u/Existing_Scallion_66

Most people missed this. On 12 May, UKSI 2026/425 came into force. No ministerial press release, no fanfare. It's a short statutory instrument, but what it does is significant: it places a legal duty on the Information Commissioner to write the UK's first statutory code of practice on AI and automated decision-making.

This is not a voluntary guidance document. Once finalised, it will carry the same legal weight as the Children's Code.

Courts must take it into account. The ICO must have regard to it in enforcement decisions.

The ICO's draft ADM guidance (the precursor to the formal code) is currently open for consultation. That closes at 23:59 on 29 May 2026.

Who is affected?

If your organisation uses AI to do any of the following, you're likely in scope:

• CV screening or recruitment shortlisting
• Credit or insurance decisions
• Fraud detection
• Employee performance monitoring
• Customer segmentation or pricing

The headline change: The Data (Use and Access) Act 2025 reforms reframe the rules from a prohibition with narrow exceptions to a right of challenge with safeguards. That's broadly a liberalisation, but the conditions are where it gets complicated.

The bit that will catch organisations out: Human involvement must be active and genuine. The draft guidance is explicit that a "token gesture" review does not take a decision outside the ADM rules. If a manager clicks approve after a few seconds, that's not meaningful human involvement. The ICO is aware this pattern is widespread.

Practical actions before 29 May:

1. Read the ICO's draft ADM guidance
2. Map your AI use cases against the "meaningful human involvement" test honestly
3. Review your DPIAs for ADM systems
4. Respond to the consultation if you operate in recruitment, financial services, or process children's data

Full breakdown here: https://www.theprofessor.info/insights/ico-ai-code-of-practice-uksi-2026

Happy to answer questions in the comments.