UK ICO's AI Decision Guidance Targets Hiring | TLY

AI Regulation Tracker  /  Regulator guidance

UK ICO draft guidance: AI hiring tools are automated decisions, and rubber-stamp review will not save you

The Information Commissioner's Office has drafted new guidance on automated decision-making and profiling under the Data (Use and Access) Act, and it names recruitment as an enforcement priority. Employers running AI CV screening are squarely in scope.

UK ICO draft guidance: AI hiring tools are automated decisions, and rubber-stamp review will not save you regulation briefing
The Leveraged Years AI Regulation Tracker

The UK's data regulator has put employers using artificial intelligence in hiring on notice. On March 31, 2026, the Information Commissioner's Office opened a consultation on draft guidance covering automated decision-making and profiling, and paired it with a separate report on how automated decision-making is used in recruitment. The consultation closed on May 29, 2026, and the ICO expects to publish final guidance in the summer of 2026.

The guidance matters because the legal ground has shifted. The Data (Use and Access) Act 2025 rewrote the UK GDPR's treatment of solely automated decisions. The old near-total prohibition on significant automated decisions has been replaced by a permissive, safeguard-led regime, with the tightest restrictions now reserved mainly for decisions that rely on special-category data. The draft ICO guidance is the regulator's attempt to tell organisations what those new safeguards look like in practice, and it replaces the ICO's previous approach.

Recruitment is the test case

The ICO did not choose recruitment at random. Its accompanying recruitment report draws on voluntary engagement with more than 30 employers between March 2025 and January 2026, alongside public-perceptions research and the regulator's earlier audits of AI recruitment vendors. According to Covington's Inside Privacy analysis of the package, a recurring finding is that many employers do not realise that their AI CV-screening and candidate-ranking tools amount to automated decision-making at all. That gap in awareness is the problem the ICO is trying to close before enforcement, not after.

The practical message is direct. If a tool scores, filters, or ranks candidates and shapes who advances, employers should assume it is automated decision-making and processing that carries obligations. The ICO's report points to the basics that follow: a valid lawful basis for the processing, and a complete data protection impact assessment where one is required, which the regulator indicates is likely when automated decision-making is used in recruitment.

It is worth being precise about who carries the risk. Where an employer buys an off-the-shelf screening or ranking product, the buyer is generally the controller and cannot outsource its obligations to the vendor. The employer, not the software company, has to establish the lawful basis, run the impact assessment, and stand behind the safeguards. That makes procurement a compliance decision as much as a purchasing one, and it puts DPOs and technical leads in the room before a tool is bought rather than after a complaint arrives.

Rubber-stamp review will not count

The most quotable warning in the draft concerns human oversight. Organisations have long leaned on the idea that a human "in the loop" converts an automated decision into a human one and sidesteps the stricter rules. The ICO signals that this does not work if the human involvement is nominal. A reviewer who simply approves whatever the system outputs, without the authority, information, or time to reach a different conclusion, is not providing meaningful human involvement. The distinction turns on whether a person can and realistically would overturn the machine, not on whether a name appears at the end of the process. In a high-volume hiring funnel, where a recruiter may glance at thousands of algorithmically ranked profiles, that standard is demanding. It asks employers to show the reviewer had the case-specific information, the competence, and the time to disagree, and that disagreement was a live possibility rather than a formality.

What it does not do

This is guidance, not a new statute, and at this stage it is still in draft. It does not itself create fresh legal duties beyond what the Data (Use and Access) Act and the UK GDPR already impose, and the wording could change before the final version lands. It does not ban AI in hiring, and it does not require employers to abandon automated screening. What it does is set out how the regulator will read the existing law, which is a strong signal of where audits and enforcement attention will fall. Employers should treat a clearly telegraphed ICO priority as close to an operating requirement.

For US firms, the relevance is concrete. Any company recruiting for UK roles or processing UK applicants' data is within the ICO's reach, regardless of where the employer sits. The direction also rhymes with the US trajectory. New York City's Local Law 144 already requires bias audits and candidate notice for automated employment decision tools, and the ICO's focus on lawful basis, impact assessments, and genuine human review points the same way. A single defensible standard for AI hiring, documented, assessed, and subject to real human override, travels well across both markets.

Frequently Asked Questions

What changed with the ICO's automated decision-making guidance?

The ICO consulted on draft guidance, open from March 31 to May 29, 2026, explaining how the Data (Use and Access) Act 2025's new safeguard-led rules for automated decision-making and profiling apply. Final guidance is expected in summer 2026, and it will replace the ICO's earlier approach.

Who does this affect?

Employers, recruiters, and HR teams using AI to screen or rank candidates, plus the DPOs and technical leads who approve those tools and the vendors that supply them. The ICO flagged recruitment as a priority area.

Do AI CV-screening tools really count as automated decision-making?

The ICO's recruitment report indicates many employers do not realise they do, but tools that score, filter, or rank applicants generally fall within scope. Employers should assume they do and put safeguards, a lawful basis, and a data protection impact assessment in place.

Is a human reviewer enough to avoid the rules?

Only if the review is genuine. The ICO warns that rubber-stamp approval is not meaningful human involvement. The reviewer needs the authority, information, and ability to reach and act on a different decision from the one the system produced.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.