ICO Code — statutory under DPA 2018 ss. 121-129
ICO Statutory AI + ADM Code of Practice

UK regulator-ready answers on every AI decision — before the ICO asks.

The ICO is enforcing UK data-protection law against AI systems right now — fines, public-register entries, mandatory remediation orders. The ICO Code on AI and Automated Decision-Making is statutory under sections 121-129 of the Data Protection Act 2018; non-compliance is admissible evidence against you in ICO enforcement action and in court. Secruna maps your AI inventory to the Code so you can answer ICO questions before they become enforcement letters. 22 IGPs across seven themes — lawful basis, transparency, Article 22 ADM specifics, DPIA for AI, fairness + bias, data subject rights, children + high-risk processing.

Why the ICO Code is the AI regulation that bites first

Three reasons UK firms need a current ICO posture — today.

UK data-protection law applies to every firm running AI that processes personal data. The ICO is the enforcer. The Code translates the obligation into operational expectations; the enforcement actions translate them into cash.

Statutory weight

The ICO Code of Practice on AI and Automated Decision-Making is statutory under sections 121-129 of the Data Protection Act 2018. The Code is admissible evidence in ICO enforcement action and in court — the judge can rely on it to decide whether you complied.

Active enforcement

Recent ICO enforcement has targeted retailers and recruitment firms running automated decision-making. Penalties combine financial fines, public-register entries, and mandatory remediation orders. The ICO acts on individual complaints and on its own initiative.

Wide scope

Every UK firm running AI that makes decisions about individuals is in scope: banks doing credit scoring, HR-tech screening CVs, fintech onboarding, healthcare triage, retailers personalising offers. If your AI sees personal data, the Code applies.

The five-step path

What you have to do when the ICO asks, in order.

The same five gates apply to every framework Secruna covers, including the ICO Code. Start at step one — the rest only make sense once you know which AI systems are in scope.

  1. Inventory the ADM

     List every AI system and identify the decisions taken solely by automated means with legal or similarly significant effect. The list is the gating artefact for Theme 3 — without it, Article 22 obligations are unmeasurable.

  2. Discover

     Connect cloud accounts, identity provider, GitHub, data warehouses and the model-registry surface. Secruna’s discovery worker collects the AI inventory once and reuses it across every framework. The first scan typically surfaces ROPA gaps, missing DPIAs and undocumented Article 22 decisions.

  3. Map to the ICO Code

     The rule-book matcher evaluates each of the 22 ICO Code IGPs against the latest AI inventory and posture artefact, assigning a verdict — compliant, non-compliant, requires-attention, not-applicable. Verdicts cite the signal that drove them so the DPO or ICO investigator can trace evidence back to source.

  4. Close the gaps

     The §3 Gaps surface lists every non-compliant IGP with the signal that drove the verdict. Remediate at your own cadence; verdicts re-evaluate on every discovery run. The gap list is the same list the ICO asks for when an enforcement action lands.

  5. Generate + answer

     One click produces the evidence pack PDF and CSV. The audit trail captures the last 90 days of platform activity. Filename: secruna-ico-ai-adm-code-evidence-{tenant}-{date}.pdf. Hand to the DPO at the internal review or to the ICO investigator when the enforcement letter lands.
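The matcher-and-verdict pattern in steps 1, 3 and 4 is easiest to see in code. The example below is an added illustration written for this page, not Secruna's own matcher: it runs a handful of checks (lawful basis, Article 9 condition, Article 22(2) exception, human-intervention path, DPIA freshness) over a constructed AI inventory and records, for every system and rule, a verdict from the four states named above together with the inventory signal that produced it. The rule ids (LB.01, ADM.02 and so on), the inventory field names and the three sample systems are all assumptions made for the example.

```python
"""Constructed example of a rule-book matcher: each check inspects one AI
inventory entry and returns (verdict, signal). Rule ids and inventory field
names are assumptions for this illustration, not Secruna's schema."""
from dataclasses import dataclass

COMPLIANT = "compliant"
NON_COMPLIANT = "non-compliant"
REQUIRES_ATTENTION = "requires-attention"
NOT_APPLICABLE = "not-applicable"

# UK GDPR Article 6 bases and Article 22(2) exceptions, as sets of labels.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}
A22_EXCEPTIONS = {"contract_necessity", "authorised_by_law", "explicit_consent"}


@dataclass(frozen=True)
class Verdict:
    system: str
    rule: str
    status: str
    signal: str  # the inventory field and value that drove the verdict


def is_article22_adm(s):
    """Article 22 scope: solely automated AND legal/similarly significant effect."""
    return bool(s.get("solely_automated") and s.get("significant_effect"))


def rule_lawful_basis(s):
    basis = s.get("lawful_basis")
    ok = basis in LAWFUL_BASES
    return (COMPLIANT if ok else NON_COMPLIANT), f"lawful_basis={basis!r}"


def rule_article9_condition(s):
    if not s.get("special_category"):
        return NOT_APPLICABLE, "special_category=False"
    cond = s.get("article9_condition")
    return (COMPLIANT if cond else NON_COMPLIANT), f"article9_condition={cond!r}"


def rule_a22_exception(s):
    if not is_article22_adm(s):
        return NOT_APPLICABLE, "not a solely automated, significant-effect decision"
    exc = s.get("a22_exception")
    ok = exc in A22_EXCEPTIONS
    return (COMPLIANT if ok else NON_COMPLIANT), f"a22_exception={exc!r}"


def rule_human_intervention(s):
    if not is_article22_adm(s):
        return NOT_APPLICABLE, "not a solely automated, significant-effect decision"
    path = s.get("human_intervention_path")
    return (COMPLIANT if path else NON_COMPLIANT), f"human_intervention_path={path!r}"


def rule_dpia(s):
    """DPIA before deployment, refreshed on material change (ISO dates compare as strings)."""
    reviewed = s.get("dpia_reviewed")
    if not reviewed:
        return NON_COMPLIANT, "dpia_reviewed=None"
    changed = s.get("last_material_change", "")
    if reviewed < changed:
        return REQUIRES_ATTENTION, f"dpia_reviewed={reviewed} < last_material_change={changed}"
    return COMPLIANT, f"dpia_reviewed={reviewed}"


RULES = {  # hypothetical rule ids, grouped by the theme codes used in the dashboard URLs
    "LB.01": rule_lawful_basis,
    "LB.02": rule_article9_condition,
    "ADM.02": rule_a22_exception,
    "ADM.03": rule_human_intervention,
    "DPIA.01": rule_dpia,
}


def evaluate(inventory):
    """Run every rule over every inventory entry; one Verdict per (system, rule)."""
    return [Verdict(s["name"], rid, *fn(s))
            for s in inventory for rid, fn in RULES.items()]


def gap_list(verdicts):
    """The 'Close the gaps' view: everything that is neither compliant nor n/a."""
    return [v for v in verdicts if v.status in (NON_COMPLIANT, REQUIRES_ATTENTION)]


# Constructed sample inventory: three fictional systems.
SAMPLE_INVENTORY = [
    {"name": "credit-scorer", "solely_automated": True, "significant_effect": True,
     "lawful_basis": "contract", "special_category": False,
     "a22_exception": "contract_necessity", "human_intervention_path": "underwriter-queue",
     "dpia_reviewed": "2024-11-01", "last_material_change": "2025-03-15"},
    {"name": "cv-screener", "solely_automated": True, "significant_effect": True,
     "lawful_basis": None, "special_category": True, "article9_condition": None,
     "a22_exception": None, "human_intervention_path": None,
     "dpia_reviewed": None, "last_material_change": "2025-01-10"},
    {"name": "offer-personaliser", "solely_automated": True, "significant_effect": False,
     "lawful_basis": "legitimate_interests", "special_category": False,
     "dpia_reviewed": "2025-04-02", "last_material_change": "2025-02-20"},
]

if __name__ == "__main__":
    for v in gap_list(evaluate(SAMPLE_INVENTORY)):
        print(f"{v.system:18} {v.rule:8} {v.status:18} <- {v.signal}")
```

Two points carry over to any real matcher: the Article 22 checks return not-applicable rather than compliant for systems outside Article 22 scope, so a missing inventory flag cannot silently pass a system, and every verdict carries the exact field and value it was computed from, which is what lets a DPO trace a gap-list row back to source.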

Theme 1 — Lawful basis and accountability

Article 6 + 9 + 30 — the foundation seam.

What the ICO Code asks. Every AI processing activity must have an identified UK GDPR Article 6 lawful basis. Where special-category data is involved (health, biometric, ethnic origin), an additional Article 9 condition is required. A DPO (or equivalent accountable person) oversees AI systems. The Article 30 ROPA includes AI systems and automated decisions — purpose, lawful basis, data categories, retention, recipients, ADM logic + significance.

What counts as compliant. A lawful-basis register with one entry per AI system; an Article 9 condition register where special-category data flows; named DPO oversight with sign-off cadence; ROPA updated to capture AI processing including the ADM logic disclosure.

What Secruna ships for Theme 1. Four rules covering lawful-basis identification, the Article 9 condition register, DPO oversight and ROPA updates. The AI inventory feeds the ROPA refresh; verdict rows cite the AI-system entry that drove them.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=LB with the lawful-basis register state per tenant.

Theme 2 — Transparency and right to be informed

Privacy notice + ADM logic + significance — the disclosure seam.

What the ICO Code asks. The privacy notice describes AI use in plain English (UK GDPR Articles 13 / 14). Where solely automated decisions are taken, the data subject is given meaningful information about the logic involved and the significance + envisaged consequences. Vague references to “proprietary models” do not meet the obligation.

What counts as compliant. A plain-English AI section in the privacy notice; layered disclosure with click-through detail; ADM decision-rationale embedded in the outcome letter; consequence-language template on every ADM outcome notification.

What Secruna ships for Theme 2. Three rules covering the privacy-notice AI section, the ADM logic disclosure and the significance + consequences disclosure.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=TR with privacy-notice state per tenant.

Theme 3 — Article 22 ADM specifics

Identification + exception + human intervention + contest — the right-to-contest seam.

What the ICO Code asks. Article 22 UK GDPR — the data subject has the right not to be subject to a solely automated decision with legal or similarly significant effect, unless one of the Article 22(2) exceptions applies (contract necessity, authorised by law, explicit consent). Meaningful human intervention must be available on request; the data subject can contest the decision.

What counts as compliant. An ADM register; a documented Article 22(2) exception basis per decision type; a meaningful human-intervention path (an authorised operator with authority to change the decision); a contest path with outcome tracking.

What Secruna ships for Theme 3. Four rules covering ADM identification, the Article 22(2) exception basis, meaningful human intervention (reusing the Plan 75 HITL queue), and the right to contest. A specialised ADM-contest workflow is scaffolded as Plan 141.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=ADM with the ADM register + contest state per tenant.

Theme 4 — DPIA for AI

DPIA before deployment + review on change — the risk-assessment seam.

What the ICO Code asks. A Data Protection Impact Assessment is required before deploying an AI system likely to result in high risk to rights and freedoms — the ICO has signalled that most operational AI systems processing personal data meet this threshold. The DPIA must cover bias, discrimination and data-accuracy risks. The DPIA is reviewed on material change to the system.

What counts as compliant. A DPIA workflow integrated into the AI system go-live gate; DPO consultation evidence attached to every DPIA approval; an AI-system DPIA template with explicit bias / discrimination / accuracy sections; a DPIA refresh trigger on every material model change.

What Secruna ships for Theme 4. Three rules covering DPIA-before-deployment, bias / discrimination / data-accuracy coverage, and the DPIA-review-on-change trigger. The DPIA template ships per Plan 90; full DPIA-versus-AI-system linking is a Plan 90 follow-up.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=DPIA with the DPIA register per tenant.

Theme 5 — Fairness and bias

Bias testing + special-category attributes + adverse impact — the fairness seam.

What the ICO Code asks. Bias testing on training data and model outputs; documented methodology and pre-set thresholds. Special-category attributes (race, sex, etc.) are handled per the ICO guidance with a documented Article 9 condition (typically Article 9(2)(g) substantial public interest). Outputs are periodically reviewed for adverse impact on protected groups; detected impact triggers investigation.

What counts as compliant. A pre-deployment fairness audit on every customer-facing AI system; sensitive-attribute access controls; outcome-disparity dashboard with named owner; quarterly adverse-impact review fed back to the AI governance committee.

What Secruna ships for Theme 5. Three rules covering bias testing, special-category attribute handling and adverse-impact review. Bias testing (F.01) is tenant-attested in v1 — Secruna provides the evidence-capture surface but the statistical fairness analysis is the customer’s. A bias-testing surface is scaffolded as Plan 140.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=F with the bias-testing evidence per AI system.
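Because the statistical fairness analysis for Theme 5 stays with the customer, here is an added example of the simplest adverse-impact review a team can run against ADM outcomes: the selection-rate ratio between each group and the best-off group, compared with a pre-set threshold. This is illustration code written for this page, not Secruna's bias-testing surface; the 0.8 threshold is the widely used four-fifths rule, the minimum group size is an assumed stability guard, and the outcome records are constructed.

```python
"""Adverse-impact (selection-rate ratio) check over constructed ADM outcome
records. Added illustration, not Secruna's bias-testing surface. The 0.8
threshold is the four-fifths rule, shown here as a pre-set value."""
from collections import Counter


def selection_rates(outcomes, attribute):
    """Favourable-outcome rate per group, from records like {"group": "A", "approved": True}."""
    totals, favourable = Counter(), Counter()
    for rec in outcomes:
        g = rec[attribute]
        totals[g] += 1
        favourable[g] += int(rec["approved"])
    return {g: favourable[g] / totals[g] for g in totals}


def adverse_impact(outcomes, attribute, threshold=0.8, min_group_size=30):
    """Ratio of each group's selection rate to the best-off group's rate.
    Groups below the pre-set threshold are flagged for investigation.
    Very small groups give unstable rates, so they are reported but not flagged
    (min_group_size is an assumed guard, not an ICO figure)."""
    counts = Counter(rec[attribute] for rec in outcomes)
    rates = selection_rates(outcomes, attribute)
    reference_rate = max(rates.values())
    report = {}
    for g, rate in rates.items():
        ratio = rate / reference_rate if reference_rate else 1.0
        report[g] = {
            "n": counts[g],
            "rate": round(rate, 3),
            "ratio": round(ratio, 3),
            "flag": ratio < threshold and counts[g] >= min_group_size,
        }
    return report


def flagged_groups(report):
    """Groups whose disparity should trigger the investigation the Code expects."""
    return sorted(g for g, r in report.items() if r["flag"])


def build_sample(n_a, approved_a, n_b, approved_b, attribute="group"):
    """Construct outcome records with a given number of approvals per group."""
    recs = []
    for g, n, k in (("A", n_a, approved_a), ("B", n_b, approved_b)):
        recs += [{attribute: g, "approved": i < k} for i in range(n)]
    return recs


# Constructed sample: group A approved 60% of the time, group B 40%.
SAMPLE_OUTCOMES = build_sample(200, 120, 200, 80)

if __name__ == "__main__":
    report = adverse_impact(SAMPLE_OUTCOMES, "group")
    for g, r in sorted(report.items()):
        print(f"group {g}: n={r['n']} rate={r['rate']} ratio={r['ratio']} flag={r['flag']}")
    print("flagged:", flagged_groups(report))
```

The ratio test is deliberately the documented, pre-set threshold the Code asks for rather than an ad-hoc judgement after the fact; in practice the report is the row that lands on the outcome-disparity dashboard, and a flagged group is what opens the investigation, not a verdict of unlawfulness by itself.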

Theme 6 — Data subject rights for AI

Access + rectification + erasure — the individual-rights seam.

What the ICO Code asks. A Subject Access Request touching an AI decision must include an explanation of the decision, the logic involved and the significance. Incorrect personal data fed to the AI is correctable. Training data is subject to standard erasure rights, with documented Article 17(3) exceptions; the retraining cadence respects erasure requests.

What counts as compliant. A SAR-handling playbook with an AI-decision explanation template; a rectification path tied to the AI feature store; a training-data erasure ticket workflow with retraining cross-reference.

What Secruna ships for Theme 6. Three rules covering the right of access, rectification and erasure for AI systems and training data.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=DSR with the data-subject-rights state per AI system.

Theme 7 — Children and high-risk processing

Children’s data + Age-Appropriate Design Code — the high-risk seam.

What the ICO Code asks. Where the AI system processes the personal data of children (under 18 in the UK), additional protections apply: lawful basis is scrutinised more closely, parental consent for under-13s, age-appropriate disclosure, high transparency. Services likely to be accessed by children must align with the 15 standards of the ICO Age-Appropriate Design Code, including data-minimisation and no-profiling-by-default.

What counts as compliant. An age-gate + parental-consent flow for under-13 users; plain-language disclosure designed for the age group; Age-Appropriate Design Code self-assessment for every consumer-facing AI feature; no-profiling-by-default toggle on services with a likely-child audience.

What Secruna ships for Theme 7. Two rules covering children-data protections and Age-Appropriate Design Code alignment.

See this in your dashboard at: /inventory?framework=ico_ai_adm_code&theme=CH with the children-data state per AI system.

UK + EU AI Pack

Three frameworks. One AI inventory.

The ICO Code is the UK regulator-of-record for AI decisions about people. The EU AI Act covers the same ground for EU-deployed AI systems. DORA covers ICT operational resilience including the AI inventory used for the Article 28 register. Because every AI signal Secruna collects is shared across all three frameworks, the marginal cost of adding another framework is close to zero.

ICO AI + ADM Code (this page)

UK firms running AI that decides about people. 22 IGPs across seven themes. Statutory under DPA 2018 ss. 121-129; admissible evidence in ICO enforcement + court.

EU AI Act

Risk-tiered EU AI regulation in force since 2 August 2026. Penalties up to EUR 35M or 7% of turnover. See EU AI Act detail →

DORA

Every EU financial entity since 17 January 2025. Art. 28 register reuses the AI inventory. See DORA detail →

See where your ICO Code posture stands.
In 30 minutes.

A 30-minute scope call confirms which AI systems are in scope, maps them to the 22 ICO Code IGPs, and identifies which controls you can evidence from existing signals today and which need a tenant-supplied attestation. You leave the call with a concrete gap list and a path to an ICO-ready evidence pack.

Or call our UK lead — we’re on +44 20 0000 0000. (Placeholder — see TODO at the top of this file; the real number lands once the founder confirms it.)