
Privacy

Control statements and requirements for privacy.

PR-1 Privacy by Design and Governance

The organisation shall apply privacy-by-design principles to all AI systems, so that privacy is embedded from initial planning through system retirement. This includes establishing and maintaining privacy policies, conducting privacy impact assessments, defining privacy roles and responsibilities, and integrating privacy requirements into project management processes. The organisation shall establish privacy governance structures, record privacy decisions, regularly review privacy controls for effectiveness, and ensure that special categories of personal data are processed only when strictly necessary and with appropriate safeguards. Senior management shall demonstrate commitment to privacy through resource allocation and oversight of privacy initiatives.

ISO 27701: 6.1.1, 6.1.2, 6.2.1-6.2.4, 7.2.1-7.2.3, 7.2.5, 7.2.7, 12.2.1, A.7.4.1-A.7.4.9, B.8.4
EU AI Act: 10.5, 26.9, 27.4
SOC 2: P1.1, P1.2, P1.3

PR-2 Personal Data Management

The organisation shall implement operational processes for the responsible collection, use, storage, and disposal of personal data in AI systems, including maintaining data inventories, applying a data classification scheme, managing retention schedules, and handling data appropriately throughout the information lifecycle. The organisation shall obtain and retain records of consent for data processing, provide individuals with access to their data, operate processes for handling data subject requests, and maintain data quality standards. Procedures for data minimisation, purpose limitation, and secure disposal shall be documented and followed.

ISO 27701: 8.2.1-8.2.4, 8.3.1-8.3.3, A.7.2.1-A.7.2.8, A.7.3.1-A.7.3.10, 7.4.5, A.7.5.1-A.7.5.4, B.8.2, B.8.3, B.8.4.2, B.8.5
SOC 2: P2.1, P2.2, P3.1-P3.3, P4.1-P4.3

PR-3 Privacy Compliance and Monitoring

The organisation shall monitor compliance with privacy requirements, detect and respond to privacy incidents, and continuously improve privacy controls. This includes conducting regular privacy audits, monitoring data processing activities, managing privacy incidents, verifying supplier compliance with privacy requirements, and maintaining business continuity plans that address privacy. The organisation shall define privacy metrics, conduct regular assessments, meet breach notification requirements, and demonstrate ongoing compliance with applicable privacy regulations through documented evidence.

ISO 27701: 12.2.2, 15.2.1, 16.2.1, 16.2.2, 17.2.1, 18.2.1, 18.2.2, A.7.2.5-A.7.2.7, A.7.3.6, B.8.2.4, B.8.2.5
SOC 2: P6.1, P6.2, P6.3, P6.4, P6.5

PR-4 Privacy-Enhancing Technologies and Mechanisms

The organisation shall implement technical mechanisms and privacy-enhancing technologies in AI systems to protect personal data and provide privacy by default. This includes encryption of data at rest and in transit, role-based access control, data minimisation techniques, anonymisation and pseudonymisation methods, and secure deletion capabilities. These mechanisms shall be proportionate to the sensitivity of the data, tested regularly for effectiveness, and updated as privacy-enhancing technologies evolve. Technical controls shall be documented, validated, and integrated into the system architecture so that they provide defence in depth for privacy protection.

ISO 27701: 9.2.1-9.2.4, 10.2.1-10.2.2, 11.2.1-11.2.2, 13.2.1, 14.2.1-14.2.2, A.7.4.5, A.7.4.9, B.8.4.3
SOC 2: P5.1, P5.2, P5.3, P5.4, P5.5, P5.6
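The pseudonymisation, data minimisation and secure deletion mechanisms named in PR-4 are easy to get wrong in the common way: hashing an identifier with an unkeyed hash and calling it "anonymised". The following is an added example, not code from the framework or any implementation it references, that shows the weak form beside the corrected one: an unkeyed SHA-256 token is recovered by a dictionary attack, whereas an HMAC token under a per-purpose key is deterministic within a purpose (so records for one person still join), unlinkable across purposes, and not recomputable without the key. It also drops the fields a purpose does not need, and shows crypto-shredding (deleting a purpose's key) as the secure-deletion step. The records, field names, purposes and the `KeyStore` class are constructed for illustration.

```python
"""Keyed pseudonymisation with purpose-bound keys, data minimisation and
crypto-shredding. Added example; records and names below are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records (not real people). Two rows belong to the same
# subject so that the join-within-purpose property can be checked.
RECORDS = [
    {"email": "alice@example.com", "dob": "1990-04-12", "city": "Leeds", "score": 0.82},
    {"email": "bob@example.com", "dob": "1985-11-30", "city": "Bristol", "score": 0.41},
    {"email": "alice@example.com", "dob": "1990-04-12", "city": "Leeds", "score": 0.79},
]

# Data minimisation: the fields the (assumed) model-training purpose needs.
TRAINING_FIELDS = {"city", "score"}


def naive_pseudonym(value: str) -> str:
    """Weak form: unkeyed SHA-256. Anyone can recompute it for guessed inputs,
    so low-entropy identifiers such as e-mail addresses are trivially reversed."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Corrected form: HMAC-SHA256 under a secret key. Deterministic for a
    given key, so records for the same subject still join; with a different
    key per purpose the same subject gets unlinkable tokens per purpose."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      guess: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: compute the attacker's guess function over
    candidate identifiers and look for a match. Returns the identifier or None."""
    for cand in candidates:
        if hmac.compare_digest(guess(cand), token):
            return cand
    return None


def minimise(record: dict, allowed: set) -> dict:
    """Keep only the fields the stated purpose needs; direct identifiers and
    unneeded attributes such as date of birth are dropped before release."""
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise_dataset(records: Iterable[dict], key: bytes, allowed: set) -> list:
    """Replace the direct identifier with a keyed token and minimise each row."""
    out = []
    for rec in records:
        row = minimise(rec, allowed)
        row["subject"] = keyed_pseudonym(rec["email"], key)
        out.append(row)
    return out


class KeyStore:
    """Assumed in-memory key store: one random key per processing purpose.
    Deleting a purpose's key crypto-shreds every token derived from it; the
    tokens can no longer be regenerated from, or matched against, identifiers."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def key_for(self, purpose: str) -> bytes:
        if purpose not in self._keys:
            self._keys[purpose] = secrets.token_bytes(32)
        return self._keys[purpose]

    def shred(self, purpose: str) -> None:
        self._keys.pop(purpose, None)

    def has(self, purpose: str) -> bool:
        return purpose in self._keys


if __name__ == "__main__":
    store = KeyStore()
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    weak = naive_pseudonym("alice@example.com")
    print("unkeyed token recovered as:", dictionary_attack(weak, guesses, naive_pseudonym))
    strong = keyed_pseudonym("alice@example.com", store.key_for("training"))
    print("keyed token recovered as:", dictionary_attack(strong, guesses, naive_pseudonym))
    for row in pseudonymise_dataset(RECORDS, store.key_for("training"), TRAINING_FIELDS):
        print(row)
    store.shred("training")
    print("training key present after shred:", store.has("training"))
```

In production the key would live in a KMS or HSM rather than a Python dict, and the same keyed construction should be used for any quasi-identifier that is released (not only the primary identifier), since anonymisation is only as strong as the weakest linkable column.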