Automated Decision-Making in Recruitment: What the DUAA Means for UK Agencies (2026 Guide)
The DUAA replaced the UK ban on automated decisions with a permission-plus-safeguards regime from 5 February 2026. What it means for recruitment agencies using AI to screen candidates — and the safeguards you now need.
If your agency uses AI to screen, rank, or shortlist candidates, the rules you operate under changed on 5 February 2026. The Data (Use and Access) Act 2025 (DUAA) replaced Article 22 of the UK GDPR — the old near-ban on automated decisions — with a new framework, Articles 22A to 22D, that permits automated decision-making but only with mandatory safeguards. The practical message for recruitment agencies is simple: automating candidate decisions is now allowed in more cases than before, and watched more closely than before. In March 2026 the ICO wrote to 16 organisations it believed were using automated decision-making on candidates and signalled that enforcement will follow. This guide explains what changed, whether it applies to you, and the safeguards a UK recruitment agency needs in place now.
This guide is general information for UK recruitment agencies, not legal advice. For your specific tools and processes, consult a data protection adviser or solicitor.
What the DUAA changed about automated decisions
The DUAA changed the default rule for automated decisions from "prohibited unless an exception applies" to "permitted if you apply safeguards." That change took effect on 5 February 2026.
Under the old Article 22 of the UK GDPR, a decision based solely on automated processing that had a legal or similarly significant effect on someone was prohibited, unless one of three narrow exceptions applied: the decision was necessary for a contract, authorised by law, or based on the person's explicit consent. For recruitment, none of those sat comfortably — consent is hard to treat as freely given in a hiring context, and "necessary for a contract" is a stretch for a screening tool.
The DUAA replaced Article 22 with new Articles 22A to 22D, inserted by section 80 and Schedule 6 of the Act and commenced by SI 2026/82. The new structure works like this:
- Article 22A defines what a "significant decision" is, and when a decision is "based solely on automated processing."
- Article 22C sets the new default: for significant decisions that do not involve special category data, automated decision-making is permitted provided you implement and document a set of safeguards.
- Article 22B keeps a stricter regime for decisions based on special category data — health, ethnicity, religion, and similar — which still need explicit consent or a substantial public interest basis, plus safeguards.
| | Old Article 22 (until 4 Feb 2026) | New Articles 22A–22D (from 5 Feb 2026) |
|---|---|---|
| Default for significant solely-automated decisions | Prohibited unless an exception applies | Permitted if safeguards are in place (non-special-category data) |
| Special category data | Narrow exceptions only | Stricter regime: consent or substantial public interest, plus safeguards |
| Safeguards | Tied to the exceptions | Mandatory and explicitly listed in Article 22C |
| Practical effect for recruiters | Hard to justify automated screening at all | Easier to justify — but the safeguards are real and enforced |
The headline is permissive. The detail is not: the safeguards are mandatory, special category data keeps the higher bar, and the regulator has made clear it intends to enforce.
Does the DUAA apply to recruitment agencies?
Yes. If your agency decides which candidates progress, you are a data controller making decisions about people, and the automated decision-making rules apply to you directly. The ICO's March 2026 guidance is aimed explicitly at "employers and organisations which carry out recruitment on behalf of employers, such as recruitment agencies, head-hunters or consultancies." Agencies are named.
Two assumptions get agencies into trouble here.
The first is "we're the agency — the employer is the controller." For the candidate data you collect, source, and screen, you are a controller in your own right, not a processor acting for the client. That is the same position the ICO took in its 2023 recruitment reprimand, and it means your automated decision-making obligations are your own, not something you can pass to the hiring company. (For the wider picture, see UK recruitment agency GDPR risks.)
The second is "we're too small for this to matter." The threshold is the decision, not the headcount. A five-person desk running a tool that auto-ranks applicants is doing automated decision-making in exactly the way a 500-person firm is. The DUAA does not have a small-agency exemption.
What counts as automated decision-making in recruitment?
Automated decision-making, in the DUAA sense, is a significant decision about a person made by a system without meaningful human involvement. In recruitment, the "significant decision" is almost always whether a candidate progresses — rejected, shortlisted, or advanced to the client. If software makes that call on its own, it is solely automated decision-making and the Article 22C safeguards apply.
The trap is the phrase "we just use an AI tool." What matters is not whether a tool is involved — nearly every agency uses tools — but whether a human meaningfully makes the decision.
| What the tool does | Solely automated decision? |
|---|---|
| Auto-rejects applicants below an AI match score, with no human review | Yes — this is automated decision-making |
| Ranks applicants, then a consultant reviews and decides who progresses | No, if the review is meaningful |
| Parses and reformats a CV; the consultant decides everything | No — no decision is automated |
| Redacts contact details before client submission | No — no decision is made about the candidate |
This is where the kind of tool you buy matters. A tool that scores and filters candidates puts you in automated-decision territory and triggers the full set of safeguards. A tool that only handles the mechanical work — parsing, formatting, redaction — and leaves every decision to the consultant does not. Quibench, for example, is a CV formatting and redaction tool for UK recruitment agencies that reformats and redacts candidate CVs into an agency's branded template but does not score, rank, or shortlist candidates; the consultant makes every decision, so using it is not automated decision-making. The general rule is worth holding onto before you sign up to anything: the more decisions a tool makes for you, the more compliance work you inherit.
What "meaningful human involvement" actually means
Meaningful human involvement is the line between "solely automated" — caught by the safeguards — and "human-made," which is not. The ICO's position, set out in its March 2026 draft guidance, is stricter than most agencies assume.
Two things that do not count as meaningful human involvement:
- Designing or building the system. A human who built or configured the model is not influencing any specific decision — the build happened before the candidate ever applied. The ICO is explicit that system design is not, by itself, meaningful involvement in an individual decision.
- Rubber-stamping the output. A consultant who clicks "approve" on an AI-ranked shortlist without the authority, the information, or the time to change it is not meaningfully involved. A human who only ever confirms what the machine suggested is not a safeguard.
For human involvement to count, the reviewer has to be competent, have real authority to overturn the output, and actually consider the individual case. If your "human review" is one person approving 200 AI rankings an hour, the ICO will not treat that as human involvement — and you are doing automated decision-making whether you intended to or not.
The safeguards you now need
If you make significant automated decisions about candidates, Article 22C requires four safeguards to be in place — and documented:
- Transparency before the decision. Tell candidates, in plain terms, that automated decision-making is being used and broadly how it works — before the decision is made, not after someone complains.
- A right to human intervention. Candidates must be able to ask for a human to review the decision.
- A right to make representations and contest the decision. Candidates must be able to put their case and challenge the outcome.
- Information about the decision. Candidates must be able to obtain meaningful information about decisions made about them.
Three further obligations sit alongside that list, and they are where the ICO found the most failures:
- A Data Protection Impact Assessment (DPIA). Using automated decision-making in recruitment will almost always require a DPIA. The ICO's 2026 report found many employers had none.
- A lawful basis. Automated decision-making does not remove the need for a valid lawful basis for the processing, and for special category data the bar is higher.
- Bias monitoring. Test your tools for biased outputs, and document that you do. The ICO's 2026 AI and biometrics strategy explicitly targets undocumented bias testing in employment decisions, and the recruitment report flagged tools that infer characteristics such as gender or ethnicity from a candidate's name.
One principle quietly supports several of these at once: data minimisation. Article 5(1)(c) of the UK GDPR requires personal data to be "adequate, relevant and limited to what is necessary." Redaction will not satisfy the Article 22C safeguards on its own — those are about the decision process — but minimising the candidate data you hold and pass downstream is a related obligation the same ICO report emphasises, and it shrinks the surface area for everything else to go wrong. Stripping a CV down to what a shortlisting decision actually needs (experience, skills, fit) and removing what it does not (name, contact details, and the personal data that lets a tool infer protected characteristics) is good data-minimisation practice. It is the same redaction that protects placement fees from back-door hires, doing double duty. Tools such as Quibench apply one-click redaction before client submission, and there is a free CV redaction tool if you want to try the workflow without committing to anything.
What the ICO's "Recruitment Rewired" work signalled
On 31 March 2026 the ICO published a report on the use of automated decision-making in recruitment, alongside a public consultation on updated automated decision-making guidance that ran until 29 May 2026. The report drew on voluntary engagement with more than 30 employers between March 2025 and January 2026. Three things make it the clearest enforcement signal the sector has had.
- It came with letters. The ICO wrote to 16 organisations it believed were using automated decision-making to make decisions about candidates. Those organisations have committed to acting on its recommendations.
- It named the failures. Many employers did not recognise they were carrying out automated decision-making at all. Where they did, the safeguards — transparency, bias monitoring, accountability, candidate rights — were often missing.
- It set expectations, not just observations. Legal commentators read the report as a strong signal that enforcement action will follow where organisations fall short.
Whether your agency was on the list of 16 is not the point. The ICO has now published what it expects; the next phase is holding the rest of the market to it. The consultation closing in May means final guidance — and the enforcement posture that comes with it — is the near-term direction of travel, not a distant possibility. For a full breakdown of what the report found and what it told organisations to fix, see the ICO's "Recruitment Rewired" verdict on AI in hiring.
The risk of getting it wrong
The downside is regulatory and commercial at the same time.
On the regulatory side, the ICO can require changes, issue reprimands, and impose fines. Automated decision-making without safeguards is precisely the gap its 2026 strategy targets, and it has already identified organisations it is watching.
On the commercial side, candidate trust is already thin, and automated screening is a large part of why. In 2026 UK research, 45% of jobseekers said they trust the hiring process less than a year ago, and 40% put that down to AI. One in three believe AI has shifted bias rather than removed it. Candidates are also pushing back in ways that quietly break automated screening: 38% admitted inserting hidden text into CVs to manipulate AI tools, and nearly half of those who had not tried it said they were considering it. An agency that leans on automated scoring is exposed on both fronts — a regulator that expects safeguards, and candidates actively gaming the score.
A practical checklist for a small agency
You do not need a compliance department. You need to know where automated decisions happen in your workflow and put a short set of controls around them.
- Map your decisions. Write down every point where a candidate is progressed or rejected, and note whether software makes the call or a consultant does.
- Find the solely-automated ones. Any decision a tool makes without a consultant who can meaningfully change it is automated decision-making. Those are the decisions that need safeguards.
- Insert real human review. Give a competent consultant the authority, information, and time to overturn the tool — not a rubber-stamp at 200 records an hour.
- Tell candidates. Add a plain-English line to your privacy notice and candidate communications about where automation is used and how to ask for a human review.
- Do a DPIA. If you use automated decision-making in recruitment, document a DPIA. It is expected, and the process forces the other steps.
- Test for bias and write it down. Ask your tool vendors what bias testing they do, and review the outputs yourself.
- Minimise the data. Collect and share only what each decision needs. Redacting CVs down to skills, experience and fit before client submission supports data minimisation and protects your fees at the same time.
- Prefer tools that keep you deciding. The more a tool decides for you, the more compliance you inherit. For the mechanical work — parsing, formatting, redaction — a human-in-the-loop tool keeps you out of automated decision-making entirely. (See the best CV formatting and redaction tools for small UK agencies.)
The agencies that handle this well are not the ones that avoided AI. They are the ones that know exactly which parts of their process are automated and can show the safeguards around them.
Common questions
Does the DUAA apply to recruitment agencies using AI? Yes. Recruitment agencies are data controllers for the candidate data they collect and screen, so the automated decision-making rules in Articles 22A–22D of the UK GDPR apply to them directly. The ICO's March 2026 guidance is aimed explicitly at employers and at organisations recruiting on their behalf, including agencies, head-hunters, and consultancies. There is no small-agency exemption — the threshold is the decision, not the company size.
What is automated decision-making in recruitment? It is a significant decision about a candidate — typically whether they are rejected, shortlisted, or advanced — made by a system without meaningful human involvement. If software makes that decision on its own, it is solely automated decision-making and triggers the DUAA safeguards. If a competent consultant with real authority makes the decision, with the tool only assisting, it is not.
Did the DUAA make AI candidate screening legal in the UK? It changed the default. From 5 February 2026, the old prohibition on solely automated significant decisions was replaced by a permission-plus-safeguards model for decisions that do not involve special category data. Automated screening is permitted in more cases than before, but only where the Article 22C safeguards — transparency, human intervention, the right to contest, and information about the decision — are in place and documented. Decisions involving special category data face a stricter regime.
What is "meaningful human involvement" in recruitment AI? It is human review by a competent person who has the authority, information, and time to overturn the tool's output and who actually considers the individual case. The ICO is clear that two things do not count: designing or building the system, and rubber-stamping its output. A consultant who only ever confirms what the machine suggested is not meaningful human involvement, so the process is still automated decision-making.
What safeguards does the DUAA require for automated candidate decisions? Article 22C requires four: transparency to the candidate before the decision, a right to human intervention, a right to make representations and contest the decision, and the right to meaningful information about the decision. Alongside these, agencies using automated decision-making in recruitment will generally need a Data Protection Impact Assessment, a valid lawful basis, and documented bias monitoring of their tools.
What did the ICO's 2026 report on automated decision-making in recruitment say? Published on 31 March 2026, the report found that many employers did not realise they were carrying out automated decision-making, and that safeguards were frequently missing. The ICO wrote to 16 organisations it believed were using automated decision-making on candidates, and ran a consultation on updated guidance until 29 May 2026. Commentators treat it as a strong signal that enforcement will follow where organisations fall short.
Is using a CV formatting tool automated decision-making? No, provided the tool does not make decisions about candidates. A tool that parses, reformats, or redacts a CV — but leaves every progression decision to a consultant — is not automated decision-making, because no significant decision is automated. A tool that scores, ranks, or auto-rejects candidates can be. The distinction is whether the software decides, or only assists a human who decides.
The DUAA did not ban AI in recruitment, and it did not wave it through either. From February 2026 it permits automated candidate decisions on the condition that you can show the safeguards around them — transparency, human review that actually means something, a route for candidates to contest, and the accountability paperwork behind it. The agencies most exposed are the ones using automated scoring without realising it counts, and the ones whose "human review" would not survive a second look. Map where decisions are automated, keep a real human on the ones that matter, minimise the candidate data you hold and share, and favour tools that assist rather than decide. That is the difference between using AI and answering to the regulator for it.