On June 5, 2025, the UK’s Information Commissioner’s Office (“ICO”) launched its new AI and biometrics strategy. The strategy aims to increase its scrutiny of AI and biometric technologies focusing on three priority situations, namely where: stakes are high; there is clear public concern for the technology; and regulatory clarity can provide immediate impact.

The ICO identified three areas of focus in its strategy:

1. Transparency and explainability, i.e., when and how the technologies affect people;
2. Bias and discrimination, particularly where the technologies have been trained on “flawed, incomplete or unrepresentative information”; and
3. Rights and redress, i.e., making sure that systems are accurate, appropriate safeguards are in place to protect people’s rights, and that there are ways to challenge and correct outcomes that result in harm.

The ICO’s previous work

The ICO’s new strategy builds on its previous work on both AI and biometric technologies. Past work includes, among other things: the ICO’s AI Tools in recruitment audit outcomes report; its consultation series on Generative AI; and its guidance on AI and data protection (discussed in our previous blogpost here). The ICO has also published biometric data guidance and conducted various studies on the privacy implications of biometric technologies.

The ICO’s strategy in more detail

The ICO has set out a “plan of action” to “ensure that organisations can develop and deploy AI and biometric technologies with confidence and that people are safeguarded from harm”. The plan touches on a wide range of AI regulatory issues and includes the following objectives:

1. Provide certainty on the responsible use of AI and automated decision making (“ADM”) under data protection law. This will include consulting on ADM and profiling guidance by autumn 2025 and developing a statutory code of practice on AI and ADM to address the issues of transparency and explainability, bias and discrimination and rights and redress.

2. Ensure high standards of ADM in central government. The ICO plans to support scaling up of the responsible use of AI across central government, including through setting out regulatory expectations and learning from early adopters of ADM within the government.

3. Establish clear expectations for the responsible use of ADM in recruitment. The ICO will increase focus on the use of ADM by major employers and recruiters, particularly with respect to transparency, discrimination and risks to redress, and intends to hold employers and recruiters to account for failure to respect people’s rights, through for example publishing findings.

4. Scrutinise foundation model developers to ensure they protect people’s information and prevent harm. This involves seeking assurances from developers regarding the safeguarding of personal information, setting clear regulatory expectations to strengthen compliance where needed, and taking action in the event a model causes harm or is at risk of causing harm.

5. Support and ensure the police’s use of rights-respecting and proportionate Facial Recognition Technology (“FRT”). The ICO’s biometric strategy will focus on the use of FRT by police forces, and in particular it plans to: publish guidance on the governance and use of FRT by police forces in compliance with data protection law, audit police forces using FRT, and advise the government on changes to the law in the area.

6. Consider emerging AI risks. The ICO will ramp up focus on the data protection implications of agentic AI, including through engaging with industry and publishing a Tech Futures report examining accountability and redress. It also plans to establish a high threshold of lawfulness for AI systems that “infer subjective traits, intentions or emotions based on physical or behavioural characteristics”, continuing to survey use cases and act where systems cause harm.

This blog was drafted with the assistance of Emilia De Rosa, a trainee in the London office.