Start free trial of Lex HR →

UK opens call on personal vs non‑personal data for AI

DSIT has launched a call for evidence on how personal and non‑personal data rules should apply to AI and data‑intensive tech, affecting HR and people‑analytics use of workforce data.

16 July 2026

The Department for Science, Innovation and Technology has opened a call for evidence on how regulation should treat personal and non‑personal data in the context of AI and other data‑intensive technologies.

Published on 15 July 2026, the consultation asks for practical examples and options for guidance or reform that would clarify whether — and how — existing rules ought to apply to different categories of data used to develop, train and operate models. The department set a submissions deadline of 9 September 2026 and published a companion privacy notice explaining how responses will be processed.

DSIT framed the exercise as an attempt to reduce uncertainty about legal status when data are combined, transformed or used for model training. The call explicitly invites evidence from organisations and researchers that routinely handle workforce datasets, saying it will consider whether current frameworks for personal data, anonymisation and data sharing remain fit for purpose as analytic techniques and generative models become more widespread.

For employers and HR teams the stakes are practical. People‑analytics, recruitment platforms and internal training models frequently rely on large pools of employee information that are sometimes pseudonymised, aggregated or otherwise treated as non‑personal. Clarification on what regulators consider sufficiently de‑identified — and on when re‑identification risk makes data subject to UK GDPR — would directly affect how HR departments share data with vendors, train models on workforce records and conduct cross‑border transfers.

The call sits alongside the government’s broader push to streamline data flows for innovation while retaining privacy safeguards. In recent years the United Kingdom has leaned on the Data Protection Act 2018 and retained EU‑derived UK GDPR principles; ministers and regulators have also signalled interest in guidance that recognises technical realities of machine learning without eroding individuals’ rights. DSIT’s consultation acknowledges those tensions and seeks examples where the line between personal and non‑personal data is ambiguous in practice.

Legal and compliance teams contacted by HR leaders are likely to treat the consultation as a prompt to review vendor contracts, data‑sharing agreements and model training pipelines. If DSIT opts to recommend statutory change or prescriptive guidance, organisations could face new documentation, audit or governance requirements for datasets used to build or fine‑tune models. Conversely, non‑binding guidance would still carry weight for auditors and regulators assessing lawful bases for processing.

What the department has not set out is any draft text for immediate amendment to the Data Protection Act or UK GDPR, nor has it indicated a preferred policy outcome. The call asks for options and evidence rather than proposing specific legislative changes, and it does not commit to timelines or enforcement approaches should new rules or guidance follow. The consultation also does not detail how conflicts between innovation objectives and individual rights will be adjudicated in practice, leaving open questions about impact assessments, independent auditing and acceptable thresholds for de‑identification.

The next two months will test how many employers and people‑analytics vendors step forward with concrete case studies that expose regulatory friction points. For HR leaders the exercise is more than academic: it is an opportunity to shape whether workforce data used to power recruitment, retention and internal mobility tools will be treated as personal data requiring strict safeguards, or as non‑personal inputs that can circulate more freely for model development. DSIT’s conclusions, expected after the consultation period, could recalibrate how organisations govern the data that increasingly drives decisions about people at work.

Sources
  1. Data regulation in the age of AI and other data-intensive technologies: call for evidence
  2. Data flows you can trust privacy notice