Data (Use and Access) Act 2025: What schools and trusts need to know

The Data (Use and Access) Act 2025, was first introduced to parliament in October 2024 and has now obtained Royal Assent. 

The Data (Use and Access) Act 2025 (DUA) received Royal Assent on 19 June 2025. While the DUA is by no means a revolution in data protection legislation as we know it, there are some refinements to the current law which will impact school and trusts’ data protection compliance. 

We understand that navigating new legislation can create unease, so we have prepared five key takeaways for schools and trusts on the introduction of the DUA:

1. ‘Stopping the clock’ on time limit for responding to SARs

Managing subject access requests (SARs) can become a burdensome responsibility for schools and trusts as the volume of SARs has vastly increased. The DUA aims to reduce the burden, intricacy and complexity of processing these requests by codifying in legislation some elements of current ICO guidance. 

The DUA will solidify the ICO’s published position on ‘stopping the clock’. Schools and trusts will be able to ask the requester to clarify the information they are seeking in response to their SAR where this is unclear. The time limit for responding will be paused until such clarification is received. 

While this is a change in the law, it’s already the approach taken within the ICO’s detailed SAR guidance and so this is unlikely to result in a huge change to existing SAR procedures. However, you should check your existing SAR procedure to ensure you include the ability to pause the time for response whilst clarification is sought.

2. A ‘reasonable and proportionate’ search 

The DUA clarifies that organisations are only obliged to conduct searches that are 'reasonable and proportionate' when responding to SARs. This will empower schools and trusts to push back on overly broad request and reiterates the principle that you don't need to send information to which the requester already holds or has access to. 

Again while this is a change in what is set out expressly within data protection law, it is already the advice given within the ICO’s detailed SAR guidance and so this is unlikely to result in a huge change to existing SAR procedures. However, you should ensure your SAR procedure is up to date to reflect the requirement to conduct 'reasonable and proportionate searches' and any staff involved in handling SARs are made aware of this change.

3. Recognised legitimate interests 

The DUA also introduces a list of 'recognised legitimate interests,' which, for certain processing activities, means you might not need to conduct a full legitimate interest assessment (LIA). This aims to reduce red tape and offer more certainty.

Similar to the changes listed above, this is unlikely to pose a major change to school and trusts’ data protection compliance. Schools and trusts will primarily rely on the 'public task' lawful basis for most data processing and therefore will not often rely on the ‘legitimate interests’ lawful basis. 

However, there are instances where legitimate interests may be the most appropriate lawful basis (e.g. direct marketing for fundraising, internal administrative transfers).

Schools and trusts should familiarise themselves with the recognised legitimate interests and assess if any of their current processing activities (particularly those relying on legitimate interests) fall within these, however we do not envisage that this change will impact most data processing activities within schools.

4. Data protection complaint process

The DUA introducing some additional provisions about complaints made by data subjects. The UK GDPR gives data subjects the right to make a complaint to the ICO about the way in which their personal data has been handled.  

The ICO has always stated that it expects data subjects to raise a complaint with the organisation directly in the first instance before making the complaint to the ICO. The DUA clarifies this position and introduces additional requirements for organisation’s complaint processes:

• schools and trusts will be required to facilitate the making of data protection complaints by taking steps such as providing a complaint form which can be completed electronically and by other means

• the complaint must be acknowledged within 30 days; and

• schools and trusts will then be required to take appropriate steps to respond to the complaint and inform the complainant of the outcome of the complaint without undue delay

Schools and trusts should therefore review their data protection policy to ensure it expressly refers to the ability to make data protection complaints and who they should be directed to.  

Existing complaints procedures may also need to be revisited to confirm that data protection complaints will be dealt with in accordance with the statutory complaints process under data protection law, rather than the school’s complaints procedure.

5. AI and automated decision making

The DUA aims to foster the use of AI while ensuring safeguards for individuals. It relaxes some of the existing restrictions on automated decision making, particularly where special category data is not involved, but reinforces the need for human oversight for 'significant decisions.'

This means that when considering any AI tool, particularly those that make decisions about pupils or staff (e.g. attendance tracking, behaviour analytics, personalised learning pathways), schools and trusts will need to understand how automated decisions are made.  

Schools and trusts must develop robust governance frameworks for AI, including risk assessments, clear policies, and comprehensive staff training. The DUA reinforces the need for a thoughtful, measured approach to AI adoption, ensuring it genuinely supports learning and administrative efficiency without compromising data protection or individual rights.

The changes brought by the DUA will be a good prompt for schools and trust to review and strengthen their data protection practices. By taking a proactive and pragmatic approach, you can ensure your school remains compliant, efficient, and continues to foster a culture of data confidence.

Available support for schools from Browne Jacobson

Our data protection support pack for schools and trusts is currently being updated to reflect the changes that are being introduced by the DUA and will include updated SAR guidance and data protection complaint procedures. If you already have the support pack, you’ll automatically receive these updates as part of your purchase. If you haven’t yet downloaded your support pack, do so now to benefit from this support to handle these new developments.