ICO publishes ADM report in HR, warns businesses to align with DUAA changes
Published: 31/03/2026 | ICO
The Information Commissioner's Office (ICO) has published a blog article calling on businesses to review their use of automated decision-making (ADM) in recruitment to ensure compliance with the UK's updated data protection legislative framework. Following the introduction of the Data (Use and Access) Act 2025 (DUA Act), the ICO has published a report setting out its expectations for organisations using ADM in their hiring processes.
The key findings section of the report highlights that while ADM can improve efficiency and handle high volumes of applications quickly, it poses significant risks of unfairness or bias if used unlawfully. The ICO found that employers deploy such tools with varying levels of sophistication, primarily for high-volume roles or graduate recruitment. The findings indicate that many employers have more work to do to respect information rights. In particular, the ICO is concerned that organisations need to assess more thoroughly the level of meaningful human involvement in their processes. The ICO also found that most privacy information provided to candidates was insufficiently specific about how ADM was being used. Furthermore, many employers had not fully assessed their processes for bias or discrimination, while others had failed to complete required Data Protection Impact Assessments (DPIAs) before processing personal information.
The report also highlights confusion about selecting the right lawful basis for processing. Many companies relied on consent or performance of a contract as their lawful basis, which the ICO remarks is unlikely to be appropriate in most recruitment contexts.
The ICO has also published a consumer-focused blog explaining what jobseekers need to know about ADM use in recruitment processes.
In a related article, Privacy International (PI) has published recommendations to improve the transparency and explainability of algorithmic decisions in the workplace. Following years of investigating the impact of algorithmic management and surveillance on workers, PI highlights how a lack of information negatively affects those managed by these systems. While the recommendations are framed for gig-economy platforms, they apply to any system that manages workers algorithmically.