According to the European Commission’s Artificial Intelligence for Europe, “Artificial intelligence (AI) is already part of our lives – it is not science fiction.” From smart speakers to customer service, AI has found its way into our homes and businesses. One area of business where AI use is emerging is records and information management (RIM). As opportunities to use AI in RIM increase, what privacy implications, what unnecessary classification or retention, and what laws or regulations can information governance and privacy professionals expect to find in the future?

As the amounts of data increase, so does the headache in trying to manage such data. AI systems and software can assist RIM professionals to capture and classify their records and information through the use of auto-classification tools. These tools implement AI through defined, encoded rules based on keywords or phrases to classify and sort the input information. Self-learning or machine learning technologies, AI systems that enable computers to learn from their environment without being explicitly programmed, can increase the efficiency and accuracy of auto-classification of information.

While these tools do speed up the classification and sorting processes, they are not foolproof. Some oversight is needed to make sure that the AI systems are correctly classifying information as records or non-records. Additionally, a mislabeled record can result in over-retention, leading to discovery or breach concerns. Because AI software can require integration of multiple systems or third-party vendors, data security risks can also increase.[1] If RIM professionals use AI software to classify their information, they will need to implement policies and procedures to conduct this oversight and review these procedures regularly, just as they would their records retention schedules and data protection practices.

As this area of business and way of life grows, so too does the need for regulated governance. Currently, there is no specific AI legislation in relation to information governance or data protection. The EU’s General Data Protection Regulation “applies to the processing of personal data wholly or partly by automated means”[2]; however, it only regulates automated processing, or the use of AI in automated decision making, by requiring data controllers to inform the data subject and give her/him the right to object to processing or decisions based solely on automated processing.[3] Similarly, Illinois’ Artificial Intelligence Video Interview Act only requires disclosure to and consent from applicants by employers using AI analysis in job interviews.[4] Both the EU and the US have seen the need to increase their AI communities and workers, but neither has yet enacted legislation specific to AI usage in information management.[5]

Governments and data protection authorities are beginning to see the need for more concrete guidance in the area of AI. The United Kingdom’s Information Commissioner’s Office recently published Guidance on AI and Data Protection, which provides more comprehensive guidelines for companies using AI to implement good practices in the area of data protection. Specifically, the ICO Guidance addresses the “need to align your internal structures, roles, and responsibilities maps, training requirements, policies and incentives to your overall AI governance and risk management strategy.”[6] The ICO Guidance also recommends human oversight: “[H]uman reviewers must be involved in checking the system’s recommendation and should not just apply the automated recommendation to an individual in a routine fashion”.[7] These recommendations may prompt businesses to implement their own AI policies and procedures before such requirements become more concrete.

As AI becomes a common facet of doing business, will AI be the new undiscovered frontier that RIM professionals need to consider when creating and implementing records retention schedules? Those are the voyages of RIM professionals. Their mission: to explore new ethical issues surrounding AI, to seek out new aspects of RIM practices, and to boldly manage information where no one else can.


[1] Information Commissioner’s Office, Guidance on AI and Data Protection, How should we assess security and data minimization in AI? What’s different about security in AI compared to ‘traditional’ technologies?.

[2] Regulation (EU) 2016/679 General Data Protection Regulation (2)(1).

[3] Id. at (13)-(15), (21).

[4] 820 ILCS 42/15.

[5] European Commission Artificial Intelligence for Europe; Ex. Ord. No. 13845. Establishing the President’s National Council for the American Worker.

[6] Information Commissioner’s Office, Guidance on AI and Data Protection, What are the accountability and governance implications of AI?, How should we approach AI governance and risk management?.

[7] Id. How do we ensure individual rights in our AI systems?, What is the role of human oversight?

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.