Legal

When will the Data Use and Access Bill become law?

The UK's data governance is undergoing change with the Data (Use and Access) Act (DUAA) receiving Royal Ascent and passing onto the statue books on 19th June 2025. Though it is becoming law, additional guidance is yet to emerge on the detail - some of the Bill's provisions need a commencement order to take effect, with the next one expected on October 1, 2025. However, some parts of the Bill will come into force immediately.

What is the DUAA about?

This legislation, has the intention of boosting economic growth, driving innovation, and improving public services (we'll see about that!), all while maintaining a balanced and practical approach to data protection (we can't change too much as it risks "adequacy" and the ability to easily transfer data with the EU and other countries). 

It's important to note that this doesn't replace or repeal the Data Protection Act 2018 or the UK GDPR - rather the new Act will serve to amend them. This means the core framework of UK GDPR, DPA 2018, (and PECR when doing online marketing for example) remain, though they will be subject to certain adjustments.

For schools and Multi-Academy Trusts (MATs), there isn't a huge amount of operational impact, understanding this Bill is essential, as it redefines how data is managed and used in education - and there are some subtle changes that could potentially have an impact over time. 

Data (Use and Access) Act Summary

Comprising eight distinct parts, the Data (Use and Access) Act covers a wide range of topics: from provisions for Access to Customer and Business data (Part 1) and Digital Verification Services (Part 2), to the National Underground Asset Register (Part 3) and the Digitisation of Birth and Death Registers (Part 4). It establishes the new Information Commission (Part 6). and also addresses Other Aspects of Data Use and Access, Including Online Safety (Part 7), concluding with standard final provisions (Part 8).These don't worry us too much in the education sector at this point.

What does interest us a little more is that it includes significant reforms to Data Protection and Privacy (Part 5)  

The Data (Use and Access) Act is more than a simple update; it's a fundamental reorientation of the UK's data strategy. It combines proposals from its predecessor, the Data Protection and Digital Information (No. 2) Bill (which in DPE's opinion was much further reaching and disruptive), seeking a more agile and results-focused framework.

Major Changes in the Act:

• New Regulator: The Information Commissioner’s Office (ICO) is replaced by the Information Commission (IC), a new corporate body. This entity's mandate includes explicitly fostering "public trust and confidence in data processing," alongside new responsibilities to consider innovation and competition. This indicates a notable shift (weakening?) in regulatory priorities.
  DPE says: In practice, this isn't going to change things much - indeed there hasn't been a great deal of regulation on GDPR from the ICO, especially in education. It's nothing related to the Bill, but the ICO is moving headquarters too. It's not a permission slip to ignore data protection, but they are going to have their hands full for the next couple of years.

• "Recognised Legitimate Interests": A new lawful basis for processing is introduced. This allows certain public interest activities (like safeguarding, national security, or crime prevention) to proceed without a complex balancing test, simplifying compliance for essential public functions.
  DPE says: Most of our processing in the sector will still be under the lawful basis of a task in the public interest. However, there may be some scope for using this for direct marketing where a MAT or a PTA, for example is a charity - we'll look at that scenario in more detail in another post.

• Refined Purpose Limitation: While the principle of processing data only for specified, explicit, and legitimate purposes remains, the Bill sets clearer conditions for secondary processing. This particularly affects research and statistical uses, balancing innovation with individual rights.
  DPE says: There may be limited effect directly on school processing with this change. However, school data provided to universities, Health Trusts, or even the DfE might be subsequently used for a seocondary research purpose. Research under the Act will also cover that undertaken by private companies, so we will need to see if some organsiations start to use school data for secondary research.

• International Data Flow: The Act establishes a UK-specific "Data Protection Test" for international data transfers. This test aims for a more adaptable yet secure system than the EU's "adequacy" mechanism, by assessing whether protection standards in a recipient country or organization are "not materially lower" than those in the UK.
  DPE says: We need to give this some time to see what impact there is on international data transfers - but this affects adequacy decisions, not other international data tranfers and associated international data transfer assessments.

• Special category data and children:  Among other things the law now specifically states that children "merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing".
  DPE says: Schools process a lot of special category data - and whilst there are no changes to the definitions of personal data (though the Act allows the Secretary of State to designate new categories if needed) additional protections and re-assurance on the processing of such data within schools may be required.

• Operational Clarity and Individual Rights: The Act also introduces key adjustments to how organizations manage data subject requests and digital interactions. It formalizes a direct complaints handling process, encouraging individuals to raise issues with the data controller first. Data sharing between public authorities is facilitated, allowing for better delivery of public services. For Subject Access Requests (SARs), clarity is provided on "stopping the clock" for requests and emphasizing a "reasonable and proportionate" search for data. The Bill addresses the rise of AI by introducing safeguards for automated decision-making processes. Moreover, it places a stronger focus on children's data, particularly when engaging with online services, requiring higher protection standards by design (see above).
  DPE says: DPE will be adding a Complaints Log to the Knowledge Bank and updating our documentation, however it could be that data-rights related complaints are handled in an existing complaints policies and procedures. It is however recommended to keep a log as the number of complaints may need to be reported to the Information Commission."Stopping-the-clock" on SARs where clarification is sought has been practice supported by the ICO over the last few years - as has the complaints handling approach. But they are now written into the law.
  AI - we have to await the detail on safeguards, and it will be very interesting to see how the new IC enforces them.
  Again, with children's data - we will expect to see some guidance on this from the IC and well as to see how this is enforced.

For schools and MATs, these changes will require a thorough review of existing data policies, practices, and technologies. From student records to staff information and parent communications, all aspects of data handling will need to align with this new regulatory environment. Adapting to these new requirements is necessary for compliance, maintaining confidence, and leveraging the potential benefits of improved data sharing within the educational community.

DPE will be sharing our updated documentation shortly and will be updating the Knowledge Bank as new guidance emerges.

Learn more

Join us for a webinar on the Act. Thurday 3rd July 2025 at 3pm. Register here.

We'll be posting more on each of these elements and what it means for schools on our News section - sign up here for updates.

Lastly, our MAT Conference in February will be covering the implications on the DUAA as well as cyber and AI. Find out more here.