Automatic Decision-Making and Recruitment: ICO publishes report

The Information Commissioner’s Office (ICO) has published a report on how automated decision-making (ADM) can be used fairly and responsibly in recruitment, together with advice on how employers can ensure that they stay on the right side of data protection laws.

The report coincides with the publication of updated guidance from the ICO (discussed here) on how organisations generally must comply with the new rules on ADM following the passage of the Data (Use and Access) Act 2025.

The use of ADM in recruitment was identified early on as an area requiring particular focus from the ICO given the extent to which businesses increasingly use automation in various aspects of their recruitment processes. As the report explains, this growth has been accompanied by concern in some circles about the level of transparency from employers about how ADM is used, the extent to which its use might reflect and reinforce existing biases, and nervousness about inaccurate outputs and unfair outcomes.

As a result, the ICO embarked on a project to assess how employers are currently using ADM and the extent to which it complies with data protection law.

Its findings – set out in a recent report – are that employers are using automated recruitment processes with “varying levels of sophistication and intensity” and that, more broadly, “employers have more work to do to ensure that the use of automated recruitment tools respect people’s information rights”.

In particular, the ICO notes the following:

  • Employers must more thoroughly assess the level of meaningful human involvement in their processes. The ICO points out that some employers make the mistake of thinking that tools are merely supporting decisions, rather than making decisions themselves (which would likely bring them within the scope of the ADM provisions of the UK GDPR). At the same time, where employers do include meaningful human involvement, the ICO cautions that they must apply it consistently to all candidates within a hiring stage;

  • Employers must improve their transparency measures to ensure that they adequately inform candidates about the use of ADM, including any solely automated decisions, in the recruitment process. They must also apply the safeguards specified in the ADM provisions of the UK GDPR;

  • Employers should fully assess the fairness of their processing and consider whether the outcomes result in bias or discrimination;

  • Employers should “carefully consider” whether to carry out a Data Protection Impact Assessment to assess more thoroughly the level of risk to individuals arising from the processing of their data and take appropriate steps to mitigate those risks; and

  • Employers should review the lawful bases they rely on to process personal information. The ICO explains that consent is unlikely to be an appropriate lawful basis because “candidates might feel that if they refuse to allow the employer to process their personal information to inform an automated decision, it will prevent them from progressing in the recruitment process. It is therefore unlikely that their consent would be considered ‘freely given’”. The ICO recommends legitimate interests as the more appropriate basis and, as a result, employers should consider carrying out a Legitimate Interests Assessment.

In the light of the report’s findings, the ICO has stated that it intends to update its guidance on recruitment and selection later this year.

In the meantime, the report can be read in full here.