In many cases, this will have been the case. If you are unsure, consult with colleagues who might have been involved in such a process, as well as the further resources for a reminder on the content of the checklist.

Depending on the specific digital components you may have already been required to conduct some forms of impact assessments, such as privacy impacts assessments or data protection impact assessments. These assessments can serve as a great starting point when you are looking to assess the full range of human rights potentially impacted by the project. For example, while some privacy aspects might be covered it might not address certain impacts related to discrimination but it can benefit the futrher analysis that some aspects of the digital component have already been assessed.

Sensitive data is data that reveals certain specific features or information of an individual, this includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Health data, including information about a person’s sex life
- Sexual orientation

It is also important to note here that AI can be applied to infer and generate sensitive information about people from various sources of non-sensitive data.

It is important to note that people often are unable to fully understand how data is collected, what kind of data is stored and how, exactly, that data is used. A simple digital checkbox to provide consent might not imply that the individual has been informed and fully understood his or her consent. Research shows that many individuals do not feel in control over the data that is collected about them, see more in further resources.

As such, in relation to medium- to high-risk applications of digital components it is particularly relevant to ensure that data subjects have fully understood what data is collected.

Considering the difficulties in achieving adequate informed consent from data subjects, it can be an important exercise to reflect on how, exactly, such consent has been achieved.

To follow the principle of 'data minimisation' means that data collected, used or stored should be adequate, relevant and limited to what is necessary for the intended purposes. While it is common that data anonymisation is used to lower the risks to the right to privacy, it is also important to emphasise the need for data minimisation. This is partly because (pseudo-)anonymised personal data can be re-identified by combining that data with other data.

AI can be used to re-identify the individuals that are linked to anonymised 'individual data' by combining a vast amount of data sources and data points. As such, the risks to the right to privacy can remain even after data has been anonymised. It is therefore important to consider whether such risks have been taken into account, and if so, what measures have been put in place.

There are many forms of AI applications, some of the most common include:

- Image and object recognition: The analysis of large data sets to automate the recognition, classification, and context associated with an image or object. This includes the likes of face recognition but also analysis of vast amounts of satellite photos in order to predict migration patterns.

- Text and speech analysis: The analysis of data sets to recognize, process, and tag text, speech, voice, and make recommendations based on the tagging. This may include text-to-speech technologies that can help blind individuals with accessibility of written content.

- Risk assessment: The analysis of large data sets to identify patterns and recommend courses of action and in some cases trigger specific actions. This may include e.g. automated credit risk scoring by banks, or recidivism risks in a justice system.

- Content generation: The analysis of large data sets to categorize, process, triage, personalize, and serve specific content for specific contexts. This may include e.g. automatically generated news media pieces based on AI review of other news sources.

- Process optimization & workflow automation: The analysis of large data sets to identify anomalies, cluster patterns, predict outcomes or ways to optimize; and automate specific workflows. This may include e.g. chatbots that can help to assess which users are in need of more extensive assistance and those who can be redirected to FAQ parts of a website.

- Other: This option is included in order for you to have the opportunity to explain which kind of AI application is used in your project.

AI tools are only as good as the data they rely on. It is therefore important to continuously assess whether the data is valid, reliable, current, sufficient etc. Existing data that is biased or discriminatory is going to produce results that are bias or discriminatory. It may be necessary to discuss the question of bias with the developer of the digital component in order to respond to the question.

Similar to the previous question, it may be necessary to discuss the question of bias with the developer of the digital component in order to respond to the question. See further resources for more information about blindspots in AI application.

There are many aspects to this question. It may include considering the potential gender discrimination in the predictions made by an AI model, as well as considerations of the gender digital divide and what that divide means for the outcomes of the project and the use of the digital components. See further resources for further information about different aspects related to gender that should be considered in the project implementation of a digital component.

Since the application of many digital components depend on the possibility to collect, store, treat, alter and share data, and many also increase the possibilities to do just that, it is important to understand the regulatory context that the digital component will be applied in, in order to identify possible risks. If data protection regulation is in place and enforcement is efficient, that lowers the risk of data related activities.

See further resources for more information about data protection legislation in a variety of countries.

In order to better be able to assess human rights impacts, it is beneficial to start by investigating the existence of other similar projects in the same geographical context, and then see what impacts they might have had. Please consider specifically whether the same specific digital components have been used or launched.

In order to respond to this question, it might be necessary to assess whether any reports have been published by the project itself, or whether there are news media or civil society reports about the project or digital component.

Assessing unintended negative consequences includes considering worst case scenarios of the implementation of the digital components, in order to be able to take early preventive and mitigation measures to avoid potential impacts. This necessarily includes considering impacts outside of the target group and intended users. Such an assessment should consider both the unintended consequences related to the intended use, but also the unintended use and application of the digital components themselves.

It is important that particular attention is paid to vulnerable and marginalised groups, since they are often at higher risks of being severely affected by adverse impacts of a project or digital component. It is therefore important to first of all identify who the vulnerable groups in the particular context are. Vulnerable groups may include children, women, religious or ethnic minorities, persons with disabilities, and migrants among others, but it is important to make an individual assessment of vulnerabilities based on the local realities.

Important to note, also, that vulnerability is not static. Instead, it always depend on the context. As such, vulnerability of individuals or groups refers to being “at a higher risk of being unable to anticipate, cope with, resist and recover from project-related risks and/or adverse impacts.”

Responding no to the question might be relevant, for example, if the project concerns a purely internal digitalisation project within a government agency, for it to improve certain administrative processes. If those processes concern decision-making that are important for individuals, however, the answer is instead a Yes.

The list is not exhaustive and there may, depending on the context, be other vulnerable groups that have been identified as potentially impacted by the project. If so, please select the "other" option and write down the vulnerable group you have identified.

The digital component can be for the benefit individuals or it can be targeted at e.g. an organisation. An example of the former is for example a digital education platform or an e-registration system for migrant workers, with which the workers themselves interact. An example of the latter is an AI model that helps with the effectiveness of administrative processes and which no external individual interacts with.

If the digital product or service is meant for individuals there is increased need to focus on their ability to access and use the product or service. Consider therefore whether it is meant for an institution or for individual persons.

As long as the digital component will have rightsholders interacting with it, It will be important to consider whether it is developed to take into consideration the accessibility or the component itself. This can include considerations around: costs, language barriers, literacy levels among users, digital capacity, discrimination, and more.

Further questions to ask:
- Is the necessary physical infrastructure in place (e.g. broadband access)?
- Is the connectivity sufficiently stable?
- Is it affordable to most people or only to some (incl. cost of hardware as well as data tariffs?
- Is everyone (of the intended user group) aware of the product or service, so that they can use it?
- Do the intended users have the ability to use the product or service?
- Are there additional social or cultural barriers restricting access for certain societal groups?

See further resources for more information about accessibility, including specifically, AAAQ criteria: Available; Affordable, Acceptable; Accessible; Quality

Stakeholders can both be internal (various project staff and functions) or external. External stakeholders include government actors and project partners involved in the development or use of the digital component, as well as civil society organisations, academic institutions and rightsholder groups. Engagement can take many forms, such as: focus groups, in-person or virtual interviews, public hearings.

Intended users include individuals who are the primary target group for the digital component. This will largely depend on the type of digital component, but may for example include those who will register using a new e-registration system.

In order to assess, for example, issues around accessibility or a lack of trust in the service itself (e.g. because of doubts of around data protection) it will also be important to engage with those not using the component. This can for example include individuals who could have used a new e-registration system but actively decided against it.

If the intended users are staff at a public unemployment service, that are helped in their decision-making by an AI model, those seeking support are not the users of the system, but are still rightsholders who may have their rights impacted, As such, they ought to be engaged.

In order to achieve meaningful stakeholder engagement, it is important to not only engage with governments and state agencies and relevant experts, but also to engage directly with those who are at risk of having their human rights impacts or their representatives, when direct engagement is not possible or appropriate.

This will be the case when the engagement has not only concerned information sharing, but where the project has been open to input from external stakeholders on digital component and its potential impacts.

Consider what concerns were raised and assess whether any measures have been taken to prevent or mitigate those impacts.

This can include specific reports on the digital component in question, but also larger reports that also include information about the digital component, the potential impacts identified and other related activities. It is important to provide information that is relevant to external stakeholders, which is why it is important to cover all of the topics mentioned in the reporting.

A grievance mechanism is a mechanism available for individuals who have concerns or complaints, and provides a way for them to submit those complaints to the entity managing the grievance mechanism. They can be constructed in many different ways, and the importance is not the design but the effectiveness (see further resources for more information on effectiveness of grievance mechanisms). Grievance mechanisms can be designed as telephone hotlines, basic email accounts, chat service, as well as physical mailboxes, among other things. Similar to previous questions around users and non-users, it is important that a wide range of rightsholders can access and use the grievance mechanism, so as to not bar them from submitting their concerns or complaints.

Grievance mechanisms are important for a variety of reasons. They can assist in the identification of potential human rights risks and impacts, they can function as an early "warning mechanism", and they can also serve to provide access to remedy to those rightsholders who have had their human rights adversely impacted by the digital components in question.