Information Commissioner's Office issues guidance on employee recruitment. What do you need to know?
- Avoid asking for personal information at the start of the recruitment process if you don’t need it until later on. For example, if you only need a copy of the successful candidate’s degree certificate, it’s not fair to ask all candidates to provide this;
- Consider whether it’s fair to get information about candidates from other sources. In most circumstances, it is only appropriate to vet the candidate who is offered the job.
- You must not collect more information than you need to achieve your purpose. When collecting information for recruitment, you should tailor your application forms to ensure that candidates only provide the information you need. You could also make it clear what information you don’t need them to provide.
- In general, you should not use information: in ways the candidate would not reasonably expect; which you have not told them about; or which may have adverse effects for them.
- If you are using tests or assessments, you should pseudonymise candidates’ information, where possible.
- In general, you should not keep information beyond the statutory period in which a legal claim can potentially be brought. It’s also unlikely that you need to keep all the information you hold for the purpose of defending potential legal claims. You must only keep information if you can justify why this is necessary.
Special category information
- Just because a candidate has deliberately made their special category information publicly available does not mean it’s fair or lawful to use it for recruitment purposes. Candidates are unlikely to expect you to use their information in this way.
- You should not make assumptions about a person’s suitability for a particular role based on their special category information (eg their race, political views, sexual orientation, or gender). This is the case even if the person has deliberately made this information publicly available. However, if you consider this information to be significantly relevant to the role you are recruiting for, you can still use it as long as you do so fairly. For example, by giving candidates an opportunity to explain or comment at interview.
Transparency and purpose specification
- You should not use the person’s information in ways they would not reasonably expect. If you plan to use their information for reasons not linked to recruitment, you must inform them and have a lawful basis for your processing.
- You should inform candidates about the selection criteria you will apply to their information in order to shortlist them.
- You should not keep information about candidates ‘just in case’ you might use it, or because you might decide to recruit more workers in future. You should only keep candidates’ information if this is fair. This means that you: genuinely intend to use the information; informed candidates about this; and explained how long you will keep their information for.
- You must take all reasonable steps to ensure the personal information you collect for recruitment purposes is not incorrect or misleading as to any matter of fact. You must keep candidates’ information accurate and up-to-date. For example, if a candidate’s contact details change, you must update your records. You could provide candidates with a contact on the application form in case they need to update their details.
- If you discover that the information you have is incorrect or misleading, you must take steps to rectify or erase it as soon as possible.
- If you obtain information from third-party sources, it’s important that you’re confident that these sources are reliable.
You must carry out a DPIA before undertaking any processing likely to result in a high risk to candidates’ interests, rights and freedoms.
For recruitment, this may include:
- Using systematic and extensive profiling with significant effects (eg using recruitment tools to profile candidates or predict behaviour);
- Using innovative technology (eg using automated decision-making or profiling or AI to help you make recruitment decisions);
- Processing special category or criminal offence information on a large scale; or
- Collecting personal information from sources other than the candidate, without providing them with privacy information.
Automated decision-making and profiling for recruitment and selection
- You can use automated systems to assist you with recruitment decisions, provided that they are not solely automated, and there has been meaningful human involvement in the decision.
- You must do a DPIA if you plan to use solely or partly automated decision-making and profiling for recruitment purposes as both activities are high risk. You must:
- Consider whether the automated method is necessary and proportionate in the circumstances;
- Consider whether you can use less privacy-intrusive alternatives instead;
- Be selective about when to use these methods and to what extent;
- Ensure your software does not introduce biases, in particular those that target or discriminate against candidates based on their protected characteristics;
- Ensure you don’t discriminate against someone on the basis of their special category information; and
- Carefully monitor and assess the operation of any software you plan to use.
- You must manage risks of bias and discrimination in any system you use and be able to mitigate the risks before you use automated decision-making and profiling for recruitment purposes.
Even if you have not developed the software yourself, you must still understand the data protection implications of its use, and whether it presents a risk to candidates. You must cover this in your DPIA.
Ask the provider for information on:
- the demographic groups a model was trained on;
- whether any underlying bias has been detected or may emerge; and
- any algorithmic fairness testing that has been conducted.
You should regularly review your AI system and have measures in place to check for bias or discrimination.
In particular, you should regularly review the efficiency and algorithmic fairness of the software for people with protected characteristics and special category information.
You must also make reasonable adjustments for people who have a disability. Where there is a risk of bias or unfair treatment, you must use alternatives to automated processing, or mitigate these risks.
You must build meaningful human involvement into each stage of the process in which recruitment decisions are being made about candidates. This means that any decisions about whether to progress a candidate to the next stage are made by a human.
If a human has no power to overturn the AI recommendations, the recruitment decision has been made by solely automated means, and there has been no meaningful human involvement. This is the case even if the human has reviewed the information.
- a human reviews any solely automated outputs that you may use to determine whether a candidate is selected or eliminated from the recruitment process;
- a human has the power to disagree with the AI recommendations or predictions, and can overturn them;
- where there are a number of candidates with similar qualifications and experience, the decision about who to interview is made by a human, although you can consider the recommendations made by the software;
- you don’t attach disproportionate weight to the AI recommendations; and
- you have trained staff on how to consider AI-driven or solely automated decisions, without attaching undue weight to them, and they are able to reach their own conclusions.
You should keep a record of each time a human reviewer overrides an automated recruitment decision. This will help you evaluate both the system you use and the effectiveness of the human involvement.
- You must not make decisions based on solely automated decision-making and profiling unless you’re able to rely on an exception (consent; authorized by law; human intervention) and you have safeguards in place.
- You must provide meaningful details about the logic involved and the significance and likely consequences for the candidate.
- You must provide people with an explanation about how your automated system uses their information. You are not required to disclose your source code or any algorithmic trade secrets.
- People have the right to challenge any solely automated recruitment decision which significantly affects them and request human intervention. You should have simple ways in place to allow them to do this.
- You should record and monitor the number of challenges made by candidates on the grounds of fairness. This helps you assess how effectively your AI software enables you to comply with data protection law. You should address unfair outcomes in a timely way (without impacting the recruitment).
Attorney/Speaker AI Law, Privacy Law, Advertising/Marketing/Promotions Law, Trademark & Copyright, drafting business documents.
Understanding the nuances can help mitigate risks and enhance compliance. Odia Kagan
Ex-Intern @ServiceNow | BI Engineering & Analytics | Generative AI | Strategy
I am interested!
A very insightful update. Thank you for sharing!