The need to recruit faster in a competitive market, the need to minimise costs in the recruitment process, and the need to secure the best candidate quickly make the use of AI an appealing option for any employer, including public bodies. But there are pitfalls for the unwary, write David Leach and Charlotte Smith.

The use of automated recruitment processes is becoming more common for all employers, and new Articles 22A – 22D of the UK GDPR (introduced by the Data (Use and Access) Act 2025) arguably provide more freedom to employers to deploy such technology.
Nonetheless, the ICO announced in March 2026 that the use of automated decision-making in recruitment would be a key regulatory focus of their work. In addition, public bodies face additional legal restrictions and public scrutiny given the nature of their functions.
This article looks at the principal data protection risks and issues for a public body considering the use of automated tools in recruitment (including screening, shortlisting, testing, profiling and decision-support/decision-making).
Data Protection Impact Assessments (DPIAs)
Before procuring tools for automated recruitment processes, employers must consider if a DPIA should be carried out. Under the UK GDPR, a DPIA is required where processing is likely to result in a high risk to individuals, which commonly includes the use of automated evaluation/profiling for employment-related decisions. You will need to engage stakeholders as appropriate and ensure that your data protection officer is involved in the DPIA process.
Identifying the Lawful Basis
A clear, documented lawful basis is always required when processing personal data (Article 6 of the UK GDPR). For public authorities, “legitimate interests” is generally not available when processing in the performance of their tasks but could be a consideration when carrying out recruitment processing as an employer. Consent will rarely be valid for core recruitment processing by a public authority due to power imbalance and the lack of genuine choice.
Where processing includes special category personal data (for example, disability information or health data inferred from assessments), a UK GDPR Article 9 condition must also apply, supported as required by a condition under the Data Protection Act 2018 (DPA 2018) and an appropriate policy document.
Transparency
Lawfulness, fairness and transparency is a principle of the UK GDPR and applies to all employers processing personal data. But public bodies face duties to be transparent in any event by the nature of their function, and therefore transparency is key when deploying automated recruitment processes in the public sector.
Candidates must receive concise, intelligible and accessible privacy information, in the form of a privacy notice, before or at the point of data collection. In addition to obligations under the UK GDPR, public bodies may receive freedom of information requests asking about the authority's use of AI, which could be a general request or in relation to a specific recruitment process.
Human Review
If decisions producing legal or similarly significant effects are based solely on automated processing, specific safeguards apply. Employers should provide a meaningful opportunity for human intervention, allow candidates to express their point of view and to contest decisions, and ensure that any human review is active, informed and authoritative.
Accountability
It is important to demonstrate compliance with data protection law which supports the GDPR principle of accountability. This can be done by ensuring internal processes and documentation are robust.
This will include the use of DPIAs, updating the record of processing activities to capture this new processing activity, carrying out due diligence on suppliers involved in the automated recruitment processing and ensuring data processing agreements with suppliers are compliant with UK GDPR Article 28. For public bodies, you will also need to consider equality impact assessments.
In addition, staff training on fair recruitment and data protection may need to be refreshed to take into account automated processes.
Equality and Fairness Considerations
Recruitment by a public authority must be fair, objective and non-discriminatory. When implementing automated recruitment processes, authorities must consider obligations in equality law by assessing and removing risks of indirect discrimination. This should be a consideration at the point of procuring the relevant system and whenever using automated recruitment processing.
Risks of Non-Compliance
Non-compliance can result in various actions including regulatory action from the ICO (investigation, fines, and enforcement notices), claims by candidates (in data protection and employment law), reputational harm, and operational disruption. A public body may not only face data protection and/or employment law action but could also face broader challenges on the basis of equality law or other principles of public law.
Conclusion
Used well, automated recruitment can help public bodies manage volumes, improve consistency and free up HR teams to focus on candidate experience. But in the public sector, the bar is higher: decisions must be transparent, explainable and demonstrably fair, with robust governance to withstand scrutiny from candidates, auditors and regulators. AI has its place in assisting, but is never a panacea to be used without due consideration.
David Leach is Senior Associate specialising in employment law and Charlotte Smith a Technology and Data specialist at Sharpe Pritchard LLP.

