Legal Aspects Of Recruitment

This week, the UK's Information Commissioner's Office (ICO) released its "Recruitment Rewired" report (see link in comments), and it’s a massive wake-up call for our industry here in the UK. If your Talent Acquisition team uses AI to sift, score, or rank candidates, the regulatory playbook has officially changed. For years, the industry has leaned on the "Human-in-the-Loop" defence to avoid the strict rules of Automated Decision-Making (ADM). The ICO has just closed that loophole.

Here is the TL;DR on what HR and TA leaders need to know right now:

➡ The "Rubber-Stamp" Illusion is Dead
• If an AI gives a candidate a "Red" fit score and a hiring manager simply clicks 'reject' without a meaningful review of that specific application, the ICO classifies this as a solely automated decision. Token human involvement no longer protects you from ADM regulations.

➡ The Pivot to Legitimate Interests
• Thanks to the Data (Use and Access) Act 2025, there is a clearer path forward. The ICO explicitly advises moving away from "Consent" (which is rarely 'freely given' by desperate job seekers) and instead relying on "Legitimate Interests" to process high-volume AI hiring.

➡ The Article 22C "Catch"
• You are allowed to use fully automated sifting, but you must implement strict safeguards. If an AI rejects a candidate, you must explain the logic, give them the right to contest the decision, and offer the right to request a manual human review.

➡ Vendor Bias is Now Your Liability
• You can no longer hide behind your tech provider if an algorithm discriminates. The ICO expects employers to demand bias testing results during procurement, run their own independent fairness trials, and actively monitor recruitment outcomes for ongoing bias. Ignorance of the algorithm is not a legal defence.

➡ DPIAs are Non-Negotiable
• Pointing to your tech vendor’s privacy policy is no longer sufficient. Employers are accountable, and if your Data Protection Impact Assessment doesn't explicitly map out these new AI safeguards and bias mitigations, you are exposed.

Here's my take: The ICO is not trying to kill volume hiring or innovation. They are giving the industry permission to automate, but demanding absolute transparency and fairness in return. More on this soon...
Most Common CV Mistakes Part 1…

I just saw a CV with someone’s full bank account number on it. I had to put whatever was in my hands down and stare at the screen for a minute. In fact, a minute of silence for the CV.

This wasn’t just any applicant. This was someone genuinely excited about the role, who spent time crafting their application, who included a thoughtful cover letter. And they also included:
• Their complete home address (down to the gate code)
• “Married with 3 children”
• Full bank details
• Their ID number
• Three referees with personal phone numbers and home addresses

Look, I get it. You want to be thorough. You want to show you’re organized and have nothing to hide. Maybe an older template told you this was “professional.” But here’s what kept me up last night: that CV is now in our system. And I am 100% sure that that CV has been sent to a lot of hiring managers and recruiting agencies, and has been used to apply for a lot of job postings he sees online.

The uncomfortable truth we don’t talk about: Not every “HR Manager” emailing you is real. Not every job posting is legitimate. And your CV can end up on the dark web faster than you think. I’ve seen identity theft cases start with information from a CV. I’ve had candidates call me in tears because someone used their details to open credit accounts and commit other fraudulent acts.

I’m not trying to scare you. I’m trying to protect you. Because every time I see a CV like this, I think: “What if this landed in the wrong inbox?”

If you’re job hunting right now, do me a favor. Open your CV. Read it like a scammer would. What could someone do with that information? Then delete anything that makes you uncomfortable. Your next employer will ask for what they need, when they need it, through secure channels. Until then? Keep your guard up. The job market is hard enough without having to worry about identity theft too.

Anyone else seeing this? How do we get this message out there?

If this helped even one person update their CV, it was worth posting. Please share. TO BE CONTINUED….. #JobSearch #CareerAdvice #DataPrivacy #HR #JobSeekers #IdentityTheft #CyberSecurity #Recruitment
-
Background Checks on Job Applicants: A GDPR Perspective

Opinion 2/2017 on data processing at work, adopted in June 2017 by the Article 29 Data Protection Working Party, was still more or less clear in highlighting the limitations for using publicly available data, including from social media. However, in today's competitive job market, conducting background checks on applicants has become a crucial step for employers. Here are some considerations:

Legal Basis for Online Research and Social Network Checks: Under GDPR, the processing of personal data is generally prohibited unless a legal basis is established. For background checks, this could be consent from the applicants (Art. 6(1)(a) GDPR) or the necessity for the employment relationship (Art. 6(1)(b) GDPR). Additionally, Section 26(1) BDSG may apply if the processing is essential for the employment decision.

Pre-Employment Screening Based on Consent: Consent for data processing must meet the requirements of Art. 7 GDPR, ensuring it is freely given, specific, informed, and unambiguous. Given the inherent power imbalance in employer-applicant dynamics, obtaining genuine consent can be challenging. Moreover, consent can be revoked at any time (Art. 7(3) GDPR), posing a risk for employers relying solely on this basis.

Is Googling Applicants Allowed? The use of publicly available data from search engines like Google is contentious. Generally, accessing publicly available data can be permissible if it does not infringe on the applicant’s privacy rights and serves a legitimate interest (Art. 6(1)(f) GDPR). Employers must ensure that only job-relevant information is processed. So stay away from special categories of personal data!

Automated Background Checks Using Software (Scraping): Automated systems that gather data from various online sources to create profiles must also comply with GDPR. The legal basis here may include legitimate interest (Art. 6(1)(f) GDPR) or explicit consent (Art. 9(2)(e) GDPR) for processing sensitive data. If profiling (Art. 22(1) GDPR) occurs, explicit consent is typically required.

Transparency and Information Obligations: Employers must inform applicants about the data processing activities, ideally before they begin (Art. 14 GDPR). Transparency can positively influence the balancing of interests required by GDPR. Additionally, it is crucial to delete this data as soon as it is no longer needed for its intended purpose to comply with the data minimization and storage limitation principles of GDPR. #GDPR #DataPrivacy
-
So it's official. The EU AI Act has come into force. And guess what... recruitment is classed as a 'high risk' AI area ⚠️

I've had a quick read to see what this means for us recruiters. I'm not a legal expert (and this obviously isn't legal advice), but here's what I've found so far...

Firstly, the EU AI Act will apply 'where the output produced by the AI system is used in the EU'. Whilst it's not clearly defined, some lawyers are advising that if using AI systems to source, screen or select candidates who are located in the EU, it's possible that the Act applies, even if your organisation is located outside the EU.

Secondly, AI systems that are used to place targeted job advertisements, to filter or screen job applications, or to evaluate candidates, will all fall into the Act's 'high risk' category. This means most applications of AI in recruitment will be subject to the Act's strictest set of rules. In practice, employers using AI to source, screen and select candidates will therefore have to comply with certain rules within two years:
⚠️ Complete a 'Fundamental Rights Impact Assessment' before using any AI tools in this way.
⚠️ Appoint someone suitably trained and qualified to oversee these AI systems.
⚠️ Inform people when they are interacting with an AI tool, such as a chatbot.
⚠️ Ensure that data they input into the AI tool is relevant and representative.
⚠️ Follow certain instructions, keep certain records, report certain incidents and more.

This is in addition to the requirements that the Act places on AI suppliers, which include meeting certain data quality criteria and registering their tools on an EU AI database.

Plus, there are some applications of AI that are totally off limits.
❌ These include using AI to infer emotions or to determine people's physical characteristics.

These rules will actually be enforced sooner, in just six months' time. As will the general requirement for all staff who use AI systems to have 'a sufficient level of AI literacy'.

Don't comply? The highest fines reach up to €35 million, or 7% of company worldwide turnover - which for some firms could be even higher. 🤯

This is the world's first piece of comprehensive AI legislation, and it's going to take a long time before we work out exactly how it will be applied. My initial thought is that there's some sensible stuff in here. To take one example, I know a lot of recruiters who manage AI tools but don't have any experience in AI, so I think it makes total sense they should be trained properly. But the big question on my mind right now is whether the Act will encourage organisations to use AI responsibly, or just discourage them from using it at all? 🧐 Only time will tell!

I will continue my research in this area with even greater interest as companies start to implement the requirements. Want to be involved in my academic study into the use of AI tools by recruiters? Watch this space for more info coming very soon!.. 👀 (views my own)
-
Can we stop normalizing this? 🚫 Employers asking for Social Security Numbers and other sensitive personal information during the application stage.

Job seekers should not be required to hand over their SSN, date of birth, or other vital identifiers just to apply for a job. Unless you're making an offer or running a background check post-interview, there is no justifiable reason to request this information upfront.

This practice:
🔒 Poses a serious identity theft risk
⚠️ Erodes trust between candidates and companies
🛑 Creates unnecessary barriers in an already broken job market

If you need to verify identity for a background check — fine. Do it after you’ve made a conditional offer. That’s how legitimate, secure, and respectful hiring works.

Let’s protect people’s data. Let’s fix the process. Job seekers deserve better. #HiringPractices #DataPrivacy #RecruitmentEthics #JobSearch #IdentityProtection #HRStandards #CyberSecurity #JobSeekersRights #RespectTheProcess
-
Background checks. Sensitive data. Zero DPDP compliance.

The most sensitive personal data comes from your hiring process.
📌 Criminal records.
📌 Financial history.
📌 Past employment.
📌 Address verification.
📌 Education certificates.

And almost no Indian company has a DPDP-compliant process for any of it. Here is the legal reality your HR team doesn't know: Your company = Data Fiduciary. Your BGV vendor = Data Processor. Your candidate = Data Principal with enforceable rights under DPDP. Every obligation that applies to your customer data — applies here too.

The 5 gaps I find in almost every BGV process I review:

1️⃣ Consent was never properly obtained. Most companies collect a generic clause inside the offer letter. Under DPDP — consent for a background check must be specific to that purpose, informed about what will be verified and with which sources, and separate from the employment acceptance. "I accept this offer" is not consent to a criminal record check.

2️⃣ No signed DPA with the BGV vendor. You have a commercial agreement with your BGV vendor. Under DPDP — that vendor relationship requires a Data Processing Agreement with breach notification timelines, deletion obligations, sub-processor controls, and Data Principal rights flowing down. A commercial agreement and a DPA are not the same document.

3️⃣ Candidate rights are completely unaddressed. Under DPDP, your candidate has the right to access what data was collected about them, from which sources, and what the report concluded. Most HR teams have no process for this. No one has asked before — but it is now a legal right, not a courtesy.

4️⃣ BGV reports are retained indefinitely. The candidate joined — or didn't. The report is still in your HRMS, your email, your recruiter's drive — years later. Under DPDP — personal data must be deleted once the purpose is fulfilled. The purpose of a background check is the hiring decision. Once made — the legal basis for retaining the report ends.

5️⃣ Cross-border transfers nobody mapped. Most BGV vendors verify employment and academic records through international databases. That is a cross-border data transfer. Under DPDP Section 16 — your company is responsible for it. Not your vendor. Does your BGV vendor's contract specify which countries your candidate's data flows to?

_____________________________

The background verification industry processes thousands of sensitive personal data records every month in India. Almost none of it is DPDP-compliant. And the liability doesn't sit with the BGV vendor. It sits with the company that initiated the check and is the Data Fiduciary. Does your company have a signed DPA with your BGV vendor?

___________________

I help companies build DPDP-compliant hiring data processes — from candidate consent to vendor DPAs to rights response frameworks. Book a 1:1 call to find out where you stand. (Link in comment.)
-
Is a criminal record/DBS check conducted for all employees? A question I am regularly asked by clients evaluating us as a supplier. Do you conduct DBS checks? If you do, should you be?

We do run a background check for employment on prospective employees, including references and right to work in the UK, but our checks do not extend to a criminal records check.

Be aware, access to Standard, Enhanced, and Enhanced with Barred List(s) DBS checks is only available to employers who are entitled by law to ask an individual to reveal their full criminal history, including spent convictions (excluding protected cautions and convictions that will be filtered from a criminal record check). This is known as asking ‘an exempted question’. An exempted question applies when the individual will be working in specific occupations, for certain licences or specified positions. These are covered by the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975.

Knowingly requesting a higher-level check than the legislation allows is unlawful and likely to be a breach of the Data Protection Act 2018 and other relevant legislation. A job applicant has no legal obligation to reveal spent convictions. If an applicant has a conviction that has become spent, the employer must treat the applicant as if the conviction has not happened. Refusal to employ a rehabilitated person on the grounds of a spent conviction is unlawful under the Rehabilitation of Offenders Act.

Consider your services, the types of data being processed and the access controls you have in place: do you deem that this meets a requirement to conduct or request this level of information from your employees?
-
Are you letting bots run your recruitment? You might want to review your processes, because the UK’s framework for automated decision-making (ADM) has just undergone a major revamp.

In the latest episode of the pod, I look at the ICO’s new draft guidance on ADM alongside its highly revealing "Recruitment Rewired" report. The Data (Use and Access) Act (DUAA) has flipped the UK GDPR’s approach to ADM from a "prohibition with exceptions" to a "right of challenge with safeguards." This is arguably the most significant change in the DUAA. You can now carry out many solely automated decisions on almost any lawful basis—including legitimate interests. But before controllers get too comfortable, the ICO’s Recruitment Rewired report shows exactly where companies are getting this wrong.

—

The ICO looked at employers using AI chatbots, psychometric games, and CV scanners. Many claimed they weren't actually doing ADM. They argued their AI tools were merely providing "decision support" because a human hiring manager ultimately pressed the final button. But the ICO looked at the reality of the process. Tools were assigning candidates a traffic-light score. Hiring managers carefully reviewed the "greens", but routinely rubber-stamped the "reds" without a second look. As the ICO's new draft guidance states: if a human is simply applying the outcome of an automated system without active evaluation, that is not "meaningful human involvement." It is a solely automated decision.

--

The report also highlights a classic lawful basis headache. Employers were clumsily trying to wedge this automated screening into "consent" or "contract." As we know, consent in an employment context is notoriously fragile due to power imbalances. And you can't really have a contract with ten thousand applicants you haven't offered a job to yet. This is where the DUAA changes actually help facilitate ADM in recruitment. The draft guidance confirms that post-DUAA, "legitimate interests" is now the most appropriate lawful basis for this kind of processing.

--

Note, however... The ICO’s report covers a period before the DUAA took effect. But as the draft guidance clarifies, the new Article 22C safeguards essentially codify the old Article 22 requirements. If these companies were failing under the old system, they’d be failing under the new one today. And boy were they failing... Privacy notices were vague or lazily linked out to the software vendor's policies. DPIAs were absent, outdated, or missing basic risk assessments.

--

The DUAA has undeniably made it easier to justify rolling out automated systems. But remember:
• The structural requirements for fairness, transparency, and human intervention have been recodified, not eliminated.
• If you really want to build automation into your recruitment processes, make sure you aren't outsourcing human judgment to machines.
• Meaningful LIAs and DPIAs can help avoid this.
-
I always LOVE getting guidance from regulators...this time it comes from the Commission d’accès à l’information du Québec (CAI)! 🎉 The CAI has shared new guidelines on what personal information #employers can collect during #recruitment. Here's the scoop:

Recruitment:
*Employers can't just collect any PI they want, even if candidates provide consent. 🚫
*Recruiters should ask, "Do we really need this PI to evaluate the application?" 🤔
*At this stage, you can ask for the following: name, phone number, email, academic details, professional achievements, skills, and interests. 📋
*Keep application forms simple and avoid asking for too much. Consider different forms for different positions ✍️
*Don't ask for references before the interview. 🛑
*These apply to the employer (direct recruiter) and third-party recruitment agencies.

Interview:
*You can check ID but you can't make a copy. 🆔
*Avoid questions about age, gender, religion, ethnic origin, marital status, pregnancy, sexual orientation, etc., unless it's crucial for the job. ❌
*#Psychometric tests should be valid and job-related. Protect this info and only use it if necessary! 🧠

Artificial Intelligence:
*Let candidates know if #AI is used to sort applications or assess them. 🤖
*Ensure staff using AI are trained and know its limits. 📚
*Give candidates a chance to review AI-based decisions. 📝
*Do a Privacy Impact Assessment (#PIA) before using AI. 🔍
*Don't use AI to assess emotional or psychological states during video interviews. 🎥

Background Check:
*#Criminal background checks must be job-related and need explicit consent. 🕵️♂️
*Don't keep copies of criminal records if the offence isn't related to the job. 🗑️

Hiring:
*Now you can collect necessary PI like date of birth, social insurance numbers, address, bank info, and a photo for benefits, pay, and other employment-related activities. 🏦
*Remember to #delete or anonymize the data of unsuccessful candidates when you no longer need it or as per legal requirements. 🗂️

Plus, the CAI has given strict guidance on collecting employee #biometrics for identity verification. 🛡️