The Data (Use and Access) Act 2025

Written on 2 July, 2025

The Data (Use and Access) Act 2025 (DUA) received Royal Assent on the 19^th June 2025. This new Act does not repeal UK GDPR or the Data Protection Act 2018 – rather it amends the existing provisions.

We understand that this change in legislation may cause concern, so we wanted to take the opportunity to breakdown the key changes that may affect schools and Multi Academy Trusts for you.

Clarification within Subject Access Requests.

The first major change that could affect Schools and MATs link to dealing with Subject Access Requests (SARs). The new legislation codifies some of the pre-existing guidance from the Information Commissioners Office (ICO), giving schools extra protection and direction on how to deal with SARs.

The Act states that organisations are only obliged to conduct searches that are ‘reasonable and proportionate’ when responding to SARs.

With the ongoing increase in Information Requests as a whole, this provision will allow schools to push back on overly broad requests, and in turn reduce the time spent on searching for information. The provision also reiterates the principle that you do not need to send information to the requester which they already hold or have access to, confirming there is no requirement to send emails to and from the requester.

This new provision commenced immediately upon Royal Assent and in fact is back dated to Jan 2024.

The Act also enacts the ICOs guidance on ‘stopping the clock’ when obtaining clarification from requesters. This provision allows you to pause the time limit for responding to requests whilst you wait for clarification from the requester. It is guidance we already follow, but again, having this written within the law could provide a little protection for schools.

This new provision will require a Commencement Order before coming into effect – so watch this space for further updates.

These are not a huge changes to how both the ICO, and the team at Education Data Hub deal with SARs so are unlikely to change our existing SAR Procedures. However, they do bolster the position of schools when dealing with requests as you can now rely on these provisions within the law should requesters dispute how a school has responded to a request.

Recognised Legitimate Interests.

The new Act introduces a list of ‘recognised legitimate interests’ to be used for certain processing activities. This was created to reduce time spent on completing legitimate interest tests, however it is unlikely to have a major impact on schools.

As a school, you will rely on the ‘public task’ lawful basis for a lot of your data processing needs, therefore you will not need to worry about the changes to legitimate interests.

This is an area that you may come across when working on new Data Processing Impact Assessments (DPIAs), where we, as your DPO, will assess whether a recognised legitimate interest applies to your new processing activity.

A new requirement for a ‘complaints procedure’.

There is a new requirement to have a ‘complaints procedure for data protection matters’. The UK GDPR already gives data subjects the right to make a complaint to the ICO about the way in which their personal data has been handled. However, this new law introduces additional requirements for your complaints procedures.

Schools will be required to acknowledge complaints within 30 days and take appropriate steps to respond to any data protection complaint without “undue delay”.

Although this may seem daunting at first, all schools and MATs should have a pre-existing complaints procedure in place and therefore you should be able to incorporate these data protection matters into your current complaints procedures. You should also review your data protection policy to ensure it expressly refers to the ability to make data protection complaints and who they should be directed to. This is something we will ensure is incorporated in the April 2026 policy suite.

Artificial Intelligence

Over the last year we have created a number of guidance documents on AI for our schools to use, this includes an AI policy and DPIAs. The new legislation reinforces the need for risk assessing the use of any AI tools. The legislation requires schools to have a robust framework in place for AI, which for our subscribing schools includes personalising our AI Policy and DPIA templates to fit the needs of your schools.

3 Key Takeaways:

‘Reasonable searches’ does not mean records management is no longer important. So do keep working on your Retention Schedule and get rid of anything you should no longer have.
Review your complaints procedure to ensure it includes data protection complaints.
Don’t panic! If you subscribe to our data protection for school’s service, we will provide separate guidance or policy template updates on any major changes that occur as a result of this new legislation.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.