AI and Automated Decision-Making Privacy Policy

The AI and Automated Decision-Making Privacy Policy defines mandatory privacy requirements for artificial intelligence, profiling, scoring, recommendation, decision-support and automated decision-making activities involving PII. Its scope includes AI-enabled systems, applications, models, services, workflows, decision engines, analytics models and automated decision-making processes that use, infer, generate, disclose or otherwise process PII within the PIMS scope. It also covers PII used for training, testing, validation, tuning, monitoring, production inference, output review, performance measurement, incident investigation and model retirement. The policy applies across controller, joint controller, processor and subprocessor contexts, including AI-related vendors, processors, subprocessors, data-sharing recipients and international transfer routes. The policy’s purpose is to ensure that AI, profiling and automated decision-making activities involving PII are identified, documented, risk-assessed, transparent, contestable, monitored and controlled through the PIMS without creating duplicate AI-specific governance artifacts. It explicitly states that it does not create a full AI governance framework, AI management system, AI inventory, model inventory, model risk register, fairness register, algorithm register, AI incident register, AI committee, model owner role, AI system owner role, legal-advice workflow or separate AI approval form. Instead, it requires AI-related privacy obligations to be evidenced through existing canonical evidence objects: REG02, REG04, REG06, REG07, REG08, REG09, REG10 and REG12. Operationally, the policy requires Process Owners / Business Owners to determine whether new or materially changed systems, workflows or business processes use AI, profiling, scoring, recommendation, decision-support or automated decision-making involving PII and to record the determination in REG02. Before AI-related PII processing begins, the policy requires documentation of processing purpose, PII categories, PII principal categories, data sources, inferred or derived data categories, output categories, recipient categories, lawful basis and retention linkage. For profiling, scoring, recommendation, decision-support or automated decision-making used in production, the decision context, expected effect on PII principals, human involvement and rights route must be documented in REG02 and REG04. Risk governance is a central part of the policy. Before launching or materially changing AI-related PII processing, the Privacy Lead / PIMS Manager must complete privacy risk screening and record the DPIA decision in REG04. Where processing involves profiling, automated decisions, large-scale evaluation, special-category data, criminal offence data, vulnerable PII principals, employee assessment, children, behavioral monitoring, location data, biometric data, high-impact scoring or significant effects, the Data Protection Officer / Privacy Advisor must review the privacy risk and record advice in REG04. If high residual privacy risk remains after planned treatment, Top Management must approve, reject or require further treatment before production use, with the decision recorded in REG04 and REG12. The policy also establishes controls for transparency, meaningful information, minimization, rights handling, monitoring, vendors and enforcement. Privacy notice content must describe AI-related purpose, data categories, output categories, recipient categories, rights route and contact route, with notice versions recorded in REG07. Human review, objection and contestability routes are required for AI-related decisions with legal, eligibility, access, employment, financial, educational, service, safety or similarly significant effects. Vendors and processors must be governed through REG08, with international transfers routed through REG09. Monitoring criteria must cover input changes, output changes, rights issues, adverse privacy outcomes, unauthorized use and complaint trends, with quarterly review for active high-impact AI-related PII processing and nonconformities or corrective actions recorded in REG12.