The Data (Use and Access) Act 2025 (DUAA) marks a significant evolution in UK data protection. It introduces practical changes that employers must understand and implement.
Published: 3 February 2026
Author: Gwynneth Tan
The DUAA introduces into the UK GDPR and Data Protection Act 2018 more proportionate DSAR obligations, a mandatory complaints process, new recognised legitimate interests and expanded ability to use automated decision-making (ADM) with statutory safeguards. In this article, we explore the employment-related implications of the DUAA.
Commencement is being phased, with the process of incorporation likely to finish in Summer 2026.
Handling employee DSARs
DSARs remain a cornerstone of data protection rights, but the DUAA has incorporated into statute long-standing ICO guidance to make compliance for employers more manageable:
- reasonable and proportionate searches
The DUAA codifies the principle of ‘reasonable and proportionate’ searches, meaning employers are not expected to search all systems and data sources to retrieve a data requester’s personal data if it would be disproportionate to do so. This is particularly helpful for large employers with complex IT infrastructures. Employers still need to adopt a reasonable approach to the request.
- ‘Stop the Clock’ provision
Normally, employers are required to respond to a DSAR within one month of its receipt. However, the DUAA formalises the ability for an employer to pause the one-month response period while it seeks clarification from the data subject, provided the clarification is reasonably required in order to respond to the DSAR. For example, if an employee requests ‘all documents about my performance’, an employer can seek clarification from the employee on the scope of their request, such as whether this includes informal notes or only formal appraisals. In doing so, the employer pauses the clock until the employee responds. Employers should update their DSAR policies to reflect these changes and implement systems to track ‘stop the clock’ periods.
- extensions for complexity
Although the normal one-month timeframe for responding to a DSAR remains in place, the DUAA provides for extensions of up to two months in respect of complex or multiple requests in line with the existing provisions of the UK GDPR. Employers must still notify the individual within the first month and explain the reasons why they consider the extended period applies in a particular case. The DUAA also clarifies the reasons why an employer may refuse to respond to a DSAR.
Employee data complaints
The DUAA introduces a mandatory requirement for employers to enable employees to raise complaints with their employer about the way it has handled their data. As a result, employers must provide clear and accessible routes for submitting data protection complaints, such as online complaint forms, dedicated email addresses, and postal options. Employers also need to ensure that complaints are acknowledged within 30 days and must investigate and respond without undue delay. Regular updates should be provided to the complainant.
This requirement means that HR and compliance teams need robust processes for handling complaints efficiently. HR should coordinate with the Data Protection Officer/Lead to ensure complaints are logged, tracked, and resolved alongside grievance procedures.
Employers should create a documented complaints procedure, train staff handling complaints, and ensure alignment with grievance and whistleblowing frameworks.
Recognised legitimate interests
The DUAA introduces a list of recognised legitimate interests (RLI), a new lawful basis for processing data by private sector controllers without the need for a balancing test in certain scenarios. Examples of RLI include processing which is necessary for:
- disclosures to public bodies for public tasks
- safeguarding vulnerable individuals
- crime prevention and detection
- responding to emergencies or national security concerns
If, for instance, HR needs to share employee details with the police during a workplace security incident, this may now fall under an RLI without a balancing test needing to be carried out before the disclosure of information can take place. For other activities carried out on the basis of legitimate interests, the traditional Legitimate Interest Assessment (LIA) usually remains mandatory.
Employers should review their data processing activities to identify where RLI applies and update their workforce privacy notices accordingly. This could simplify compliance for certain HR functions, such as sharing data for safeguarding purposes.
Automated Decision Making (ADM)
The DUAA relaxes restrictions on ADM, enabling wider use of AI and automation in employment contexts such as recruitment, performance management, and workforce planning.
Employers in the private sector may now rely on legitimate interests for ADM used to make significant decisions affecting individuals, provided appropriate statutory safeguards are in place. This means that employers may be able to use automated CV screening tools without explicit consent, if transparency, human intervention and other safeguards are implemented. These safeguards include informing individuals when ADM is used, explaining the logic and consequences of the ADM, and allowing individuals to contest decisions and request human review. There are, therefore, still compliance hurdles for employers to overcome, and other elements of data protection law still apply, as do other legal considerations. For instance, employers should consider carefully whether the ADM will result in discrimination or unfair treatment. As a result, ADM should still be used with caution. If adopted, privacy notices must be updated to reflect any new processing activities.
Stricter rules remain for automated processing of special category data, where explicit consent will often be required. So, for example, using health data in automated absence management systems still requires explicit consent, as well as the other required safeguards.
Next steps for employers
To comply with the DUAA, employers must:
- update privacy notices and DSAR policies
- implement a complaints procedure to allow employees and others to raise issues internally
- identify processing activities eligible for RLI
- assess ADM practices against data protection requirements
- if undertaking ADM with significant effects, ensure transparency, fairness, and meaningful human oversight safeguards are in place
- avoid rubber‑stamping decisions generated by algorithms
- train reviewers to override or adjust automated outcomes
- train HR and compliance teams
- monitor DUAA commencement and ICO Guidance
Further regulatory guidance is expected in early 2026.
Conclusion
The DUAA represents a shift towards a more pragmatic and innovation-friendly data protection regime. For employers, the changes offer opportunities to streamline compliance but also impose new responsibilities, particularly around complaints handling and ADM safeguards. Early action will help organisations avoid regulatory risk and maintain employee trust.