07.5 Data provenance

The organisation shall define and document a process for recording the provenance of data used in its AI systems over the life cycles of the data and the AI system. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.

Business Requirement The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.

According to ISO 8000-2, a record of data provenance can include information about the creation, update, transcription, abstraction, validation and transferring of the control of data. Additionally, data sharing (without transfer of control) and data transformations can be considered under data provenance. Depending on factors such as the source of the data, its content and the context of its use, organisations should consider whether measures to verify the provenance of the data are needed. Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.