APSCo UK May Legal Updates

W/C 25th May

ICO Guidance – Protecting your Organisation from AI-powered Cyber Threats

The Information Commissioner’s Office (ICO) has published new guidance warning organisations to strengthen their cyber security measures as cyber criminals increasingly use artificial intelligence (AI) to carry out more sophisticated attacks.

The ICO highlights risks including AI-generated phishing emails, automated cyber attacks and impersonation tactics, and has outlined five key steps organisations should take to improve resilience and protect personal data, including:

• understanding the evolving AI threat landscape;
• implementing layered cyber security controls and basic cyber hygiene;
• restricting and reviewing access to systems and personal data;
• improving monitoring, detection and incident response capabilities; and
• ensuring appropriate protections remain in place for personal data.

The guidance is particularly relevant for organisations handling large volumes of sensitive personal information, with the ICO reinforcing that robust cyber security practices form part of UK GDPR compliance obligations.

You can read the guidance through our What’s New page.

DBT and Fair Work Agency Publish Labour Market Non-Compliance Report

The Department for Business and Trade (DBT) and the Fair Work Agency have published the final report following a five-year project examining the scale and nature of labour market non-compliance and workplace harms across the UK labour market.

The report found that around 1 in 7 workers reported experiencing some form of labour market non-compliance or workplace harm, with unpaid overtime and workplace stress identified as some of the most common issues raised.

The findings also extend beyond traditionally defined “precarious workers”, highlighting that workplace harms can impact workers across the wider labour market.

You can read the report through our What’s New page.

W/C 18th May

APSCo Update - FAQs for Suppliers not on the GCA Framework (RM6376)

Following the introduction of the GCA Framework RM6376 for Supply Teachers and Education Recruitment, APSCo has created guidance to assist members in understanding the requirements to be met when joining the framework, which is accessible here.

If you have not joined the framework, this does not necessarily exclude you from working with Trusts, however this may mean you will need alternative compliant arrangements.

To assist you in understanding what these alternative compliant arrangements are, we have set out a list of frequently asked questions (FAQs) available in our APSCo Update here.

ICO - Report, guidance and consultation on Automated decision-making in recruitment

This is a reminder that the Information Commissioner's Office (ICO) published a report and associated draft guidance on AI automation and the use of automated decision-making (ADM) systems, available here.

To finalise the guidance, the ICO is seeking views on the following points:

· Your general and specific views on the draft guidance;

· Your experience;

· Your views on the daft impact assessment; and

· Your views on the costs and benefits of the draft guidance to your organisation.

The consultation is open until 29 May 2026 and can be answered by completing the ICO's online survey.

W/C 11th May 

Home Office - Quarterly report on illegal working penalties

The Home Office published a quarterly list of UK employers who have received civil penalties for breaking right-to-work rules. The list highlights employers penalised for employing individuals without valid right-to-work documentation.To avoid falling foul, you can access APSCo and JMW legal update on Right to Work Checks here. Please also review government guidance accessible here.

PGMOL v HMRC - Key points for recruitment companies

After 8 years and 5 hearings, the long-running PGMOL v HMRC case has concluded with the First-tier Tribunal again finding football referees engaged by PGMOL (2014–2016) were self-employed, not employees for tax purposes. The decision is a useful reminder for recruitment businesses that employment status remains highly fact-specific, with tribunals focusing on the full reality of the working relationship rather than contract wording alone. APSCo created a Legal Update providing the key points of the case and the recommended actions recruitment companies should take. Our legal update is accessible on our What's New page here.

W/C 4th May

DfE launches new framework for supply teachers and education recruitment

The Department for Education has introduced a new “Supply Teachers and Education Recruitment” framework (RM6376), launching in May 2026, aimed at improving value and transparency in the use of agency staff by schools and trusts.

The framework will introduce capped agency fees, greater cost transparency, and a 12-week free temp-to-perm provision. From September 2026, academy trusts will be expected to use the framework or demonstrate equivalent value through alternative routes.

Department for Education commercial strategy and innovation commercial lead Beth Lord explains the new Government Commercial Agency supply staff framework and how it aims to rebalance the market, saving schools money here.

DBT - Consultation on misuse of Non-Disclosure Agreements (NDAs)

The Department for Business and Trade (DBT) launched a consultation on the misuse of non-disclosure agreements following measures introduced in the Employment Rights Act 2025, which will render void any contractual provisions (including in employment contracts and settlement agreements) that prevents workers from speaking about relevant harassment or discrimination.

The consultation seeks views on:

• when NDAs may still be enforceable as an “excepted agreement” (for example, where confidentiality is requested by the worker and supported by independent advice);
• who workers can still disclose concerns to, regardless of any NDA, such as legal or medical professionals; and
• whether protections should extend beyond employees and workers to cover some self-employed individuals.

The deadline to respond to the consultation is 8 July 2026 and you can respond here.

ICO - New guidance on Recognised Legitimate Interests

The Information Commissioner's Office (ICO) has published guidance on the new recognised legitimate interest lawful basis, introduced under the Data (Use and Access) Act 2025. The guidance provides organisations with information on the new lawful basis for certain limited processing activities deemed to be in the public interest, without requiring the usual balancing test associated with the standard legitimate interest.

Some of the key points addressed by the guidance are:

• Recognised legitimate interests apply only to specific prescribed purposes set out in legislation;
• Organisations must still demonstrate that processing is necessary and comply with wider UK GDPR obligations, including transparency and accountability; and
• This is a separate basis from the standard legitimate interests, rather than a replacement for it.

The guidance is accessible here.