- Introduction
- KEY RISKS IDENTIFIED
- RECOMMENDATIONS
- MEVITAE'S AUDIT
AI Recruitment: What ICO Reveals
Introduction
AI can transform recruitment for the better, both in efficiency and effectiveness, but only if deployed ethically and in compliance with data protection law. The UK’s Information Commissioner's Office (ICO) recently released its outcomes report on AI in recruitment, highlighting both the potential and the risks of using AI in hiring. The report follows audits of AI recruitment tool providers and focuses on privacy, fairness, and compliance with UK data protection law, which is based on the EU’s GDPR.
The report is valuable reading even for companies without a UK presence, as the issues identified are pervasive across all organizations implementing this new technology. The ICO’s recommendations aim to help organisations harness AI’s benefits while protecting candidate rights and maintaining trust. HR and data privacy professionals are urged to read the full report here: AI tools in recruitment: Audit outcomes report.
KEY RISKS IDENTIFIED
The ICO’s audit identified several key risks in the use of AI for recruitment. Some AI tools were found to filter candidates based on protected characteristics or to infer sensitive information such as gender or ethnicity (this not only risks discrimination but also causes reliance on inaccurate data). Transparency was another major concern, as many candidates were scarcely aware of how their data was being used, particularly when information was collected from public sources or repurposed for different uses. Privacy notices provided to candidates were frequently insufficient and some tools collected significantly more personal data than necessary, sometimes without the knowledge or consent of the individuals involved.
These risks are by no means new and have been identified for example by the European Commission prior to the EU’s AI Act, and by various US states that have implemented or are implementing their own AI legislation. The UK does not yet have a law equivalent to the EU’s AI Act, instead relying on existing laws such as the UK GDPR. However, we expect this report will be influential as Parliament considers the introduction of similar legislation.
RECOMMENDATIONS
Specifically, the ICO’s seven recommendations were:
- Monitor for bias and accuracy in AI systems, especially when using special category data.
- Be transparent with candidates about how their data is used and how AI decisions are made.
- Minimise data collection and set clear retention periods.
- Complete and update Data Protection Impact Assessments (DPIAs) to assess and mitigate privacy risks.
- Clearly define roles (controller or processor) for each processing activity.
- Provide explicit instructions to AI providers acting as processors and check compliance.
- Document lawful bases for processing, especially for special category data.
For employers, the ICO emphasises the need to carefully vet AI recruitment tools and providers, ensuring that contracts are clear and that candidates receive accessible privacy information. Employers should also regularly review Data Protection Impact Assessments (DPIAs) and ensure candidates have the ability to challenge automated decisions.
For AI providers, the focus should be on maintaining transparency, minimising data collection, and ensuring robust security measures. Providers should clearly document their processing roles, support recruiters in meeting compliance requirements, and actively monitor and address issues related to bias and accuracy in their systems.
The ICO offers a free toolkit to help organizations reduce data privacy risks caused by AI systems – see: AI and data protection risk toolkit | ICO.
MEVITAE'S AUDIT
The ICO has also been conducting targeted consensual audits of potentially high-risk AI providers. MeVitae achieved overwhelmingly high assurance ratings from the ICO in its AI Data Protection Audit Report – see: MeVitae - Executive summary.
Find out more about MeVitae’s pioneering solutions that faithfully incorporate the ICO’s guidance and help you stay compliant as new AI legislation continues to take shape:
-
MeVitae’s talent screening solution stands out by bringing ethical hiring and data privacy to the fore:
-
MeVitae’s trusted anonymized recruiting software and workforce analytics optimize fairness and compliance your automated and manual hiring processes:
-
MeVitae’s highly customizable solutions integrate into virtually any ATS or HCM.
Start Building a Fairer Workplace With Us
Dive into the future of work with our expertly crafted solutions. Experience firsthand how MeVitae’s AI-driven solutions can make a difference. Request a demo or consultation now.