MeVitae achieves outstanding ICO audit results
From the 25th to the 27th of October, MeVitae welcomed the Information Commissioner’s Office (ICO) audit team to review the organisation’s processing of personal data. The outstanding report published today serves as a testimony to our commitment to protecting the privacy rights of the clients who entrust MeVitae with their personal data.
The ICO is responsible for enforcing and promoting compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18), and other data protection legislation. Holding the regulatory power to undertake agreed or compulsory audits, the ICO determines whether organisations have implemented policies and procedures to manage the processing of personal data and whether this processing is carried out accordingly, making recommendations for required changes when necessary. The ICO considers auditing a constructive process that “plays a key role in assisting organisations in understanding and meeting their data protection obligations”.
Although Artificial Intelligence offers opportunities that could bring marked improvements for society, shifting the processing of personal data to these complex systems comes with inherent risks. To verify that we are reliably protecting information resources, and to ensure the confidentiality, integrity, and availability of all personal data, our team reached out to the ICO. Under section 129 of the DPA18, the ICO was able to carry out a consensual audit to assess the extent to which the AI systems employed by MeVitae comply with data protection legislation. Focusing exclusively on the processing of personal data within MeVitae’s blind recruiting solution, the audit covered the following areas:
Governance: The assessment of privacy management and governance procedures, ensuring senior management understand and address the risks associated with the use of AI.
Transparency: The evaluation of whether privacy policies are clear and easy for members of the public to access, and whether individuals are provided with appropriate tools to manage how the organisation uses their personal data.
Lawful Basis: The assessment of compliance with the following UK GDPR lawful bases wherever data is processed: consent, contract, legal obligation, vital interests, public task, legitimate interests.
Contracts and 3rd Parties: The assessment of whether the written contract complies with the requirements as set out by the UK GDPR.
Data Minimisation: The assessment of whether protections are in place to prevent any data other than that necessary to compile the training data sets being collected.
Individual Rights: The evaluation of compliance with the following UK GDPR rights – the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
Staff Training: The assessment of whether all employees receive appropriate training on the company’s information security and privacy policies.
DP Risk Management: The assessment of whether appropriate and effective action has been taken to mitigate or manage any risks identified.
Security and Integrity: The assessment of the security controls used to maintain the confidentiality, integrity, and availability of personal data in relation to data subjects and AI systems.
Trade-Offs: The evaluation of whether and how risk-based approaches have been taken to navigate and analyse potential ‘trade-offs’ between data protection considerations and individual rights on the one hand and other competing values/interests on the other.
Statistical Accuracy: The assessment of whether reasonable actions have been taken to ensure the accuracy of any personal data, whether the source and status of the data is clear, and whether careful consideration has been made for any challenges to the accuracy of information.
Discrimination and Bias: The consideration of whether any processing of data, whether to train new AI systems or to make predictions using an existing one, is lawful.
Human Review: The evaluation of whether there are procedures, policies and registers in place that ensure human review is conducted, when appropriate, by competent individuals, and that the results of human reviews are actioned and do not have adverse impacts.
The ICO audit provides assurance ratings for each assessed area as either high, reasonable, limited, or very limited. MeVitae scored ‘high’ for eleven of the thirteen assessments, including lawful basis, discrimination and bias, and human review, with the remaining two rated ‘reasonable’. These amazing results highlight our recognition of, and commitment to, the importance of data protection and individual rights. Going forward, we hope these results will enable us to continue building and developing the trust of our current and future clients.
“At MeVitae we take our obligations under UKGDPR incredibly seriously and have worked hard to ensure that we are fully compliant with all relevant legislation and best practice,” said Luke Jew, Research Manager at MeVitae. “The ICO audit process was a great way of not only externally confirming our compliance but also of helping find out the few areas we could improve our processes. We would like to thank the team from ICO, in particular Colin Farrell, for such a professional, helpful and friendly experience!”
To read the full report, click here.
About MeVitae
Founded in 2014, MeVitae is the world’s first cognitive recruitment system, combining people science and technology to help organisations make smarter, faster, and fairer hiring decisions while mitigating cognitive and algorithmic biases. In just a few years, MeVitae has helped companies around the world to become more diverse, transformational, and inclusive.