Summary
The transition from analogue to digital mail has challenged old systems for record-keeping and the archiving of mail and important documents. A report indicates that more than 25 per cent of all important information in public administration “is lost” as a result of inadequate archival procedures.
That is why the company Simplifai has developed a digital archive employee – called DAM for the Norwegian acronym – to help administrators in the public sector record and archive documentation sent via e-mail. DAM works as a form of decision support for administrators. The goal is to automate this work as much as is safely possible, in the hope that this ensures all important items are archived correctly.
In the sandbox, Simplifai and the Data Protection Authority have looked into whether data protection legislation permits public administration organizations to implement machine learning to record and archive e-mails. In collaboration with the Norwegian Water Resources and Energy Directorate (NVE), they have explored how public bodies can make informed choices when purchasing intelligent solutions, such as DAM.
Conclusions
- Legal basis. Public bodies do have a legal basis for using DAM for decision support in connection with archiving and record-keeping. There is, however, some uncertainty concerning whether this legal basis extends to the use of personal data in the further development of the model (continual learning), unless the personal data is anonymized. The use of DAM also complies with national working environment regulations. The Data Protection Authority recommends technical and organizational measures, such as guidelines that prohibit or limit the use of private e-mails.
- Data protection by design. This project has revealed a considerable need for guidance on how the public sector can ensure data protection by design when procuring intelligent solutions. The project has resulted in general recommendations for the steps a public-sector body can take: Gather information, consider whether machine learning is appropriate for the specific need and make demands.
Going forward
Work on this project has highlighted a considerable need for guidance and tools to meet the requirements for data protection by design when procuring solutions where the data controller is obligated to ensure data protection by design.
The sandbox project recognizes the need for more actors to come together to increase knowledge of data protection by design in public procurement. It would also be useful to have practical examples of requirements the public sector can make in competitive bidding processes involving technology based on machine learning.
And – to make it easier to use machine learning to solve the challenges associated with record-keeping and the archiving of documentation in time, the sandbox project recommends new archive legislation to regulate this responsibly.
What is the sandbox?
In the sandbox, participants and the Norwegian Data Protection Authority jointly explore issues relating to the protection of personal data in order to help ensure the service or product in question complies with the regulations and effectively safeguards individuals’ data privacy.
The Norwegian Data Protection Authority offers guidance in dialogue with the participants. The conclusions drawn from the projects do not constitute binding decisions or prior approval. Participants are at liberty to decide whether to follow the advice they are given.
The sandbox is a useful method for exploring issues where there are few legal precedents, and we hope the conclusions and assessments in this report can be of assistance for others addressing similar issues.