The Data (Use and Access) Act 2025 and how it affects the education sector

The UK’s data protection framework has recently been updated by the Data (Use and Access) Act 2025 (DUAA). The DUAA does not replace the UK GDPR or the Data Protection Act 2018, but introduces a number of targeted reforms intended to support innovation, reduce administrative burdens, and provide greater clarity in certain areas of data protection law.

While the changes apply across all sectors, they are very relevant to universities, colleges, and other education providers given the volume of personal data they process, the frequency of data subject rights requests they receive, and their research activities.

Key changes

  1. New complaints handling requirements

DUAA introduces a new requirement for data controllers to provide data subjects with a means of making complaints directly to the organisation about its processing of their personal data, such as providing a complaint form. Controllers must acknowledge complaints within prescribed timescales and take appropriate steps to investigate and respond.

Although DUAA does not prescribe a particular format (it suggests a complaint form as an example), organisations should consider implementing a data protection complaints procedure. Making a standard form available can help ensure complaints are identified, recorded, and managed consistently.

  1. Changes to automated decision-making (ADM)

DUAA relaxes certain restrictions on automated decision-making. Organisations can now, in a broader range of circumstances, make decisions based solely on automated processing that have a legal or other significant effect on individuals, provided that appropriate safeguards are in place. These safeguards include informing the data subjects that the decision was based on ADM, that they have the right to seek human intervention, and can challenge the outcome.

This is relevant where educational institutions use or are considering implementing automated tools in areas such as admissions, student support, or HR systems. Any such use should be carefully reviewed to ensure appropriate safeguards are implemented.

  1. Research, archiving and statistical processing

Universities can now make greater use of existing datasets for research, statistical, and archiving purposes without having to either (a) re-seek consent from individuals for the new purpose or (b) conduct purpose compatibility assessments.

For example, if a university collected personal data in a research project for a particular purpose and later wanted to use that data for a new purpose, it now has more flexibility to do so.

However, organisations still have to ensure that appropriate governance and safeguards remain in place. See our article here which explores these rules in more detail.

  1. Data subject access requests (DSARs)

DUAA states that controllers are only required to conduct ‘reasonable and proportionate’ searches when responding to a DSAR, rather than carrying out exhaustive searches across all systems.

It also says that organisations can pause the response period (ie ‘stop the clock’), including where further information is reasonably required to clarify the information requested or verify the requester’s identity. The one-month response period remains unchanged (subject to the existing ability to extend this for complex requests).

What is a ‘reasonable and proportionate’ search? Relevant factors include the circumstances of the request, the volume of information involved, the ease or difficulty of locating the data, and the importance of the individual’s right of access. Importantly, the burden remains on the controller to justify why additional searches would be unreasonable or disproportionate.

Practical steps to take

Institutions should consider taking the following actions:

  • review and update privacy notices, data protection policies, and records of processing;
  • implement or refresh a formal data protection complaints procedure, ideally including a complaints form and internal escalation process;
  • review any use of automated decision-making tools (or proposals to introduce them) and ensure that required safeguards are documented and operational;
  • assess research governance frameworks to determine whether research projects could benefit from the revised research provisions; and
  • provide training and awareness sessions for relevant staff, particularly those involved in admissions, DSARs, student services, HR, compliance, and research functions.

UK-EU divergence

DUAA is the latest example of the UK’s divergence from EU data protection laws, post-Brexit. While the UK framework remains fundamentally similar to the EU regime, there are now a growing number of differences.

For institutions operating in the EU, for example recruiting EU students, employing staff across jurisdictions, or participating in cross-border research projects, it is important to understand these differences. Where feasible, maintaining broadly aligned policies and procedures across UK and EU operations can reduce administrative complexity and support consistent compliance. However, complete alignment may no longer be possible as the two regimes continue to evolve separately.

Conclusion

DUAA introduces a number of important changes for the education sector, particularly in relation to complaints handling, DSARs, automated decision-making and processing for research purposes. Education providers should take the opportunity to review their existing data protection policies and procedures, and update them in line with the new provisions as appropriate.

Related expertise