On 12 May, a short piece of secondary legislation comes into force that attracted almost no attention when it was laid before Parliament.
SI 2026/425 does not itself regulate AI. What it does is require the Information Commissioner’s Office (ICO) to prepare a statutory code of practice on AI and automated decision-making under the Data Protection Act (DPA) 2018, covering both AI development and use, with a mandatory children’s data component.
The SI is, in effect, a commission. The ICO must now write the most consequential AI governance document the UK has produced. What it chooses to say – and how enforceable it makes it – will shape how organisations across the public and private sectors build, buy, and deploy AI systems for decisions that matter.
What the SI does – and does not do
SI 2026/425 does not itself impose new obligations on organisations using AI. It requires the ICO to prepare a code. Once finalised, that code will carry statutory weight under the DPA 2018: courts and the ICO must take it into account in any enforcement or legal proceeding. Departure from it will require justification.
The scope is broad: AI development and use, automated decision-making as defined under the amended UK GDPR, and – explicitly – children’s personal data. One notable carve-out: the review panel constituted under section 124B is prohibited from considering or reporting on any aspect of the code relating to national security.
The ICO already has substantial non-statutory AI guidance – its advisory resources on AI and data protection, the AI and automated decision-making (ADM) and profiling guidance, the AI and data protection risk toolkit, the biometrics strategy. The new code consolidates and formalises that work. The difference is not just procedural: statutory weight is what gave the ICO’s Children’s Code its teeth. The same logic applies here.
Why the timing matters
Three things have converged to make this code more consequential than it might otherwise have been.
The first is the Data (Use and Access) Act 2025. The DUAA amended Article 22 of the UK GDPR – the automated decision-making regime – removing the general prohibition on solely automated decisions with significant effects and replacing it with a conditions-based approach. That reform created real legal uncertainty about where the new lines sit. The code is now the primary instrument for resolving it in practice.
The second is the ICO’s own recent work. On 31 March 2026, the ICO published a report and draft guidance on automated decision-making in recruitment, drawing on evidence from over 30 employers. The central finding: most employers did not recognise that they were making solely automated decisions. Many assumed a person nominally sitting in the process was enough. The ICO’s position is that it is not. Human involvement must be meaningful – the reviewer must have the authority, discretion, and relevant information to change the outcome, not just endorse it. Where that standard is not met, the process is treated as solely automated regardless of appearances.
The third is the absence of horizontal AI legislation. The UK government has deliberately avoided a domestic AI Act, opting instead for a regulator-led, principles-based framework in which existing sector regulators – the ICO, Ofcom, the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA) – apply AI principles within their own statutory remits. With no UK AI statute expected before 2027 at the earliest, the ICO’s code is filling the governance gap left by that decision. For AI-driven decisions in recruitment, welfare, credit, and public services, this code may be the closest thing to binding AI governance rules the UK produces in the near term.
The children’s data obligation
The SI’s mandatory inclusion of guidance on children’s personal data is the most structurally significant component, and the one most likely to be underestimated.
The ICO’s Age Appropriate Design Code – the Children’s Code – was the first instrument of its kind globally. It reshaped how platforms design services for under-18s in ways that rippled well beyond the UK: Australia, Canada, and Ireland all cited it in developing their own children’s digital frameworks. The new AI and ADM code, particularly its children’s provisions, is likely to follow a similar path.
AI systems used in school admissions, attendance monitoring, and assessment sit within its scope. So do algorithmic content recommendation and the profiling of minors. AI used in child welfare decisions and social services referrals sits within it as well. Age-assurance systems themselves – which use automated inference to determine whether a user is a child – raise questions the code will need to address.
For TMR’s readers in Australia and New Zealand, the timing is relevant. Australia’s Privacy Act introduces mandatory transparency obligations for automated decision-making from 10 December 2026. The ICO’s code, though it will not be finalised by then, will be in active development and consultation. Regulators who engage with it early have sight of what a best-practice statutory standard looks like before their own frameworks mature.
The hard questions the code will need to answer
The ICO is not starting from scratch. Its years of non-statutory guidance give it a credible foundation. But statutory weight demands answering questions that advisory documents can defer. There are four that stand out.
Meaningful human involvement. The DUAA reform turns on whether a human is “meaningfully” involved in a decision. The recruitment report found that a rubber-stamp review does not meet that standard. A human must have genuine authority to change the outcome, access to the relevant information, and sufficient time to exercise judgement. Translating this into a workable standard across high-volume contexts – recruitment, welfare assessments, lending decisions – is the code’s most contested challenge. The ICO has signalled the bar is high; the code will need to make it precise.
Explainability. Article 22C safeguards include the right to an explanation of decisions made by automated means. But many AI systems cannot produce explanations that hold up to scrutiny – as Ofqual’s exam-marking ruling illustrated, the inability to explain a significant decision is not a technicality but a governance failure. The code needs to set a floor for what counts as a sufficient explanation. Without one, the right exists on paper but is largely unenforceable.
Bias and fairness monitoring. The ICO’s existing guidance addresses fairness; the code needs clearer expectations around bias testing across the model lifecycle, ongoing monitoring, and accountability for discriminatory outcomes – including where the AI system is procured from a third party rather than built in-house. The recruitment report found that many DPIAs lacked the detail and specificity needed to comply. That is a systemic gap, not an outlier.
Public sector AI. The ICO’s 2025–26 plan of action names central government ADM as a priority. The Department for Work and Pensions (DWP) uses algorithmic tools to inform significant decisions about benefits and compliance. The code will set governance standards for public sector AI in practice, even though the government has been careful not to impose them by direct legislation. That is a significant exercise of regulatory authority through a soft vehicle – and one worth watching.
What the ICO gets right, and where the risks are
The ICO’s decision to develop sector-specific guidance – recruitment first, then broader application – is a pragmatic response to an almost impossibly wide remit. It concentrates development resources on the area where its own evidence base is strongest and enforcement risk is most immediate.
The statutory backing matters for a second reason beyond enforceability. The Children’s Code’s influence outside the UK derived partly from its content, but also from the fact that it was law. Other jurisdictions could point to it as a functioning model, not just a set of aspirations. The AI and ADM code will carry similar credibility.
Two risks stand out. The first is interpretive dilution. The government’s “pro-innovation, sector-led” posture creates pressure to keep obligations light, particularly on firms using AI at scale. The ICO will face tension between writing a code that is genuinely protective and one that industry finds commercially workable. How it handles that tension will define the code’s practical value.
The second is timing. The code is not yet drafted. Until it is finalised, organisations face a period in which statutory obligations – the Article 22C conditions, the DUAA safeguards – are live, but the authoritative guidance on how to meet them is still being written. For organisations trying to build compliant AI systems now, that is a real gap.
The wider signal
The ICO’s new code sits at the intersection of three problems regulators in every jurisdiction are working through simultaneously: how to govern AI without dedicated AI legislation; how to protect children in algorithmic systems; and how to make explainability a real requirement rather than a paper right.
Outside the UK, the practical implication is straightforward. What the ICO writes into a statutory code will become a reference point – for Australian regulators developing ADM obligations under the Privacy Act, for New Zealand’s Privacy Commissioner, and for Canadian counterparts navigating fragmented AI governance. The UK is, again, writing a code that others will read carefully even when they are not bound by it.
SI 2026/425 comes into force on 12 May 2026. The ICO has not yet announced a timeline for the code’s consultation or publication.