Making automated decisions during recruitment

Automated decision making (ADM) in recruitment is a key regulatory focus for the Information Commissioner’s Office (ICO). The ICO recognises that the increased automation of recruitment processes using AI brings potential benefits but also raises concerns such as people being incorrectly overlooked for jobs or being discriminated against. The ICO has recently published a report [1] setting out its key findings on the use of automated recruitment tools by 37 employers, and its expectations for the use of such tools. The report provides valuable guidance on how to obtain the benefits of automated recruitment processes whilst complying with UK data protection law. In this article we take a look at the implications for recruitment businesses.

[1] https://ico.org.uk/about-the-ico/what-we-do/recruitment-rewired/

Meaningful human involvement

The UK GDPR applies to ADM, namely where a decision is based solely on automated processing, without meaningful human involvement in that decision, and has legal or similarly significant effects on a person, such as a recruitment decision.

The ICO’s report found that automated recruitment tools are typically used early in the recruitment process, e.g. to score and rank candidates’ competencies and skills, for AI psychometric assessment and to predict candidates’ personality type. When using such tools, organisations therefore need to consider whether there is ADM. The ICO makes clear that this requires a thorough assessment of the level of meaningful human involvement in the decisions that are being taken about candidates. Is the tool being used to support decision-making with consistent, meaningful human involvement or, in the case of ADM, is the tool being used to make decisions without meaningful human involvement, such as where a human merely rubber stamps the decision?

The ICO considers that, for an automated tool to be considered decision support rather than decision making, a human must make every decision about whether to progress a candidate to the next stage; its report gives useful guidance on how this should work in practice. On the other hand, tools used to automatically reject candidates using ‘fit’ scores constitute ADM. The ICO expects organisations either to comply with the requirements of data protection law for ADM (see below) or else adapt their processes to ensure there is meaningful human involvement in each decision about each candidate.

Lawful Basis, Transparency and Safeguards

The UK GDPR has recently been amended, making it easier to carry out ADM (except when using special category data such as health data, where ADM is prohibited unless certain conditions are satisfied). Organisations can use almost all the lawful bases set out in the UK GDPR for ADM in recruitment. However, the ICO believes that legitimate interests is likely to be the most appropriate lawful basis, warning against using consent or contractual necessity in most cases. Organisations should therefore review their lawful basis for ADM and ensure this is recorded in their candidate privacy notices and records of processing. When relying on legitimate interests, organisations should conduct a legitimate interests assessment to demonstrate that they have balanced their own legitimate interests against the rights and freedoms of candidates.

The UK GDPR imposes certain transparency requirements for ADM, meaning organisations must inform candidates in their privacy notices about the use of ADM and provide them with meaningful information about the logic involved and the likely consequences. The ICO says candidates must be provided with information about how the automated tool will be used to make decisions and how accurate the tool is.

Information also needs to be given in candidate privacy notices about the safeguards that are in place for ADM, as required under the UK GDPR. These safeguards are that individuals must be informed of the decisions made about them; be given the opportunity to make representations about such decisions; be able to obtain human intervention/human review; and be able to contest such decisions.

Organisations should review their privacy notices to ensure that they contain the required transparency and safeguards information about their use of ADM. Note that organisations cannot simply refer candidates to the recruitment tool provider’s privacy information since the candidate is to be given information about how the organisation uses the tool in its recruitment process and the organisation is accountable for the decisions made. Organisations should also implement processes to ensure candidates are able to make representations, obtain human intervention and contest decisions.

Fairness, bias and discrimination

The report sets out the ICO’s expectation that organisations assess the fairness of their processing of candidates’ personal data and consider whether the use of automated recruitment tools results in bias and discrimination. Before using automated recruitment tools, organisations should make enquiries to the provider about bias testing and conduct their own trials to ensure bias is limited.

Data Protection Impact Assessment (DPIA)

A DPIA assesses the data protection risks and considers how to mitigate them. A DPIA must be carried out, prior to the processing, where the processing is likely to result in a high risk to people’s rights and freedoms. It is also good practice to carry out a DPIA even where not required. The ICO considers that a DPIA must be carried out before using ADM in recruitment. Where an organisation has already carried out a DPIA for automated recruitment tools, the ICO expects that it be carefully reviewed to ensure that the data protection risks are being appropriately addressed.

Next steps

Compliance with the UK GDPR is important: the ICO has the power to impose significant fines of up to, in some cases, the higher of £17.5 million or 4% of the organisation’s total worldwide annual turnover in the preceding financial year.

If you are using ADM in recruitment, you should check your compliance with data protection law and implement any required remedial steps. You should, in particular, review whether any automated recruitment tools that you regarded as decision support are, in fact, decision making. In its report, the ICO found that many employers wrongly thought that their tools were decision support, when they were being used for ADM, leading to a failure in compliance.

If you are considering using ADM in recruitment, you should carry out a DPIA to ensure that the data protection risks are adequately addressed and should implement any data protection compliance and risk mitigation actions.

Organisations should also keep up to date with relevant ICO guidance relating to ADM. The ICO has opened its consultation on its guidance on automated decision-making, including profiling [2] and is in the process of finalising its guidance on automated decision-making and profiling for recruitment and selection. [3]

[2] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/automated-decision-making/

[3] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/recruitment-and-selection/automated-decision-making-and-profiling-for-recruitment-and-selection/

Should you require any further information please do not hesitate to contact:

Dr Patricia Jones

Consultant

T: +44 (0) 793 279 6649 patricia.jones@pannonecorporate.com

Andrew West

Partner

T: +44 (0) 793 179 0894 andrew.west@pannonecorporate.com


Copyright in this publication is owned by Pannone Corporate LLP and all rights in such copyright are reserved. Pannone Corporate LLP is a limited liability partnership registered in England and Wales with number OC388393. Authorised and Regulated by the Solicitors Regulation Authority. A list of members is available for inspection at the registered office, 378-380 Deansgate, Manchester M3 4LY. We use the term “partner” to refer to a member of the LLP.