11. Internal review and next steps
11.1 Legal review of AI use case
This section must be completed by a qualified legal adviser. Ensure any supporting legal advice is available for the remaining review steps. Repeat this step if there are significant changes.
The response to this section should include:
- the statement ‘I am/am not satisfied that the AI use case and the use of data meet legal requirements’
- comments (optional)
- name and position of legal adviser
- date.
11.2 Risk summary table
In the table below, list any risks identified in section 3 (the threshold assessment) or subsequently as having a risk severity of ‘medium’ or ‘high’. Also list any instances where you have answered ‘no’ in any of the questions in sections 4 to 10.
As you proceed through internal review (section 11.3) and, if applicable, external review (section 11.4), list any agreed risk treatments and assess residual risk using the risk matrix in section 3.
Risk summary table

| Risk | Risk treatments | Residual risk |
| --- | --- | --- |
| [Example] | [Example] | [Example] |
11.3 Internal review of AI use case
An internal agency governance body designated by your agency’s Accountable Authority must review the assessment and the risks outlined in the risk summary table.
The governance body may decide to accept any ‘medium’ risks, to recommend risk treatments, or not to accept the risk and to recommend not proceeding with the AI use case.
List recommendations of your agency governance body below.
11.4 External review of AI use case
If, following internal review (section 11.3), there are any residual risks with a ‘high’ risk rating, consider whether the AI use case and this assessment would benefit from external review.
If an external review recommends further risk treatments or adjustments to the use case, your agency must consider these recommendations, decide which to implement, and whether to accept any residual risk and proceed with the use case.
If applicable, list any recommendations arising from external review below and record the agency response to these recommendations.
The assessment should answer the following questions about the external review.
- Has your AI use case been subject to external review? Answer yes, no or not applicable.
- Who conducted the external review?
- What date was an external review last completed?
- What are the external review recommendations?
- For each recommendation, what is the agency response?