Data governance: Personal data protection

About this sub-guideline

This sub-guideline is part of the guideline Data governance. Refer to the main guideline for context and an overview.

This sub-guideline looks at data protection regulations, specific types of sensitive data, and broader data privacy issues in the context of AI systems.

What is personal data protection?

Personal data protection refers to practices, policies and legislation designed to safeguard individuals’ personal data from unauthorized access, misuse or exposure. It encompasses various measures to ensure that personal data is collected, stored, processed and shared in a way that respects individuals’ privacy and complies with relevant laws and regulations.

Data protection regulations

Most countries have data protection regulations that govern how personal data is used. In all cases, parliaments must comply with relevant local regulation(s) by adopting or adapting the measures and processes required by law.

While the exact rules will vary in each case, such regulations generally impose the following requirements:

  • Personal data must be used fairly, lawfully and transparently.
  • Personal data must be used for specified, explicit purposes.
  • Personal data must be used in a way that is adequate, relevant and limited to only what is necessary.
  • Personal data must be accurate and, where necessary, kept up to date.
  • Personal data must be retained for no longer than is necessary.
  • Personal data must be handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.

Sensitive data

There may be stronger legal protections for more sensitive information, such as the following:

  • Race and/or ethnic background
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetics
  • Biometrics (where used for identification)
  • Health
  • Gender
  • Sexual orientation

Data privacy issues

In today’s increasingly digitized society, there is a growing risk of data being wrongly shared, stolen or leaked, and of inaccuracies being perpetuated across multiple systems. In the context of AI, some of the issues that must be addressed include the following:

  • Exposure to privacy breaches and security incidents: Data breaches might cause parliament to suffer long-lasting reputational damage and legal consequences, including fines, lawsuits and other regulatory sanctions.
  • Overcollection and mismanagement of data: Collecting more data than necessary can heighten the risk of breaches and privacy violations, as well as increase the complexity of data-management processes.
  • Bias: The use of AI can introduce biases into decision-making processes, leading to unfair treatment of, and discrimination against, individuals based on their data.
  • Intrusive surveillance: When data is used unethically for intrusive surveillance of individuals’ personal lives or for behaviour profiling, parliament runs the risk of both legal action and reputational damage.

The Guidelines for AI in parliaments are published by the IPU in collaboration with the Parliamentary Data Science Hub in the IPU’s Centre for Innovation in Parliament. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International licence. It may be freely shared and reused with acknowledgement of the IPU. For more information about the IPU’s work on artificial intelligence, please visit www.ipu.org/AI or contact [email protected].