Why the ICO’s automated decision making guidance matters for UK offices
The Information Commissioner’s Office is consulting on new ICO automated decision making guidance 2026 that will directly affect office operations. For a UK office manager running hybrid workplaces with AI scheduling, visitor screening and performance dashboards, this draft guidance will define what counts as an automated decision and when you must build in human involvement. The consultation, which runs alongside the ICO’s wider work on AI and data protection and is expected to close on 29 May 2026, covers how organisations use personal data and solely automated tools for decisions that significantly affect a data subject, including profiling in recruitment, performance management and workplace access. The ICO consultation page confirms the scope, timetable and questions for respondents.
The ICO’s draft guidance clarifies that an automated decision is one where an algorithm determines the outcome without meaningful human review, and this includes profiling for security scoring, risk‑based models and automated allocation of shifts or desks. Under the UK GDPR, Article 22 on automated individual decision‑making and profiling requires specific safeguards, and the ICO is now spelling out how those ADM provisions apply to common office systems such as visitor management, expense automation and room booking tools. For office managers, this means every workflow that uses personal data for automated decisions, including profiling of staff behaviour or visitors, must be mapped, risk assessed and aligned with data protection and data privacy requirements, with clear references to the ICO consultation text in any internal briefing.
The consultation sits alongside the Parliamentary Business and Trade Committee inquiry into workplace AI, which increases the legal and reputational stakes for any decision that relies on automated tools. The Committee’s call for evidence, which opened in early 2026 with a published deadline for submissions, focuses on how AI affects employment, surveillance and decision making in offices and other workplaces. The ICO has signalled that recruitment, performance evaluation and workplace monitoring will be early enforcement priorities, so your recruitment report, access control logs and performance dashboards will all be in scope. With a growing majority of UK employees now using workplace AI tools in some form but relatively few receiving formal training, office managers cannot assume that vendors or HR will handle compliance with this guidance on their own.
The three clauses reshaping scheduling, screening and monitoring
The first clause office managers should flag in the ICO automated decision making guidance 2026 is the requirement for meaningful human involvement in high-impact decisions. Where a solely automated decision could significantly affect a data subject, such as denying visitor access, assigning unpopular shifts or triggering a performance report, the ICO expects a human to review the underlying data and rationale before the decision is final. That means your team cannot rely on an automated decision from an AI scheduling engine or visitor scoring tool without a named person accountable for the outcome and able to override it. In practice, this might mean a facilities lead reviewing any red flag from a visitor management platform like Proxyclick or Envoy before a visitor is refused entry.
The second key clause is transparency, which requires clear guidance for staff and visitors on when automated decision making is used, what personal data feeds it and how cookies or essential cookies contribute to profiling. In practice, this means updating privacy notices on visitor kiosks, desk booking apps and performance dashboards, and explaining how data access, data protection and data privacy controls work in language that non-lawyers can understand. For example, a visitor kiosk notice might state: “We use automated checks to assess visitor risk scores using your name, email address and visit history; a member of our security team will review any high‑risk result before access is refused.” For multi-site organisations following recognised legitimate business practices, this transparency duty extends to explaining when legitimate interests or public interest are the legal bases for including profiling in security or utilisation analytics.
The third clause is the right to contest, which gives individuals the ability to challenge automated decisions and request human review under Article 22 UK GDPR rules. This right applies to recruitment decisions, visitor bans, expense rejections and performance flags that rely on ADM-style scoring, so you will need a clear code of practice, a documented process and a response service level for handling such challenges. As a concrete example, many office managers are now adding a vendor contract clause that requires suppliers to explain any high-impact automated decision in plain English and to provide a manual review route within a fixed timeframe, for instance: “For any solely automated decision that may significantly affect an employee or visitor, the supplier will provide a written explanation of the decision logic and enable human review within five working days.” As central London office demand evolves, highlighted by large AI vendors taking significant desk space, the combination of this ICO draft guidance and the Parliamentary inquiry will push landlords, occupiers and vendors to harden their governance around automated decision tools used in shared buildings.
What office managers should do before the consultation closes
Office managers do not need to be legal specialists to respond effectively to the ICO automated decision making guidance 2026 consultation. Start by listing every system in your toolstack that uses automated features for decision making, including profiling, such as AI-driven scheduling, visitor management, expense automation and recruitment screening, then identify where solely automated outcomes currently occur without human involvement. For each workflow, document what personal data is processed, which Article 6 UK GDPR legal basis you rely on, whether legitimate interest or public interest is claimed and how you explain this to each data subject. Turning this into a simple register or spreadsheet will make it easier to reference in your consultation response and in any future ICO audit.
Next, work with HR, IT and your DPO to stress test ADM provisions in contracts with vendors, especially for recruitment platforms, performance tools and expense systems that generate any recruitment report or risk score. When assessing modern expense management software, for example, you should evaluate how automated decision rules, cookies and essential cookies are configured, how data access is logged and whether the provider offers clear documentation, in the style of the draft guidance, on data protection and data privacy. Use this review to propose concrete changes in your consultation response, such as requiring vendors to expose their code logic for high-impact decisions or to provide configurable thresholds for meaningful human review, and consider naming specific tools like Workday, SAP Concur or HiBob in your internal notes so colleagues can see where changes are needed.
Finally, prepare for enforcement by drafting internal guidance, a short report template for contested decisions and a simple article-style explainer for staff about how ADM and automated tools operate in your office. Align this with your existing code of conduct, your recognised legitimate business interests framework and your brand governance practices across multiple teams, so that automation in visitor experience, scheduling and monitoring feels consistent rather than ad hoc. The offices that will thrive under the new regime will be those where AI handles the repetitive work while humans stay firmly in charge of the decisions that shape people’s working lives (not the square footage but the Monday morning friction), and where the ICO consultation and Parliamentary inquiry are treated as practical roadmaps rather than abstract policy debates.