AI and biometrics strategy update - March 2026

Give organisations certainty on how they can use AI and ADM responsibly under data protection law

In June 2025, we published our commissioned research into the public perceptions of the use of automated decision-making (ADM) in recruitment processes. This research provides a better understanding of how ADM is currently perceived and experienced by the public, and what the main concerns and expectations are, at a time of considerable technological change in recruitment practices.

We are working on our ADM and profiling guidance and will be publishing draft guidance for consultation in the coming months.

Our draft ADM guidance will inform parts of our AI and ADM code of practice. This will provide clear and practical good practice guidance, giving organisations certainty on how to develop and deploy AI in ways that uphold people’s rights and build public confidence. The government is currently developing the secondary legislation which will require the ICO to produce the code of practice, and which it committed to during the passage of the Data (Use and Access) Act 2025. In the meantime, preparation work for the development of the code is ongoing.

Ensure high standards of automated decision-making in central government, ensuring decisions that affect people are fair and accountable

We are engaging with various central government departments, including early adopters such as the Department for Work and Pensions (DWP), to support the responsible scaling of technologies using ADM with appropriate safeguards. Our engagement is ongoing and we will issue public communications on our conclusions and regulatory expectations later this year.

Set clear expectations for the responsible use of automated decision-making in recruitment

We have engaged, on a voluntary basis, with organisations in the private and public sectors who may be using ADM as part of their recruitment processes.

Insights from this work are feeding into a report setting out our findings and recommendations on the use of ADM in recruitment, and our broader ADM guidance. The report will be published alongside the guidance in the coming months.

ICO Chief Executive Officer Paul Arnold spoke at the Modernising Employment All-Party Parliamentary Group discussion on The AI Shift: Rethinking Work, Skills and Hiring in October, highlighting how transparency and robust safeguards are critical when using ADM in recruitment.

Scrutinise foundation model developers to ensure they are protecting people’s information and preventing harm

We are currently engaging with 11 major AI foundation model developers – building evidence around their approaches to data protection compliance and seeking assurances around the steps they are taking to mitigate data protection harms. We are also developing further policy positions, building on the areas we addressed in our 2024 generative AI consultation series.  We will publish these positions in the coming months to provide greater regulatory certainty for developers.

We’ve also commissioned research into data protection harms in AI foundation model training and development. The research covers the types, scale and severity of harm across the entire foundational model lifecycle and is being used to support our work in this area.

Support and ensure the proportionate and rights-respecting use of facial recognition technology by the police

In June 2025, we published our research on understanding the UK public’s views and experiences of biotechnologies, with a particular focus on facial recognition technology (FRT) use by the police. The research showed that while the public generally accepts police use of FRT, this acceptance is contextual and conditional on appropriate safeguards, accuracy, and responsible use.

In August 2025, we published a blog by Emily Keaney, Deputy Commissioner setting out how we are stepping up scrutiny of police use of FRT, accompanying an executive summary of the South Wales Police and Gwent Police audit report.

We've recently published the audit executive summaries of Essex Police and Leicestershire Police alongside a second blog from Emily Keaney reminding people why data protection lies at the heart of responsible FRT use.

An audit of West Yorkshire Police is ongoing with Greater Manchester Police in April 2026. Following the completion of our audit programme, we will report on our findings and recommendations.

In February 2026, we published our response to the Home Office consultation on a new legal framework for law enforcement use of biometrics, facial recognition and similar technologies.  This is part of our commitment to provide ongoing, expert advice to government. 

Anticipate and act on emerging AI risks

We published our emerging technology report into agentic AI in January 2026, highlighting ways agentic AI could transform lives and advising that technological advancements should not come at the cost of data privacy. The report sets out our early thoughts on data protection implications of the technology.