YUFAN & CO.

ICO issues new guidance for employers using AI to screen CVs

Yufan Zheng
Founder · ex-ByteDance · MSc Peking University

On 31 March, the Information Commissioner's Office (ICO) published new guidance targeting employers who use AI to screen CVs and score job applicants. The updated rules under the Data (Use and Access) Act 2025 make it easier to deploy automated hiring tools, but only if you stop treating human oversight as a box-ticking exercise. The regulator engaged with more than 30 employers and found that many are unlawfully rubber-stamping AI rejections without realising they are breaking the law.

ICO issues new hiring-AI guidance

The ICO's latest report clarifies how the Data (Use and Access) Act 2025 changes the rules for automated decision-making in recruitment. Previously, the UK GDPR heavily restricted solely automated decisions that had a significant impact on individuals. The new Act, which saw key provisions come into force in February, removes this general ban for standard personal data. This allows businesses to use AI for CV screening under broader legal bases like legitimate interests.

But there is a trap. The ICO found that many employers believe their AI tools are just "supporting" decisions because a human clicks the final reject button. The regulator states that unless the human has the authority, time, and competence to actively challenge the AI's score, it counts as a solely automated decision. Simply rubber-stamping an algorithmic recommendation does not meet the legal standard for human involvement. If your process is deemed solely automated, you must apply strict new safeguards, including explicit transparency and a formal mechanism for candidates to contest their rejection.

Why your ATS setup is suddenly a liability

The danger here is that most UK SMEs are running automated decision-making without realising it. If you buy an off-the-shelf Applicant Tracking System that auto-ranks candidates, and your hiring manager simply glances at the bottom tier and hits "reject all", you are legally making solely automated decisions.

The ICO is explicitly hunting for this exact behaviour. I think this is where most mid-sized businesses will get caught out. They assume the software vendor handles the compliance, but the liability for how the tool is used in practice sits entirely with the employer. You cannot outsource your data protection duties to your software provider.

Under the new rules, you face a binary choice. Either you force your staff to genuinely review every AI recommendation, which defeats the efficiency purpose of buying the software in the first place, or you formally declare that you use automated decision-making and build a compliant process for candidates to appeal their automated rejections. Hiding behind a vague privacy policy while letting an algorithm quietly filter your inbox is no longer a viable option.

Three things to check

  1. Audit your screening workflow. Look at how your hiring managers actually use your recruitment software. If they are bulk-rejecting candidates based purely on an AI-generated match score without reviewing the underlying CVs, you are conducting automated decision-making.
  2. Update your privacy notices. A generic line about "using technology to assist recruitment" isn't enough anymore. You must explicitly state if automated decisions are made, explain the logic behind the system, and outline the likely impact on the candidate.
  3. Build an appeal mechanism. If you choose to rely on solely automated screening to handle high application volumes, you must set up a clear, documented process. Candidates need a straightforward way to contest the AI's decision and request a manual review by a human with the authority to overturn it.
