Skip to content

Candidate Transparency Notice — AI-Assisted Recruitment Template

Project: Sable AI Ltd — AI Governance Framework Stage: Stage 5 — Commercial Packaging Status: Draft Version: v1 Date: 2026-03-01 Assumptions: Built on outline assumptions — not verified against real Sable AI Ltd data

About This Template

This template provides a candidate-facing transparency notice for recruiters and HR teams using the Scout AI-assisted CV screening tool.

Who this template is for: Any organisation using Scout to screen job applications — whether you are a recruitment agency or an in-house HR team. See the Adaptation Notes at the end of this document for guidance on tailoring the template to your organisation type.

Why this notice is required: UK law (the UK General Data Protection Regulation and the Data (Use and Access) Act 2025) requires organisations to tell people clearly when and how they use AI to make or assist with decisions about them. The ICO's November 2024 audit of AI in recruitment found that candidate transparency was consistently inadequate across the sector, and identified this as a key enforcement focus.

How to use this template: 1. Complete all [SQUARE BRACKET] placeholders with your organisation's specific information 2. Review the Adaptation Notes to confirm which version is appropriate for your customer type 3. Have the completed notice reviewed by a data protection professional or qualified solicitor before use 4. Publish the notice on your website and/or provide it to candidates at the point of application

A note on plain language: This notice is written in plain English. Under UK data protection law, privacy notices must be concise, transparent, intelligible, easily accessible, and written in clear and plain language. Do not add legal jargon or overly technical language when completing the placeholders.

Note on ICO guidance status: Some ICO guidance pages on individual rights and transparency remain under review following the Data (Use and Access) Act 2025. This template applies the current UK GDPR Articles 22A–22C structure as amended by the Act. Where older ICO guidance pages still reference pre-DUAA Article 22 wording, the statutory text of UK GDPR Articles 22A–22C (as in force from 5 February 2026) takes precedence.

---

Candidate Transparency Notice: How We Use AI to Screen Applications

Issued by: [FULL LEGAL NAME OF YOUR ORGANISATION]

Effective date: [DATE]

The short version

We use an AI tool to help us review job applications. Here is what you need to know:

  • AI screens your CV first. When you apply, a computer system called Scout reads your CV and gives your application an initial score or ranking against the job requirements.
  • A person reviews the result. A recruiter or HR professional reviews the AI's assessment before any decision is made about your application. No decision is made by the AI alone. [ASSUMPTION: A-007]
  • You can ask questions. You can ask us to explain how the AI assessed your application, ask a person to review it, or tell us if you think the assessment was wrong.
  • Your data is kept securely and deleted when it is no longer needed for your application.

The full notice

1. Who is responsible for your data?

The organisation responsible for your personal data (your "data controller") is:

[FULL LEGAL NAME] [ADDRESS] [EMAIL] [PHONE — optional]

[IF YOUR ORGANISATION HAS A DATA PROTECTION OFFICER:] Our Data Protection Officer can be contacted at: [DPO NAME / EMAIL]

[IF YOUR ORGANISATION IS A RECRUITMENT AGENCY ACTING ON BEHALF OF AN EMPLOYER:] We are processing your application on behalf of [EMPLOYER CLIENT NAME]. [EMPLOYER CLIENT NAME] is also responsible for how your data is used in their hiring process. You can contact them at [EMPLOYER CLIENT CONTACT DETAILS].

2. What is Scout and what does it do?

Scout is an AI-powered tool made by Sable AI Ltd that helps us review your CV and application. It is powered by large language model (LLM) technology. [ASSUMPTION: A-002]

What Scout does: - It reads the content of your CV and application - It compares your experience, qualifications, and skills against the requirements of the role - It produces a summary and score or ranking to help our recruiter decide who to invite to the next stage

What Scout does not do: - It does not make a final decision about your application — a person always reviews the AI's assessment before any decision is made [ASSUMPTION: A-007] - It does not access any information about you other than what you have provided in your application - It does not use your data to train or improve its AI model [ASSUMPTION: A-005]

Limitations: AI tools are not perfect. Scout may miss relevant experience presented in an unusual format, or may weight certain criteria differently from how a human recruiter would. We have implemented human review to catch these cases. If you believe the AI has made a mistake in assessing your application, you can ask us to review it (see Section 5).

3. What personal data do we use?

We process the following personal data about you when you apply for a role with us:

Data Where it comes from
Name Provided by you in your application
Contact details (email, phone, address) Provided by you in your application
Work history and experience Provided by you in your CV or application form
Education and qualifications Provided by you in your CV or application form
Skills and competencies Provided by you in your CV or application form
Any other information you include in your CV or covering letter Provided by you

[IF YOU ALSO RECEIVE CANDIDATE DATA FROM A THIRD PARTY, SUCH AS A JOB BOARD OR ANOTHER AGENCY:] We may also receive your details from [SOURCE, e.g. "a job board" / "a recruitment agency"]. If so, we will contact you within one month of receiving your information to let you know we hold it.

A note on sensitive information: Please try not to include sensitive personal information (such as information about your health, disability, religion, or ethnicity) in your CV unless it is relevant to your application. If you choose to include it, we will process it only for the purpose of your application and will handle it with extra care in accordance with UK law.

We process your personal data to: - Review your application and decide whether to progress it - Communicate with you about your application - [ADD ANY OTHER PURPOSES SPECIFIC TO YOUR ORGANISATION, e.g. "maintain a talent pool for future roles — only if you consent to this"]

Our legal basis: [COMPLETE WITH YOUR APPLICABLE LAWFUL BASIS. EXAMPLES:] - "We process your data because it is necessary for steps taken at your request before potentially entering into a contract of employment (UK GDPR Article 6(1)(b))." — appropriate where the candidate is applying for a role that could lead to employment - "We process your data on the basis of our legitimate interests in finding suitable candidates for our clients' roles (UK GDPR Article 6(1)(f)). Our legitimate interests do not override your right to privacy." — appropriate in a recruitment agency context where the agency is sourcing candidates for employer clients [LEGAL REVIEW REQUIRED]

[YOU MUST CONFIRM THE CORRECT LAWFUL BASIS WITH LEGAL ADVICE BEFORE PUBLISHING THIS NOTICE]

5. Your rights regarding AI-assisted decisions

Because we use AI to review your application, you have specific rights under UK GDPR Articles 22A–22C, as amended by the Data (Use and Access) Act 2025:

The right to be told about AI involvement We are telling you now, in this notice, that we use an AI tool in our application review process.

The right to ask a person to review the AI's assessment You have the right to ask us to have a person manually review the AI's assessment of your CV. To do this, contact us at [CONTACT EMAIL / FORM] and state that you are requesting human review of your application. We will respond within [TIMEFRAME, e.g. "5 business days"].

The right to make your case If you think the AI has missed relevant information in your application, you can tell us. Contact us at [CONTACT EMAIL / FORM] with any information you would like us to take into account.

The right to challenge the outcome If your application is unsuccessful and you believe the AI-assisted assessment was unfair or incorrect, you have the right to formally contest the outcome. Contact us at [CONTACT EMAIL / FORM] explaining your concerns. We will review your challenge and give you a written response.

6. Your general data protection rights

In addition to the AI-specific rights above, you have the following rights under UK data protection law:

Right What it means
Access You can ask for a copy of the personal data we hold about you (including any AI-generated assessments of your CV)
Correction You can ask us to correct any inaccurate or incomplete data
Erasure In some circumstances, you can ask us to delete your data
Restriction You can ask us to stop processing your data in certain circumstances
Objection You can object to processing based on our legitimate interests
Portability Where processing is automated and based on your consent or a contract, you can ask for your data in a machine-readable format

To exercise any of these rights, contact us at: [CONTACT EMAIL / DATA SUBJECT RIGHTS REQUEST FORM URL]

7. How long do we keep your data?

[COMPLETE WITH YOUR SPECIFIC RETENTION PERIODS — examples below:]

Data How long we keep it
Successful applicants' CV and application data Transferred to your personnel file on appointment. See our employee privacy notice for further details.
Unsuccessful applicants' CV and application data [e.g. "6 months after the role is filled"] — then deleted
AI-generated shortlisting assessments Deleted at the same time as the related application data
Correspondence about your application [e.g. "6 months after the application process closes"]

[ASSUMPTION: A-022] Retention periods have not been confirmed for Sable AI Ltd's customers. You must specify appropriate retention periods with legal advice before publishing this notice.

8. Who do we share your data with?

We share your CV and application data with:

  • Scout / Sable AI Ltd — to carry out the AI screening of your application. Sable AI Ltd processes your data in accordance with the data processing arrangements agreed between us. In most cases Sable AI Ltd acts as our data processor and processes your data only on our instructions, but the precise controller/processor allocation must reflect the actual recruitment arrangement in place. [LEGAL REVIEW REQUIRED where controller/processor roles are not straightforward]
  • Anthropic, Inc. — Sable AI Ltd uses Anthropic's AI technology to power Scout. Your CV data is processed by Anthropic's systems to generate the shortlisting output. Anthropic is based in the United States; see Section 9 below on international transfers. [ASSUMPTION: A-005]
  • [EMPLOYER CLIENT NAME (agency customers only)] — if we are screening applications on behalf of an employer, we share shortlist outputs with that employer.
  • [ANY OTHER RECIPIENTS — e.g. background check provider, ATS platform, etc.]

We do not sell your personal data to third parties.

9. International transfers

Some of the organisations we work with are based outside the United Kingdom:

  • Anthropic, Inc. is based in the United States. Your CV data is transferred to Anthropic's systems in the US when Scout processes your application. This transfer is protected by [COMPLETE: e.g. "the UK-US Data Bridge (where Anthropic is certified)" OR "a UK International Data Transfer Agreement"]. [ASSUMPTION: A-005] [LEGAL REVIEW REQUIRED]

[Sable AI Ltd must confirm and insert the applicable transfer mechanism before this notice is finalised.]

10. How to raise a concern or complaint

If you have a concern about how we have handled your personal data, please contact us first:

[ORGANISATION NAME] [CONTACT EMAIL] [ADDRESS]

If you are not satisfied with our response, you have the right to complain to the UK's data protection regulator:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Tel: 0303 123 1113 Website: www.ico.org.uk

11. Updates to this notice

We will update this notice if we change how we use your data. If we start using your data in a new way — for example, if we introduce additional AI tools or use your data for a new purpose — we will tell you before that processing begins.

---

Adaptation Notes — How to Use This Template for Each Customer Type

For Recruitment Agency Customers

If you are a recruitment agency screening candidates on behalf of employer clients:

  1. Section 1 (Who is responsible): Insert your agency's details only where the agency has concluded that it acts as a controller for the relevant processing. If the agency and employer jointly determine the purposes and means of the processing, the notice must reflect the Article 26 allocation of responsibilities agreed in the Joint Controller Addendum (L4-5.1-Data-Processing-Agreement-Template-v1.md, Appendix A Addendum). Do not describe the agency as the sole or primary controller unless that role allocation has been legally confirmed. [LEGAL REVIEW REQUIRED] Include the employer client's name and contact details in the paragraph about acting on behalf of an employer.

  2. Section 4 (Legal basis): Your likely lawful basis is legitimate interests under UK GDPR Article 6(1)(f): your legitimate interest in identifying suitable candidates for your clients' roles. You should carry out and document a legitimate interests assessment (LIA) confirming that your interests do not override candidates' privacy rights. [LEGAL REVIEW REQUIRED]

  3. Section 8 (Who we share data with): Include the employer client(s) as data recipients. Where your agency and the employer are joint controllers for any part of the processing, the notice should reflect the allocation of responsibilities agreed in the Article 26 Joint Controller Addendum (L4-5.1-Data-Processing-Agreement-Template-v1.md, Appendix A Addendum).

  4. Section 4 — Article 14 timing: If you receive candidate CVs from job boards, other agencies, or public sources (rather than directly from candidates), UK GDPR Article 14 requires you to provide this notice to candidates within one month of obtaining their data. Build a process for this before deploying Scout. [ICO AI in Recruitment Outcomes Report, November 2024]

  5. Delivery: Provide the notice to candidates at the earliest point of contact — ideally at the point of application or initial contact. Do not rely on a generic website privacy policy to satisfy this obligation.

For In-House HR Customers

If you are an in-house HR or talent acquisition team using Scout for direct hiring:

  1. Section 1 (Who is responsible): Insert your organisation's details. You are the sole controller. Delete the paragraph about acting on behalf of an employer. If your organisation has a DPO, include their contact details.

  2. Section 4 (Legal basis): Your likely lawful basis is pre-contractual steps under UK GDPR Article 6(1)(b) — you are taking steps necessary to assess candidates for employment at their request — or legitimate interests under Article 6(1)(f). Where candidates apply for roles, Article 6(1)(b) is the more natural fit. [LEGAL REVIEW REQUIRED]

  3. Section 8 (Who we share data with): Delete the reference to employer clients. Add any other internal or external systems you use in recruitment (ATS platforms, background check providers, etc.).

  4. DPIA obligation: Before deploying Scout, ensure you have completed a Data Protection Impact Assessment. AI-assisted CV screening constitutes processing likely to result in high risk under UK GDPR Article 35. See L2-3.4-DPIA-Template-v1.md for the framework DPIA. [ICO AI in Recruitment Outcomes Report, November 2024]

  5. Human review: Your notice commits to human review before any decision is made (Section 2 and Section 5). Ensure your recruiters are trained to treat Scout's output as an input to their decision, not the decision itself, and that this is documented in your governance policy. [Cross-reference: L1-2.4-Governance-Policy-v1.md; L1-2.5-Roles-and-Responsibilities-v1.md]

General Checklist Before Publishing

Before publishing this notice, confirm the following:

  • [ ] All [SQUARE BRACKET] placeholders have been completed
  • [ ] Your lawful basis has been confirmed with legal advice
  • [ ] Retention periods have been specified and are proportionate
  • [ ] The transfer mechanism for Anthropic has been confirmed with Sable AI Ltd
  • [ ] The notice has been reviewed by a qualified data protection professional
  • [ ] You have a process for handling candidates' AI review and challenge requests (Section 5)
  • [ ] If you receive candidate data from third parties: you have a process for providing Article 14 notices within one month
  • [ ] The notice is accessible at the point of application (not buried in a general privacy policy)

Sources: UK GDPR Arts. 4(7), 13, 14, 15, 22A–22C (as amended by the Data (Use and Access) Act 2025); ICO Right to be Informed guidance; ICO AI in Recruitment Outcomes Report, November 2024; DSIT Responsible AI in Recruitment Guide, March 2024.

End of L4-5.2 — Candidate Transparency Notice Template