The right of subject access allows an individual access to information about the reasoning behind any decisions taken by 'automated means'.
The Act complements this provision by including rights that relate to automated decision taking. Consequently:
- an individual can give written notice requiring you not to take any automated decisions using their personal data;
- even if they have not given notice, an individual should be informed when such a decision has been taken; and
- an individual can ask you to reconsider a decision taken by automated means.
These rights can be seen as safeguards against the risk that a potentially damaging decision is taken without human intervention.
The number of organisations who take significant decisions about individuals by wholly automated means is relatively small – there is often some human intervention in making the decisions. However, it is sensible to identify whether any of the operations you perform on personal data constitute “automated decisions”. This will help you decide whether you need to have procedures to deal with the rights of individuals in these cases.
In general terms this right allows individuals to have a decision which was made by automatic means and that has significantly affected them to be reconsidered by a person. Section 10 of the Data Protection Act provides this right.
If a written notice is received, a response is required within 21 days stating the steps that the organisation intends to take to comply.
There are however certain “exempt decisions”.
This right does not apply when the decision was taken by the organisation
- with a view to entering into a contract with the person
- for the performance of such a contract
- to comply with a legal obligation
As with the other rights, this right to have a decision re-taken by a person rather than by automated means is enforceable by a court order, although any order issued by the court must not affect the rights of any person other than the individual or the organisation.