are considering the data protection risk of the availability or integrity of the data, and whether any protected groups are more likely to be negatively affected during an incident.
  • Consider carefully what you expect to happen during a potential incident, such as a cyber-attack. A cyber-attack can cause significant issues in a very short period of time and can take months to fully fix. Your contract clauses need to be clear that you expect immediate and regular notifications from your supplier, whilst recognising that some aspects of the incident may have a limited distribution where the police or the National Cyber Security Centre (NCSC) are involved. You may want to consult the UK government’s Code of Practice for the Cybersecurity of AI.

Ongoing contract management

You must undertake contract monitoring; this can include asking the supplier for updated answers to your due diligence questions and reviewing these against the due diligence answers you received previously (either when the contract was created or during the last annual review). If negative outcomes are occurring or standards have changed in a way that is unacceptable to you, what action will you take with or against the supplier to reduce or change these circumstances?

  • You will need to review and, if necessary, amend your EqIA and your DPIA throughout the life of the contract. This may be when:
    • you reach Minimum Viable Product (MVP);
    • the pilot stage is complete;
    • there is an annual contract review;
    • there is a change in activity or legislation; and
    • there is a change to the product or upgrade, for example, to include an AI-based technology (sometimes called ‘slipstreaming’).

Tip

There may be some instances where a council initially procures technology that does not include AI-based components, but during its lifecycle an AI function or component is added as an upgrade. The actions they take may include creating a new EqIA or DPIA for the technology or updating a previous assessment. It is important that contract owners ensure that any commissioned service flags to them any upgrade to their system that might involve AI, and this stipulation could be written into contracts.

You also need to review:

  • whether the expected benefits are being achieved.
  • whether the processing of personal data continues to be fair, lawful, and secure and if not, what action you will take to rectify this.
  • whether there have been any incidents or complaints relating to data protection, failure to provide reasonable adjustments, discrimination, failure to provide users with particular protected characteristics with the same opportunity to access or use your services compared to those who do not share these characteristics. If so, what has been done to rectify these issues and reduce the likelihood of them occurring in the future? This may be an area where you consider penalties against a supplier or ending the contract.
  • whether there is evidence of discrimination occurring through use of the AI-based technology. If so, what has been done to rectify this for the future and to eliminate discriminatory outcomes?
  • whether the AI-based technology needs to change. This may be because of a change in society, or that successful use has changed the situation, and the original technology is no longer statistically accurate for the population it is interacting with.