Your HR team is pasting employee data into AI. Here's the governance gap.
It usually starts innocently: someone in HR drops the rough notes of a grievance into a chatbot to "make the wording more professional", or pastes a sickness history to draft a sensitive letter. The output is better and faster. The problem is what just left the building.
Why HR data is the sharp end of this
Employee records are among the most sensitive data an organisation holds, and a lot of it is special-category data under UK GDPR — health information, and sometimes data revealing union membership, beliefs or sexual orientation. Special-category data carries a higher bar for lawful processing. Putting it into a consumer AI tool that the organisation hasn't assessed means a processing activity with no agreement, unknown retention, and — with a US-owned tool — exposure to US legal process under the CLOUD Act regardless of where the servers sit.
The honest position most organisations are in
Not "should we allow AI in HR?" but "HR is already using it, and no one has written down the rules." Silence reads as permission. The fix isn't a ban that will be quietly ignored — it's a short, clear policy plus one approved tool that keeps the data somewhere you can account for.
What good looks like
- A written rule on employee data: no employee-identifiable or special-category information goes into any tool that isn't approved and assessed.
- An approved tool that stays in the UK: assessed for where it processes data, who can compel it, and whether it trains on inputs. (Check yours with our free CLOUD Act exposure checker — no email, no tracking.)
- Human decisions stay human: AI may draft a letter; it does not decide a grievance, score a candidate, or sit in the room. Every output is reviewed by a person.
- An audit trail: so you can show, if asked, that AI use across the people function was governed and logged — not guessed at.
Draft HR documents without the data leaving the UK
Hush AI drafts policies, letters, job descriptions and investigation notes under human review, on hardware a UK company owns in England — outside US CLOUD Act jurisdiction, never used for training, with a one-click audit trail. It does not make employment decisions.
Hush AI (hush-ai.uk) is a UK-sovereign AI assistant for regulated professionals. It drafts under human review and makes no employment decisions. This article is general information, not legal or HR advice; take professional advice on employment-law and data-protection matters.