--- title: "The UK Just Told AI Hiring Tools to Stop Guessing Your Gender. Most Won't Listen." description: "The ICO audited AI hiring tools in the UK and made 300 recommendations. A builder explains what they found and what job seekers need to know about regulation." canonical: "https://mortit.com/blog/uk-ico-ai-hiring-tools-regulation-2026" --- Insights # The UK Just Told AI Hiring Tools to Stop Guessing Your Gender. Most Won't Listen. The UK's data regulator spent a year investigating AI hiring tools. They found platforms guessing candidates' gender from their names. They made almost 300 recommendations. The companies accepted all of them. That last part is what worries me. 5 min read Updated April 2026 TL;DR **The ICO audited AI recruitment tools** and found them inferring gender and ethnicity from names, hoarding candidate data without consent, and allowing filtering by protected characteristics. All companies accepted the nearly 300 recommendations — but “partially accepted” is doing heavy lifting. The regulator has now opened a **consultation on draft guidance** running until 29 May 2026. That guidance becomes the benchmark courts use when things go wrong. ## What the ICO Actually Found The Information Commissioner's Office audited several AI recruitment tool providers across sourcing, screening, and selection: the entire pipeline a job application passes through before a human ever sees it. The findings were bad. Some tools were inferring candidates' gender and ethnicity from their names rather than asking for the information directly. Others were collecting far more personal data than necessary and retaining it indefinitely, building massive databases of potential candidates who had no idea their information was being stored. Some allowed recruiters to filter out candidates based on protected characteristics. The ICO made almost 300 recommendations. Every company accepted or partially accepted them. But “partially accepted” is doing a lot of heavy lifting in that sentence. And recommendations aren't enforcement actions. The regulator has now opened a consultation on draft guidance for automated decision-making in recruitment, running until 29 May 2026. This is the part that matters. Guidance becomes the benchmark courts use when things go wrong. ## Why Builders Take These Shortcuts I build an AI job matching platform. I've sat in exactly the position these companies were in when they made these choices. I understand why they made them. That doesn't make it OK. When I first built MORT's CV parser, the path of least resistance was to extract everything. Name, location, graduation year, university. Feed it all into the matching algorithm and let the model sort it out. The problem is that graduation year correlates with age. Location correlates with ethnicity. University name correlates with socioeconomic background. The “obvious” approach is the discriminatory one. But it's also the path of least resistance. Cheap to build, cheap to maintain. The hard part is justifying its removal once it's in production. Stripping fields out of my own matching engine felt like making the product worse. Every variable you remove reduces the mathematical precision of the match. Precision in a biased system isn't precision, though. It's discrimination with a confidence score. The ICO found companies inferring gender from first names. That's not a bug. Someone built that deliberately because name-to-gender inference is a well-documented NLP technique, there are open-source libraries that do it in one line of code, and the demographic insight looked useful enough to justify the legal risk. Until the regulator came knocking. ## What This Means If You're Applying for Jobs Your application is likely being processed by AI tools that know more about you than you've disclosed. If you have a name that's statistically associated with a particular gender or ethnicity, some systems are making assumptions before they read your first line of experience. The screening score you receive may reflect variables you never consented to being evaluated on. And most candidates have no idea. The ICO specifically flagged transparency as a critical gap. Candidates aren't being told how automated decisions are being made, what data is being used, or how to challenge the outcome. Under UK data protection law, you have the right to know if an automated system made a decision about you. In practice, most recruitment platforms bury this so deep that exercising that right requires legal knowledge most applicants don't have. This isn't theoretical. The ICO engaged with over 30 employers during this review. The problems they found are industry-wide, not edge cases. ## The Consultation Is What Changes Things The report is useful. The consultation is what has teeth. The ICO's draft guidance on automated decision-making in recruitment runs until 29 May 2026. Once finalised, this guidance sets the bar for how the regulator will assess compliance. It won't be law, but it becomes the standard employers are measured against when a candidate files a complaint. The key requirements: organisations must proactively monitor for bias by testing outputs regularly. They must improve transparency so candidates know automation is being used. They must ensure meaningful human involvement isn't just someone rubber-stamping an algorithm's output. They must demonstrate that data collection is proportionate. No more hoarding CVs indefinitely to build candidate databases no one consented to. For builders, this is the first time the UK regulator has been this specific about recruitment AI. The 2024 audits were the investigation. This consultation is the consequence. ## What I Changed in My Own System MORT's matching engine doesn't use candidate names in scoring. It doesn't infer demographic characteristics. It matches on skills, experience, and role requirements: the things that actually predict whether someone can do the job. I strip fields that correlate with protected characteristics before they reach the matching algorithm. That's not virtue. It's pragmatism. A matching system that scores based on what someone's name sounds like isn't accurate. It's a liability dressed up as technology. After spending months building the parser, embeddings, and vector search that power MORT's matching, I can say this with certainty: you don't need demographic shortcuts to build useful matching. You need better data models and more deliberate engineering. The ICO's 300 recommendations are a start. The consultation is the next step. The real change happens when builders stop treating candidate data as a resource to mine and start treating it as what it is: someone's professional identity, entrusted for a specific purpose. The consultation is open for public comment until 29 May. It's worth reading. The regulator is asking the right questions. Whether the industry gives honest answers is another matter. ## Your data should work for you, not against you. MORT matches you to jobs based on skills and experience — not your name, location, or graduation year. No demographic shortcuts. No hidden variables. [Learn About Job Matching](https://mortit.com/features/ai-job-matching) [Try MORT Free](https://app.mortit.com/signup) ## Keep Reading ### [Your Career Gap Is a Red Flag to AI — Even When It Shouldn't Be](https://mortit.com/blog/career-gap-red-flag-ai-bias-recruitment) New research shows AI recruitment tools penalise career gaps, hobbies, and language as proxy variables for gender. ### [AI Can Write Your CV Now. So I Built Something Else.](https://mortit.com/blog/ai-can-write-your-cv-so-i-built-something-else) Why I stopped building a better CV tool and shipped AI-powered portfolios instead. ### [HSBC Plans to Cut 20,000 Jobs for AI. If You Work in an Office, Pay Attention.](https://mortit.com/blog/hsbc-ai-job-cuts-what-it-means) The UK's largest bank is betting that AI can do the work of one in ten of its people.