AI tools in recruitment

Audit outcomes report

November 2024

Contents

Executive summary
Introduction
Key recommendations
Methodology
Impact
Summary of findings
Data minimisation and purpose limitation
Using personal information to train and test AI
Accuracy, fairness, and bias mitigation in AI
Transparency
Privacy trade-offs within AI
Human reviews in AI
DPIAs and risk management
Information security and integrity
Management frameworks
Third party relationships

Executive summary

The ICO have carried out consensual audit engagements with developers and providers of artificial intelligence (AI) powered sourcing, screening, and selection tools used in recruitment. We recognise that the use of AI tools in recruitment processes can offer benefits to employers, but their use can also lead to risks for people and their privacy and information rights. We undertook this work as part of our upstream monitoring of the wider AI ecosystem to understand how the development and provision of AI recruitment tools complies with UK data protection law.

Our audits found areas for improvement in data protection compliance and management of privacy risks in AI as well as areas of good practice. We recommended actions both to improve compliance with data protection law and promote the good practices in our published guidance.

Many providers monitored the accuracy and bias of their AI tools and took action to improve them. However we did witness instances where there was a lack of accuracy testing. Additionally, features in some tools could lead to discrimination by having a search functionality that allowed recruiters to filter out candidates with certain protected characteristics. Others estimated or inferred people’s gender, ethnicity, and other characteristics from their job application or even just their name, rather than asking candidates directly. This inferred information is not accurate enough to monitor bias effectively. It was often processed without a lawful basis and without the candidate’s knowledge.

We were concerned to find tools that collected far more personal information than was needed. In some cases, personal information was scraped and combined with other information from millions of people’s profiles on job networking sites and social media. This was then used to build databases that recruiters could use to market their vacancies to potential candidates. Recruiters and candidates were rarely aware that information was being repurposed in this way.

We found several instances where AI providers incorrectly defined themselves as processors rather than controllers, and subsequently had not complied with the data protection principles. Some had attempted to pass all responsibility for compliance to recruiters using their tool. In these cases the arrangements were usually subject to vague or unclear contracts, that appeared to be deliberately broad or left recruiters in the dark.

However, we also noted many encouraging practices. Some providers gave recruiters their own bespoke AI model, that they could tailor to their own needs and which avoided collecting unnecessary personal information. Others worked to be as transparent as possible, and shared detailed information online about the AI and how it worked in order to build people’s trust.

During the course of our work we made almost 300 recommendations to improve compliance, all of which were accepted. These recommendations covered a number of requirements under the law ranging from:

• processing personal information fairly in the AI;
• explaining the processing clearly;
• keeping personal information collected to a minimum;
• not repurposing or processing personal information unlawfully; and
• conducting risk assessments to understand the impact to people’s privacy.

Both AI providers and recruiters should follow the recommendations in this report.

By having high standards of data protection compliance, organisations developing and using AI in recruitment can innovate and deliver great services, while building trust with the public.

Introduction

We have carried out a programme of consensual audit engagements with organisations that develop or provide AI tools used in recruitment.

Recruitment tools audited were broadly used for sourcing, screening, and selection.

Sourcing tools included:

• suggesting potential candidates that match or best fit a recruiter’s job vacancy from a database of potential candidate profiles; and
• finding candidates that may increase the recruiter’s workforce diversity, based on their predicted or inferred gender, ethnicity, age, or other diversity characteristics.

Screening tools included:

• scoring candidate competencies and skills from written applications and CVs;
• predicting a candidate’s ‘interest’ in a job vacancy based on their interactions with recruiters; and
• predicting the likelihood of a candidate being successful in the recruiter’s selection process.

Selection tools included:

• assessing a candidate’s skills and fit to a role based on performance in AI-powered behaviour games or psychometric assessments;
• scoring candidate competencies and skills from written responses to interview questions and text transcriptions of in-person or video interviews; and
• evaluating a candidate’s language, tone, and content in video interviews to predict their personality type.

This work covered a range of AI use cases such as machine learning, including natural language processing. We did not include AI used to process biometric data, such as emotion detection in video interviews, as we have reviewed and are producing separate guidance on biometric data and neurotech. We also did not include tools using generative AI in this work, such as for chatbots and drafting job adverts or role descriptions. Although, we are aware of the increasing use of generative AI models in recruitment and are exploring risks to people’s privacy in other work.

We undertook this work as part of our upstream engagement and monitoring of the wider AI ecosystem. This helped us to understand the privacy risks and potential non-compliance with UK data protection law in the development, provision, and use of AI recruitment tools.

We recognise that AI offers opportunities that could bring improvements for society, such as efficiency, scalability, consistency and process simplification. When used in recruitment processes, AI can enable organisations to handle potentially high volumes of applications and process them consistently and in a timely manner.

However, shifting the processing of personal information to these complex and sometimes opaque systems comes with inherent risks to people and their privacy. Human recruiters may be influenced and make recruitment decisions based on AI outputs, scores, or predictions that might have limited scientific validity¹. As detailed by the UK government in their Responsible AI in Recruitment Guide, AI recruitment algorithms can be unfair, learn to emulate human bias, and perpetuate digital exclusion of minorities². The Centre for Data Ethics and Innovation noted in their Industry Temperature Check in December 2022 that AI systems holding vast amounts of personal information can be targets for cyber-attacks and interference³, especially if information is kept and stored for longer than necessary. AI can process personal information in an untransparent and unexplainable way, or rely on consent that is not valid and informed.

1 REC. REC responds to report showing risk to UK jobs from AI (27 March 2024). /our-view/news/press-releases/rec-responds-report-showing-risk-uk-jobs-ai

2 Department for Science, Innovation, and Technology. Responsible AI in Recruitment guide (25 March 2024). .uk/government/publications/responsible-ai-in-recruitment-guide

Further to the National AI Strategy published in September 2021, the UK government published an AI regulation policy paper in March 2023. This sets out plans to implement a pro-innovation approach to AI regulation, based on the principles of:

• safety, security, and robustness;
• appropriate transparency and explainability;
• fairness;
• accountability and governance; and
• contestability and redress.

These principles are closely linked to the data protection principles in the UK GDPR. By having high standards of data protection compliance, organisations developing and using AI in recruitment can innovate and deliver great services, while building trust with the public.

Key recommendations

Our audits found some considerable areas for improvement in data protection compliance and management of privacy risks in AI. We recommended actions both to improve compliance with data protection law and promote the good practices in our published guidance.

Our recommendations were tailored to the AI use case, the personal information processed, and the context of the organisation. However we have summarised the most common areas into seven key recommendations, which are crucial to all organisations when designing and using AI recruitment tools.

These key recommendations are relevant for organisations that develop or provide AI recruitment tools (AI providers), and organisations that use or are thinking of using an AI tool in their recruitment (recruiters).

AI providers and recruiters should follow our recommendations, to ensure AI recruitment tools comply with UK data protection law.

3 Centre for Data Ethics and Innovation. Industry Temperature Check: Barriers and Enablers to AI Assurance (December 2022). .uk/media/638f3af78fa8f569f7745ab5/Industry_Temperature_Check_-_Barriers_and_Enablers_to_AI_Assurance.pdf

Recommendation: Fairness

AI providers and recruiters must ensure that they process personal information fairly by AI. This includes monitoring for potential or actual fairness, accuracy, or bias issues in the AI and its outputs, and taking appropriate action to address these. Depending on the decisions made and the level of human involvement as a result, the accuracy being better than random is not enough to demonstrate that AI is processing personal information fairly.

Additionally, AI providers and recruiters must also ensure any special category data processed to monitor for bias and discriminatory outputs is adequate and accurate enough to effectively fulfil this purpose. They must also ensure this processing complies with data protection law. Inferred or estimated data will not be adequate and accurate enough, and will therefore not comply with data protection law.

Recommendation: Transparency and explainability

Recruiters must ensure that they inform their candidates how they will process their personal information by AI. They should do this by providing detailed privacy information, or ensuring this is provided by the AI provider. This should clearly explain:

• what personal information is processed by AI and how;
• the logic involved in making predictions or producing outputs; and
• how they use personal information for training, testing, or otherwise developing the AI.

AI providers should support the transparency and explainability of their AI by proactively providing relevant AI technical information or details about the AI logic to the recruiter.

AI providers and recruiters must ensure that contracts clearly define which party is responsible for providing privacy information to candidates.

Recommendation: Data minimisation and purpose limitation

AI providers should comprehensively assess:

• the minimum personal information they require to develop, train, test, and operate each element of the AI;
• the purpose for processing and compatibility with the original purpose for processing; and
• how long they require the personal information for.

Recruiters should:

• ensure that they collect only the minimum personal information necessary to achieve the AI’s purpose; and
• confirm that they only process this personal information for that specific limited purpose and they do not store, share, or reprocess it for an alternative incompatible purpose.

Recommendation: Data protection impact assessments (DPIA)

AI providers and recruiters must:

• complete a DPIA early in AI development and prior to processing, where processing is likely to result in a high risk to people; and
• update the DPIA as AI develops and when processing changes.

The DPIA must include:

• a comprehensive assessment of privacy risks to people as a result of personal information processing;
• appropriate mitigating controls to reduce these risks; and
• an analysis of trade-offs between people’s privacy and other competing interests.

Even when acting exclusively as processors, AI providers should consider completing a DPIA to assess and mitigate privacy risks and evidence technical and organisational controls in place.

Recommendation: Data controller and processor roles

AI providers and recruiters must:

• define whether the AI provider is the controller, joint controller, or a processor for each specific processing of personal information; and
• record this clearly in contracts and privacy information.

The AI provider is the controller if it exercises overall control of the means and purpose of processing in practice. For example, if it uses the personal information it processes on the recruiter’s behalf to develop a central AI model that they deploy to all recruiters.

Recommendation: Explicit processing instructions

Recruiters must set explicit and comprehensive written processing instructions for the AI provider to follow when processing personal information on its behalf as a processor. This includes deciding the:

• specific data fields required;
• means and purposes of processing;
• output required; and
• minimum safeguards to protect personal information.

Recruiters should periodically check that AI providers are complying with these instructions and not sharing or processing personal information for additional alternative purposes.

AI providers must only follow the recruiters’ explicit instructions when they process personal information as a processor for the recruiter. The AI provider must not retain personal information, share it without permission, or process it for their own purposes beyond their instructions.

Recommendation: Lawful basis and additional condition

AI providers and recruiters must:

• identify the lawful basis they relied on for each instance of personal information processing where they are the controller, before processing any personal information;
• identify an additional condition, where they are processing special category data;
• document, describe in privacy information, and record in contracts the lawful basis and condition;
• when relying on legitimate interests, complete a legitimate interests assessment; and
• when relying on consent, ensure that consent is specific, granular, has a clear opt-in, appropriately logged and refreshed at periodic intervals, and as easy to withdraw as it was to give.

Methodology

From August 2023 to May 2024, we conducted consensual audit engagements with organisations that develop or provide AI-powered recruitment tools.

The scope of the audits covered these key areas:

• Privacy management framework – to review the management framework supporting privacy in AI systems, including:
  o comprehensive privacy policies and procedures;
  o compliance mechanisms and KPIs;
  o specialised privacy and AI training for key staff; and
  o identification of appropriate lawful bases and additional conditions for processing personal information.
• Data minimisation and purpose limitation – to ensure that personal information is not repurposed for AI development or provision, and personal information processed is minimal, adequate, and not retained longer than necessary.
• Third party relationships – to ensure that AI providers and recruiters understand and fulfil their controller and processor responsibilities and have formalised these in contracts.
• Information security and integrity – to confirm that technical security measures and access controls are in place and effectively protecting personal information during collection, in transit, and at rest.
• Transparency – to ensure that people are informed how their personal information is processed in AI recruitment tools.
• DPIAs and risk management – to ensure that data protection impact assessments (DPIAs) have been completed and include a comprehensive assessment of the privacy risks to people, and effective mitigations to reduce these risks.
• Privacy trade-offs within AI – to confirm that potential and existing trade-offs in AI systems between people’s privacy and other competing values or interests have been assessed and navigated carefully.
• Using personal information to train and test AI – to review how personal information has been used fairly and transparently to develop AI.
• Accuracy, fairness, and bias mitigation in AI – to assess how potential and actual fairness, accuracy, and bias issues have been mitigated in AI development and are monitored effectively through the lifecycle of AI.
• Human reviews in AI – to ensure that AI, its processing, and its outputs are subject to meaningful human checks and formalised reviews, and issues addressed in a timely manner.

The audits were conducted following our data protection audit methodology. The key elements of this were:

• desk-based reviews of relevant policies and procedures;
• interviews with key privacy compliance and AI technical staff; and
• reviews of evidential documentation, including AI design documents, system specifications, and management information.

We reviewed the same focus areas for each organisation, so that we could identify key themes.

The findings from our work were taken as a ‘snapshot in time’ and are based on what we found at the time of each engagement. Organisations may have taken actions since to improve compliance and mitigate risks.

Each organisation received an individual audit report. Where we identified weaknesses or opportunities, we made recommendations to improve compliance with data protection law and enhance existing processes.

Impact

ICO auditors made 296 recommendations and 42 advisory notes across all engagements. These were broken down by area as follows:

Following the initial audit engagement, we asked all organisations to respond to our recommendations with appropriate actions. Organisations responded positively and were willing to take swift action to improve compliance on a voluntary basis, as follows:

• 97% of recommendations were accepted, and actions set.
• 3% of recommendations were partially accepted, and actions set.
• No recommendations were rejected.

We also asked for feedback on the audit experience and value added to the organisation. Respondents scored areas out of 10 as follows:

• 9.3 for improving their understanding of the requirements of UK data protection law.
• 9.7 for improving their understanding of key privacy risks in their AI tool.
• 9.0 for helping them to mitigate privacy risks in their AI tool.
• 9.3 for helping them to raise awareness of information privacy with senior leaders.

Organisations also provided the following comments about their engagements with us:

“The process is easy to follow and efficient.”

“It was well managed and very professional.”

“Very useful and encouraging.”

“The audit confirmed some of our positioning around controller and processor relationships and encouraged our own thinking and research.”

“The audit definitely prompted us to consider our DPIAs and any gaps we might have.”

Finally, after the initial audit we followed up with certain organisations where there were significant outstanding risks or areas of non-compliance. We reviewed progress and supporting evidence in these key risk areas and confirmed that these organisations had undertaken work towards implementing the recommendations we made.

Summary of findings

The findings below summarise the key observations, opportunities for improvement, and good practice we’ve seen during our programme of audits.

Data minimisation and purpose limitation

Developing AI systems generally requires large amounts of personal information to train AI models to reliably reproduce tasks or produce outputs. These can conflict with the data protection principles, particularly data minimisation and purpose limitation. We reviewed:

• what personal information they were processing;
• whether this was limited to what was necessary; and
• whether they stored it only for as long as needed, and did not repurpose it for other incompatible uses.

This is to comply with UK GDPR articles 5(1)(a)-(e).

The majority of AI providers had considered data minimisation in their approach to developing their AI tool. Generally, AI providers limited the information collected from people to:

• the person’s name;
• contact information;
• career experience;
• relevant skills; and
• relevant qualifications or certifications.

Many AI providers also processed additional information, if instructed to do so by the recruiter.

Consider: Design AI-powered games or assessment tools to only collect the candidate’s name and email address, where possible.

Example: AI providers maintaining databases of potential candidate profiles from public job networking sites generally only collected and stored the person’s name, contact information, career experience, relevant skills, and relevant qualifications or certifications.

A small number also collected and stored less essential information, such as photos of the person. We recommended that these providers assess the minimum personal information needed to operate each AI element.

Most AI providers had assessed the minimum personal information needed to operate their AI tool effectively. In particular, for training and testing the AI before launch and maintaining it after launch. Some of these had recorded a minimum data profile in the DPIA or policies, with clear justification for why each data field was essential or not.

Consider: Develop AI using only pseudonymised personal information, or only aggregated information, where possible. This minimises the risk of people being identified or AI learning from irrelevant information.

Consider: Train and test AI tools using minimised datasets and techniques such as k-fold cross-validation. This allows you to use datasets several times and improve accuracy without needing large amounts of information.

The majority of AI providers had repurposed candidate personal information in their system to train, test, and maintain their AI tool. In several cases, they used it to develop other products too, usually by pseudonymising or anonymising candidate profiles. In many cases, the providers could not demonstrate that this secondary use of candidate personal information was compatible with the purpose for processing that they originally collected the information for.

Consider: Check personal information is effectively anonymised for the processing to fall outside UK data protection law. De-identified or pseudonymised information is still subject to UK data protection law.

Example: AI providers maintaining databases of potential candidate profiles typically pulled this information in bulk from public profiles on job networking sites, social media, and other open-source web content. When scraping large amounts of information this way, or purchasing scraped information from data vendors, not all providers:

• could demonstrate that the new use of information was compatible with the original purpose for processing; and
• always had a contract or written agreement from job networking or social media sites confirming that information had been collected lawfully and protected from privacy risks and potential harms.

We recommended that providers not process personal information for a new purpose and lawful basis that is incompatible with the original purpose and lawful basis it was collected for. We also recommended that these arrangements were documented in a contract or written agreement.

Consider: Assess purpose compatibility throughout the information supply chain, and build this into contracts, due diligence, and ongoing assurance checks completed with data vendors, to comply with the purpose limitation principle.

Most AI providers relied on the recruiter to set the retention period for their candidate information. This was usually one or two years after the job requisition was closed and often documented in the contract. Contracts also generally included a provision for candidate information to be retained for a short period after termination, in order to allow some time for the AI provider to stop processing and transmit the information back to the recruiter.

Consider: Check that automated retention mechanisms are deleting personal information at the end of the retention period as expected.

Example: Several AI providers maintaining a large database of potential candidate profiles had recorded their intention to retain personal information in their database indefinitely. They did not periodically ‘weed’ that information to remove any that might be out-of-date, inaccurate, or no longer necessary. Retaining information for longer than necessary, or indefinitely, is unlikely to comply with the UK GDPR data minimisation and storage limitation principles.

We recommended that personal information was only retained as long as necessary to fulfil the intended purpose for processing, and that retention periods were recorded clearly and transparently.

Consider: Look for opportunities to ‘weed’ or delete personal information that is no longer needed, likely inaccurate, or out-of-date.

Recommendations to AI providers include:

• Assess the minimum personal information required to operate each element of the AI, and consider alternatives that achieve the same or a similar outcome using less or no personal information.
• Ensure all personal information processed is clearly adequate and accurate to fulfil the intended purpose.
• Document the approach to data minimisation, purpose limitation, and the other data protection principles in relevant policies and AI development documents, to promote a pro-privacy culture.
• Do not process personal information for a new purpose and lawful basis that is incompatible with the original purpose and lawful basis it was collected for. This includes retained information and information sourced from third parties, such as public job networking sites, data vendors, or recruiters.
• Retain
