11. Internal review and next steps
11.1 Legal review of AI use case
If the threshold assessment in section 3 results in a risk rating of ‘medium’ or ‘high’, your AI use case must undergo legal review to ensure that the use case and associated use of data meet legal requirements.
The nature of the legal review is context dependent. Without limiting the scope of legal review, examples of potentially applicable legislation, policies and frameworks are outlined at Attachment A of the Policy for the responsible use of AI in government.
If there are significant changes to the AI use case (including changes introduced due to recommendations from internal or external review), then the advice should be revisited to ensure the AI use case and associated use of data continue to meet legal requirements.
11.2 Risk summary table
To complete the risk summary table, list any:
- risks assessed in section 3 (the threshold assessment) as ‘medium’ or ‘high’
- instances where you have answered ‘no’ to questions in sections 4 to 10. You are encouraged to identify risk treatments in relation to these; however, you do not need to assign a residual risk rating to those risks
- additional risks that have been identified throughout the assessment process
- risk treatments identified during internal review (section 11.3) and, if applicable, external review (section 11.4) – using the risk matrix in section 3 to assess residual risk.
11.3 Internal review of AI use case
This requires an internal agency governance body designated by your agency’s Accountable Authority to review the assessment and the risks outlined in the risk summary table.
The governance body may decide to accept any ‘medium’ risks, to recommend risk treatments, or decide not to accept the risk and recommend not proceeding with the AI use case. You should list the recommendations of your agency governance body in the text box provided.
11.4 External review of AI use case
If, following internal review (section 11.3), there are any residual risks with a ‘high’ risk rating, your agency should consider whether the AI use case and this assessment would benefit from external review. This external review may recommend further risk treatments or adjustments to the use case.
In line with the APS Strategic Commissioning Framework, consider whether someone in the APS could conduct this review or whether the nature of the use case and identified risks warrant independent outside review and expertise.
Your agency must consider recommendations of an external review, decide which to implement, and whether to accept any residual risk and proceed with the use case. If applicable, you should list any recommendations arising from external review in the text box provided and record the agency's response to these recommendations.