Artificial Intelligence

This committee is starting to see submissions which involve the use of artificial intelligence. To date these studies have involved:

  • developing algorithms, and inputting healthcare data into algorithms with a view to training these algorithms to recognise patterns and to make decisions based on data.
    (This subset of artificial intelligence is called 'machine learning.' Machine learning models train on large amounts of data to gradually learn and improve their accuracy rates over time.)

  • developing AI healthcare software.
    (AI healthcare software uses machine learning and data analytics to analyse data, predict outcomes, and make decisions e.g. assessment, diagnosis, treatment.)

  • using licenced AI healthcare software.
    (Licensed AI healthcare software is CE Marked as a Medical Device in the European Union)


Concepts from the European General Data Protection Regulations (GDPR) which can apply in the context of artificial intelligence include: -

  1. Automated Processing, simply explained in the context of AI, is processing data about a person using AI.
  2. Profiling, simply explained in the context of AI, is AI making inferences, predictions, drawing conclusions etc. about a person.
  3. Automated Decision Making, simply explained in the context of AI, means AI makes an assessment which results in a decision affecting a person.
  4. Decision Made Solely Based on Automated Decision Making, simply explained in the context of AI, means the AI makes the assessment which results in a decision affecting a person and there is no human input into this decision.
  5. Decision Made Solely Based on Automated Decision Making which produces legal or similarly significant effects, simply explained in context of AI, means the AI makes an assessment which results in a decision affecting a person which significantly impacts the person.
  6. Decision Made solely Based on Automated Decision Making which produces legal or similarly significant effects, simply explained in the context of AI, means AI makes an assessment which results in a decision affecting a person which significantly impacts the person and there is no human input into this decision.

The interplay between and the application of the above concepts is complex.

When Point 6 applies, in the context of a research study involving AI, the Right to Object under Article 22 of GDPR kicks in.

When Point 6 applies, in the context of a research study involving AI, the Article 6 Legal Basis for processing data will usually be Article 6.1 (a) consent; and the Article 9 Condition for processing healthcare data will usually be article 9.1 (a) explicit consent.

AI may be profiling (point 2) AND making a decision (point 3) or profiling ONLY i.e. making no decision.

Decisions made by AI in a healthcare context tend to significantly affect a person (Point 5) but it is not always the case that there is no human input (Point 6) in the final decision.

There are privacy risks however even if the data is anonymised prior to processing. As with all research studies, the impact of these risks are assessed in a document called a Data Protection Impact Assessment Form.



Please engage with a Data Protection Officer early on when planning a research study which will involve the use of AI.