UK ATS compliance checklist 2026

What does a compliant ATS look like for UK employers?

A compliant applicant tracking system for UK employers should automate Right to Work verification, support DBS check workflows, capture EDI data at the point of application, and produce audit-ready reports that hold up to regulatory scrutiny - without adding administrative burden to your hiring team.

That sounds straightforward. In practice, most HR and talent acquisition leaders discover the gaps in their current system only when they are under pressure (and need the system to work better and faster) - during an audit, a CQC inspection or an OFSTED review. By then, it is too late to patch the problem.

This guide gives you a structured, step-by-step checklist to evaluate any applicant tracking system against the compliance and reporting requirements that matter most to UK employers in 2026. Whether you are assessing your existing platform or comparing alternatives, use this as your benchmark.

Why compliance readiness is now a board-level ATS requirement

Regulatory expectations around recruitment have tightened considerably. The Home Office's Right to Work guidance has been updated multiple times since the introduction of digital identity verification. Safeguarding legislation continues to evolve across health, social care and education. The Equality Act 2010 - alongside WRES and WDES reporting for NHS organisations - places a direct duty on employers to evidence fair and equitable hiring practices.

According to the CIPD's 2024 Resourcing and Talent Planning report, fewer than a third of UK organisations actively attempt to identify future skills requirements or retention issues - a gap that becomes acutely visible when recruitment processes face regulatory scrutiny. 

That gap is a risk and it's precisely why your choice of applicant tracking system is no longer just an operational decision; it's a governance one too.

Compliance checklist: what to look for in an ATS

Work through each section below. Each area maps to a specific compliance or audit requirement relevant to UK employers. Score your current or prospective system honestly.

1. Right to Work verification

UK employers have a legal obligation under the Immigration, Asylum and Nationality Act 2006 to check that every employee has the right to work in the United Kingdom before they start work. A compliant ATS should:

• Prompt Right to Work checks as a mandatory step within the hiring workflow - not as an afterthought
• Support digital identity verification in line with current Home Office guidance, including Identity Service Providers (IDSPs) for British and Irish nationals
• Capture and store document evidence with a time-stamped audit trail
• Alert hiring managers when follow-up checks are due for workers on time-limited visas
• Integrate with onboarding so that verification status carries through from offer to employment without being re-entered manually

Red flag: If Right to Work checks exist as a separate process outside of your ATS-managed via email or spreadsheet - you have a documentation gap that will not hold up under Home Office scrutiny.

Why digital verification matters more than ever in 2026

Fraud is not disappearing - it's just adapting. In a recent webinar with our compliance partner TrustID, we discussed how share code imposter cases and digitally altered documents are on the rise, why manual checks alone can leave employers exposed and what securing the statutory excuse actually requires in 2026. Read the write-up here (or watch the full webinar) →

2. DBS and safeguarding check management

For employers in health, social care, education and related sectors, disclosure and barring (DBS) checks are not optional. Your ATS should treat them as a structured, trackable workflow - not a note in the candidate record.

Look for a system that can:

• Trigger the appropriate level of DBS check (Basic, Standard, Enhanced, Enhanced with barred list) based on the role type and/or department
• Track check status within the candidate record, from request through to clearance
• Flag roles that legally require a DBS check and prevent progression without one
• Retain DBS records securely in line with data protection requirements, with configurable retention periods
• Produce a consolidated view of DBS statuses across all open vacancies - essential for safeguarding audits in regulated environments

For care sector employers specifically, this is non-negotiable. CQC inspections increasingly examine how organisations manage recruitment, safeguarding and inspectors will ask to see evidence of systematic, documented processes.

3. Equality, diversity and inclusion (EDI) data capture

For public sector organisations and the NHS, collecting and reporting on diversity data is both a legal requirement under the Equality Act 2010 and, for NHS organisations, a specific regulatory obligation under WRES (Workforce Race Equality Standard) and WDES (Workforce Disability Equality Standard).

A genuinely compliant ATS should:

• Capture EDI data at the point of application, presented to candidates as a separate, clearly optional section
• Ensure EDI data is anonymised and separated from shortlisting and interview processes - protecting against unconscious bias and demonstrating procedural fairness
• Aggregate diversity data by vacancy, department and hiring manager to identify patterns in shortlisting, interview and appointment rates
• Produce WRES and WDES-compatible reports for NHS organisations - ideally mapped to mandatory reporting templates
• Support equal opportunities monitoring across the full hiring funnel, not just at application stage

What good looks like: We support WRES and WDES reporting directly within the platform for our NHS clients. For broader UK employers, the same data infrastructure enables the kind of diversity dashboards that were once only available to enterprise organisations with dedicated analytics teams.

4. Candidate data management and GDPR compliance

The UK GDPR (as retained post-Brexit) places clear obligations on employers as data controllers in the recruitment process. Your ATS must be able to demonstrate compliance - not just assert it.

Evaluate your system against these requirements:

• Configurable data retention policies that automatically flag or delete candidate records after defined periods (typically six months to one year for unsuccessful applicants, in line with ICO guidance)
• Clear privacy notice delivery at the point of application, with consent capture recorded in the system
• Subject Access Request (SAR) functionality - the ability to extract a complete record of all data held on an individual quickly and comprehensively
• Right to erasure workflows that remove personal data without corrupting reporting integrity
• Audit logs that record who accessed or amended a candidate record and when
• Data processing agreements with all integrated third-party systems

Rather than being a one-time configuration exercise, GDPR compliance in a well-designed ATS makes ongoing compliance manageable, with automated workflows that reduce the risk of human error.

5. Audit-ready reporting

Audit readiness is the difference between a well-run compliance programme and one that only looks good on paper. When an auditor, inspector, or senior leader asks for evidence of your hiring process, your ATS should be able to produce it - accurately, quickly, and in a format that makes sense.

Reporting capabilities to prioritise:

• A full, tamper-proof audit trail for every vacancy - covering each stage from job approval through to offer and onboarding
• Configurable reporting dashboards that can be filtered by vacancy, hiring manager, department, site or date range
• Export formats compatible with regulatory reporting requirements (NHS, CQC, Ofsted, local authority)
• Time-stamped records of every decision point, with the name of the individual who made it
• Reporting on time-to-hire, source of hire, offer acceptance rate and withdrawal reasons - the operational data that supports workforce planning as well as compliance
• Pre-built report templates for common regulatory submissions, with the flexibility to build custom reports where needed

One question worth asking any ATS vendor: can you show me what an audit trail looks like for a specific vacancy? If the answer involves exporting data to a spreadsheet and formatting it manually, that is a meaningful operational risk.

6. Hiring workflow integrity

As well as being about the data you capture, compliance is also about the process you follow. A compliant ATS enforces structured, consistent hiring workflows that create a defensible record of every decision.

This means:

• Configurable approval gates that prevent a vacancy progressing until required steps are completed (e.g., job evaluation sign-off, EDI data capture, Right to Work check)
• Interview scoring recorded within the system, with structured interview questions linked to the role
• Scoring and shortlisting completed in the ATS platform - not via email or separate documents - so the rationale for every hiring decision is captured
• Offer management workflows that tie an accepted offer to a compliant pre-employment check record before employment begins
• Onboarding handoff that carries compliance documentation through from recruitment to employment - eliminating the re-entry of data that creates gaps and errors

For organisations managing high volumes of concurrent vacancies - NHS trusts, large care providers, local authorities - workflow integrity at scale is where many systems fall short. Manual workarounds may work for one or two roles. They don't for 200.

7. Integration with existing HR and workforce systems

Compliance data only has value if it flows accurately and completely between systems. Siloed recruitment data creates risks: gaps in the audit trail, duplicate records, and the manual re-entry that introduces error.

Evaluate integration capability carefully:

• Does the ATS integrate with your HR information system (HRIS) or workforce management platform and in which direction does the data flow?
• For NHS organisations: does the ATS offer real-time two-way integration with ESR (Electronic Staff Record)? This is a significant differentiator - Jobtrain was the first ATS to deliver eESS (the equivalent to ESR in Scotland) for NHS Scotland, contributing to a 31% reduction in time to hire.
• Does the ATS integrate with NHS Jobs and does candidate data transfer cleanly without manual re-entry?
• Are third-party pre-employment check providers (DBS, referencing, occupational health) integrated within the workflow or does the hiring team have to manage these separately?
• Does the ATS integrate with specialist identity verification providers? Jobtrain integrates directly with TrustID, enabling Right to Work checks to be initiated from within the recruitment workflow and results returned to the candidate's record - removing the manual handoff that creates gaps in the audit trail.

Integrations that are described as "available" but require custom development or third-party middleware should be treated with caution. Ask for a demonstration of the integration in action, not a screenshot of a feature list.

How to use this checklist in your ATS evaluation

If you're currently evaluating applicant tracking systems, use the seven sections above as your evaluation framework. For each area, score your shortlisted systems against the three criteria:

Does it do it?
Is this capability already live and present in the ATS or would it require customisation or manual workaround?

Does it do it automatically?
Is compliance built into the workflow or does it depend on individual hiring managers remembering to follow a process?

Can it prove it?
Can the system produce a clear, time-stamped record of compliance that would satisfy an auditor, inspector or tribunal?

The distinction between "yes it does that" and "yes and here's the audit trail to prove it" is the one that matters most when things are scrutinised.

What next?

Whether you are evaluating your current applicant tracking system or building a case to invest in a new one, this checklist gives you a clear framework to assess where the compliance gaps are.

We work with NHS organisations, care providers, local authorities and broader UK employers who need more than an applicant tracking tool. If you'd like to see how we approach compliance, reporting and audit readiness in practice, book a demo and we will walk you through it.

Frequently asked questions

What is an applicant tracking system for UK employers?
An applicant tracking system (ATS) for UK employers is software that manages the end-to-end recruitment process - from job posting through to offer and onboarding - while capturing the compliance data, audit trails and reporting that UK employment law requires.

What compliance features should a UK ATS include?
A compliant UK ATS should include automated Right to Work check workflows, DBS and safeguarding check management, EDI data capture and reporting, UK GDPR-aligned data retention and erasure tools and a full audit trail for every hiring decision.

Is an ATS suitable for care sector recruitment?
Yes - and the care sector has specific requirements that a general ATS may not meet. Care employers need safeguarding check workflows, CQC-defensible audit trails and EDI reporting built into the platform. Purpose-built care sector recruitment software, or an ATS like Jobtrain with proven care sector deployments, is strongly advisable.

How does an ATS support GDPR compliance in recruitment?
An ATS supports GDPR compliance by automating data retention schedules, capturing consent at the point of application, enabling Subject Access Request responses, recording data access in audit logs and integrating privacy notices into the candidate journey.

What is the difference between an ATS and an HR management system?
An ATS focuses on the recruitment process - attracting, screening, and selecting candidates. An HR management system typically encompasses broader workforce management, including performance management and HR records. Some modern ATS platforms, including Jobtrain, bridge this gap by extending into onboarding and talent intelligence.