Recruiting the right AI: Key Lessons from the ICO’s Report on AI tools in Recruitment


Posted on 28 Nov 2024

AI is here to stay. It is a reality of everyday life. This may have benefits, as the ICO’s recent report acknowledges, but it also comes with an inherent risk to privacy.

The ICO conducted an audit with developers and providers of AI recruitment tools from August 2023 to May 2024 and detailed its findings in a report published on 6 November 2024 (available here).

In some respects, the report is not groundbreaking. It should come as no surprise that processing via AI tools is subject to the UK GDPR and Data Privacy Act 2018. Specific ICO guidance on the use of AI and data privacy has been available since March 2023. What the latest report does demonstrate is the continued scale of non-compliance, as well as the challenges faced by the recruitment industry as it seeks to utilise the benefits of AI in an increasingly fast-paced and competitive environment.

Key concerns highlighted in the report include the practice of combining candidate data with data scraped from social media and job networking sites to build vacancy marketing databases (often without candidates’ knowledge), features enabling discrimination, inadequate accuracy and bias testing and unclear, or at times improper, allocation of compliance responsibilities between recruiters and AI providers.

The ICO made 296 recommendations during its audit. The highest number of recommendations related to privacy management framework, closely followed by Data Protection Impact Assessments and risk management. The ICO’s report summarises the most common areas for improvement into seven key recommendations for the design and use of AI recruitment tools:

  1. Fairness (including accuracy and addressing bias issues)
  2. Transparency and explainability (candidate privacy information)
  3. Data minimisation and purpose limitation
  4. Data Protection Impact Assessments
  5. Data controller and processor roles
  6. Explicit processing instructions
  7. Lawful basis for processing and (for special category data) additional condition to ensure lawful processing

The report also sets out key observations from the audit, areas for improvement and practical examples, as well as recommendations aimed specifically at AI providers and recruiters.

Note that the ICO’s audit covered sourcing, screening and selection tools, but not AI tools used to process biometric data or using generative AI (e.g., chatbots).

Key takeaways for recruiters

Both AI providers and recruiters have responsibilities to ensure that their use of AI tools complies with data privacy law. Although these are recommendations rather than specific legal requirements, failing to take note of the practices and standards advocated in the report puts organisations at risk of breaching their legal obligations.

Following the recommendations in the report will require recruiters who use AI tools to perform thorough due diligence on their AI provider’s practices and compliance. This includes checking how the AI provider uses candidate personal data, monitors fairness and accuracy and mitigates potential bias, as well as requesting evidence of the AI provider’s internal privacy compliance checks.

Recruiters using AI tools will also want to check contractual arrangements with their AI provider to ensure controller and processor roles are clearly defined. Each party’s responsibilities, including responsibility for providing privacy information to candidates, should be detailed in the contract.

Other steps recruiters will want to consider off the back of this report include:

  • Reviewing (and where necessary updating) candidate privacy policies.
  • Ensuring staff are trained in the proper, compliant and fair use of AI tools – the tools reviewed by the ICO were designed and intended to support human decision-making, not make automated decisions.
  • Reviewing Data Protection Impact Assessments and ensuring mitigating controls are in place and effective.
  • Reviewing and updating records of processing activities (RoPA) for candidate personal data.

Hannah Vernon

Hannah is an employment associate and advises both organisations and individuals on all areas of contentious and non-contentious employment law matters.

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.