AI Ethics · Governance

From Principles to Practice: an ethical-operational framework for AI in public administration

April 7, 2026 · 4 min read · OptimTech

Why move from ethical principles to operational controls

Good-practice documents and codes of ethics are useful for guidance, but they don’t guarantee compliance or reduce real-world risks. For a public entity, operationalizing ethics means adopting verifiable controls that address legal obligations (GDPR, ENS RD 311/2022, EU AI Act), commitments to transparency with citizens, and the need to maintain continuity of service.

This text proposes a practical —not theoretical— framework to turn principles into concrete measures that can be incorporated into municipal AI projects: from impact assessment to contractual clauses and technical controls.

Six key operational controls

1. Governance: roles, responsibility and registry

Concrete action:

  • Define an AI responsible person (RACI model) and a technical-legal committee to review projects.
  • Maintain a registry of AI systems in production (name, purpose, risk category, responsible person), useful for compliance with the EU AI Act and public transparency.

Benefit: clarity about who makes decisions and how they are documented.

2. Risk assessment and DPIA

Concrete action:

  • Carry out a risk assessment before deployment: identify data processed, impact on fundamental rights, and risk classification (per the EU AI Act).
  • For processing that significantly affects people, perform a Data Protection Impact Assessment (DPIA) in accordance with the GDPR.

Benefit: informed decisions about necessary mitigations (e.g., data minimization, quality controls).

3. Data governance and minimum principles

Concrete action:

  • Apply management practices: catalog sources, define data owners, pseudonymize, keep minimum retention, and ensure training data quality controls.
  • For sensitive or personal data, document the legal basis and technical measures (in line with GDPR and ENS).

Benefit: reduces bias, data leaks and legal risks.

4. Transparency and operational explainability

Concrete action:

  • Publish public technical sheets (model cards) that state purpose, limitations, main data, performance metrics and use cases.
  • Implement logging of automated decisions that allows auditing outcomes and explaining decisions to a citizen.

Benefit: greater public trust and the ability to respond to complaints.

5. Human oversight and process design

Concrete action:

  • Define human intervention points (human-in-the-loop): when and how an operator reviews or overrides an automatic output.
  • Establish escalation procedures for uncertain cases and mandatory training for operators.

Benefit: prevents automated decisions that could violate rights or cause serious errors.

6. Monitoring, continuous testing and incidents

Concrete action:

  • Implement control metrics (accuracy, group bias, error rate) and automatic alerts when they degrade.
  • Incident response plan: isolation, forensic audit and public communication when appropriate.

Benefit: early detection of failures and compliance with notification obligations.

Contracts and public procurement: recommended operational clauses

When contracting AI solutions (where Law 9/2017 on public-sector contracts applies), include clauses that provide for:

  • Access to technical documentation and log records for audit.
  • Obligations to comply with ENS RD 311/2022 and with applicable requirements of the EU AI Act.
  • Rights to rectify/update models and data, and conditions on subcontracting and supply chain.
  • Technical and security SLAs, and penalties for operational breaches that affect citizens’ rights.

These clauses translate ethical and regulatory requirements into verifiable contractual obligations.

Practical rollout: 90-day plan (immediate action)

Priority actions for 90 days:

  1. Create the AI systems registry and appoint an AI responsible person.
  2. Execute an initial risk screening for the three most impactful ongoing projects.
  3. Include in the next procurement a basic clause for log auditing and ENS compliance.

This tactical plan enables a shift from intent to control in a short period and without large investments.

Final notes and practical resources

  • Align these measures with ENS RD 311/2022 for security aspects and with the GDPR for data protection.
  • Anticipate EU AI Act requirements for high-risk systems: comprehensive documentation, data quality management and conformity procedures.
  • Modular tools and platforms (such as OptimGov Ready) can accelerate implementing the systems registry and impact assessment processes, but organizational and legal control must always reside within the public entity.

Takeaway / Recommended action: in the next two weeks, appoint an AI responsible person, inventory your models and run a risk screening on the most critical project — that single action reduces regulatory exposure and lets you prioritize operational measures.