Cyber & IT Supervisory Forum - Additional Resources
- Establish and document protocols (authorization, duration, type) and access controls for training sets or production data containing personally sensitive information, in accordance with privacy and data governance policies.
- Monitor internal queries to production data for detecting patterns that isolate personal records.
- Monitor PSI disclosures and inference of sensitive or legally protected attributes:
  - Assess the risk of manipulation from overly customized content.
  - Evaluate information presented to representative users at various points along axes of difference between individuals (e.g., individuals of different ages, genders, races, political affiliation, etc.).
- Use privacy-enhancing techniques such as differential privacy when publicly sharing dataset information.
- Collaborate with privacy experts, AI end users and operators, and other domain experts to determine optimal differential privacy metrics within contexts of use.

Transparency & Documentation

Organizations can document the following:

- Did your organization implement accountability-based practices in data management and protection (e.g., the PDPA and OECD Privacy Principles)?
- What assessments has the entity conducted on data security and privacy impacts associated with the AI system?
- Did your organization implement a risk management system to address risks involved in deploying the identified AI solution (e.g., personnel risk or changes to commercial objectives)?
- Does the dataset contain information that might be considered sensitive or confidential (e.g., personally identifying information)?
- If it relates to people, could this dataset expose people to harm or legal action (e.g., financial, social or otherwise)? What was done to mitigate or reduce the potential for harm?