Skip to main content
Hafan

Key findings: how are employers automating their recruitment processes?

Contents

Understanding the findings 

Our findings are a snapshot of how employers are using automated recruitment tools. However, we intend them to be informative for a wider audience. We remain committed to further engagement with and evidence-gathering from stakeholders. 

It is also important to note what these findings do not cover. In this report, we do not:

  • identify specific employers or tools, since we’ve taken an industry-wide approach; or
  • describe actual examples of harm faced by people, since our work focused on organisational processes and did not cover outcomes. 

We do, however, identify potential harms.

Overall deployment of automated recruitment

We found that employers used automated recruitment processes with varying levels of sophistication and intensity. Some were experimenting with limited use cases or pilots. Others were considering expanding further into AI adoption with more sophisticated tools. Some employers we initially contacted explained that they had withdrawn from automated recruitment because they no longer had a business need for it. 

Employers that spoke to us explained that automated recruitment happened at various stages of their hiring processes and for various roles. They obtained and used tools for specific types of recruitment and not universally for every candidate. We saw tools used primarily in two types of recruitment:

  • Roles where there are traditionally many applicants, to increase efficiency and reduce time to hire.
  • Graduate or early career roles where applicants might not have much experience or a varied CV, to assess skills and potential to excel in the role.

Employers tended to employ automated recruitment early in the recruitment process, before direct human interaction, for tasks such as:

  • scoring and ranking candidates’ competencies and skills from written applications and CVs;
  • assessing candidates’ skills and fit for roles based on performance in AI-powered behaviour games or psychometric assessments;
  • scoring candidates’ competencies and skills from written responses to interview questions and transcriptions of in-person or video interviews; and
  • evaluating the language, tone and content of candidates’ speech in video interviews to predict their personality types.

Example

A company runs an annual early careers recruitment drive for its apprentice and graduate schemes. It receives around 10,000 applications for 100 roles. To assess the potential of these candidates, the company asks all those who meet the role requirements (eg the right to work in the UK) to complete an assessment. This assessment is designed to measure personality traits seen as desirable for the role. The company believes that this enables recruiters to fairly assess candidates who do not necessarily have relevant experience.
 
We did not see examples of employers using AI to process biometric data, such as emotion detection in video interviews.

We also saw the use of binary choice questions, known as ‘kill questions’. Employers used these at the beginning of the process to automatically filter out applicants they could not employ. These questions included: 

  • whether the applicant had the legal right to work in the UK; and
  • whether they had other qualifications or skills considered a requirement for the role. 

Candidates could only answer ‘yes’ or ‘no’. 

The outcome of these binary screening questions does not constitute a decision. In the context of ADM, a ‘decision’ refers to a conclusion or outcome reached after consideration or analysis, which may impact or influence actions taken or engage a data subject’s rights. An automated system built to filter out candidates without the necessary rights, qualifications or skills produces an outcome by enforcing a static rule. It does not do so through any consideration, evaluation or analysis of that candidate’s information. 

Employers reported that using automated recruitment brought significant benefits, including:

  • improvements in time it takes to hire;
  • more engaged candidates who performed better during the final stages of recruitment; and
  • improved employee retention due to initial filtering of the ‘right’ candidates.  

Key data protection findings

This is an area of rapid technological adoption, with different aims and expectations present among candidates, businesses and wider stakeholders. Our findings suggest a complex picture.

Our overall finding is that employers have more work to do to ensure that the use of automated recruitment tools respects people’s information rights. This was also the overall finding in our 2024 audit of AI in recruitment 23, which focused on developers. 

Here, we break down the key takeaways from each section of the report. Within each full section, we provide numerous case studies and examples to illustrate the practical challenges and guide understanding. We also provide some discussion and set out our expectations. 

Meaningful human involvement

Our key finding is that employers must more thoroughly assess the level of meaningful human involvement in their processes. Some may incorrectly assess that their tools are being used as decision support decisions when those tools could, in fact, be being used to make decisions. Because of this, we are concerned that across the economy there may be gaps in the application of safeguards that protect people’s rights under data protection law.

Where organisations intended to take their processing out of the scope of the ADM provisions, we observed a tension between using tools to make the hiring process efficient and ensuring there was meaningful human involvement:

  • in each decision;
  • about each candidate; and
  • at each stage of the process. 

This tension was most noticeable when employers were rejecting unsuccessful or unsuitable candidates. 

Transparency and safeguards

Most privacy information we reviewed wasn’t specific enough to sufficiently inform candidates about how their personal information was being processed or the use ADM. Candidates would know about the use of automated recruitment tools, as these were self-evident as part of the process. However, employers often provided: 

  • only general information about the tools;
  • only references to a third-party privacy policy; or
  • both of the above. 

Many employers didn’t consider that ADM was taking place. As a result, the privacy information they provided didn’t fully inform candidates about its presence. They also didn’t provide meaningful information about the logic involved or the likely consequences for people. 

Because employers did not consider that ADM was taking place, they had not put in place the safeguards specified within the ADM provisions. This is concerning where our assessment of their processing was that it was, in fact, within the scope of the ADM provisions. However, we did find that many employers otherwise had standard procedures in place to contest recruitment decisions and provide human intervention. These are a good basis on which to build.

Fairness, bias and discrimination 

Many employers we spoke to hadn’t fully assessed the fairness of their processing or considered whether the outcomes resulted in bias or discrimination. There were outliers: a few employers undertook regular bias reviews on outcomes and ensured that developers had undertaken fairness testing. We encourage these measures being more widely adopted. 

DPIAs 

Not all employers had completed a full DPIA before processing personal information. Of those DPIAs we reviewed, many did not meet all of the minimum requirements as laid out in article 35. This is consistent with our finding that employers need to more thoroughly assess the level of risk to people as a result of their processing, and take appropriate steps to mitigate those risks.  

Lawfulness 

We found that it was often unclear: 

  • which lawful basis employers relied on for automated recruitment; and
  • at which stage of the process they applied this basis.

Many employers relied on consent and/or contract, which are unlikely to be an appropriate basis for processing personal information in most recruitment contexts. We explain this further below.

In initial engagements, we didn’t specifically request information from employers about the lawful basis (or ADM exception) they used. This was to avoid confusion in relation to the changes introduced by DUAA. 24 Our reasoning was that controllers may be in the process of updating or assessing their compliance in this area of legal change. Nonetheless, we provide our incidental findings in this report to help guide industry following the commencement of DUAA.

 

23 AI tools in recruitment 

 24 DUAA amended article 22 so that the restrictions on processing personal data for ADM (ie that such processing could only take place where based on explicit consent, necessary for contract or required or authorised by law) now only apply to article 22A processing where it is based, partly or entirely, on special category data.