In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the questions every business should be asking.
This month we review whether we are any closer to an AI Bill in the UK, why data centres are now being classed as ‘critical infrastructure’ and what happened when the ICO fined an individual who unlawfully accessed personal data from an ex-employer.
We take a look at why this is important and the implications for both businesses and individuals.
Find out more below.
Are we any closer to an AI Bill in the UK?
What happened
- The Public Authority Algorithmic and Automated Decision-Making Systems Bill is a private members’ Bill which had its first reading in the House of Lords on 9 September 2024
- Its scope includes all algorithmic or automated decision-making systems developed or procured by a public authority
- The Bill sets out key provisions to ensure these types of systems are used transparently, fairly and responsibly
- If the Bill is passed it will mean that public authorities must complete and publish an algorithmic impact assessment to make sure decisions made by their AI systems are responsible and fair
- They will also need to complete and publish an algorithmic transparency record to provide information about the automated decision-making process (including details of human oversight)
- They must also ensure the AI system can generate logs, and the logs must be retained for 5 years
Why it matters
- The UK has not had any plans to legislate for AI so far
- The EU AI Act is now in force and is expected to set a global standard for AI regulation, influencing how other regions approach AI governance
- If the UK Bill is passed, it will mean that public authorities need to take the following steps before deploying AI systems: (i) notify the public when decisions are made using algorithmic systems; (ii) provide meaningful explanations to affected individuals about how decisions are made; (iii) monitor outcomes to safeguard against unintended consequences; (iv) validate data accuracy and relevance; and (v) conduct regular audits and evaluations of these systems
- The Bill will promote ‘efficient, fair, accurate, consistent and interpretable decisions’ as well as providing an independent dispute resolution service
Next steps
A second reading of the Bill will include a general debate on all aspects of the Bill although this is yet to be scheduled
How important is data? Data centres are now being classed as ‘critical national infrastructure’
What happened
- We depend on digital services for many aspects of our lives
- The Government has decided to designate data centres as Critical National Infrastructure (CNI). This is a welcome move which promotes the importance of data centres
- The UK has around 500 data centres and this is expected to grow significantly to meet the computing needs of AI as well as more routine services
- Recognising data centres as a vital part of the UK’s infrastructure will bring benefits to the sector, in particular justifying greater focus and support at a governmental level
- However, much responsibility will still fall to the providers and consumers of these services
- Security is crucial when it comes to digital services and data centres must be able to securely house sensitive data
- Many already see the digital services sector as a leader in physical security, because practices to manage physical risks are well embedded. However, resilience is more important
- Recent outages in data centres show that availability issues that cause service disruptions create headlines
- The CNI label will include both physical data centres and cloud operators that use the data centres to supply ordinary services
- Risk management in data centres must of course be a collaborative effort, with both operators and clients being mutually dependent
Why it matters
- The Government’s designation of data centres as CNI should lead to greater sharing of intelligence around incidents, and support, when dealing with crisis events
- The changes proposed are not just focused on cyber security issues, but also on improving overall resilience. This can be in relation to extreme weather events as well as other disruptions
- This status alone might not deter cybercriminals. Clear measures will need to be taken to target those who attack critical infrastructure, to send a message that it is off-limits
- This change might also bring more scrutiny upon data centre operators
- Businesses will most likely need to bear the brunt of any implementation costs, barring extraordinary events or civil contingencies.
Further information
The Government issued its booklet on securing critical national infrastructure in 2023. This can be found at;
The Government’s press release in September 2024 describes how data, including vital NHS, financial, and personal smartphone data, is set to be safer from cyber attacks, environmental disasters, and IT blackouts as part of the government’s drive for economic growth.
Individual fined £10k plus costs for brazen car scam
What happened
- An individual has been fined for unlawfully accessing personal data from his ex-employer, Enterprise Rent-a-Car
- Between 2009 and 2011 the individual left Enterprise to set up his own personal injury firm but kept in touch with former colleagues and, through them, illegally obtained details of individuals involved in road traffic accidents
- He then contacted the individuals offering them legal services
- At one point, via his accomplices, he was able to access the internal Enterprise database
- The individual was first summonsed to appear in court in 2016 but had relocated to the US. A warrant was then issued for his arrest and he had to return in 2024
- He was fined £10,000 plus costs of £1,700
- The fine had to be paid within 12 months, or it would default to a 9-month custodial sentence
- The individual’s accomplices had previously been sentenced
Why it matters
- This individual had illegally accessed Enterprise Rent-a-Car systems in order to steal data which was used to enrich himself by thousands of pounds
- The fine imposed was large because the scheme not only involved unauthorised use of individuals’ personal data but also resulted in them receiving nuisance calls asking them if they would like to make a personal injury claim
- This case was very sophisticated and long running and it involved a breach of trust
Further information
The ICO has provided information at
Porthcawl man sentenced after “brazen” car scam worth hundreds of thousands of pounds | ICO