Privacy & Information Security Law Blog

On November 6, 2024, the UK Information Commissioner’s Office (“ICO”) published a report following consensual audit engagements conducted between August 2023 and May 2024 with developers and providers of artificial intelligence (“AI”) powered sourcing, screening, and selection tools used in recruitment (the “Report”). The Report covers the outcomes of the audits and a series of recommendations for recruiters, and for developers and providers of recruitment AI tools, that aim to better protect the data privacy rights of candidates. The Report details how the audits identified good practices in several areas, but also areas that could be improved, such as a lack of accuracy testing and unnecessary collection of personal data. ICO auditors made 296 recommendations and 42 advisory notes across all engagements.

The recommendations contained in the Report relate to key areas and principles of data protection compliance such as transparency, data minimization and purpose limitation, and the roles of controller and processor. Examples of such recommendations include:

• Recruiters must ensure that they inform candidates of how AI tools will process their personal information. They should do this by providing detailed privacy information, or ensuring that this is provided by the AI provider;
• AI providers should assess the minimum personal information required to develop, train, test, and operate AI tools; and
• AI providers and recruiters should complete a data protection impact assessment (“DPIA”) early in the development of an AI tool and prior to the relevant data processing activities. Even when acting as a processor, a provider should consider completing a DPIA to fully assess and mitigate risks.