Transparency and safeguards
In brief: understanding transparency and safeguards
The UK GDPR contains a number of separate provisions that require organisations to be transparent about their use of ADM. These are:
- the general transparency provisions and the right to be informed that apply to all processing of personal information under articles 13 and 14;
- the data subject’s right to access under article 15; and
- the specific requirement, as one of the safeguards within article 22C of the ADM provisions, to provide people with information about any solely automated significant decision taken about them using their personal information.
These are separate provisions, and organisations using ADM must comply with all of them. Organisations must ensure that they have considered all of these provisions when providing transparency to people about ADM, as the information that is sufficient to comply with one may not be sufficient to comply with another.
In practice, this means organisations must provide people with information about their ADM activities at three key points in time:
- when they first collect people’s information, to comply with transparency provisions and the right to be informed;
- when people ask for their information, to comply with the right of access (a subject access request);
- when they engage in ADM, to comply with ADM safeguards.
Organisations must inform people if they are using their data for ADM with legal or similarly significant effects. They must also provide meaningful information about the logic involved and the likely consequences for people 30.
In a recruitment context, this information does not need to be complex or include material that could allow candidates to ‘game the system’. Information that employers should provide to candidates includes:
- how they use the tool to make decisions;
- how accurate the tool is; and
- what safeguards are in place.
Safeguards protect a person’s rights, freedoms and legitimate interests. When ADM is taking place, they are a requirement. Safeguards mean that a person:
- has a right to be informed about the decisions made about them;
- is given the opportunity to make representations about such decisions;
- is given the opportunity to obtain human intervention (sometimes referred to as ‘human review’); and
- is able to contest a decision.
Our findings about transparency and safeguards
First, we found that some privacy information wasn’t specific or visible enough to inform candidates about the presence or use of ADM. Second, we found that employers didn’t always fully apply the safeguards. However, we did note that some employers provided forms of human intervention as part of the recruitment process.
Transparency
We saw evidence of good practice, with employers providing relevant information at various stages of the recruitment process. This primarily involved privacy notices provided before a candidate began their application.
It also included, in some cases, information provided during and after the recruitment process (eg in rejection emails). Providing information specific to each person about how a decision was made on their application is an important requirement under the ADM provisions. This gives people affected by specific decisions the necessary context to decide whether to request human intervention or challenge those decisions.
Several employers also provided recruitment-specific privacy policies which gave more relevant information targeted to candidates.
One employer had taken positive steps to make privacy information available at various points of the recruitment process. This made it continuously available for candidates to consult or refer to. This adds layers of transparency.
However, we also saw some instances of poor practice. These included employers referring candidates to the recruitment tool provider’s privacy information, rather than their own. This is poor practice because it suggests that accountability for decisions lies with the provider. In reality, accountability lies with the employer using the tool. Referring to the provider’s privacy information also means that candidates lack tailored details about how the employer uses the tool in its recruitment process.
We also saw several instances where employers provided lots of information, but much of it:
- lacked relevance;
- was unclear about actual practices; or
- failed to clearly mention or describe ADM.
Even when employers mentioned ADM in this context, it was unclear whether they were using these tools to make or support decisions.
We didn’t see substantial evidence that employers were providing meaningful information about the logic involved or the likely consequences for people. We also didn’t see them providing information about the accuracy of tools.
Overall, employers tended to focus on the general transparency requirements of the UK GDPR under articles 13 and 14, and did not recognise that this was separate to the transparency safeguard within the ADM provisions (see the Safeguards section below for more information).
Case study
An employer uses a tool which:
- compares each candidate’s CV and written application with the job profile; and
- produces an overall score that is used to prioritise candidates for hiring managers.
The employer provides candidates with its recruitment privacy policy, which describes:
- the personal information processed;
- why the employer processes it; and
- what rights candidates have, including the right to:
  - object;
  - request human intervention;
  - contest the decision;
  - express their point of view.
However, the privacy policy states that the screening process ‘may be automated’ and only gives very broad information. No further information is provided to the candidate, either before or after the decision was made.
This information is unspecific and unclear about whether ADM takes place. The privacy policy doesn’t explain:
- what tools the employer uses;
- how these tools work and process personal information; or
- how they make or support recruitment decisions.
This is insufficient transparency to meet the requirements for what must be included in a privacy notice where ADM is taking place. Additionally, since the candidate was not subsequently provided with specific information about the actual decisions made about them, the safeguarding requirements under the ADM provisions were not met.
Safeguards
As explained above, our engagement with organisations largely took place whilst the pre-DUAA ADM provisions were in force. We therefore focused on areas of compliance which would be consistent between the original ADM provisions in article 22, and the new ones in articles 22A to 22D. One example of this is the safeguards. The safeguards set out in article 22C are a clarification of the previous requirements under the pre-DUAA article 22. It is therefore our view that where the safeguarding requirements of article 22C are met, this would likely have been sufficient to meet the safeguarding requirements of pre-DUAA article 22.
As mentioned above, we saw some evidence of good practice in providing information to satisfy the general transparency requirements of the right to be informed under the UK GDPR. However, it was often not sufficient to comply with the more specific requirements of the ADM provisions, which require more specific and detailed information about ADM to be provided as a safeguard. This was likely a result of the two separate requirements being conflated, with many firms believing that the information provided in privacy notices was sufficient to comply with both.
We also didn’t see widespread evidence that candidates were able to make representations, obtain human intervention or contest decisions. This was influenced and complicated by the fact that employers believed they had sufficient meaningful human involvement in place (see the previous section).
Among employers automatically rejecting lower-scored candidates based on suitability scores, we also found a lack of clear safeguards in place.
We did find limited examples where employers provided partial safeguards. Two employers offered human intervention to review a recruitment decision. However, this did not appear to represent a right as specified under article 22, given that the employers did not think that ADM was occurring. Instead, they offered it as a more general dispute mechanism.
Case study
An employer requires candidates to complete gamified behavioural assessments. These assessments produce behavioural profiles used to make automated decisions on who to offer interviews to.
In its privacy notice, the employer:
- informs candidates that it makes automated decisions;
- explains their rights, including the right to:
  - object to the ADM;
  - request human intervention; and
  - express their point of view; and
- includes a link to an online form candidates can use to request human intervention or contest automated decisions.
However, the employer doesn’t point candidates towards the privacy policy at any stage during the recruitment process.
Many of these steps, such as the online form, are positive for compliance. They enable the data subject to understand and engage their rights.
This isn’t fully compliant with the transparency requirements because the privacy notice does not set out meaningful information about the logic involved, as well as the envisaged consequences of this processing on people. This employer is also not fully complying with the safeguards under article 22C because they have not provided any information about the specific decisions taken about the individual after those decisions have been taken.
Case study
An employer uses a chatbot to perform first-stage screening interviews with candidates. It assesses the interviews using AI to produce an overall score and make solely automated decisions on who to offer a face-to-face interview to.
In the follow-up emails to candidates to inform them whether they have been selected for interview, the employer includes information about the decision taken about the person and also highlights the individual rights available to them, including the right to obtain human intervention in automated decisions. However, the employer doesn’t have any method for handling these requests in practice.
This isn’t compliant with the ADM provisions, since candidates can’t fully exercise their rights. We expect employers to have clear processes set up to handle these requests promptly.
We asked employers how often rejected candidates responded to query or contest a recruitment decision (not necessarily within the scope of article 22). They almost always answered that people rarely did. Our evidence doesn’t allow us to explain why this is.
Our key finding based on the evidence we saw is that employers aren’t putting in place the safeguards required under article 22 of the UK GDPR 31. As explained above, this is likely due to those employers’ view that they have meaningful human involvement in place. As a result, they believe that the ADM provisions don’t apply to them.
Discussion
A lack of safeguards, combined with evidence of a lack of meaningful human involvement, is a serious concern.
As stated above, we believe that the intent behind the new ADM provisions is to enable the use of these tools to make decisions. Equally, we note that the emphasis placed on the safeguards in the new article 22C reflects their vital importance.
Trust cannot be built without transparency. Our public perception research found that “transparency is paramount” for candidates. Participants stressed:
- “the need for transparency regarding the use of ADM in recruitment processes”; and
- that “job seekers wanted to know when and how ADM is being used, what data is being processed, and how decisions are made” 32.
This is not only a compliance issue but also risks fundamentally damaging trust in the use of these technologies.
Our stakeholder roundtable also focused on transparency. Stakeholders agreed on the need for clear communication with candidates on:
- the use of ADM;
- the criteria used for scoring; and
- the feedback given to them.
The group also suggested that the recruitment process in general is opaque and provides candidates with poor feedback. This may be a contributing factor in our transparency findings. Conversely, they argued that the responsible deployment of automated recruitment tools could and should dramatically improve candidates' experiences.
Example
An employer sends an unsuccessful candidate an automatically generated rejection email based on the output of the tool it used. The email does not include information on how the candidate might:
- request human intervention;
- provide further information to support their application; or
- challenge the decision.
Candidates are therefore not provided with sufficient information to make the decision a transparent one.
Some roundtable participants argued that organisations should embed this communication in the recruitment process itself (ie as part of the user interface). They argued that privacy notices alone are insufficient as transparency mechanisms.
Our view is that just referring candidates either to a lengthy privacy policy or to the privacy policy of the provider whose tool they use is unlikely to comply with the transparency principle or the right to be informed.
Where candidates are not separately provided with information about the decisions made about them in a manner more specific than the general privacy information, this is also unlikely to meet transparency and safeguarding requirements.
In this context, we consider it a good approach to provide:
- layered privacy notices; or
- just-in-time notifications that tell people what you’re going to do with their information at the point you collect it.
We also recognise that employers must balance providing meaningful information on the logic behind decisions and how the automated processing works with the risk of allowing candidates to ‘game the system’. Our workshop discussions with trade body members reflected the challenges employers faced with transparency when deciding to use ADM in their recruitment process. Some participants also thought that the public doesn’t understand ADM. As a result, ‘meaningful’ information could still mean very little to candidates.
During our stakeholder roundtables, participants noted that employers won’t put safeguards in place if they’re not sure whether their processing includes meaningful human involvement. They also discussed the need to ‘normalise’ people knowing and exercising their information rights in a recruitment context. Some compared this with notices that a business is recording a call or that a consumer has the right to a refund.
Expectations
Transparency needs to improve. Employers must put safeguards in place where the ADM provisions apply (unless they intend to incorporate meaningful human involvement instead).
We expect employers to begin to improve their transparency processes, including the provision of meaningful information about the logic involved. We also expect developers and employers to review their transparency processes to ensure that the employer’s privacy policy is provided to candidates.
We strongly support organisations increasing the efficiency and speed of recruitment using automated tools. At the same time, we have a duty to ensure that organisations adopting and deploying these tools:
- provide people with transparency; and
- apply the safeguards specified within the ADM provisions.
We expect employers to ensure that they have processes in place to provide candidates with information about the automated decisions they are making about them, and to enable candidates to make representations about these decisions, contest them and request human intervention.
30 Draft guidance on Automated decision-making, including profiling
31 And would therefore also not be complying with article 22C, as the safeguards are consistent with, and a clarification of, those set out in article 22(3).
32 Understanding public perceptions towards automated decision-making in recruitment