Automated individual decision making (Section 38)
At a glance:
* automated individual decision-making (making a decision solely by automated means without any human involvement); and
* profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
* The Act applies to all automated individual decision-making and profiling.
What is automated individual decision-making and profiling?
Automated individual decision-making is a decision made by automated means, such as online or by a computer, without any human involvement.
Examples of this include:
* an online decision to award a loan; and
* a recruitment aptitude test which uses pre-programmed algorithms and criteria.
“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
What does the Act say about automated individual decision-making and profiling?
Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects them. Such processing is permitted where:
* it is authorised by law; or
* the data subject has explicitly consented and appropriate safeguards are in place.
Any automated processing of personal data intended to evaluate certain personal aspects relating to an individual should not be based on special categories of personal data.
Furthermore, the information to be provided by the controller under section 23 (collection of personal data) should include information as to the existence of processing for a decision of the kind referred to in subsection 38(1) and the envisaged effects of such processing on the data subject.
In addition, the controller should implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests.