Description
“Deployment is the process of getting an IT system to be operational in its environment, including installation, configuration, running, testing, and making necessary changes. Deployment is usually not done by the developers of a system but by the IT team of the customer. Nevertheless, even if this is the case, developers will have a responsibility to supply the customer with sufficient information for successful deployment of the model. This will normally include a (generic) deployment plan, with necessary steps for successful deployment and how to perform them, and a (generic) monitoring and maintenance plan for maintenance of the system, and for monitoring the deployment and correct usage of data mining results.”[1]
Main actions that need to be addressed
General remarks
Once you have created your algorithm, you face an important issue. It might happen that it incorporates personal data, openly or in a hidden way.You must perform a formal evaluation assessing which personal data from the data subjects could be identifiable. This can be complicated at times. For example, some AI tools, such as Vector Support Machines (VSM) could contain examples of the training data by design within the logic of the model. In other cases, patterns may be found in the model that identifies a unique individual. In all of these cases, unauthorized parties may be able to recover elements of the training data, or infer who was in it, by analyzing the way the model behaves.If you know or suspect that the AI tool contains personal data (see Purchasing or promoting access to a database section in Actions and tools chapter), you should:
- Delete them or, on the contrary, to justify the impossibility of doing so, completely or partly because of the degradation it would mean for the model (see “Storage limitation” section in “Principles” chapter).
- Determine the legal basis for carrying out the communication of personal data to third parties, especially if special categories of data are involved (see “Lawfulness” subsection in “Lawfulness, fairness and transparency” section).
- Inform the data subjects of the processing above.
- Demonstrate that the data protection by design and by default policies have been implemented (especially data minimization).
- Conduct a Data Protection Impact Assessment (DPIA)
Finally, you must take regular action to proactively evaluate the likelihood of the possibility of personal data being inferred from models in light of the state-of-the-art technology, so that the risk of accidental disclosure is minimized. If these actions reveal a substantial possibility of data disclosure, necessary measures to avoid it should be implemented (see “Integrity and confidentiality” section in “Principles” chapter).
Updating information
If the algorithm is implemented by a third party, you must communicate the results of the validation and monitoring system employed at the development stages and offer your collaboration to continue monitoring the validation of the results. It would also be advisable to establish this kind of coordination with third parties from whom you acquire databases or any other relevant component in the life cycle of the system. If this involves data processing by a third party, you must ensure that access is provided within a legal basis.
It is necessary to offer real time information to the end user about the values of accuracy and/or quality of the inferred information at each stage (see “Accuracy” section in “Principles” chapter). When the inferred information does not reach minimum quality thresholds, you must highlight that this information has no value. This requirement often implies that you shall provide detailed information about the training and validation stages. Information about the datasets used for those purposes is particularly important. Otherwise, the use of the solution might bring disappointing results to the end users, who are left speculating on the cause.
References
1SHERPA, Guidelines for the Ethical Development of AI and Big Data Systems: An Ethics by Design approach, 2020, p 13. At: https://www.project-sherpa.eu/wp-content/uploads/2019/12/development-final.pdf Accessed 15 May 2020 ↑