A dashboard decision at 8.30am
It is Monday morning. An HR manager opens a recruitment dashboard. Overnight, the system has ranked 1,200 applications, rejected hundreds below a score threshold and pushed a shortlist to the top of the screen.
At the same time, a workforce analytics tool has flagged two remote employees as “low productivity” because their active screen time dipped last week. No manager has yet spoken to either employee. No candidate knows why they were filtered out. The software looks neat, efficient and objective.
That is exactly why this issue matters. When AI is used to sift, score, rank, flag or recommend, the legal risk does not sit with the software vendor. It sits with the employer using it.
In 2026, the question for UK employers is no longer whether AI can be used in recruitment or workforce management. It plainly can. The real question is whether it is being used lawfully, transparently and fairly.
The legal answer in 2026
The short answer is yes: UK employers can use AI to shortlist candidates and to monitor staff. But they cannot treat AI as a legal shortcut.
As the CIPD notes, there is no single statute governing AI at work; employers are dealing with a patchwork of employment law, discrimination law, data protection law and regulatory guidance.
The fact that this area is now the subject of a live inquiry by the Business and Trade Committee into artificial intelligence, business and the future of the workforce shows how important and fast-moving it has become.
The biggest legal shift came with the Data (Use and Access) Act 2025. That Act replaced the old Article 22 UK GDPR regime with new Articles 22A to 22D.
In practical terms, the old broad prohibition on significant decisions made solely by automated processing has been relaxed for decisions based on non-special-category personal data.
But that does not mean employers can simply automate high-impact decisions and move on. Mandatory safeguards remain, including informing people about significant decisions, enabling them to make representations, challenge the outcome and obtain human intervention.
Tighter restrictions remain where special category data is involved, and this matters because recruitment decisions often are significant decisions.
The Information Commissioner’s Office has made clear that a decision is based solely on automated processing where there is no meaningful human involvement, and its January 2026 training materials expressly give e-recruiting practices without human intervention as an example of a similarly significant effect.
They also give a recruitment example where a company decides who to interview based entirely on results from an online aptitude test; if no special category data is used, the tighter restriction may not apply, but the Article 22C safeguards still do.
Using AI to shortlist candidates
Where employers get into difficulty is not usually because AI exists in the process. It is because they misclassify what the AI is doing. Many employers tell themselves the system is merely “decision support”.
The ICO’s 2026 recruitment report found that most employers thought meaningful human involvement was present, yet in practice many were likely relying on solely automated decisions.
The legal distinction is simple: a human reviewer must have real authority, competence and discretion to alter the outcome before it is applied. A token click-through or dashboard glance is not enough.
The ICO’s example is particularly instructive. If a manager prioritises “green” candidates, only glances at “red” candidates and rejects them on that basis, that is “rubber-stamping” and falls within solely automated decision-making.
The same report says employers must either build meaningful human involvement into each decision about each candidate or apply the relevant automated decision-making safeguards. In other words, you do not avoid legal risk just because a human pressed the final button.
Transparency is the next major issue. If AI is used in hiring, candidates need more than a vague sentence saying the employer uses “automated tools” or “innovative technology”.
The ICO says privacy information must provide meaningful information about the logic involved and the envisaged consequences of the processing.
Employers should be able to explain what tools are used, how they process personal data, whether they support or make decisions, and what routes exist to request human intervention or contest a result. Rejection emails that do not explain those rights are not enough.
Lawful basis also matters. The ICO found that employers often muddled up Article 6 lawful basis with the separate automated decision-making analysis.
Its 2026 view is that legitimate interests is likely to be the most appropriate lawful basis in many recruitment contexts, especially where employers are processing large numbers of applications.
By contrast, consent is often weak in recruitment because applicants may feel they have no real choice: refusing consent may feel like refusing to participate. That means consent may not be “freely given” and therefore may not be valid.
Fairness is not satisfied by simply buying a product marketed as “bias-free”. The ICO’s report highlights better practice where employers asked developers about bias testing during procurement, ran trials and used ongoing monitoring dashboards and monthly reviews.
The regulator also stresses that employers should monitor outcomes for bias and discrimination rather than assume the vendor has solved the issue.
This fits closely with 2025 guidance from the Equality and Human Rights Commission, which warns organisations to look carefully at whether AI tools collect data on protected characteristics directly or via proxy, whether there are evidence gaps, and whether monitoring and review are robust enough to detect unlawful adverse effects.
A proper DPIA is therefore not a tick-box exercise. The ICO’s recruitment findings show examples of employers recording “very high” residual risks in a DPIA yet failing to implement mitigation or consult the regulator.
That is not compliant. For high-impact recruitment automation, employers should expect to complete a serious assessment of purpose, necessity, proportionality, bias risk, data flows, safeguards and alternatives before the tool goes live.
Using AI to monitor staff
The same broad principle applies inside employment: yes, employers can monitor staff, but not secretly, excessively or without a lawful framework. The ICO’s 2025 guidance for smaller organisations is blunt.
Monitoring staff can be intrusive; it must be justified, supported by a lawful basis, and it must be necessary and proportionate in the circumstances. Employers also need to consider whether the monitoring could intrude into workers’ personal lives.
That goes well beyond CCTV. AI-enabled monitoring can include productivity dashboards, keystroke and activity tracking, ID and access logs, sentiment analysis on calls and emails, location tracking, fatigue monitoring, wearables and alertness tools.
The ICO’s employment guidance specifically notes that health tracking technologies and wearables may involve automated decision-making or AI, and says employers should first ask whether there is a less privacy-intrusive way of achieving the aim.
It also says a DPIA should be carried out before starting the processing.
Once health, fatigue or alertness data enters the picture, the stakes rise further. That type of information may amount to special category data, which means the tighter automated decision-making restrictions remain relevant under the post-DUAA framework.
The ICO’s January 2026 training note confirms that while DUAA broadened the situations in which solely automated significant decisions can be made, it kept the restrictions on the use of special category personal information in automated decision-making.
Recent international evidence helps show the scale of what employers are starting to do.
A 2025 OECD employer survey covering more than 6,000 managers found that, across the European countries surveyed, 67% of firms used algorithmic management software to automate at least one worker-monitoring task, while 35% used evaluation tools.
The report explicitly warns that monitoring tools may be more likely to collect personal data and that evaluation tools may affect consequential outcomes such as promotion or dismissal recommendations.
It also found that 60% of European managers using these tools reported observing at least one risk, including bias, lack of explainability, unclear accountability or inadequate protection of workers’ health.
The same OECD report raises another point that UK employers should not ignore. Among managers who said the software used workers’ data, 65% said workers could not opt out of collection, while 22% said workers could not access the data and 30% said they could not request corrections.
In an employment setting, that is the kind of information gap that can turn a technology rollout into a grievance, a union issue, an ICO complaint or a wider trust problem.
From an employment law perspective, AI monitoring often becomes risky not at the point of collection, but at the point of use. If monitoring data is later used to drive targets, capability processes, disciplinary allegations or dismissal decisions, the employer still needs a fair and defensible process.
The software does not remove the obligation to investigate context, accuracy and individual circumstances.
That is why Acas advises employers to develop clear AI policies, consult employees and representatives on introduction, recognise that AI is not perfect, and check outputs for accuracy and bias.
Acas also warns that if certain roles are expected to begin using AI, that may amount to a change in terms and conditions.
What the evidence says about benefits and risks
The evidence in 2025 and 2026 is not one-sided. AI is not legally toxic. Nor is it automatically fair.
On the positive side, adoption is growing because employers and employees are seeing real efficiency gains. The Institute of Student Employers reported in 2025 that 62% of employers expect to use AI in recruitment within five years and 70% expect increased automation.
In the wider workforce, PwC found that 52% of UK workers had used AI in their jobs over the previous 12 months, with workers more excited than anxious overall. The same survey found AI users reporting higher productivity, better quality and more creativity.
Meanwhile, the CIPD Good Work Index 2025 found that only 16% of workers had tasks automated by AI, but 85% of those people said the change improved performance, and those workers also reported higher job satisfaction and better mental-health outcomes.
A 2025 empirical study in the Journal of Business Research similarly found that AI adoption did not directly harm wellbeing; instead, its effects were mediated through task optimisation and safety.
At the same time, confidence, literacy and trust remain uneven.
The Department for Science, Innovation and Technology reported in 2026 that 56% of employers using or planning to use AI still rated business-wide AI knowledge as “beginner” or “novice”, and 61% of all employers had no staff currently working with AI.
Its wider research also found that only 21% of people in work felt confident using AI in the workplace. That matters because legal compliance often fails not because employers intend to cut corners, but because they do not fully understand the technology they are deploying or buying.
Public and worker attitudes also show why transparency matters. The ICO says 64% of people believe employers will rely too heavily on AI in recruitment, while 61% worry it will perform worse than a human decision-maker when assessing individual circumstances.
Acas found in 2025 that 26% of workers were most worried about AI causing job losses, 17% feared errors and 15% cited lack of regulation.
Government public dialogue research published in 2026 found that people could see the efficiency benefits of AI in hiring, but remained concerned about biased systems, unsuitable hires and opaque processes.
Participants repeatedly said they were more comfortable with AI supporting early sorting than replacing human judgement altogether.
Perhaps the most important lesson is that “human in the loop” is not a magic phrase. A 2025 study involving 528 participants found that when people made hiring decisions alone, or with unbiased AI, White and non-White candidates were selected equally.
But when the AI favoured a particular group, participants followed that bias and selected the favoured candidates up to 90% of the time. In other words, badly designed human oversight can simply legitimise automated bias rather than correct it.
But the picture is still more nuanced than “AI bad, humans good”. Emerging 2026 research on human-augmented recruiting found that human-only candidate lists were fairer on gender than AI-only outputs, but that some hybrid workflows produced the fairest results overall.
That is a useful corrective for employers: the issue is not whether AI is present; it is how it is configured, audited and challenged.
What good governance looks like in practice
The safest starting point for employers is to stop thinking about AI as a single project. It is better understood as a series of separate use cases, each with its own legal profile.
A chatbot answering candidate questions is not the same as a behavioural assessment that decides who gets interviewed.
A dashboard showing workload trends is not the same as a system that scores “productivity” and feeds into formal warnings. Each use case needs its own purpose, lawful basis, data map, risk assessment and governance trail.
In recruitment, employers should decide early whether they genuinely want a human-led decision supported by technology, or whether they are prepared to operate a significant automated decision with full safeguards.
Sitting ambiguously between the two is where many employers now seem to be exposed.
If the system is meant to support a human decision, then every candidate affected by that decision needs real review, not just the candidates the algorithm prefers.
If the system is making the decision, candidates must be told, the logic must be meaningfully explained, a route to challenge must exist, and human intervention must be real and accessible.
In monitoring, employers should strip the process back to first principles. What, exactly, is the business problem? Is it cyber security, health and safety, fraud prevention, client confidentiality, regulatory compliance, or genuine concern about workload or productivity?
Could the objective be achieved in a less intrusive way? Is the tool monitoring outputs, or just activity theatre? If disability, neurodivergence, pregnancy, caring responsibilities, field-based duties or flexible working patterns could affect the data, have those realities been built into the model and the policy?
Those are not just technical questions. They are the questions that decide whether a monitoring system is proportionate and whether it drives reasonable management or unfair treatment.
Good governance also means better procurement. Employers should want more from vendors than glossy claims about neutrality or efficiency.
They should ask what data the model was trained on, what bias testing has been done, whether the employer can audit outcomes, how explanations are generated, whether the system uses proxies for protected characteristics, and what happens when the tool is wrong.
If the employer cannot get a straight answer, that is itself useful information. The legal risk does not disappear because the software was bought from a well-known provider.
Finally, governance has to be visible. Policies, privacy notices, appeals routes, LIA paperwork, DPIAs, consultation records, training and review logs should all exist before conflict arises.
That is especially important now that UK regulators and policymakers are openly focusing on AI and workforce issues. Employers who wait until the first complaint, DSAR, grievance or tribunal claim are already on the back foot.
From a trainee solicitor’s perspective…
My view is that AI can lawfully support shortlisting in the UK, but only where employers build in transparency, fairness and real human oversight.
The current framework permits significant decisions driven by automation in some recruitment contexts, but requires safeguards that inform candidates about the decision, explain the logic in meaningful terms, and provide routes to challenge and obtain human intervention.
Meaningful human involvement means a reviewer with real authority and discretion who actually engages with each decision, not a token click-through or rubber-stamping of the system’s rankings.
Fairness demands more than buying a “bias-free” tool: employers should test for bias during procurement and monitor outcomes on an ongoing basis, rather than assuming the vendor has eliminated discrimination risk.
Equally, privacy information must go beyond vague references to “automated tools” and clearly explain what is used, how it affects candidates, and how they can seek human review or contest results.
Even with strong safeguards and thoughtful configuration, there remains a line that AI cannot cross: the human touch.
Empathy, intuition and contextual understanding are what allow experienced recruiters and managers to read between the lines, weigh imperfect information and engage with people as individuals.
These qualities are essential when making nuanced decisions about potential, culture fit, reasonable adjustments and lived experience, and they cannot be replicated by an algorithm.
AI can surface patterns and prompt better questions; only people can listen, probe, reconcile competing signals and take responsibility for outcomes. That is why a genuinely fair process does not end with a score or a flag.
It ends with a human conversation and a reasoned judgement that reflects both the evidence and the person behind it.
The Magara Law perspective
The legal position in 2026 is not that employers must avoid AI. It is that they must stop treating AI as if it were legally self-managing.
Used well, AI can speed up recruitment, support better decision-making and reduce administrative burden.
Used badly, it can hard-code bias, flatten individual circumstances, create opaque surveillance cultures and contaminate disciplinary or capability processes with data nobody can properly explain.
The most common mistake is not adopting the technology. It is assuming the technology is compliant because it is popular, or assuming that a manager clicking “approve” turns an automated process into a human one. The law is moving towards guardrails, evidence and accountability, not blind prohibition.
If your organisation is introducing AI into recruitment, shortlisting, employee monitoring, performance management, investigations or disciplinary procedures, this is exactly the stage at which you should get legal advice.
Equally, if you are an employee or job applicant who believes an AI-driven process has unfairly affected your application, your treatment at work or the way evidence has been gathered against you, it is important to challenge that position early and strategically.
Magara Law advises both employers and employees on complex workplace issues at the point where employment law, data protection and discrimination risk meet.
If you need help reviewing policies, notices, consultation plans, monitoring practices, vendor-facing documents, grievance positions or potential claims connected to AI at work, get in touch with the team.
Call 01869 325 883 or email hello@magaralaw.co.uk to arrange your consultation.
In the meantime, subscribe to our YouTube channel and follow us on social media for all the latest employment law updates and information you need.