The Data (Use and Access) Act 2025 and Subject Access Requests: what independent schools need to know
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, introducing significant updates to the UK’s data protection regime. It amends key legislation, including the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and the UK GDPR.
Independent schools should be aware of several important changes:
1. New statutory right for data subjects to raise complaints
Previously, individuals who believed their data protection rights had been breached could complain to the Information Commissioner’s Office (ICO). Under the DUAA, complainants must now first raise their issue directly with the data controller before approaching the ICO.
Data controllers must:
- Establish a formal complaints process (e.g., an online form).
- Acknowledge complaints within 30 days.
- Keep complainants informed of the steps taken and provide progress updates.
This new framework formalises the complaints process, placing greater emphasis on data controllers resolving issues earlier. While this may increase the administrative workload, it should also reduce the number of cases escalated to the ICO and promote transparency and proactive resolution.
2. Changes to the Privacy and Electronic Communications Regulations 2003
The DUAA significantly increases penalties for breaches—from a maximum of £500,000 to £17.5 million or 4% of global annual turnover, aligning with the penalty structure under the UK GDPR.
Another key reform relates to cookies:
- User consent is no longer required for low-risk, non-essential cookies, such as first-party analytics cookies. Users must still be informed about such processing and given a clear opt-out option.
- Third-party tracking cookies will still require explicit consent.
These changes signal a tougher enforcement approach but also greater flexibility for low-risk data uses.
3. International data transfers
The DUAA replaces the old requirement that third countries offer “essentially equivalent” data protection with a new threshold: protections must not be “materially lower” than those in the UK.
Data controllers must still:
- Carry out transfer risk assessments, and
- Ensure appropriate safeguards are in place where no adequacy decision exists.
This change simplifies cross-border data transfers while maintaining a reasonable level of protection.
4. Legitimate interests as a lawful basis
The DUAA clarifies that direct marketing can fall under the legitimate interests lawful basis. However, organisations must still balance their interests against the individual’s rights and conduct a careful assessment—particularly when processing personal data for commercial purposes.
This clarification provides more certainty but does not lessen the need for due diligence.
5. Subject Access Requests (SARs)
The DUAA also enshrines some of the ICO’s existing SAR guidance into law. This is helpful to schools, particularly in relation to unreasonable and disproportionate SARs.
Common problem areas for independent schools include:
a. Conducting excessive searches
Schools sometimes go beyond what is legally required when searching for personal data. Under the DUAA, data controllers must perform a reasonable and proportionate search only. Requestors may attempt to dictate how or where searches are carried out, but schools are not legally required to comply with such directions.
If keyword searches produce excessive results, this may indicate the search parameters are too broad and fall outside the scope of a reasonable search.
b. Understanding the scope of disclosure
Individuals are entitled to their personal data, not necessarily to specific documents. Schools can extract relevant personal data from documents and present it in a summary table rather than providing full copies. Where redactions are minimal, providing the original documents may be acceptable. Otherwise, extracting and compiling the personal data is preferable.
c. Requests for pupil information and safeguarding
Requests involving pupil data can be sensitive, especially where safeguarding issues arise. In such cases, schools can rely on exemptions that permit withholding information to protect the child’s welfare. Legal advice should be sought, but a practical approach is to identify what information would benefit the child and use exemptions to withhold anything potentially harmful or inappropriate to disclose.
d. Response times
The standard timeframe to respond to a SAR remains one month, extendable to three months if the request is considered “complex.” This flexibility is particularly valuable when requests overlap with school holidays. The threshold for complexity is relatively low, and to date, the ICO has not criticised schools for using the extension where justified.
e. Handling data protection complaints
As noted earlier, the DUAA requires schools to have a formal complaint-handling process. This structured approach should reduce drawn-out correspondence and improve resolution efficiency.
For further advice or assistance with Subject Access Requests, please contact Thomas Emmett below.