Skip to main content

As Artificial Intelligence continues to impact every aspect of society, business, and personal interactions, there is a growing concern for the security of AI systems and the privacy of data. The main privacy concerns surrounding AI are the potential for data breaches and unauthorized access to personal information. The Privacy Principles for AI system addresses these concerns

In a survey carried out on American residents by an independent market research organization, Propeller Research results showed that nearly half of the U.S. population (45%) are very concerned about their data being exploited, breached, or exposed. 

In addressing some of these concerns and ensuring that there is privacy when dealing with personal data, OWASP Foundation launched a guide in February 2023 that will provide clear and actionable insights on designing, creating, testing, and procuring secure and privacy-preserving AI systems.

Privacy principles for AI systems as published by OWASP

Use Limitation and Purpose Specification

Data collected and used as a training set for one purpose should not be used for another purpose. For example, if personal data is collected for User verification, it should not be used for user targeting. This ensures that the data is used only for the purpose that was specified during data collection. Only through the consent of users and approval of the law of authority can there be an exception.

Fairness

The processing of data must be done in fairness. GDPRโ€™s Article 5 refers to fair processing and EDPSโ€™ guideline defines fairness as the prevention of โ€œunjustifiably detrimental, unlawfully discriminatory, unexpected or misleadingโ€ processing of personal data AI Algorithms shouldnโ€™t be trained with data sets that will produce discriminatory results.

Data Minimization and Storage Limitation

This principle implies that the amount of data collected for a training model should be minimal and not beyond the required amount. It also means that this data should be deleted once it is no longer needed. Irrelevant data should not be collected and access to this dataset set should be minimal. These data must be kept and used anonymously.

Transparency

Transparency in data privacy means that models and datasets should be clear and easy to understand. Users should be aware of what data is being collected, how it will be processed, and the rights they have over their data. It should also be understandable by internal stakeholders as well (such as model developers, internal auditors, privacy engineers, domain experts, and more). Users should not be manipulated but kept informed when there is a change in personal data processing.

Consent

The Principle of Consent requires that the approval of the data subject must be obtained before their data is collected and processed. Consent must be clearly and freely stated, It must be recorded and protected. This consent freely given can also be freely withdrawn at any time by the user.

Consent as a Privacy Principles for AI Systems
Photo by Andrea Piacquadio- Pexels

Privacy Right

Data Subjects should have the right to access their data, make corrections to it, request for the deletion of their data, and ultimately object to the usage of their data in a particular training model. Processing of personal data should always be lawful.

Data Accuracy

All data to be used as a training set should be accurate and from a reliable source. Inaccurate data would result in a faulty algorithm and can cause unintended consequences. Effective measures and processes should be put in place to periodically check the accuracy of personal data and make corrections/erase the data where necessary. 

Conclusion

Privacy Principles for AI Systems are very important as they protect fundamental human right, promote trust in AI technologies and provide fairness and accountability in decision-making process. Users should be given a choice and control over their data. These Principles of Privacy should be followed by organizations and industries to ensure that the privacy of users’ personal data is kept secure and not exploited by threat actors.

About the author: