Automated individual decision making (Section 38)
At a glance:
- The Act has provisions on:
  - automated individual decision-making (making a decision solely by automated means without any human involvement); and
  - profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
- The Act applies to all automated individual decision-making and profiling.
- Subject to section 23(2)(g), the controller shall, at the time of collecting the personal data, ensure that the data subject concerned is informed of the existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
What is automated individual decision-making and profiling?
Automated individual decision-making is a decision made by automated means such as online or by a computer without any human involvement.
Examples of this include:
- an online decision to award a loan; and
- a recruitment aptitude test which uses pre-programmed algorithms and criteria.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects them. Such processing is permitted where:
- it is necessary for entering into or performing a contract with the data subject provided that appropriate safeguards are in place;
- it is authorised by law; or
- the data subject has explicitly consented and appropriate safeguards are in place.
Any automated processing of personal data intended to evaluate certain personal aspects relating to an individual should not be based on special categories of personal data.
Furthermore, the information to be provided by the controller under section 23 (collection of personal data) should include information as to the existence of processing for a decision of the kind referred to in subsection 38(1) and the envisaged effects of such processing on the data subject.
In addition, the controller should implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests.