Data & Privacy Policy for AI — Lawful Basis, Retention, DSRs & Security

Zen AI Governance — Knowledge Base • Data & Privacy Governance • Updated 15 Nov 2025 • www.zenaigovernance.com

Key takeaways
  • All AI data processing must have a documented lawful basis and purpose.
  • Personal and sensitive data must follow strict minimisation and retention rules.
  • Data subject requests must be fulfilled within legal timeframes with audit trail evidence.

Purpose & alignment

This policy ensures that all data used in AI training, testing, and operation complies with legal and ethical requirements for privacy and security. It aligns with ISO/IEC 42001, NIST AI RMF (GOVERN & MAP), the EU AI Act Article 10 (Data & record-keeping), and UK GDPR principles (Art. 5 & 6).

Scope of application

  • Applies to all data used in AI models — structured, unstructured, synthetic, or real.
  • Covers datasets collected, licensed, or obtained through third parties or public sources.
  • Includes training data, inference inputs, model outputs, logs, and metadata.
  • Applies to employees, contractors, and service providers handling AI-related data.

Core privacy principles

  1. Lawfulness, fairness & transparency (Art. 5(1)(a)): Data must be processed legally and users must be informed clearly.
  2. Purpose limitation (Art. 5(1)(b)): Used only for stated and compatible AI purposes.
  3. Data minimisation (Art. 5(1)(c)): Collect only data necessary for the AI task.
  4. Accuracy (Art. 5(1)(d)): Maintain data quality and correct inaccuracies promptly.
  5. Storage limitation (Art. 5(1)(e)): Retain data only as long as required for AI or legal purposes.
  6. Integrity & confidentiality (Art. 5(1)(f)): Apply technical and organisational security controls.
  7. Accountability (Art. 5(2)): Document compliance through auditable records and evidence IDs.

Lawful basis for processing

All AI data must be processed under a valid lawful basis as defined by UK GDPR / DPA 2018 Article 6. Acceptable bases for AI activities include:

  • Contractual necessity: to provide requested AI services (e.g., support bots, analysis).
  • Legal obligation: compliance with statutory data reporting or auditing requirements.
  • Legitimate interest: when AI is used for business efficiency or security purposes, and only after a documented balancing test has been completed.
  • Consent: explicit consent for sensitive categories of data or for optional AI features.
  • Public interest: for research or regulatory reporting aligned with ethical standards.

Data types & sources

  • Personal data: names, emails, user IDs — minimised and pseudonymised where possible.
  • Sensitive data: racial or health attributes — only with explicit consent and DPO approval.
  • Technical data: logs, telemetry, API calls — used for bias monitoring and model debugging.
  • Generated data: embeddings, model outputs — classified and stored under AI evidence rules.

Retention & deletion

  • AI training data: retained for model life + 2 years or as legally required.
  • Operational logs & audit trails: ≥ 5 years for high-risk systems (EU AI Act Art. 12).
  • Data subject records: as per GDPR Art. 30 processing records requirements.
  • Secure deletion is certified through hash verification and recorded under an evidence record (EV-ID).

Data subject rights (DSRs)

  • Access (Art. 15): Users can request details of AI-related data held about them.
  • Rectification (Art. 16): Incorrect data must be corrected within 30 days.
  • Erasure (Art. 17): Delete data unless retention is legally mandated.
  • Restriction & objection (Art. 18 & 21): Users may pause processing or opt out of profiling.
  • Portability (Art. 20): Provide structured export of personal data on request.

Security controls & access

  • Data is encrypted with AES-256 at rest and protected by TLS 1.3 in transit.
  • Access controlled through RBAC (IAM roles: Developer, Compliance, Auditor).
  • Regular penetration tests and vulnerability scans on data pipelines.
  • Audit logs maintained for all access, modification, and exports.

Governance & DPIA process

  • All new AI projects must complete a Data Protection Impact Assessment (DPIA).
  • DPO reviews risk ratings and mitigations before approval.
  • DPIAs and risk profiles are linked to the Evidence Repository via EV-IDs.
  • Annual privacy audit per ISO 42001 §9 and UK ICO Accountability Framework.

Implementation checklist

  • DPIA template in use for all AI projects.
  • Data register maintained with retention and deletion status.
  • DSR workflow integrated into Zoho Desk for tracking.
  • Encryption and access controls audited quarterly.
  • Annual privacy training completed by all employees.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 15 Nov 2025 • This page is general guidance, not legal advice.
