Lawful basis
In brief: lawful basis
Article 6 of the UK GDPR sets out the lawful bases for processing. Organisations must identify a lawful basis for their use of personal information in the context of ADM, including when it involves profiling.
Prior to the DUAA amendments to the ADM provisions, in addition to identifying a lawful basis under article 6, organisations carrying out ADM had to identify a relevant exception for such processing under the pre-DUAA article 22(2).
Under the post-DUAA ADM provisions, where ADM is based only on personal data (ie with no special category data), organisations no longer have to do so.
Before the DUAA amendments to the ADM provisions, processing involving ADM could only take place in scenarios of:
- contractual necessity;
- consent; or
- authorisation by law.
This meant that, in practice, it was difficult to rely on an article 6 lawful basis other than consent or contract.
The DUAA amendments to the ADM provisions mean that it is now easier to rely on other lawful bases when processing for ADM [39].
It is important to note that where organisations are basing ADM entirely or partly on processing of special category data, they will still need to identify a condition for doing so in article 22B. Organisations also need to satisfy one of the conditions in article 9 of the UK GDPR whenever they are processing special category data. Article 22B indicates which article 9 conditions are relevant when using ADM.
Our findings about lawfulness
Employers weren’t clear in their privacy information, DPIAs or records of processing about which lawful basis they were relying on when using automation or ADM in their hiring processes. This was often due to conflicting or missing information within their DPIAs (see above on DPIAs).
As a result, there was a general lack of information and clarity about the application of the UK GDPR to specific processing activities. We saw this especially in multi-stage recruitment processes, in which automation might be applied to some stages (eg CV screening) but not others (eg interviews).
We generally found that organisations were not identifying an appropriate lawful basis under article 6 and then, additionally, identifying whether a relevant exception applied under article 22. Instead:
- where organisations recognised that they were using ADM under article 22, they were conflating these two assessments and selecting a lawful basis based on the article 22(2) exception they intended to rely on; or
- where organisations incorrectly determined that their processing fell outside the scope of article 22 (in line with our findings about the application of meaningful human involvement above), they had identified a lawful basis under article 6 but had not separately identified a relevant article 22(2) exception.
Most employers were relying either on contract or consent from candidates as their lawful basis for processing candidates’ personal information with automated recruitment tools.
Where employers were relying on legitimate interests as their lawful basis for automated processing, we generally found that they had completed a legitimate interest assessment (LIA).
Discussion
When relying on consent to process personal data, the UK GDPR requires that it is:
- freely given,
- specific,
- informed, and
- an unambiguous indication of the person’s wishes.
We told the employers we spoke to that consent was unlikely to be an appropriate lawful basis or article 22(2) exception at most stages of the recruitment process. This is because candidates might feel that if they refuse to allow the employer to process their personal information to inform an automated decision, it will prevent them from progressing in the recruitment process. It is therefore unlikely that their consent would be considered ‘freely given’.
It may also be difficult to show that candidates have given ‘specific’ and ‘informed’ consent because the technical complexity of ADM means they may not fully understand what they are agreeing to, what risks it may entail, or may not have enough time to review the information properly.
Case study
An employer conducts behavioural assessments to shortlist candidates for interview. They state that the lawful basis they rely on is consent. The candidate email and privacy notice do not make it clear what the person is consenting to other than some form of assessment. For example, there is no explanation of what personal information the assessment collects or how it is used. While a ‘not consenting’ option is provided, it is not clear from the email to candidates that consent is otherwise being applied and can be withdrawn at any time.
If the candidate refuses their consent, they must provide a reason for this via email. The recruitment team will then call the candidate to establish the reason. Under the UK GDPR, people do not need to provide a reason for not consenting to the processing of their personal information or for withdrawing consent.
Consent is not an appropriate lawful basis in this instance, because the employer hasn’t obtained valid consent. Valid consent must be freely given, specific, informed and unambiguous.
However, there may be narrow situations in which consent is the appropriate lawful basis or additional condition under the ADM provisions during the recruitment process. The onus is on employers to evidence that the test for valid consent set out above has been met in those situations. Consent may be more appropriate where an employer can demonstrate that a candidate really does have a free choice to give or refuse consent. For example, this might be hiring for a specialist role in which automated testing of specific skills is routinely used and expected. Employers looking to rely on consent may need to take steps to:
- ensure that candidates do not feel any pressure to consent, and
- ease candidates’ concerns over the consequences of refusing consent.
For example, employers could:
- offer a clear alternative that doesn’t involve ADM and does not rely on consent; and
- ensure that selecting this option doesn’t disadvantage the candidate.
We also told the employers we spoke to that, in our view, contract is unlikely to be an appropriate lawful basis or additional condition to rely on for processing to shortlist, test or interview candidates.
While the organisation will be processing the eventual employee’s personal information, they don’t know who that person is at this point, and there is therefore no contract in place with them.
These stages also necessarily involve using the personal information of more than just the person they might eventually offer the job to. The contract lawful basis is about the specific person that’s party to the contract. The organisation doesn’t yet know who they will have an employment contract with. But they do know that they won’t be entering into a contract with the majority of the applicants.
Employers can therefore only rely on the contract lawful basis when:
- they have made the candidate a conditional or unconditional job offer; and
- the candidate has accepted.
Our positions on consent and contract have been available in our draft data protection and recruitment guidance since 2023 [40], which is due to be updated shortly.
Example
An employer’s privacy policy states that, for processing, it relies on the lawful bases of:
- contract;
- legal obligation;
- legitimate interests; and
- vital interests.
Its recruitment privacy notice states that it relies on:
- contract; and
- legitimate interests.
Its ROPA states that, for recruitment processing, it relies on:
- consent;
- contract;
- legal obligation; and
- legitimate interests.
It is unclear which specific lawful basis it relies on, and when, for ADM.
Due to the changes introduced by DUAA, it is now feasible for organisations carrying out ADM to rely on legitimate interests where that ADM does not involve any special category data.
In our view, legitimate interests is likely to be the most appropriate lawful basis for employers to rely on in practice when using ADM in recruitment contexts. It better reflects the fact that ADM is a useful tool for employers when they are conducting recruitment campaigns, particularly when processing large numbers of applications. It also requires employers to demonstrate that they have considered the impact of ADM on the rights and freedoms of candidates, and that this impact doesn’t outweigh the benefits to the employer’s legitimate interest in using ADM.
Legitimate interests is therefore likely to strike the best balance between allowing employers to ensure they are processing personal information for ADM lawfully whilst providing safeguards for the rights and freedoms of candidates going through a recruitment process.
Expectations
We expect employers to review the lawful bases they are currently relying on to process personal information for recruitment using ADM, in accordance with the views set out above. If they are currently relying on contract or consent, we expect them to consider whether this is appropriate in their specific circumstances, or whether it would be more appropriate to rely on legitimate interests. Employers that continue to rely on consent or contract must be able to clearly explain why these are appropriate in their specific case, given our views set out above.
The ICO’s position on ADM and lawful basis is set out in more depth in our ADM and profiling guidance.
Whilst it is not a legal requirement for employers to complete an LIA when relying on the legitimate interests basis, we would expect employers to do so in order to be able to articulate how they have balanced their legitimate interest in using ADM against the rights and freedoms of candidates.
[39] The DUAA amendments to the ADM provisions mean that all but one lawful basis can apply to processing that involves ADM. The DUAA introduces a new lawful basis of “recognised legitimate interests”. Organisations cannot use this as their lawful basis for ADM processing. However, all other lawful bases are available.