ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million

A close up image of a smartphone with the ICO webpage displayed on screen
(Image credit: Shutterstock)

The UK’s Information Commissioner’s Office (ICO) will renew its focus on regulating algorithmic biases as part of a three-year plan to tackle digital injustices and raise data awareness among businesses.

Branded ICO25, the ICO said the broad “package of actions” will help to save businesses around £100 million over the next three years. It aims to support businesses by releasing a catalogue of learning materials, a database of ICO-approved advice, and an ICO-moderated platform for organisations to discuss compliance matters and share advice.

As part of the roadmap, the ICO is applying a fresh focus on regulating algorithmic biases in the benefits system alongside the of role artificial intelligence (AI) in recruitment. There are fears, in particular, that AI-powered recruitment and hiring may discriminate against neurodiverse job applicants as well as candidates from ethnic minorities.

The use of AI in recruitment has been heavily criticised over the potential to discriminate against certain groups of people, largely due to a marked lack of diversity when such systems are being developed.

Commenting on the strategy, Peter van der Putten, Director AI Lab, Pegasystems and assistant professor in AI at Leiden University said the ICO was right to focus on the impact of AI on material decisions, such as whether you get access to financial support or whether you're hired for a role.

“AI is an invaluable technology that is already being used by government departments, banks, insurers, telcos, utility providers and more to improve customer service for millions of consumers, but these companies cannot let AI go unchecked," he said.

"Improper use of AI in this context is particularly harmful for vulnerable groups, but it is important to realise that virtually anyone can be a victim of unwanted bias, and deserves fair and explainable automated decisions. Take age or gender discrimination for instance.

“That is because AI is as biased as the data and logic used to create it. Even if its designers have the best intentions, errors may creep in through the selection of biased data for machine learning models as well as prejudice and assumptions in built-in logic. Therefore, organisations need to make sure that the data, models and logic being used to create their algorithms is absent of prejudice as much as possible, AI powered decisions are continuously monitored for bias and material automated decisions come with complementary automated explanation facilities."

The ICO's crackdown in this area comes alongside the ongoing support of children’s privacy and a crackdown on nuisance marketing.

“Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law,” Information Commissioner John Edwards will say in a speech later today.

“Certainty in what the law requires, coupled with a predictable approach to enforcement action that allows businesses to invest and innovate with confidence. And the flexibility to reduce the cost of compliance.

“That support for business and public sector is important in itself, but it is ultimately a means to an end. We help business to help people.”


The challenge of securing the remote working employee

The IT Pro Guide to Sase and successful digital transformation


Clarifying the £100 million figure, Edwards will say that “flexibility” the ICO refers to is related to the cost of compliance, in light of the fact he's tasked the regulator with saving businesses £100 million over the next three years in the form of opportunities for better understanding data law.

Edwards will also say he understands these new focuses represent a big change in the way the ICO approaches matters, and that some things may not work out as intended. “The proposals I set out today involve trying different approaches. Some may work well, some may not work, some may need tweaking,” he will say. “But it is absolutely clear to me that in a world of increasing demand, and shrinking resources, we simply cannot keep doing what we’ve been doing and expect the system to improve.”

The Information Commissioner also promised to use the “most punitive regulatory tools” at the organisation’s disposal against those who seek to target and exploit vulnerable groups.

The ICO has been previously criticised for failing to investigate major data privacy cases in recent years. It has also been accused of failing to allocate an adequate proportion of staff to tech privacy, fuelling fears that major breaches would go uninvestigated.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.