<!doctype html> <!--[if lte IE 8 ]><html lang="en" class="ie8"><![endif]--> <!--[if lte IE 9 ]><html lang="en" class="ie9"><![endif]--> <!--[if (gt IE 9)|!(IE)]><!--> <html lang="en"> <head prefix="og: http://ogp.me/ns#"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="initial-scale=1.0, width=device-width"> <title>Rights related to automated decision making including profiling | ICO</title> <meta name="DC.Subject" content="Rights related to automated decision making including profiling" /> <meta name="DC.Date" content="Sunday, November 17, 2024" /> <meta name="DC.Creator" content="" /> <meta name="DC.Publisher" content="ICO" /> <meta name="DC.Title" content="Rights related to automated decision making including profiling" /> <meta name="DC.PageID" content="5705" /> <meta property="og:title" content="Rights related to automated decision making including profiling" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/" /> <meta property="og:description" content="" /> <meta property="og:image" content="" /> <meta name="twitter:title" content="Rights related to automated decision making including profiling" /> <meta name="twitter:description" content="" /> <meta name="robots" content="index" /> <link rel="shortcut icon" type="image/x-icon" href="/media2/lhphq55z/favicon.ico" /> <link rel="stylesheet" type="text/css" href="/css/site.css?v=2vrG7eADocFkX9vchR9h5gTORmu6STTHxmyTWJsW9nw" /> </head> <body id="top" class="bg-white min-h-screen "> <a class="flex items-center justify-center px-3 py-2 bg-secondary text-white text-xl sr-only focus:relative focus:w-full focus:h-fit" href="#main-content"> <span class="font-serif text-serif-base pr-2">Skip to main content</span> <span class="icon icon-arrow-down"></span> </a> <header class="w-full fixed md:static z-10 md:z-auto print:hidden"> <div class="bg-primary"> <div class="lg:container px-4 py-3.5 md:flex"> <div class="md:pr-8"> <a href="/"> <div class="bg-left bg-contain bg-no-repeat h-8 w-20 inline-block md:hidden" style="background-image: url('/media2/qkcg1rdf/logo-small.svg?width=80&amp;height=32&amp;v=1db03b868bf60c0');"></div> <div class="bg-left bg-contain bg-no-repeat h-24 w-40 hidden md:inline-block" style="background-image: url('/media2/myukqaa2/ico-header-logo.svg?width=160&amp;height=96&amp;v=1db03b866f17e90');"></div> <span class="sr-only">Home</span> </a> </div> <div class="grow items-stretch hidden md:flex"> <div class="font-serif text-center md:text-left text-white text-serif-base md:flex items-end md:pl-8 border-secondary border-dotted md:border-l-2"> <span>The ICO exists to empower you through information.</span> </div> </div> <div class="flex flex-col items-end md:pl-8"> <script type="application/json" id="language-settings"> {"cookieDomain":"ico.org.uk","options":[{"text":"English","href":"https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/","icon":"icon-lang-en","value":"English"},{"text":"Cymraeg","href":"https://cy.ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/","icon":"icon-lang-cy","value":"Welsh"}]} </script> <div id="language-toggle"></div> <div class="grow flex items-end"> <button type="button" id="search-toggle" class="absolute rounded p-2 top-3 right-12 md:hidden hover:bg-secondary" aria-controls="search"> <span id="search-icon" class="block icon icon-search text-white text-xl"></span> <span class="sr-only">Search</span> </button> <div id="search" class="motion-safe:transition-all motion-safe:duration-200 hidden md:block w-full sm:w-fit max-h-0 md:max-h-fit overflow-hidden md:overflow-auto"> <form action="https://icosearch.ico.org.uk/s/search.html" method="GET" id="search-form" class="pt-3.5 md:pt-0"> <input type="hidden" name="collection" value="ico-meta" /> <input type="hidden" name="profile" value="_default" /> <div class="flex"> <label for="search-query" class="sr-only">Search</label> <input type="search" name="query" id="search-query" class="grow min-w-0 px-2 py-1 border-t border-b border-l border-r-0 border-white/50 focus:border-white focus:ring-0 rounded-l bg-secondary motion-safe:transition-colors hocus:bg-white text-white hocus:text-black sm:w-60 md:w-48" /> <button type="submit" class="text-transparent bg-secondary rounded-r p-2 border-t border-b border-r border-white/50"> <span class="block text-white text-xl icon icon-search"></span> <span class="sr-only">Search</span> </button> </div> </form> </div> </div> </div> </div> </div> <div class="bg-secondary"> <div class="lg:container md:px-4"> <button type="button" id="navbar-toggle" class="absolute rounded p-2 top-3 right-3 md:hidden hover:bg-secondary" aria-controls="navbar"> <span class="block icon icon-menu text-white text-xl"></span> <span class="sr-only">Menu</span> </button> <nav id="navbar" class="bg-secondary motion-safe:transition-all motion-safe:duration-200 hidden md:block max-h-0 md:max-h-fit overflow-hidden md:overflow-auto"> <ul class="border-primary border-dotted border-t-2 md:border-t-0 md:flex md:flex-wrap"> <li class="md:flex"> <a href="/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-grey md:hover:border-t-theme-grey"> <span>Home</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/for-the-public/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-green md:hover:border-t-theme-green"> <span>For the public</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/for-organisations/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-yellow md:hover:border-t-theme-yellow bg-primary md:border-t-theme-yellow"> <span>For organisations</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/make-a-complaint/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-orange md:hover:border-t-theme-orange"> <span>Make a complaint</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/action-weve-taken/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-red md:hover:border-t-theme-red"> <span>Action we&#x27;ve taken</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/about-the-ico/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-blue md:hover:border-t-theme-blue"> <span>About the ICO</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> </ul> </nav> </div> </div> </header> <main id="main-content" class="pt-20 md:pt-0 md:mt-7 mb-3 md:mb-4"> <div class="lg:container px-4 mb-4 print:hidden"> <nav aria-label="breadcrumb"> <ul class="-mx-1 flex flex-wrap text-sm"> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/" class="text-link hover:underline">For organisations</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/" class="text-link hover:underline">UK GDPR guidance and resources</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/" class="text-link hover:underline">Individual rights - guidance and resources</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" class="text-link hover:underline">A guide to individual rights</a> </span> </li> <li class="mx-1"> <span>Rights related to automated decision making including profiling</span> </li> </ul> </nav> </div> <div class="lg:container px-4"> <div class="border-dotted border-b-2 border-neutral-200 pb-2 sm:pb-3.5 md:pb-6 mb-2 sm:mb-3.5 md:mb-5"> <div class="md:flex md:items-center"> <h1 class="py-0.5 font-serif leading-none sm:border-l-10 sm:pl-3 text-serif-2xl sm:text-serif-3xl border-theme-yellow">Rights related to automated decision making including profiling</h1> <div class="md:pl-2 md:ml-auto mt-2 md:mt-2 print:hidden"> <a href="#0" id="download-options-toggle" class="font-serif text-serif-base text-link flex items-center"> Download options <span class="hidden">(Opens download panel)</span> <i class="inline-block icon icon-download text-xl text-white bg-pink-600 rounded-full p-2 ml-2"></i> </a> </div> </div> <div class="download-container bg-pink-600 mt-5 rounded-lg motion-safe:transition-all motion-safe:duration-200 overflow-hidden max-h-0 hidden" id="download-options-container"> <form method="post" action="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/" class="p-3 text-white md:flex md:items-center" target="_blank"> <input type="hidden" name="currentUrl" value="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/" /> <input type="hidden" name="nodeId" value="5705" /> <input type="hidden" name="formId" /> <input type="hidden" name="recordId" /> <fieldset class="md:flex md:items-center"> <legend class="font-serif text-serif-base contents">Pages</legend> <ul class="flex mt-1 md:mt-0 ml-2"> <li class="md:ml-2"> <input type="radio" name="pages" id="pages-all" value="all" class="hidden appearance-none cursor-pointer peer" checked> <label for="pages-all" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-book mr-2 text-base md:text-lg"></i>All pages </label> </li> <li class="ml-2"> <input type="radio" name="pages" id="pages-this" value="this" class="hidden appearance-none cursor-pointer peer"> <label for="pages-this" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-file-blank mr-2 text-base md:text-lg"></i>This page </label> </li> </ul> </fieldset> <fieldset class="md:ml-10 md:flex md:items-center mt-3 md:mt-0"> <legend class="font-serif text-serif-base contents">Format</legend> <ul class="flex mt-1 md:mt-0 ml-2"> <li class="md:ml-2"> <input type="radio" name="types" id="types-pdf" value="pdf" class="hidden appearance-none cursor-pointer peer" checked> <label for="types-pdf" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-file-pdf mr-2 text-base md:text-lg"></i>PDF </label> </li> </ul> </fieldset> <div class="ml-auto mt-3 md:mt-0"> <button class="btn bg-primary flex items-center text-base md:text-lg"> Download <i class="icon icon-download text-white ml-2 text-lg"></i> </button> </div> </form> </div> </div> <div class="grid grid-cols-4"> <div class="col-span-4 md:hidden border-b-2 border-dotted border-neutral-200 flex justify-between pb-2 mb-4 cursor-pointer print:hidden" id="multipage-nav-toggle"> <p class="text-sm text-primary justify-start">Contents</p> <div class="justify-end"> <span class="icon icon-search text-primary" id="multipage-search-button"></span> <span class="icon icon-pointer-down text-primary"></span> </div> </div> <aside class="col-span-4 md:col-span-1 hidden md:block motion-safe:transition-all motion-safe:duration-200 overflow-hidden md:overflow-auto max-h-0 md:max-h-fit mb-6 md:mb-0" id="multipage-nav"> <form id="multipage-search" class="mb-3 flex" method="get"> <label for="multipage-search-input" class="sr-only">Search this document</label> <input type="search" name="search" value="" class="w-full py-2 px-2 text-sm bg-slate-100 border-r-0" id="multipage-search-input" /> <button type="submit" title="Search" class="icon icon-search px-2 bg-slate-100 border border-solid border-l-0 border-slate-700"> </button> </form> <nav> <ul> <li> <div class="mb-2 pb-2 border-b-2 border-dotted border-neutral-200"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5616"> <span>A guide to individual rights</span> </a> </div> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5661"> <span>Right to be informed</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-of-access/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5669"> <span>Right of access</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-rectification/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5674"> <span>Right to rectification</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5678"> <span>Right to erasure</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-restrict-processing/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5683"> <span>Right to restrict processing</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5690"> <span>Right to data portability</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-object/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5700"> <span>Right to object</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid bg-neutral-100 text-neutral-600 border-theme-yellow pl-[10px]" data-id="5705"> <span>Rights related to automated decision making including profiling</span> </a> </div> </li> </ul> </li> </ul> </nav> </aside> <div class="col-span-4 md:col-span-3 md:pl-10"> <div class="mb-10"> <div class="umb-block-grid" data-grid-columns="12;" style="--umb-block-grid--grid-columns: 12;"> <div class="umb-block-grid__layout-container"> <div class="umb-block-grid__layout-item" data-content-element-type-alias="richTextBlock" data-content-element-type-key="d7ec1d8a-2a00-439e-95b4-9f3537f5ece4" data-element-udi="umb://element/727fd36edd5746bba225b17e570a012c" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <div class="prose prose-sm md:prose-base prose-h2:font-serif sm:prose-h2:border-l-10 sm:prose-h2:pl-3 sm:prose-h2:-ml-3 sm:prose-h2:relative sm:prose-h2:left-[-10px] prose-h3:font-serif sm:prose-lead:border-l-10 sm:prose-lead:pl-3 sm:prose-lead:-ml-3 sm:prose-lead:relative sm:prose-lead:left-[-10px] prose-hr:my-4 prose-h2:border-theme-yellow-light prose-lead:border-theme-yellow-light prose-theme-yellow sm:ml-[10px] sm:pl-3"> <h2>At a glance</h2><ul> <li>The UK GDPR has provisions on: <ul> <li>automated individual decision-making (making a decision solely by automated means without any human involvement); and</li> <li>profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.</li> </ul> </li> <li>The UK GDPR applies to all automated individual decision-making and profiling.</li> <li>Article 22 of the UK GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.</li> <li>You can only carry out this type of decision-making where the decision is: <ul> <li>necessary for the entry into or performance of a contract; or</li> <li>authorised by domestic law applicable to the controller; or</li> <li>based on the individual’s explicit consent.</li> </ul> </li> <li>You must identify whether any of your processing falls under Article 22 and, if so, make sure that you: <ul> <li>give individuals information about the processing;</li> <li>introduce simple ways for them to request human intervention or challenge a decision;</li> <li>carry out regular checks to make sure that your systems are working as intended.</li> </ul> </li> </ul><h2>Checklists</h2><h3>All automated individual decision-making and profiling</h3><div class="rt-block rt-letter"> <p><strong>To comply with the UK GDPR...</strong></p> <p><span>☐ </span>We have a lawful basis to carry out profiling and/or automated decision-making and document this in our data protection policy.</p> <p><span>☐ </span>We send individuals a link to our privacy statement when we have obtained their personal data indirectly.</p> <p><span>☐ </span>We explain how people can access details of the information we used to create their profile.</p> <p><span>☐ </span>We tell people who provide us with their personal data how they can object to profiling, including profiling for marketing purposes.</p> <p><span>☐ </span>We have procedures for customers to access the personal data input into the profiles so they can review and edit for any accuracy issues.</p> <p><span>☐ </span>We have additional checks in place for our profiling/automated decision-making systems to protect any vulnerable groups (including children).</p> <p><span>☐ </span>We only collect the minimum amount of data needed and have a clear retention policy for the profiles we create.</p> <p><strong>As a model of best practice...</strong></p> <p><span>☐ </span>We carry out a DPIA to consider and address the risks before we start any new automated decision-making or profiling.</p> <p><span>☐ </span>We tell our customers about the profiling and automated decision-making we carry out, what information we use to create the profiles and where we get this information from.</p> <p><span>☐ </span>We use anonymised data in our profiling activities.</p> </div><h3>Solely automated individual decision-making, including profiling with legal or similarly significant effects (Article 22)</h3><div class="rt-block rt-letter"> <p><strong>To comply with the UK GDPR...</strong></p> <p><span>☐ </span>We carry out a DPIA to identify the risks to individuals, show how we are going to deal with them and what measures we have in place to meet UK GDPR requirements.</p> <p><span>☐ </span>We carry out processing under Article 22(1) for contractual purposes and we can demonstrate why it’s necessary.</p> <p>OR</p> <p><span>☐ </span>We carry out processing under Article 22(1) because we have the individual’s explicit consent recorded. We can show when and how we obtained consent. We tell individuals how they can withdraw consent and have a simple way for them to do this.</p> <p>OR</p> <p><span>☐ </span>We carry out processing under Article 22(1) because we are authorised or required to do so. This is the most appropriate way to achieve our aims.</p> <p><span>☐ </span>We don’t use special category data in our automated decision-making systems unless we have a lawful basis to do so, and we can demonstrate what that basis is. We delete any special category data accidentally created.</p> <p><span>☐ </span>We explain that we use automated decision-making processes, including profiling. We explain what information we use, why we use it and what the effects might be.</p> <p><span>☐ </span>We have a simple way for people to ask us to reconsider an automated decision.</p> <p><span>☐ </span>We have identified staff in our organisation who are authorised to carry out reviews and change decisions.</p> <p><span>☐ </span>We regularly check our systems for accuracy and bias and feed any changes back into the design process.</p> <p><strong>As a model of best practice...</strong></p> <p><span>☐ </span>We use visuals to explain what information we collect/use and why this is relevant to the process.</p> <p><span>☐ </span>We have signed up to [standard] a set of ethical principles to build trust with our customers. This is available on our website and on paper.</p> </div><h2>In brief</h2><ul> <li><a href="#ib2">What is automated individual decision-making and profiling?</a></li> <li><a href="#ib3">What does the GDPR say about automated individual decision-making and profiling?</a></li> <li><a href="#ib4">When can we carry out this type of processing?</a></li> <li><a href="#ib5">What else do we need to consider?</a></li> <li><a href="#ib6">What if Article 22 doesn’t apply to our processing?</a></li> <li><a data-id="5618f454-40b0-4e81-986d-fa1d55f9ee00" href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/automated-decision-making-and-profiling/" title="Automated decision-making and profiling">In detail</a></li> </ul><h3><a id="ib2"></a>What is automated individual decision-making and profiling?</h3><p>Automated individual decision-making is a decision made by automated means without any human involvement.</p><p>Examples of this include:</p><ul> <li>an online decision to award a loan; and</li> <li>a recruitment aptitude test which uses pre-programmed algorithms and criteria.</li> </ul><p>Automated individual decision-making does not have to involve profiling, although it often will do.</p><p>The UK GDPR says that profiling is:</p><blockquote> <p>“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”</p> <p>[Article 4(4)]</p> </blockquote><p>Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.                             </p><p>Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. There is more information about algorithms and machine-learning in our paper on <a href="https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-ml-and-data-protection.pdf">big data, artificial intelligence, machine learning and data protection</a>.</p><p>Based on the traits of others who appear similar, organisations use profiling to:</p><ul> <li>find something out about individuals’ preferences;</li> <li>predict their behaviour; and/or</li> <li>make decisions about them.</li> </ul><p>This can be very useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.</p><p>Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for individuals. The UK GDPR provisions are designed to address these risks.</p><h3><a id="ib3"></a>What does the UK GDPR say about automated individual decision-making and profiling?</h3><p>The UK GDPR restricts you from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.</p><blockquote> <p>“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”</p> <p>[Article 22(1)]</p> </blockquote><p>For something to be solely automated there must be no human involvement in the decision-making process.       </p><p>The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the UK GDPR, but the decision must have a serious impact on an individual to be caught by this provision. </p><p>A legal effect is something that affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.</p><h3><a id="ib4"></a>When can we carry out this type of processing?</h3><p>Solely automated individual decision-making - including profiling - with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances.</p><p>You can<strong> only</strong> carry out solely automated decision-making with legal or similarly significant effects if the decision is:</p><ul> <li>necessary for entering into or performance of a contract between an organisation and the individual;</li> <li>authorised by law (for example, for the purposes of fraud or tax evasion); or</li> <li>based on the individual’s explicit consent.</li> </ul><p>If you’re using special category personal data you can <strong>only </strong>carry out processing described in Article 22(1) if:</p><ul> <li>you have the individual’s explicit consent; <strong>or</strong></li> <li>the processing is necessary for reasons of substantial public interest.</li> </ul><h3><a id="ib5"></a>What else do we need to consider?</h3><p>Because this type of processing is considered to be high-risk the UK GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed what those risks are and how you will address them.</p><p>As well as restricting the circumstances in which you can carry out solely automated individual decision-making (as described in Article 22(1)) the UK GDPR also:</p><ul> <li>requires you to give individuals specific information about the processing;</li> <li>obliges you to take steps to prevent errors, bias and discrimination; and</li> <li>gives individuals rights to challenge and request a review of the decision.</li> </ul><p>These provisions are designed to increase individuals’ understanding of how you might be using their personal data.</p><p>You must:</p><ul> <li>provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;</li> <li>use appropriate mathematical or statistical procedures;</li> <li>ensure that individuals can: <ul> <li>obtain human intervention;</li> <li>express their point of view; and</li> <li>obtain an explanation of the decision and challenge it;</li> </ul> </li> <li>put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimise the risk of errors;</li> <li>secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.</li> </ul><h3><a id="ib6"></a>What if Article 22 doesn’t apply to our processing?</h3><p>Article 22 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects.</p><p>If your processing does not match this definition then you can continue to carry out profiling and automated decision-making.</p><p>But you must still comply with the UK GDPR principles.</p><p>You must identify and record your <a href="#" title="Special category data">lawful basis for the processing</a>.</p><p>You need to have processes in place so people can <a data-id="7753f374-a792-4a4a-8be4-bddd4de4e59e" href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" title="Individual rights">exercise their rights</a>.</p><p>Individuals have a right to object to profiling in certain circumstances. You must bring details of this right specifically to their attention.</p> </div> </div> <div class="umb-block-grid__layout-item" data-content-element-type-alias="furtherReadingBlock" data-content-element-type-key="349dc532-9e3f-4f24-9fa4-2e5b86aa0eda" data-element-udi="umb://element/fc26f0b5efbd4732b88c122d6ed2463b" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <further-Reading x-href="https://www.legislation.gov.uk/eur/2016/679/contents" x-target="_blank" x-title="Relevant provisions in the UK GDPR - Article 4(4), 9, 12, 13, 14, 15, 21, 22, 35(1)and (3)" x-location="External link"></further-Reading> </div> <div class="umb-block-grid__layout-item" data-content-element-type-alias="richTextBlock" data-content-element-type-key="d7ec1d8a-2a00-439e-95b4-9f3537f5ece4" data-element-udi="umb://element/251e5b34660848258c3af25a1ec0fda4" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <div class="prose prose-sm md:prose-base prose-h2:font-serif sm:prose-h2:border-l-10 sm:prose-h2:pl-3 sm:prose-h2:-ml-3 sm:prose-h2:relative sm:prose-h2:left-[-10px] prose-h3:font-serif sm:prose-lead:border-l-10 sm:prose-lead:pl-3 sm:prose-lead:-ml-3 sm:prose-lead:relative sm:prose-lead:left-[-10px] prose-hr:my-4 prose-h2:border-theme-yellow-light prose-lead:border-theme-yellow-light prose-theme-yellow sm:ml-[10px] sm:pl-3"> <div class="rt-block rt-green"> <p><strong>In more detail – ICO guidance</strong></p> <ul> <li>We have published detailed guidance on <a data-id="5618f454-40b0-4e81-986d-fa1d55f9ee00" href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/automated-decision-making-and-profiling/" title="Automated decision-making and profiling">automated decision-making and profiling</a>.</li> <li><a href="/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/transparency/" title="Transparency">Privacy notices transparency and control</a></li> <li><a rel="noopener" href="/media2/migrated/2013559/big-data-ai-ml-and-data-protection.pdf" target="_blank" title="Big data, artificial intelligence, machine learning and data protection">Big data, artificial intelligence, machine learning and data protection</a></li> </ul> </div><div class="rt-block rt-amber"> <p><strong>In more detail – European Data Protection Board</strong></p> <p>The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.</p> <p>WP29 has adopted <a href="http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053">guidelines on Automated individual decision-making and Profiling</a>, which have been endorsed by the EDPB.</p> <p>Other relevant guidelines published by WP29 and endorsed by the EDPB include:</p> <p><a href="http://ec.europa.eu/newsroom/document.cfm?doc_id=44137">WP29 guidelines on Data Protection Impact Assessment</a></p> EDPB guidelines are no longer be directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues. </div><div class="rt-block rt-green"> <p><strong>Further reading – ICO guidance</strong></p> <p>The <a href="/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/individuals-rights/#automated" title="Individuals’ rights" data-anchor="#automated">Accountability Framework</a> looks at the ICO’s expectations in relation to rights related to automated decision making including profiling.</p> </div> </div> </div> </div> </div> </div> <nav class="print:hidden inline-flex flex-col items-start gap-5"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-object/" class="group text-primary"> <div class="flex items-center"> <i class="icon icon-arrow-left text-4xl"></i> <span class="pl-3 flex flex-col"> <span class="text-lg font-semibold">Previous</span> <span class="text-sm underline underline-offset-4 decoration-dotted decoration-1 group-hover:decoration-solid">Right to object</span> </span> </div> </a> </nav> </div> </div> </div> </main> <a href="#top" id="button-top" class="transition-opacity duration-500 flex items-center justify-center fixed right-4 bottom-4 z-10 rounded-full outline outline-white w-8 h-8 bg-primary opacity-0 hidden print:hidden"> <span class="icon icon-arrow-up text-white"></span> <span class="sr-only">Back to top</span> </a> <footer class="sticky top-[100vh] print:hidden"> <div class="lg:container px-4 border-t-2 border-dotted border-neutral-200 mt-6"> <div class="py-3"> <button onClick="window.print()" class="flex items-center group"> <i class="icon icon-printer text-lg text-white rounded-full p-1 bg-neutral-400"></i> <span class="ml-2 text-sm text-link group-hover:underline">Print this page</span> </button> </div> </div> <div class="bg-neutral-100"> <div class="lg:container px-4"> <div class="py-5 flex"> <div class="hidden md:block flex-auto"> <ul class="grid gap-4 grid-cols-4"> <li> <div class="mb-3"> <a href="/for-the-public/" class="font-serif text-serif-base text-link hover:underline">For the public</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/for-the-public/official-information/" class="hover:underline">Official information</a> </li> <li class="mt-1"> <a href="/for-the-public/nuisance-calls/" class="hover:underline">Nuisance calls</a> </li> </ul> </li> <li> <div class="mb-3"> <a href="/for-organisations/" class="font-serif text-serif-base text-link hover:underline">For organisations</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/" class="hover:underline">UK GDPR guidance and resources</a> </li> <li class="mt-1"> <a href="/for-organisations/foi/" class="hover:underline">Freedom of information</a> </li> <li class="mt-1"> <a href="/for-organisations/eir-and-access-to-information/" class="hover:underline">EIR and access to information</a> </li> <li class="mt-1"> <a href="/for-organisations/direct-marketing-and-privacy-and-electronic-communications/" class="hover:underline">Direct marketing</a> </li> <li class="mt-1"> <a href="/for-organisations/advice-and-services/" class="hover:underline">Advice and services</a> </li> </ul> </li> <li> <div class="mb-3"> <a href="/action-weve-taken/" class="font-serif text-serif-base text-link hover:underline">Action we&#x27;ve taken</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/action-weve-taken/enforcement/" class="hover:underline">Enforcement action</a> </li> <li class="mt-1"> <a href="https://icosearch.ico.org.uk/s/search.html?collection=ico-meta&amp;profile=decisions&amp;query" class="hover:underline">Decision notices</a> </li> <li class="mt-1"> <a href="https://ico.org.uk/action-weve-taken/audits-and-overview-reports/" class="hover:underline">Audits</a> </li> </ul> </li> <li> <div class="mb-3"> <a href="/about-the-ico/" class="font-serif text-serif-base text-link hover:underline">About the ICO</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/about-the-ico/who-we-are/" class="hover:underline">Who we are</a> </li> <li class="mt-1"> <a href="/about-the-ico/what-we-do/" class="hover:underline">What we do</a> </li> <li class="mt-1"> <a href="/about-the-ico/media-centre/" class="hover:underline">Media centre</a> </li> <li class="mt-1"> <a href="/about-the-ico/jobs/" class="hover:underline">Careers</a> </li> <li class="mt-1"> <a href="/about-the-ico/modern-slavery-statement/" class="hover:underline">Modern Slavery Statement</a> </li> </ul> </li> </ul> </div> <div class="hidden md:block flex-auto mx-8 border-l-2 border-dotted border-neutral-400"> </div> <div class="flex-auto"> <div class="font-serif text-serif-base text-link mb-3">Follow us</div> <ul class="flex flex-col sm:flex-row md:flex-col sm:flex-wrap sm:gap-x-4 gap-y-2 text-sm text-neutral-600"> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="https://twitter.com/iconews" target="_blank"> <img class="rounded-full mr-2" src="/media2/g1plb1os/twitter.svg?width=24&amp;height=24&amp;v=1db03b86976f0f0" width="24" height="24" alt="Icon for the Twitter @ICONews social link" /> <span>Twitter @ICONews</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="http://www.youtube.com/user/icocomms" target="_blank"> <img class="rounded-full mr-2" src="/media2/z3vdkkxj/youtube.svg?width=24&amp;height=24&amp;v=1db042ab32beee0" width="24" height="24" alt="Icon for the YouTube social link" /> <span>YouTube</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="http://linkedin.com/company/information-commissioner&#x27;s-office" target="_blank"> <img class="rounded-full mr-2" src="/media2/cgdpvn4n/linkedin.svg?width=24&amp;height=24&amp;v=1db042ab2dda7d0" width="24" height="24" alt="Icon for the LinkedIn social link" /> <span>LinkedIn</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="http://facebook.com/ICOnews" target="_blank"> <img class="rounded-full mr-2" src="/media2/g2nhkyjv/facebook.svg?width=24&amp;height=24&amp;v=1db03b86b4b62d0" width="24" height="24" alt="Icon for the Facebook social link" /> <span>Facebook</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="/about-the-ico/media-centre/e-newsletter/"> <img class="rounded-full mr-2" src="/media2/thzeryz5/envelope.svg?width=24&amp;height=24&amp;v=1db03b86a1d4310" width="24" height="24" alt="Icon for the Subscribe to our e-newsletter social link" /> <span>Subscribe to our e-newsletter</span> </a> </li> </ul> </div> </div> </div> </div> <div class="bg-secondary"> <div class="lg:container px-4"> <div class="py-3 md:hidden"> <div class="font-serif text-center md:text-left text-white text-serif-base md:flex items-end md:pl-8 border-secondary border-dotted md:border-l-2"> <span>The ICO exists to empower you through information.</span> </div> </div> </div> </div> <div class="bg-primary"> <div class="lg:container px-4"> <div class="pt-2"> <ul class="-mx-3 flex flex-wrap text-white text-sm md:text-base"> <li class="mx-3 my-1"> <a href="/global/contact-us/" class="hover:underline">Contact us</a> </li> <li class="mx-3 my-1"> <a href="/global/privacy-notice/" class="hover:underline">Privacy notice</a> </li> <li class="mx-3 my-1"> <a href="/global/cookies/" class="hover:underline">Cookies</a> </li> <li class="mx-3 my-1"> <a href="/global/accessibility/" class="hover:underline">Accessibility</a> </li> <li class="mx-3 my-1"> <a href="/about-the-ico/who-we-are/wales-office/" class="hover:underline">Cymraeg</a> </li> <li class="mx-3 my-1"> <a href="/global/request-publications/" class="hover:underline">Publications</a> </li> <li class="mx-3 my-1"> <a href="/global/disclaimer/" class="hover:underline">Disclaimer</a> </li> <li class="mx-3 my-1"> <a href="/global/copyright-and-re-use-of-materials/" class="hover:underline">&#xA9; Copyright</a> </li> </ul> </div> <div class="py-5"> <div class="md:flex md:items-center"> <div class="pr-4 mb-2 md:mb-0"> <img class="w-10" src="/media2/r34b3hma/ogl.png?width=40&amp;height=16&amp;v=1db03b8684a57d0" width="40" height="16" alt="" /> </div> <div class="prose prose-sm prose-white"> <p>All text content is available under the <a href="http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/">Open Government Licence v3.0</a>, except where otherwise stated.</p> </div> </div> </div> </div> </div> </footer> <script type="text/javascript" src="https://cc.cdn.civiccomputing.com/9/cookieControl-9.9.min.js"></script> <script type="application/json" id="cookie-settings"> {"apiKey":"dbf86e044f3ab8c4df852af5c7c6ceb2dd7678dd","necessaryCookies":[".AspNetCore.Antiforgery.*","language"],"statement":{"description":"For more detailed information, see our","name":"Cookies page","url":"https://ico.org.uk/global/cookies/","updated":"04/09/2024"},"text":{"title":"Cookies on the ICO website","intro":"We use some essential cookies to make this site work. We\u0027d like to set analytics cookies to understand how you use this site. We may use services from Vimeo and YouTube that may also use cookies.","acceptSettings":"Accept non-essential cookies","rejectSettings":"Reject non-essential cookies","necessaryTitle":"Essential cookies","necessaryDescription":"These cookies are necessary for core functionality, such as security and network management. They always need to be on.","closeLabel":"Save and close","cornerButton":"Cookie options","on":"On","off":"Off"},"optionalCookies":[{"name":"analytics","label":"Analytics cookies","description":"We use Silktide to measure how you use the ICO website. These cookies collect information about how you got to the site, the pages you visit and how long you spend on each page, and what you click on."},{"name":"videoPlayer","label":"Video player cookies","description":"We use services from Vimeo and YouTube to show you embedded videos on the ICO website. Vimeo and Google may use cookies to receive information about the videos you watch for analytics and advertising purposes."}]} </script> <script type="text/plain" id="silktide-settings">12d0c703744ea255b679f823daf1645f</script> <script type="text/javascript" src="/js/index.js?v=TYEGb_GH5SkF5NJRh7cZpx-oDut7QIjlT7FB7jistDU"></script> </body> </html>