Opinion

UK ICO makes recommendations on AI in recruitment

Published Date: Nov 21 2024

On 6 November 2024, the Information Commissioner’s Office (ICO) published a report on the use of artificial intelligence (AI) in recruitment (the Report) following a series of consensual audits with developers and providers of AI-powered recruitment tools which aimed to assess compliance with UK data protection laws. The audits focused on sourcing, screening and selection AI tools used in recruitment.

Key findings from the Report included:

  • Accuracy and bias monitoring: Many providers monitored the accuracy and bias of their AI tools and took corrective actions. However, some lacked accuracy testing, and certain features could lead to discrimination by allowing recruiters to filter out candidates based on protected characteristics.
  • Excessive data collection: Some tools collected more personal information than necessary, including by scraping data from job networking sites and social media and combining it to form databases used to market vacancies to candidates. This was often carried out without the knowledge of recruiters or candidates. That said, some providers did enable recruiters to tailor the AI model to their needs such that personal data collection was minimised.
  • Controller vs. processor roles: Several AI providers incorrectly identified themselves as processors rather than controllers, leading to non-compliance with data protection principles. In other scenarios, contractual allocation of responsibilities was vague and unclear.
  • Transparency and trust: Some providers were transparent about their AI models and shared detailed information online to build trust. 

The ICO made almost 300 tailored recommendations during the course of the audit process. In the Report, the ICO summarised seven key recommendations for AI providers and recruiters, including:

  • Fairness: ensure personal information is processed fairly by monitoring for fairness, accuracy, and bias issues in AI and its outputs and taking appropriate actions to address them. Special category data used to monitor for bias and discrimination must be accurate and adequate enough to fulfil this role and, of course, should be processed in accordance with data protection law;
  • Transparency and explainability: recruiters should inform candidates about how their personal information is processed by AI, including what personal data is processed, the logic involved in making predictions or producing outputs and how they use personal data in developing the AI. Allocation of responsibility between the AI provider and the recruiter for providing the privacy information should be contractually defined, and the AI provider should give the recruiter the necessary technical information about the AI logic;
  • Minimisation and purpose limitation: AI providers should determine the minimum personal information necessary (to develop, train, test and operate the AI) and for what period it is required. They should also identify the purpose for processing and compatibility with original purposes. Recruiters should then ensure they do not exceed those requirements;
  • DPIAs: complete data protection impact assessments (DPIAs) where processing is likely to result in a high risk to people and do so early in AI development, prior to processing. Update DPIAs as the AI develops. AI providers acting solely as processors should also consider completing DPIAs, for example to assess and mitigate privacy risks;
  • Data controller vs data processor: clearly define and document roles for each specific processing activity;
  • Processing instructions: recruiters should provide explicit and comprehensive written processing instructions to AI providers acting as their data processors, and periodically check compliance. AI providers acting as processors should comply with recruiter instructions; and
  • Lawful basis and conditions: identify and document the lawful basis for each instance of personal information processing as well as any additional condition required to process special category personal data. 

The ICO also published a list of questions for companies to consider before procuring an AI tool to address the key findings and cover the key recommendations in the Report.

The AI tools in recruitment report is available here, and the list of questions can be found here.