UK Parliament Mandates ICO Code of Practice on AI and Automated Decision-Making
- LexHummingbird
The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (SI 2026/425) were laid before Parliament on 21 April 2026. The Regulations were made by the Secretary of State on 16 April 2026 and come into force on 12 May 2026. SI 2026/425 is a final instrument, not a consultation draft, and has cleared all parliamentary stages.
The controlling authority is section 124A(1) and (2) of the Data Protection Act 2018, as inserted by the Data (Use and Access) Act 2025. Section 124A requires the Information Commissioner's Office (ICO) to prepare and publish a statutory Code of Practice covering the use of artificial intelligence and automated decision-making systems where personal data are processed. Section 124B(11) provides supplementary powers to make procedural regulations. SI 2026/425 requires the ICO to prepare a Code covering: processing of personal data by AI systems; automated decision-making within the meaning of Article 22 UK GDPR; and the integration of AI outputs into decisions that materially affect data subjects.
Controllers and processors operating AI systems that process personal data subject to UK GDPR will need to align their practices with the Code once the ICO publishes it. The Code will be a statutory code carrying significant evidential weight: a departure from its provisions is a factor the ICO may weigh in enforcement proceedings, including in setting monetary penalties under section 155 of the Data Protection Act 2018. Organisations building or deploying AI tools in recruitment, credit scoring, insurance pricing, content moderation, healthcare triage, and public-sector service delivery face the highest exposure given the volume of automated decisions affecting data subjects in those domains.
SI 2026/425 does not itself set the content of the Code. The ICO must now draft and consult on the Code under section 124B of the DPA 2018, which requires it to consult the Secretary of State, the Human Rights Commission, and others before finalising. No commencement date for the Code itself has been set. Organisations should monitor ICO publications and consider submitting responses to the forthcoming Code consultation to influence requirements that will govern their AI practices.
Prokopiev Law Group advises on AI regulatory compliance, data protection law, and automated decision-making governance; our dedicated partner network includes data protection specialists and AI legal advisers across the UK and EU. We are available to advise controllers, processors, AI developers, and public authorities on adapting their AI systems and decision-making processes to the forthcoming Code and the broader UK AI regulatory environment. Our work includes: AI regulatory analysis, UK GDPR compliance, automated decision-making assessments, data protection impact assessments, ICO enforcement defence, AI governance frameworks, DPA 2018 compliance.
Source: The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026, SI 2026/425, legislation.gov.uk, https://www.legislation.gov.uk/uksi/2026/425/made. Confirmed 28 April 2026.
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.