Are your hiring managers quietly letting an algorithm bin hundreds of job applications while claiming a human is technically in charge?
This week on the Privacy Partnership Podcast, Rob unpacks a massive structural shift in the UK’s framework for Automated Decision-Making (ADM). We dive into two major new releases from the ICO: the highly revealing Recruitment Rewired report and the newly updated draft guidance on ADM and profiling.
With the Data (Use and Access) Act (DUAA) taking effect, the UK GDPR’s approach to ADM has fundamentally changed—moving from a strict "prohibition with exceptions" to a more flexible "right of challenge with safeguards." Robert explains why this is arguably the most significant change under the DUAA, how it actually reduces friction for controllers by opening up Legitimate Interests as a lawful basis, and why the compliance burden hasn't disappeared, but rather shifted.
We also look at where companies are still getting this horribly wrong. Although the ICO's Recruitment Rewired report covers a period before the DUAA took effect, the new draft guidance makes clear that the new Article 22C safeguards essentially codify the old rules. If you were failing then, you are failing now.
In This Episode, We Cover:
The DUAA ADM Overhaul: How Articles 22A-22D change the game for controllers, making it easier to deploy AI decision-making without relying on clumsy lawful bases.
The "Meaningful Human Involvement" Trap: Why having a human "rubber-stamp" an AI's red-light rejection score is still a solely automated decision under the law.
Lawful Basis Headaches: Why Consent and Contract are terrible fits for automated CV screening, and how Legitimate Interests (and the required LIA) is now the clear path forward.
Transparency & DPIA Failures: A look at the worst practices the ICO found, including vague privacy notices, missing safeguards, and a solo legal team member signing off on a DPIA without consulting the DPO.
Key Quotes:
"The DUAA has undeniably made it easier to justify rolling out automated decision-making systems... But the structural requirements for fairness, transparency, and human intervention haven't vanished—they've just been recodified."
"If a human is simply applying the outcome of an automated system without actively evaluating the person's information, that is not meaningful human involvement."
Resources & Links:
Read the ICO’s Draft Guidance on Automated Decision-Making, including profiling: [Link to ICO Website]
Read the ICO’s Recruitment Rewired Report: [Link to ICO Website]
Learn more about the Data (Use and Access) Act (DUAA) changes to the UK GDPR.
About the Host:
Robert Bateman is a privacy expert, analyst, and the host of the Privacy Partnership Podcast.
Subscribe & Review:
If you enjoyed this episode, please subscribe to the Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Leave us a rating and review to help other privacy professionals find the show!
