Data (Use and Access) Act 2025
Among the changes introduced by the Data (Use and Access) Act 2025 (DUAA) are more proportionate subject access request (SAR) obligations, an obligatory complaints process, a renamed and re-empowered regulator, and an expanded ability to use automated decision making (ADM).
The Act became law in June 2025 and amends the UK GDPR and the Data Protection Act 2018.
The Information Commission
The existing Information Commissioner’s Office is replaced by a new statutory body – the Information Commission (IC) – with an enhanced regulatory capacity.
The IC will have expanded powers, including the ability to summon individuals for interviews (including the previous employees of organisations being investigated), compel organisations to produce specific documents, and order external expert reports (at the organisation’s cost) in the wake of a suspected breach.
SARs
The DUAA incorporates into statute long-standing IC guidance to make compliance for employers more manageable:
- It codifies the principle of ‘reasonable and proportionate’ searches, meaning employers are not expected to search every system and data source to retrieve a requester’s personal data where doing so would be disproportionate (this provision is backdated to 2024). So, for example, there may be circumstances in which a request for ‘all personal data’ is unlikely to be considered reasonable; in such a case an employer can seek clarification of the request and identify what it considers a reasonable scope for its response. Where an employer believes the requested scope is unreasonable or disproportionate, it is always best to propose an alternative scope that it does consider reasonable and is prepared to provide.
- Employers are usually required to respond to a SAR within 1 month of its receipt. However, the DUAA formalises the ability for an employer to pause the 1-month response period when clarification from the data subject is required, provided clarification is reasonably required.
- Although the normal 1-month timeframe for responding to a SAR remains in place, the DUAA provides for extensions of up to 2 months in respect of complex or multiple requests in line with the existing provisions of the UK GDPR. Employers must still notify the individual within the first month and explain the reasons why they consider the extended period applies in a particular case. Whilst the principle of ‘stopping the clock’ reflects IC guidance, the DUAA codifies this principle and confirms there is no need to respond to the request until such clarification is received.
An individual’s right to access their personal data is not absolute. Several exemptions may apply which entitle the employer to withhold personal data in particular circumstances. For example, information may be withheld where it is subject to legal professional privilege, where disclosure would prejudice ongoing negotiations, or where it relates to confidential management planning.
The DUAA confirms that if an employer withholds data in reliance on an exemption, it must inform the individual of the exemptions relied on. Specifically in relation to the exemptions for legal professional privilege and client confidentiality, the DUAA requires employers to tell individuals why the exemption has been relied on and to specifically inform them of their right to ask the ICO to review the application of the exemption, their right to lodge a complaint, and their right to apply to a court to challenge the employer’s use of the exemption.
The IC’s main SAR guidance has been updated. See also ‘Handling Subject Access Requests’.
Complaints process
From 19 June 2026, employers will have to set up a formal complaint-handling process which individuals can use if they think their data protection rights have been breached. If an organisation is unsure whether someone is making a data protection complaint, they should ask for clarification.
This requirement extends beyond employees alone and gives workers, contractors, agency workers and customers the ability to make complaints.
Organisations need to inform individuals about their right to complain at the time their data is collected and when responding to subject rights requests.
The Information Commissioner has updated its guidance on how organisations should handle complaints.
Employers will be required to:
- have a clear and accessible complaints procedure in place, with a complaint form that can be accessed and completed electronically (as well as by other means)
- tell individuals about their right to complain to the organisation, and to the ICO, and this information must be given both when personal information is collected (in the privacy notice, for example) and when responding to a SAR
- acknowledge receipt of the complaint within 30 calendar days (which includes bank holidays and weekends)
- take appropriate steps to investigate and respond to the complaint ‘without undue delay’
Automated decision making (ADM)
The DUAA relaxes restrictions on ADM, enabling wider use of AI and automation in employment contexts such as recruitment, performance management, and workforce planning.
Employers in the private sector may now rely on legitimate interests for ADM used to make significant decisions affecting individuals - provided appropriate statutory safeguards are in place.
This means that employers may be able to use automated CV screening tools without explicit consent, if transparency, human interventions and other safeguards are implemented. These include informing individuals when ADM is used and explaining the logic and consequences of the ADM, and allowing individuals to contest decisions and request human review.
The ICO says that if employers want to use ADM in recruitment processes, it expects them to:
- Proactively monitor for bias - organisations need to work hard to build trust with people when there are ingrained concerns about bias and discrimination. Test regularly for biased outputs and take steps to mitigate them, so people can trust that all decisions are fair. Good practice also includes asking developers about their own bias testing when procuring tools and considering monthly bias reviews
- Be transparent with jobseekers - organisations need to be clear with candidates if ADM is being used and explain how it works
- Explain rights to recourse - organisations must tell candidates how to exercise their right to challenge a decision and request a human review if they believe it is incorrect
The ICO has published a consultation on its draft guidance on ADM including profiling.