Diagnostic Checklist
Is Your Hiring Process Legally Defensible?
A 20-point diagnostic for talent acquisition leaders, HR managers, and hiring teams

Most hiring process risk is not created by obviously wrong decisions. It is created by decisions that cannot be explained.

When a rejected candidate, a hiring manager, or a regulator asks "why wasn't this person hired?", the question is not always whether the right person was chosen. The question is whether you can show how the decision was made.

Without a documented process, even a correct decision becomes indefensible. You may have chosen the right person. But if you cannot reconstruct why, you cannot prove it.

This checklist identifies the specific documentation and process gaps that turn defensible decisions into indefensible ones. It covers five areas: pre-screening, evaluation consistency, technology use, rejection communications, and audit readiness.

Each section has four yes/no statements and a severity key. The severity key explains what the gap means in practice, not just in theory.

Work through it before your next hiring cycle. Most teams find at least one section they cannot fully answer yes to.

How to use this document

Read each statement honestly. Check the box only if the answer is clearly yes for your current process. Not partially true. Not aspirationally true. Count your checked boxes per section, then read the severity key for each. Note your highest-risk sections at the end.
Section 1 of 5: Before the first CV arrives

Why this section matters

Most scoring inconsistency starts before any candidate is reviewed. Without written criteria defined before screening begins, every shortlisting decision is retrospectively justified rather than prospectively applied. That distinction is what separates a defensible process from a personal opinion.

[ ] We have a written job brief that defines what a suitable candidate looks like for this specific role, produced before the role is advertised.
[ ] We have defined scoring criteria or a structured rubric that any assessor could apply independently and arrive at a consistent result.
[ ] We have documented which requirements are non-negotiable (minimum) versus preferred (desirable), and that distinction is visible to everyone who screens CVs for this role.
[ ] We have agreed in writing who is involved in the screening decision and what authority each person holds.

What your score means

0 checked: High risk. Every screening decision in this process can be challenged as arbitrary. There is no documented basis against which candidates were compared. This is the most common gap in teams that hire by instinct.
1 to 2 checked: Moderate risk. Some criteria exist in some form, but inconsistency between assessors is likely. A challenge would reveal that different people applied different standards to the same applicants.
3 to 4 checked: Low risk. The pre-screening structure is documented and defensible. The main risk at this level is drift: processes that exist on paper but are not consistently followed.
Section 2 of 5: During screening and shortlisting

Why this section matters

Consistency is the mechanism that makes screening defensible. When two people review the same candidate stack against different mental models of the role, the outcome is not a hiring process. It is a series of individual opinions. Research shows 55% of candidates report their process felt "disorganised or inconsistent." That statistic carries legal weight.

[ ] Every candidate is assessed against the same written criteria, not a personal sense of whether they seem right for the role.
[ ] The person screening CVs has been briefed on what the criteria mean in practice, not just given the job description and asked to use their judgement.
[ ] We have a record of why each candidate was progressed or not progressed at the initial screening stage, not only at the final decision point.
[ ] We do not rely on proxies for quality (university name, employer brand, years of experience as a standalone figure) unless those proxies are explicitly listed in the written criteria for this role.

What your score means

0 checked: High risk. Shortlisting decisions are entirely personal. They cannot be reconstructed or justified against any shared standard. In a legal or regulatory review, you would have no record of why any decision was made.
1 to 2 checked: Moderate risk. Partial documentation exists but gaps remain. The process would likely produce inconsistent results across different assessors, and a challenge would expose that inconsistency.
3 to 4 checked: Low risk. Shortlisting is documented and consistent. The focus here should be on ensuring documentation is actively used, not just filed.
Section 3 of 5: What your tools are doing and whether you can explain it

Why this section matters

From August 2026, the EU AI Act classifies AI tools used in recruitment as high-risk systems. Employers using AI in screening, scoring, or ranking must be able to explain how the tool works, what it decided, and why. Using an AI tool without documentation of what it does is not a technical problem. It is a compliance gap that a rejected candidate or regulator can challenge directly.

[ ] We have a clear record of which AI tools, if any, are used in our hiring process and at which stage each tool is applied.
[ ] We can explain to a candidate or regulator, in plain language, how any AI tool produced its output and what that output was used for in the final decision.
[ ] We have reviewed whether the AI tools we use meet the documentation and transparency requirements set out under EU AI Act Article 9 and Article 13 for high-risk systems.
[ ] Human review is applied to AI-generated outputs at each decision point. No candidate is progressed or rejected based solely on an automated output.

Note: If AI tools are not currently used in your process, mark all four items as checked. This section applies only where automated or AI-assisted tools are involved in candidate evaluation, screening, or ranking.

What your score means

0 checked: High risk (if AI is in use). AI tools without documentation represent an active compliance gap under EU AI Act regulations taking effect August 2026. This is not a future concern for organisations already using AI in hiring.
1 to 2 checked: Moderate risk. Awareness exists but documentation is incomplete. You know what tools are in use but cannot fully explain outputs or demonstrate human oversight at every stage.
3 to 4 checked: Low risk. Technology use is documented, explainable, and has human oversight at every decision point. Maintain documentation as tools evolve.
Section 4 of 5: What you say to candidates you do not progress

Why this section matters

Rejection emails are the most visible record of a hiring decision. A vague or poorly worded rejection creates the impression that the real reason cannot be stated. Specific, professionally worded rejections signal that the process had a clear basis. They do not prevent challenges. They reduce the likelihood of one succeeding.

[ ] Every rejected candidate receives a notification at the stage they were rejected, not only at the final decision point. Candidates who were not shortlisted are told, not left waiting.
[ ] Our rejection communications do not contain phrasing that could imply the reason was related to a protected characteristic, even unintentionally.
[ ] Our standard rejection templates have been reviewed for legal safety within the last 12 months, either internally or by someone with employment law knowledge.
[ ] We retain a log of when rejection communications were sent, to which candidates, and at which stage in the process.

What your score means

0 checked: High risk. Rejections are creating exposure on two fronts: no audit trail of when candidates were notified, and no assurance that communications are legally safe. Both can be used against you in a challenge.
1 to 2 checked: Moderate risk. Some practice is in place but inconsistency or outdated templates leave gaps. A reviewed, updated rejection process is a low-effort fix that significantly reduces exposure.
3 to 4 checked: Low risk. Rejection communications are timed, documented, reviewed for legal safety, and logged. This area is not creating exposure at this stage.
Section 5 of 5: Whether your records would survive scrutiny

Why this section matters

Audit readiness does not mean expecting to be audited. It means having documentation robust enough to reconstruct any hiring decision if asked. Employment tribunals, subject access requests under GDPR, and regulatory reviews can all require you to explain decisions made months earlier. Without records, you are relying on memory. Memory is not a defence.

[ ] We could reconstruct the full hiring decision for any vacancy completed in the last 12 months using existing records alone, without needing to contact the hiring manager for context.
[ ] We store hiring documentation (scorecards, interview notes, assessment records) for a minimum of 12 months after the role is filled, in a format that is accessible and searchable.
[ ] We have a defined process for responding to a subject access request from a candidate or a formal request for feedback, and we could execute it within the required timeframe.
[ ] Responsibility for hiring process compliance is formally assigned to a named person or function. It is not assumed to be covered by general HR policy or handled informally.

What your score means

0 checked: High risk. Your process would not survive a regulatory request or a legal challenge requiring documentary evidence. Every hire made without records is a decision that cannot be defended after the fact.
1 to 2 checked: Moderate risk. Some records exist but are incomplete, difficult to access, or informally held. Partial documentation is better than none but would not withstand a formal review.
3 to 4 checked: Low risk. The process is documented, stored, and owned. The focus should be on maintaining standards as hiring volume increases.
Interpreting Your Results

Count the number of sections where you scored 0 (high risk).

0 high-risk sections
What it means: Your process is documented and defensible. The main risk at this level is drift: processes that are documented but not followed consistently as the team or hiring volume grows.
Where to focus: Schedule a review every six months.

1 high-risk section
What it means: One area is actively creating exposure. The rest of your process is holding.
Where to focus: Address that one section before your next significant hiring cycle. It is likely fixable with one focused effort: a template review, a documentation session, or a policy update.

2 to 3 high-risk sections
What it means: Your process has structural gaps that a legal or regulatory challenge could exploit.
Where to focus: Prioritise sections 1 and 2 first. Pre-screening criteria and evaluation consistency are the foundation that every other section depends on. Fix those and the others become easier.

4 to 5 high-risk sections
What it means: Your hiring decisions are currently indefensible as a body of work.
Where to focus: Start with section 1. Without written criteria before screening begins, everything downstream is inconsistent. This is structural, not personal, and it is fixable.
The thing most hiring teams get wrong

A defensible process is not the same as a slow process. The documentation required to protect you is largely the same documentation that makes your hiring more consistent, more repeatable, and better at finding the right person.

The most common gap in talent teams is not bad intent. It is the assumption that good judgement is a substitute for a paper trail. In practice, it is not. A correct decision made without documentation cannot be proved correct when it is later questioned.

What this diagnostic is really measuring is not how careful your team is. It is whether the structure underneath your process is visible enough to survive scrutiny by someone who was not in the room when the decision was made.

Produced by Talent Atrium. Free tools for recruiters and hiring managers at talentatrium.com/tools. No login required.