The Government has laid regulations before Parliament requiring the Information Commissioner's Office to prepare a statutory code of practice on artificial intelligence and automated decision-making.
The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (SI 2026/425) were made on 16 April 2026, laid before Parliament on 21 April, and will come into force on 12 May 2026.
The Regulations, made by the Minister of State at the Department for Science, Innovation and Technology Ian Murray under powers inserted into the Data Protection Act 2018 by the Data (Use and Access) Act 2025, direct the ICO to prepare a code of practice giving guidance on good practice in the processing of personal data in relation to developing and using artificial intelligence, and to automated decision-making.
The code must include specific guidance on the processing of children's personal data.
For the purposes of the Regulations, automated decision-making is defined by reference to the new Article 22C(1) of the UK GDPR and section 50C(1) of the Data Protection Act 2018, both of which were inserted by the Data (Use and Access) Act 2025.
The Regulations also modify the panel requirements under section 124B of the 2018 Act, which governs the independent panel that must be established to consider the code. The modification provides that the panel must not consider or report on any aspect of the code relating to national security.
The Regulations follow new powers granted under the Data (Use and Access) Act 2025, which amended the Data Protection Act 2018 by inserting section 124A, giving the Secretary of State authority to instruct the ICO to prepare codes of practice on any relevant topic.
The move comes as the ICO has been stepping up its work on AI and automated decision-making across several fronts. The ICO has set out plans to develop a statutory code of practice on AI and automated decision-making that will provide clear and practical guidance on transparency and explainability, bias and discrimination, and rights and redress, so that organisations have certainty on how to deploy AI in ways that uphold people's rights and build public confidence.
The ICO is also currently consulting on draft non-statutory guidance on automated decision-making, with responses due by 29 May 2026. Consultation responses are expected to ultimately feed into the draft code of practice, though it is unclear whether updated guidance will appear in the meantime ahead of the statutory code.
The code, once produced, will be of direct relevance to public sector organisations across a wide range of functions. Public bodies routinely use algorithmic and automated tools in areas including benefit assessments, planning decision support, social care triage, housing allocations and recruitment, all of which may engage the automated decision-making rules under the UK GDPR.
The ICO has emphasised that human involvement in automated decisions must be active and not tokenistic, and that the person involved must be "suitably trained and qualified to understand the system's logic, outputs, limitations, and risks." Ad hoc spot checking is not sufficient, and human involvement must come before the decision is applied to a person.
No timeline has yet been set for publication of a draft code. The ICO's ongoing consultation on automated decision-making guidance closes on 29 May 2026. The Regulations themselves do not specify a deadline by which the code must be prepared.
