GDPR for HR | UK ICO audits AI recruitment tools and the English High Court defines controllers in DSARs
Published on 18th Dec 2024
Welcome to the Christmas edition of our GDPR for HR newsletter, featuring the latest updates, cases and insights on data privacy.
UK ICO publishes recommendations on AI tools in recruitment
The Information Commissioner's Office (ICO) recently carried out consensual audits of several organisations that develop or provide artificial intelligence (AI) tools for use in recruitment. In November, it published its outcomes report that summarised the findings. The audit and report aim to enhance the protection of job seekers' data rights, following concerns that AI tools can present risks to job seekers' data rights if measures are not in place to ensure personal information is being used lawfully and fairly.
It is an essential read for organisations that provide or use AI tools in a recruitment context. The audit focused on 10 areas, including data minimisation, bias mitigation with AI, and privacy trade-offs within AI.
Audit concerns
Examples of concerns identified in the audit include:
- Collection and retention of data which goes beyond that which is necessary.
- Unfair processing of data; for example, the ability to exclude candidates from the selection process on the basis of certain protected characteristics, or inferences about gender and ethnicity based on candidates' names.
- Lack of transparency about the processing.
- Misunderstandings of whether the AI provider was a data controller or processor of job seekers' personal data, resulting in a lack of compliance with the relevant data protection obligations.
- The need for risk assessments to understand the impact of processing on individuals' privacy rights.
Problem areas identified in the audit are then paired with a helpful selection of good practice examples and almost 300 practical recommendations.
ICO recommendations
Those involved with data rights requests, including the increasingly popular data subject access requests (DSARs), were given a specific mention. The ICO recommended that AI providers and recruiters should consider how the requests will be handled within the AI tools, how to communicate these requests between recruiter, AI providers and other third parties, and how to document the processes involved.
The ICO is explicit about the report's intentions. "Our report signals our expectations for the use of AI in recruitment", it said. "AI providers and recruiters should follow the recommendations."
Organisations that use (or propose to use) AI tools as part of their recruitment practices would be wise to review their AI practices alongside the ICO's latest recommendations to ensure they align. If AI businesses can get this right, they have the scope to build trust and market reputation in their AI tools with both recruiters and job seekers – and there is potential for commercial benefit beyond legal compliance.
Who's the data controller for DSARs: the organisation, senior officers or both?
The High Court, in the recent case of Savva v Leather Inside Out and Others, considered whether two senior officers – trustees – and a consultant of a charity were capable of being data controllers, in addition to or instead of the charity itself, for the purposes of Article 15 of the UK General Data Protection Regulation. No documents were provided in response to a DSAR submitted by a former employee claiming unfair dismissal, either during the one-month response period or subsequently.
In order to decide whether the trustees and consultant were acting as agents of the charity or independently in their personal capacities, the High Court considered the definitions of "data controller" and "data processor".
The High Court determined that the former employee – the claimant – had failed to put forward factual evidence that any of the trustees or the consultant were acting as anything other than agents of the charity, as the data controller. However, the High Court was clear that officers could potentially be data controllers in their personal capacity. There is no automatic immunity associated with an officer's position or status that would limit their role and associated responsibilities to those of an agent of the organisation regardless of the circumstances.
High Court lessons
There are important takeaways from this case. Data protection responsibilities within an organisation need to be considered carefully, particularly in settings where data protection roles may overlap. For example, in relation to trusts, the ICO states "the controller will be the trustee (or trustees if there is more than one) who make decisions about the processing of personal data".
Data protection responsibilities need to be under regular review and staff kept aware of their individual obligations.
If an organisation faces data protection-related claims that target specific individuals, careful analysis of the facts will be needed to evidence their individual data protection obligations, including in what capacity they were acting; for example, as an agent, data processor or data controller of the organisation.
Upcoming and recent events
GDPR for HR Event
12 February 2025 | 17:15 – 19:30
A look back at the privacy developments over the last 12 months and ahead on the horizon in 2025, as well as at the practical impact of changes on the processing of HR-related data. The in-person event will be a great opportunity to network with like-minded HR professionals.
Before closing the year with a well-deserved festive holiday break, why not take a moment to register for this event to ensure a compliant start to 2025? We look forward to seeing you there.
In-House Lawyer Talks 2024 | Data protection law: changes, trends and hot topics
In this webinar, we looked at the Data (Use and Access) Bill, and ICO priorities and enforcement trends.
We wish you a festive holiday and a wonderful New Year!