ICO publishes guidance regarding regulatory expectations on the use of automated decision-making in recruitment

The ICO acknowledges that ADM recruitment tools can provide benefits for employers and candidates and seeks to frame its guidance in support of innovation. However, it also highlights the risks posed by such tools, including the introduction of biases to the recruitment process.

The ICO’s key findings in the Report include the following: 

• Employers often rely solely on ADM recruitment tools without effective human oversight.
• Employers do not consistently apply safeguards to manage ADM processes, such as by ensuring that candidates can challenge recruitment decisions.
• Many employers do not provide transparent information to candidates to enable candidates to understand how their personal data is processed or how ADM is used in the recruitment process.
• Many employers either fail to complete data protection impact assessments (DPIAs) before processing candidates’ personal information or produce DPIAs that lack adequate risk mitigation.

The Report outlines the ICO’s expectations for organisations using ADM recruitment tools, including the following: 

• Organisations must implement adequate safeguards enabling candidates to contest automated decisions and request human intervention.
• Organisations must ensure that there is meaningful and genuine human involvement in recruitment decisions.
• Organisations must be transparent and provide individuals with information regarding ADM at various stages during the recruitment process, including when an individuals’ personal data is first collected, when an individual makes a subject access request and when the organisation engages in ADM.
• Organisations should review their practices to ensure that they consistently treat candidates fairly and engage with developers to test bias.
• In accordance with data protection laws, organisations must carry out and maintain comprehensive DPIAs where personal data processing via ADM is likely to result in a high risk to individuals’ rights and freedoms.

On March 31, 2026, the ICO launched a further consultation on updates to its existing ADM guidance (the Updated ADM Guidance). The Updated ADM Guidance intends to help organisations understand and meet relevant obligations regarding ADM (and the use of profiling) and follows the introduction of the Data (Use and Access) Act 2025. The public consultation on the Updated ADM Guidance is open until May 29, 2026.

The press release is available here, and the Report can be viewed here.