TS-RDC-09
Trust & Stewardship
Risk, Data & Compliance
CORE
Compliance
v2.9.7
Digital Ethics & AI Policy
Assesses whether the organization has a forward-looking policy on the ethical use of digital technologies, data analytics, and Artificial Intelligence (AI) to ensure fairness, transparency, and prevent bias. This includes defining the scope of 'digital ethics' to cover targeted fundraising/advertising, profiling, recommender systems, biometric analytics, and design practices that may manipulate behaviour (dark patterns), ensuring moral implications are addressed alongside data protection.
Assessment Questions
- Does the organization maintain an AI & Analytics Register that defines risk tiers for all automated decision-making systems?
- Can you provide evidence of a completed DPIA and AI Impact Assessment for a recent high-risk system, including equality/bias checks?
- What specific controls are in place for human oversight (e.g., decision logs, appeal rights) for automated decisions affecting stakeholders?
- How does the organization perform due diligence on third-party AI vendors (e.g., CRM scoring, ad targeting) regarding their ethical standards and bias?
- Describe the governance structure (e.g., ethics committee) and how it applies the principle of 'no harm' (Lā ḍarar) to digital projects.
Evidence Requirements
- The official Digital Ethics & AI Policy document.
- AI & Analytics Register (mapping to RoPA).
- Completed DPIAs and AI Impact Assessments (templates + samples).
- Algorithm change logs / model versioning records.
- Human override/appeal logs and outcomes.
- Supplier due diligence packs (DPAs, model cards, bias statements).
- Records of staff training on digital ethics.
- Stakeholder-facing AI notice / transparency statement.
Scoring Guidelines
| Level | Rating | Description |
|---|---|---|
| 5 | 5/5 | Comprehensive policy with external assurance/audit; publishes annual AI transparency report; contributes to sector guidance; demonstrated commitment to ethical innovation. |
| 4 | 4/5 | All high-risk systems have DPIA/AIIA before launch; bias tests documented; vendor due diligence standardised; appeals process operational with evidence. |
| 3 | 3/5 | AI Register exists; basic risk tiering defined; initial DPIA/AIIA template adopted; trustee briefing delivered; basic policy in place. |
| 2 | 2/5 | Some awareness of digital ethics and basic data protection compliance, but no formal AI register or risk tiering. |
| 1 | 1/5 | No consideration of the ethical implications of technology use; no policy. |
Version
2.9.7
2025-11-05
Discussion (1)
Administrator
2026-03-07 11:07:52.269961
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json