The ICO has published recommendations for business owners on using AI in recruitment processes lawfully and ethically.
Artificial intelligence (AI) is transforming recruitment by saving time and improving efficiency for businesses of various sizes and across industries. Businesses are using AI tools to source potential candidates, summarize CVs, as well as score applicants. However, the use of AI in hiring comes with significant risks if not implemented responsibly. If not compliant with data protection laws, these tools can lead to unfair exclusion of candidates or privacy breaches, exposing businesses to legal and reputational risks.
UK audits found AI recruitment tools mishandled personal data, as a result, the ICO has issued recommendations for fairer, more transparent practices.
Recent audits conducted by the UK’s Information Commissioner’s Office (ICO) revealed key concerns with AI recruitment tools. Some tools unfairly processed personal information by filtering candidates based on protected characteristics or inferring sensitive information like gender or ethnicity from names. Others collected excessive amounts of personal data, retaining it indefinitely without candidates’ knowledge. Additionally, many tools lacked transparency, failing to explain to candidates how their data was used. In response, the ICO issued several recommendations to AI developers and providers. These recommendations aim to ensure compliance with data protection laws and promote fairness and transparency in AI recruitment practices.
To responsibly adopt AI recruitment tools, businesses should conduct a DPIA before procurement and establish a legal basis for data processing sensitive data.
Business owners considering AI recruitment tools should take proactive steps to ensure responsible adoption. Conducting a Data Protection Impact Assessment (DPIA) is essential to identify and address privacy risks. A DPIA should be completed before procurement and updated as the AI tool evolves. It’s also crucial to establish a lawful basis for data processing, particularly for sensitive data like racial or health information, which requires specific legal conditions.
When using AI in recruitment, it is important to clearly define responsibilities, mitigate bias, and be transparent, limiting data collection and ensuring AI providers comply with data protection laws.
When working with AI providers, define responsibilities clearly by determining whether your business or the provider is the data controller or processor. Ensure contracts specify roles, performance measures, and instructions for compliance with data protection laws. Mitigating bias is another critical step. Request documentation from providers on how they address bias in their tools, and monitor the outputs regularly to ensure fairness. Transparency is equally important. Inform candidates about how the AI processes their data, the logic behind decisions, and their right to challenge automated decisions. Additionally, limit data collection to the minimum necessary for recruitment purposes and avoid tools that retain data indefinitely or for unrelated purposes.
The ICO advises businesses to assess AI recruitment tools by asking questions about data protection, legal basis, bias mitigation, and data minimization to ensure compliance and reduce risk.
To help businesses assess AI tools, the ICO recommends asking key questions during procurement. These include whether the provider has conducted a DPIA, the legal basis for processing data, how bias is mitigated, and how data collection is minimized. Such questions not only ensure compliance but also build trust with candidates and protect your business from potential risks. The ICO’s audits have already led to improvements among AI providers, including enhanced transparency in privacy policies and better measures to reduce bias. By following these guidelines and leveraging the ICO’s resources, businesses can harness the benefits of AI in recruitment while ensuring fairness, transparency, and compliance.
