招聘結(jié)果報告中的人工智能_第1頁
招聘結(jié)果報告中的人工智能_第2頁
招聘結(jié)果報告中的人工智能_第3頁
招聘結(jié)果報告中的人工智能_第4頁
招聘結(jié)果報告中的人工智能_第5頁
已閱讀5頁,還剩92頁未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

AItoolsinrecruitment

Auditoutcomesreport

November2024

2

Contents

Executivesummary 3

Introduction 4

Keyrecommendations 6

Methodology 9

Impact 12

Summaryoffindings 13

Dataminimisationandpurposelimitation 13

UsingpersonalinformationtotrainandtestAI 18

Accuracy,fairness,andbiasmitigationinAI 20

Transparency 25

Privacytrade-offswithinAI 29

HumanreviewsinAI 32

DPIAsandriskmanagement 34

Informationsecurityandintegrity 38

Managementframeworks 41

Thirdpartyrelationships 47

3

Executivesummary

TheICOhavecarriedoutconsensualauditengagementswithdevelopersandprovidersofartificialintelligence(AI)poweredsourcing,screening,andselectiontoolsusedinrecruitment.WerecognisethattheuseofAItoolsinrecruitmentprocessescanofferbenefitstoemployers,buttheirusecanalsoleadtorisksforpeopleandtheirprivacyandinformation

rights.WeundertookthisworkaspartofourupstreammonitoringofthewiderAIecosystemtounderstandhowthedevelopmentandprovisionofAIrecruitmenttoolscomplieswithUKdataprotectionlaw.

OurauditsfoundareasforimprovementindataprotectioncomplianceandmanagementofprivacyrisksinAIaswellasareasofgoodpractice.Werecommendedactionsbothtoimprovecompliancewithdata

protectionlawandpromotethegoodpracticesinourpublishedguidance.

ManyprovidersmonitoredtheaccuracyandbiasoftheirAItoolsandtookactiontoimprovethem.Howeverwedidwitnessinstanceswherethere

wasalackofaccuracytesting.Additionally,featuresinsometoolscouldleadtodiscriminationbyhavingasearchfunctionalitythatallowed

recruiterstofilteroutcandidateswithcertainprotectedcharacteristics.

Othersestimatedorinferredpeople’sgender,ethnicity,andother

characteristicsfromtheirjobapplicationorevenjusttheirname,ratherthanaskingcandidatesdirectly.Thisinferredinformationisnotaccurateenoughtomonitorbiaseffectively.Itwasoftenprocessedwithouta

lawfulbasisandwithoutthecandidate’sknowledge.

Wewereconcernedtofindtoolsthatcollectedfarmorepersonal

informationthanwasneeded.Insomecases,personalinformationwasscrapedandcombinedwithotherinformationfrommillionsofpeoples’profilesonjobnetworkingsitesandsocialmedia.Thiswasthenusedtobuilddatabasesthatrecruiterscouldusetomarkettheirvacanciesto

potentialcandidates.Recruitersandcandidateswererarelyawarethatinformationwasbeingrepurposedinthisway.

WefoundseveralinstanceswhereAIprovidersincorrectlydefined

themselvesasprocessorsratherthancontrollers,andsubsequentlyhadnotcompliedwiththedataprotectionprinciples.Somehadattemptedtopassallresponsibilityforcompliancetorecruitersusingtheirtool.In

thesecasesthearrangementswereusuallysubjecttovagueorunclearcontracts,thatappearedtobedeliberatelybroadorleftrecruitersinthedark.

However,wealsonotedmanyencouragingpractices.Someproviders

gaverecruiterstheirownbespokeAImodel,thattheycouldtailortotheir

4

ownneedsandwhichavoidedcollectingunnecessarypersonal

information.Othersworkedtobeastransparentaspossible,andshareddetailedinformationonlineabouttheAIandhowitworkedinorderto

buildpeople’strust.

Duringthecourseofourworkwemadealmost300recommendationstoimprovecompliance,allofwhichwereaccepted.Theserecommendationscoveredanumberofrequirementsunderthelawrangingfrom;

?processingpersonalinformationfairlyintheAI;

?explainingtheprocessingclearly;

?keepingpersonalinformationcollectedtoaminimum;

?notrepurposingorprocessingpersonalinformationunlawfully;and

?conductingriskassessmentstounderstandtheimpacttopeople’sprivacy.

BothAIprovidersandrecruitersshouldfollowtherecommendationsinthisreport.

Byhavinghighstandardsofdataprotectioncompliance,organisationsdevelopingandusingAIinrecruitmentcaninnovateanddelivergreatservices,whilebuildingtrustwiththepublic.

Introduction

WehavecarriedoutaprogrammeofconsensualauditengagementswithorganisationsthatdeveloporprovideAItoolsusedinrecruitment.

Recruitmenttoolsauditedwerebroadlyusedforsourcing,screening,andselection.

Sourcingtoolsincluded:

?suggestingpotentialcandidatesthatmatchorbestfitarecruiter’sjobvacancyfromadatabaseofpotentialcandidateprofiles;and

?findingcandidatesthatmayincreasetherecruiter’sworkforcediversity,basedontheirpredictedorinferredgender,ethnicity,age,orotherdiversitycharacteristics.

Screeningtoolsincluded:

?scoringcandidatecompetenciesandskillsfromwrittenapplicationsandCVs;

?predictingacandidate’s‘interest’inajobvacancybasedontheirinteractionswithrecruiters;and

?predictingthelikelihoodofacandidatebeingsuccessfulintherecruiter’sselectionprocess.

Selectiontoolsincluded:

5

?assessingacandidate’sskillsandfittoarolebasedonperformanceinAI-poweredbehaviourgamesorpsychometricassessments;

?scoringcandidatecompetenciesandskillsfromwrittenresponsestointerviewquestionsandtexttranscriptionsofin-personorvideo

interviews;and

?evaluatingacandidate’slanguage,tone,andcontentinvideointerviewstopredicttheirpersonalitytype.

ThisworkcoveredarangeofAIusecasessuchasmachinelearning,

includingnaturallanguageprocessing.WedidnotincludeAIusedto

processbiometricdata,suchasemotiondetectioninvideointerviews,aswehavereviewedandareproducingseparateguidanceon

biometricdata

andneurotech.

WealsodidnotincludetoolsusinggenerativeAIinthis

work,suchasforchatbotsanddraftingjobadvertsorroledescriptions.Although,weareawareoftheincreasinguseofgenerativeAImodelsinrecruitmentandareexploringriskstopeople’sprivacyinotherwork.

Weundertookthisworkaspartofourupstreamengagementand

monitoringofthewiderAIecosystem.Thishelpedustounderstandtheprivacyrisksandpotentialnon-compliancewithUKdataprotectionlawinthedevelopment,provision,anduseofAIrecruitmenttools.

WerecognisethatAIoffersopportunitiesthatcouldbringimprovementsforsociety,suchasefficiency,scalability,consistencyandprocess

simplification.Whenusedinrecruitmentprocesses,AIcanenableorganisationstohandlepotentiallyhighvolumesofapplicationsandprocessthemconsistentlyandinatimelymanner.

However,shiftingtheprocessingofpersonalinformationtothesecomplexandsometimesopaquesystemscomeswithinherentriskstopeopleandtheirprivacy.HumanrecruitersmaybeinfluencedandmakerecruitmentdecisionsbasedonAIoutputs,scores,orpredictionsthatmighthave

limitedscientificvalidity

1

.AsdetailedbytheUKgovernmentintheir

ResponsibleAIinRecruitmentGuide,

AIrecruitmentalgorithmscanbe

unfair,learntoemulatehumanbias,andperpetuatedigitalexclusionof

minorities

2

.TheCentreforDataEthicsandInnovationnotedintheir

IndustryTemperatureCheck

inDecember2022thatAIsystemsholdingvastamountsofpersonalinformationcanbetargetsforcyber-attacksand

1REC.RECrespondstoreportshowingrisktoUKjobsfromAI(27March2024).

/our-view/news/press-releases/rec-responds-report-showing-

risk-uk-jobs-ai

2DepartmentforScience,Innovation,andTechnology.ResponsibleAIinRecruitment

guide(25March2024).

.uk/government/publications/responsible-ai-in-

recruitment-guide

6

interference

3

,especiallyifinformationiskeptandstoredforlongerthannecessary.AIcanprocesspersonalinformationinanuntransparentandunexplainableway,orrelyonconsentthatisnotvalidandinformed.

Furthertothe

NationalAIStrategy

publishedinSeptember2021,theUKgovernmentpublishedan

AIregulationpolicypaper

inMarch2023.Thissetsoutplanstoimplementapro-innovationapproachtoAIregulation,basedontheprinciplesof:

?safety,security,androbustness;

?appropriatetransparencyandexplainability;

?fairness;

?accountabilityandgovernance;and

?contestabilityandredress.

TheseprinciplesarecloselylinkedtothedataprotectionprinciplesintheUKGDPR.Byhavinghighstandardsofdataprotectioncompliance,

organisationsdevelopingandusingAIinrecruitmentcaninnovateanddelivergreatservices,whilebuildingtrustwiththepublic.

Keyrecommendations

Ourauditsfoundsomeconsiderableareasforimprovementindata

protectioncomplianceandmanagementofprivacyrisksinAI.We

recommendedactionsbothtoimprovecompliancewithdataprotectionlawandpromotethegoodpracticesinourpublishedguidance.

OurrecommendationsweretailoredtotheAIusecase,thepersonal

informationprocessed,andthecontextoftheorganisation.Howeverwehavesummarisedthemostcommonareasintosevenkey

recommendations,whicharecrucialtoallorganisationswhendesigningandusingAIrecruitmenttools.

ThesekeyrecommendationsarerelevantfororganisationsthatdeveloporprovideAIrecruitmenttools(AIproviders),andorganisationsthatuseorarethinkingofusinganAItoolintheirrecruitment(recruiters).

AIprovidersandrecruitersshouldfollowourrecommendations,toensureAIrecruitmenttoolscomplywithUKdataprotectionlaw.

Recommendation:Fairness

3CentreforDataEthicsandInnovation.IndustryTemperatureCheck:BarriersandEnablerstoAIAssurance(December2022).

.uk/media/638f3af78fa8f569f7745ab5/Industry_Te

mperature_Check_-_Barriers_and_Enablers_to_AI_Assurance.pdf

7

AIprovidersandrecruitersmustensurethattheyprocesspersonal

informationfairlybyAI.Thisincludesmonitoringforpotentialoractual

fairness,accuracy,orbiasissuesintheAIanditsoutputs,andtaking

appropriateactiontoaddressthese.Dependingonthedecisionsmade

andthelevelofhumaninvolvementasaresult,theaccuracybeingbetterthanrandomisnotenoughtodemonstratethatAIisprocessingpersonalinformationfairly.

Additionally,AIprovidersandrecruitersmustalsoensureanyspecialcategorydataprocessedtomonitorforbiasanddiscriminatoryoutputsisadequateandaccurateenoughtoeffectivelyfulfilthispurpose.Theymustalsoensurethisprocessingcomplieswithdataprotectionlaw.Inferredorestimateddatawillnotbeadequateandaccurateenough,andwill

thereforenotcomplywithdataprotectionlaw.

Recommendation:Transparencyandexplainability

RecruitersmustensurethattheyinformtheircandidateshowtheywillprocesstheirpersonalinformationbyAI.Theyshoulddothisbyprovidingdetailed

privacyinformation,

orensuringthisisprovidedbytheAI

provider.Thisshouldclearlyexplain:

?whatpersonalinformationisprocessedbyAIandhow;

?thelogicinvolvedinmakingpredictionsorproducingoutputs;and

?howtheyusepersonalinformationfortraining,testing,orotherwisedevelopingtheAI.

AIprovidersshouldsupportthe

transparencyandexplainability

oftheirAIbyproactivelyprovidingrelevantAItechnicalinformationordetails

abouttheAIlogictotherecruiter.

AIprovidersandrecruitersmustensurethatcontractsclearlydefine

whichpartyisresponsibleforprovidingprivacyinformationtocandidates.

Recommendation:Dataminimisationandpurposelimitation

AIprovidersshouldcomprehensivelyassess:

?theminimumpersonalinformationtheyrequiretodevelop,train,test,andoperateeachelementoftheAI;

?thepurposeforprocessingandcompatibilitywiththeoriginalpurposeforprocessing;and

?howlongtherequirethepersonalinformationfor.Recruitersshould:

8

?ensurethattheycollectonlytheminimumpersonalinformationnecessarytoachievetheAI’spurpose;and

?confirmthattheyonlyprocessthispersonalinformationforthat

specificlimitedpurposeandtheydonotstore,share,orreprocessitforanalternativeincompatiblepurpose.

Recommendation:Dataprotectionimpactassessments(DPIA)

AIprovidersandrecruitersmust:

?completea

DPIA

earlyinAIdevelopmentandpriortoprocessing,whereprocessingislikelytoresultinahighrisktopeople;and

?updatetheDPIAasAIdevelopsandwhenprocessingchanges.TheDPIAmustinclude:

?acomprehensiveassessmentofprivacyriskstopeopleasaresultofpersonalinformationprocessing;

?appropriatemitigatingcontrolstoreducetheserisks;and

?ananalysisoftrade-offsbetweenpeople’sprivacyandothercompetinginterests.

Evenwhenactingexclusivelyasprocessors,AIprovidersshouldconsidercompletingaDPIAtoassessandmitigateprivacyrisksandevidencetechnicalandorganisationalcontrolsinplace.

Recommendation:Datacontrollerandprocessorroles

AIprovidersandrecruitersmust:

?definewhethertheAIprovideristhe

controller,jointcontroller,ora

processor

foreachspecificprocessingofpersonalinformation;and

?recordthisclearlyincontractsandprivacyinformation.

TheAIprovideristhecontrollerifitexercisesoverallcontrolofthe

meansandpurposeofprocessinginpractice.Forexample,ifitusesthepersonalinformationitprocessesontherecruiter’sbehalftodevelopacentralAImodelthattheydeploytoallrecruiters.

Recommendation:Explicitprocessinginstructions

Recruitersmustsetexplicitandcomprehensivewritten

processing

instructions

fortheAIprovidertofollowwhenprocessingpersonal

informationonitsbehalfasaprocessor.Thisincludesdecidingthe:

9

?specificdatafieldsrequired;

?meansandpurposesofprocessing;

?outputrequired;and

?minimumsafeguardstoprotectpersonalinformation.

RecruitersshouldperiodicallycheckthatAIprovidersarecomplyingwiththeseinstructionsandnotsharingorprocessingpersonalinformationforadditionalalternativepurposes.

AIprovidersmustonlyfollowtherecruiters’explicitinstructionswhentheyprocesspersonalinformationasaprocessorfortherecruiter.TheAIprovidermustnotretainpersonalinformation,shareitwithout

permission,orprocessitfortheirownpurposesbeyondtheirinstructions.

Recommendation:Lawfulbasisandadditionalcondition

AIprovidersandrecruitersmust:

?identifythe

lawfulbasis

theyreliedonforeachinstanceofpersonalinformationprocessingwheretheyarethecontroller,before

processinganypersonalinformation;

?identifyanadditionalcondition,wheretheyareprocessingspecialcategorydata;

?document,describeinprivacyinformation,andrecordincontractsthelawfulbasisandcondition;

?whenrelyingonlegitimateinterests,completealegitimateinterestsassessment;and

?whenrelyingonconsent,ensurethatconsentisspecific,granular,hasaclearopt-in,appropriatelyloggedandrefreshedatperiodicintervals,andaseasytowithdrawasitwastogive.

Methodology

FromAugust2023toMay2024,weconductedconsensualaudit

engagementswithorganisationsthatdeveloporprovideAI-poweredrecruitmenttools.

Thescopeoftheauditscoveredthesekeyareas:

?Privacymanagementframework–toreviewthemanagementframeworksupportingprivacyinAIsystems,including:

ocomprehensiveprivacypoliciesandprocedures;

ocompliancemechanismsandKPIs;

ospecialisedprivacyandAItrainingforkeystaff;and

10

oidentificationofappropriatelawfulbasesandadditionalconditionsforprocessingpersonalinformation.

?Dataminimisationandpurposelimitation–toensurethat

personalinformationisnotrepurposedforAIdevelopmentor

provision,andpersonalinformationprocessedisminimal,adequate,andnotretainedlongerthannecessary.

?Thirdpartyrelationships–toensurethatAIprovidersandrecruitersunderstandandfulfiltheircontrollerandprocessorresponsibilitiesandhaveformalisedtheseincontracts.

?Informationsecurityandintegrity–toconfirmthattechnicalsecuritymeasuresandaccesscontrolsareinplaceandeffectivelyprotectingpersonalinformationduringcollection,intransit,andatrest.

?Transparency–toensurethatpeopleareinformedhowtheirpersonalinformationisprocessedinAIrecruitmenttools.

?DPIAsandriskmanagement–toensurethatdataprotectionimpactassessments(DPIAs)havebeencompletedandincludeacomprehensiveassessmentoftheprivacyriskstopeople,andeffectivemitigationstoreducetheserisks.

?Privacytrade-offswithinAI–toconfirmthatpotentialandexistingtrade-offsinAIsystemsbetweenpeople’sprivacyandothercompetingvaluesorinterestshavebeenassessedandnavigatedcarefully.

?UsingpersonalinformationtotrainandtestAI–toreview

howpersonalinformationhasbeenusedfairlyandtransparentlytodevelopAI.

?Accuracy,fairness,andbiasmitigationinAI–toassesshowpotentialandactualfairness,accuracy,andbiasissueshavebeenmitigatedinAIdevelopmentandaremonitoredeffectivelythroughthelifecycleofAI.

?HumanreviewsinAI–toensurethatAI,itsprocessing,anditsoutputsaresubjecttomeaningfulhumanchecksandformalisedreviews,andissuesaddressedinatimelymanner.

Theauditswereconductedfollowingourdataprotectionauditmethodology.Thekeyelementsofthiswere:

?desk-basedreviewsofrelevantpoliciesandprocedures;

?interviewswithkeyprivacycomplianceandAItechnicalstaff;and

11

?reviewsofevidentialdocumentation,includingAIdesign

documents,systemspecifications,andmanagementinformation.

Wereviewedthesamefocusareasforeachorganisation,sothatwecouldidentifykeythemes.

Thefindingsfromourworkweretakenasa‘snapshotintime’andarebasedonwhatwefoundatthetimeofeachengagement.Organisationsmayhavetakenactionssincetoimprovecomplianceandmitigaterisks.

Eachorganisationreceivedanindividualauditreport.Whereweidentifiedweaknessesoropportunities,wemaderecommendationstoimprove

compliancewithdataprotectionlawandenhanceexistingprocesses.

12

Impact

ICOauditorsmade296recommendationsand42advisorynotesacrossallengagements.Thesewerebrokendownbyareaasfollows:

Followingtheinitialauditengagement,weaskedallorganisationsto

respondtoourrecommendationswithappropriateactions.Organisationsrespondedpositivelyandwerewillingtotakeswiftactiontoimprove

complianceonavoluntarybasis,asfollows:

?97%ofrecommendationswereaccepted,andactionsset.

?3%ofrecommendationswerepartiallyaccepted,andactionsset.

?Norecommendationswererejected.

Wealsoaskedforfeedbackontheauditexperienceandvalueaddedtotheorganisation.Respondentsscoredareasoutof10asfollows:

?9.3forimprovingtheirunderstandingoftherequirementsofUKdataprotectionlaw.

?9.7forimprovingtheirunderstandingofkeyprivacyrisksintheirAItool.

?9.0forhelpingthemtomitigateprivacyrisksintheirAItool.

13

?9.3forhelpingthemtoraiseawarenessofinformationprivacywithseniorleaders.

Organisationsalsoprovidedthefollowingcommentsabouttheirengagementswithus:

“Theprocessiseasytofollowandefficient.”“Itwaswellmanagedandveryprofessional.”“Veryusefulandencouraging.”

“Theauditconfirmedsomeofourpositioningaroundcontrollerandprocessorrelationshipsandencouragedourownthinkingand

research.”

“TheauditdefinitelypromptedustoconsiderourDPIAsandanygapswemighthave.”

Finally,aftertheinitialauditwefollowedupwithcertainorganisationswherethereweresignificantoutstandingrisksorareasofnon-

compliance.Wereviewedprogressandsupportingevidenceinthesekeyriskareasandconfirmedthattheseorganisationshadundertakenworktowardsimplementingtherecommendationswemade.

Summaryoffindings

Thefindingsbelowsummarisethekeyobservations,opportunitiesforimprovement,andgoodpracticewe’veseenduringourprogrammeofaudits.

Dataminimisationandpurposelimitation

DevelopingAIsystemsgenerallyrequireslargeamountsofpersonal

informationtotrainAImodelstoreliablyreproducetasksorproduce

outputs.Thesecanconflictwiththedataprotectionprinciples,particularlydataminimisationandpurposelimitation.Wereviewed:

?whatpersonalinformationtheywereprocessing;

?whetherthiswaslimitedtowhatwasnecessary;and

?whethertheystoreditonlyforaslongasneeded,anddidnotrepurposeitforotherincompatibleuses.

ThisistocomplywithUKGDPRarticles5(1)(a)-(e).

ThemajorityofAIprovidershadconsidereddataminimisationintheirapproachtodevelopingtheirAItool.Generally,AIproviderslimitedtheinformationcollectedfrompeopleto:

14

?theperson’sname;

?contactinformation;

?careerexperience;

?relevantskills;and

?relevantqualificationsorcertifications.

ManyAIprovidersalsoprocessedadditionalinformation,ifinstructedtodosobytherecruiter.

Consider:DesignAI-poweredgamesorassessmenttoolstoonlycollectthecandidate’snameandemailaddress,wherepossible.

Example:AIprovidersmaintainingdatabasesofpotentialcandidateprofilesfrompublicjobnetworkingsitesgenerallyonlycollectedandstoredtheperson’sname,contactinformation,careerexperience,

relevantskills,andrelevantqualificationsorcertifications.

Asmallnumberalsocollectedandstoredlessessentialinformation,suchasphotosoftheperson.WerecommendedthattheseprovidersassesstheminimumpersonalinformationneededtooperateeachAIelement.

MostAIprovidershadassessedtheminimumpersonalinformation

neededtooperatetheirAItooleffectively.Inparticular,fortrainingandtestingtheAIbeforelaunchandmaintainingitafterlaunch.Someof

thesehadrecordedaminimumdataprofileintheDPIAorpolicies,withclearjustificationforwhyeachdatafieldwasessentialornot.

Consider:DevelopAIusingonlypseudonymisedpersonalinformation,oronlyaggregatedinformation,wherepossible.Thisminimisestheriskof

peoplebeingidentifiedorAIlearningfromirrelevantinformation.

Consider:TrainandtestAItoolsusingminimiseddatasetsand

techniquessuchask-foldcross-validation.Thisallowsyoutousedatasetsseveraltimesandimproveaccuracywithoutneedinglargeamountsof

information.

ThemajorityofAIprovidershadrepurposedcandidatepersonal

informationintheirsystemtotrain,test,andmaintaintheirAItool.In

severalcases,theyusedittodevelopotherproductstoo,usuallyby

pseudonymisingoranonymisingcandidateprofiles.Inmanycases,the

providerscouldnotdemonstratethatthissecondaryuseofcandidate

personalinformationwascompatiblewiththepurposeforprocessingthattheyoriginallycollectedtheinformationfor.

15

Consider:CheckpersonalinformationiseffectivelyanonymisedfortheprocessingtofalloutsideUKdataprotectionlaw.De-identifiedor

pseudonymisedinformationisstillsubjecttoUKdataprotectionlaw.

Example:AIprovidersmaintainingdatabasesofpotentialcandidate

profilestypicallypulledthisinformationinbulkfrompublicprofilesonjobnetworkingsites,socialmedia,andotheropen-sourcewebcontent.Whenscrapinglargeamountsofinformationthisway,orpurchasingscraped

informationfromdatavendors,notallproviders:

?coulddemonstratethatthenewuseofinformationwascompatiblewiththeoriginalpurposeforprocessing;and

?alwayshadacontractorwrittenagreementfromjobnetworkingorsocialmediasitesconfirmingthatinformationhadbeencollected

lawfullyandprotectedfromprivacyrisksandpotentialharms.

Werecommendedthatprovidersnotprocesspersonalinformationfora

newpurposeandlawfulbasisthatisincompatiblewiththeoriginal

purposeandlawfulbasisitwascollectedfor.Wealsorecommendedthatthesearrangementsweredocumentedinacontractorwrittenagreement.

Consider:Assesspurposecompatibilitythroughouttheinformationsupplychain,andbuildthisintocontracts,duediligence,andongoingassurancecheckscompletedwithdatavendors,tocomplywiththe

purposelimitationprinciple.

MostAIprovidersreliedontherecruitertosettheretentionperiodfortheircandidateinformation.Thiswasusuallyoneortwoyearsafterthejobrequisitionwasclosedandoftendocumentedinthecontract.

Contractsalsogenerallyincludedaprovisionforcandidateinformationtoberetainedforashortperiodaftertermination,inordertoallowsome

timefortheAIprovidertostopprocessingandtransmittheinformationbacktotherecruiter.

Consider:Checkthatautomatedretentionmechanismsaredeletingpersonalinformationattheendoftheretentionperiodasexpected.

Example:SeveralAIprovidersmaintainingalargedatabaseofpotential

candidateprofileshadrecordedtheirintentiontoretainpersonal

informationintheirdatabaseindefinitely.Theydidnotperiodically‘weed’thatinformationtoremoveanythatmightbeout-of-date,inaccurate,ornolongernecessary.Retaininginformationforlongerthannecessary,or

16

indefinitely,isunlikelytocomplywiththeUKGDPRdataminimisationandstoragelimitationprinciples.

Werecommendedthatpersonalinformationwasonlyretainedaslongasnecessarytofulfiltheintendedpurposeforprocessing,andthatretentionperiodswererecordedclearlyandtransparently.

Consider:Lookforopportunitiesto‘weed’ordeletepersonalinformationthatisnolongerneeded,likelyinaccurate,orout-of-date.

RecommendationstoAIprovidersinclude:

?AssesstheminimumpersonalinformationrequiredtooperateeachelementoftheAI,andconsideralternativesthatachievethesameorasimilaroutcomeusinglessornopersonalinformation.

?Ensureallpersonalinformationprocessedisclearlyadequateandaccuratetofulfiltheintendedpurpose.

?Documenttheapproachtodataminimisation,purposelimitation,andtheotherdataprotectionprinciplesinrelevantpoliciesandAIdevelopmentdocuments,topromoteapro-privacyculture.

?Donotprocesspersonalinformationforanewpurposeandlawfulbasisthatisincompatiblewiththeoriginalpurposeandlawfulbasisitwascollectedfor.Thisincludesretainedinformationand

informationsourcedfromthirdparties,suchaspublicjobnetworkingsites,datavendors,orrecruiters.

?Retain

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論