The Data Use and Access Act Explained: Impacts, Guidance & Next Steps for Schools

This is a summary taken from Judicium's DPO 'Sofa Session' from 24th September, with our Data Protection Consultant Thomas Wynne. The session breaks down the Act in clear, practical terms, explains how it could affect your policies and day-to-day operations, and outlines when to expect guidance from the ICO, helping you stay compliant and confident.
Data (Use and Access) Act 2025 - The legislation itself spans 144 sections, is split into 8 parts, includes 16 schedules and runs to approx. 276 pages.
Common Questions Asked
When do we need to begin following this Act, and will it supersede the UK GDPR / DPA 2018? The DUAA received Royal Assent on the 19th of June 2025 and is now in effect.
DUAA does not replace the current UK data protection legislation.
The UK GDPR and the Data Protection Act 2018 still apply to organisations.
What that means for you is that you still need to meet many of the obligations within those acts, alongside this one. There is a caveat here: this is a developing piece of legislation, and we anticipate that the ICO/IC will continue to provide clarity and guidance in the coming months.
ICO/IC
The ICO is being restructured and will become the Information Commission (IC). The IC will also be moving their office location.
The ICO/IC is intending to publish more detailed guidance on the DUAA later this year/early 2026.
How will this affect you?
We do not anticipate any changes to the methods of contacting the IC, and they will continue to perform the same role as before. Over the coming months, we will be updating our policies and privacy notices, and we will ensure these updates are communicated to our clients.
Eight changes introduced by the DUAA
1. Complaints Process
The DUAA requires organisations to have a complaints process for stakeholders wishing to raise data protection concerns.
How will this affect you?
The ICO has issued some guidance on this which states that under data protection law, you must:
- Give people a way of making data protection complaints to you.
- Acknowledge receipt of complaints within 30 days of receiving them.
- Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed.
- Without undue delay, tell people the outcome of their complaints.
You could do this by taking the following actions:
- Provide a complaint form that people can submit to you either electronically or in writing (e.g. by email or post).
- Allow people to make a complaint over the phone.
- Provide an online complaints portal.
- Provide a live chat function with the option to escalate to a human if needed.
- Give people a way to make complaints to you in person (e.g. if you don't have an online presence).
Other considerations:
- Write a complaints procedure.
- You should use plain language rather than jargon or legal terms.
- Develop a system for asking for more information.
- Consider if there are other legal frameworks to comply with – like the Equality Act 2010.
- Check your record keeping system is fit for purpose.
- You should make sure you have a system for keeping your records up-to-date which is clearly organised and labelled.
- Train your staff about data protection complaints.
Over time, Judicium will review our policies and processes so that both schools and Judicium, as DPO, have a clear complaints process that can be managed effectively.
In the meantime, if individuals exercise their right to complain, ensure they have a clear platform to do so and address their concerns within a reasonable timeframe. For DPO clients, make use of our guidance.
2. Subject Access Requests
Requests for data are a huge undertaking, and the new Act has taken steps to manage this expectation: the key change is that organisations are now only required to conduct a 'proportionate and reasonable search' in response to a subject access request.
Where the school requires further information in order to conduct a reasonable search, the clock is paused until this clarification is received.
How will this affect you?
In practice that means two things: regulators will expect you to be able to show you ran a focused, reasonable search, and requestors who ask for everything will increasingly be pushed to narrow their ask. It also means that if searching for the data requested is disproportionate, there may be grounds to return to the requestor and ask for more reasonable parameters.
Your DPO should be taking the following steps:
- Update policies to make this clear.
- Decide when and if this is an appropriate step to take.
- Ensure that any disclosures are appropriately redacted; what you disclose matters as much as how you search.
Practically this means:
- Keep records organised and indexed – the regulator is unlikely to allow delays to responding based on lack of organisation.
- Conduct initial discovery as soon as possible – understand how many records you may be required to review. This will help determine if you require further clarifications or extensions of time.
- You are still required to redact information as appropriate; the proportionate search is not a way to limit what you disclose.
Our DPO service regularly advises on the need to conduct reasonable and proportionate searches, so this is a positive change to see enshrined in law. We also now assist with redaction as a bolt-on to the service, which means that if you are ever under pressure you can rely on us to help in extreme circumstances.
3. Legitimate Interest
Legitimate interests is a legal basis for processing personal data under the GDPR, allowing an organisation to use personal data when necessary for their own legitimate interests (or those of a third party), provided these interests do not override the fundamental rights and freedoms of the data subject.
The ICO states: Legitimate interests is different to the other lawful bases as it is not centred around a particular purpose (eg performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). Legitimate interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.
Consequently, each proposed activity has to be assessed case by case via a legitimate interests assessment, which balances the organisation's 'legitimate interest' against the rights and freedoms of the data subject and determines whether the processing activity can commence.
The introduction of 'recognised legitimate interests' gives us specific circumstances in which legitimate interests will be a designated lawful basis and a legitimate interests assessment will not be required.
How will this affect you?
In practice it should become easier to rely on this lawful basis for certain activities without doing a legitimate interest assessment. This legal basis could be considered when completing a Data Protection Impact Assessment for a new proposed processing activity such as the introduction of a new application, service or data sharing process and your DPO should be able to advise on whether the specific activity would fall into these recognised interests.
4. International Transfers
Following Brexit, the Secretary of State took responsibility for deciding which countries were and were not appropriate to share personal data with. The Secretary of State will continue to be responsible for assigning adequacy decisions to countries importing UK personal data.
How will this affect you?
With this clarity, there is a possibility that more countries may soon be recognised as 'safe' for data sharing. This would help ease some of the challenges around conducting third-party due diligence, making international data transfers more straightforward and less time-consuming.
5. Digital Identity
You might have heard recently about the restriction of certain online services without first proving your identity. This is a way to protect children from harmful online content, but this development has caused some concern to members of the public around the security of these third-party service providers who will verify and store ID.
As a result, the Government is introducing a standardised digital service as a secure method of ID verification.
Providers of these services will need to be certified against the “trust framework”, which sets out stringent rules on handling data privacy, security, inclusion and more.
How will this affect you?
This is relevant to all schools or trusts who need to conduct identity checks and will likely transform how this is done, affecting recruitment, right to work, and DBS checks.
Schools and trusts will see changes in how they carry out ID checks, including recruitment, right to work, and DBS processes. This new approach must follow data protection laws but may improve compliance by only sharing essential information. We will watch this space as the programme develops and issue guidance as we learn more.
6. Cookies
The DUAA has removed the requirement for user consent for all non-essential cookies. It now permits the use of a broader range of cookies, such as those used for statistical purposes, without needing the user's consent, provided they have a clearly defined purpose.
How will this affect you?
Unless your website uses cookies for statistical research or site improvement, this change is unlikely to affect your current consent processes. Consent is still required for marketing or tracking cookies, and these must remain disabled until the user has given explicit consent.
7. Automated Decision Making (ADM)
Currently, the law generally prohibits fully automated decision-making for significant decisions affecting individuals, with certain exemptions.
Under the DUAA, this restriction is being narrowed. ADM will only be prohibited when it involves the use of special category data, allowing broader use of automation in other contexts.
How will this affect you?
With the rise of AI platforms and other digital tools for schools, this change removes some of the red tape surrounding use of these technologies to make automated decisions. The Ed Tech industry is increasingly focused on automated tools to improve school productivity; this change will only mean increased options in this area.
That being said, the use of special category data to inform automated decisions is still restricted and so processes will largely remain unchanged where sensitive information is required.
ADM will continue to be a consideration in the risk assessments we support you with.
8. Change to Fines
The Privacy and Electronic Communications Regulations (PECR) govern standards surrounding:
- Marketing calls, emails, texts and faxes.
- Cookies (and similar technologies).
- Keeping communications services secure.
- Customer privacy regarding traffic and location data, itemised billing, line identification, and directory listings.
Under the DUAA, fines for non-compliance are being increased to match those imposed for breaching laws like the UK GDPR, which is £17.5 million or 4% of annual turnover.
How will this affect you?
Whilst most schools do not routinely engage in marketing activities, nearly all school websites use cookies and are therefore regulated by the PECR. As part of our service, we can advise on the use of cookies and the risks associated with them.
ICO timeline for guidance
- Guidance for organisations on how to handle data protection complaints following the requirements introduced by the Data (Use and Access) Act - Winter 2025/2026 (draft guidance available now)
- Right of access detailed guidance - Autumn 2025
- Recognised legitimate interest guidance for organisations on the new lawful basis introduced by the Data (Use and Access) Act - Winter 2025/2026
- International transfers guidance - Winter 2025/2026
- DUA updates to draft guidance on storage and access technologies - Spring 2026
- Automated Decision Making (ADM) and profiling guidance update, including amendments in the Data (Use and Access) Act - Spring 2026
- Update to direct marketing and Privacy and Electronic Communications guidance to include amendments from the Data (Use and Access) Act - Winter 2025/2026
How Judicium can help...
You can find information regarding our School Data Protection Officer (DPO) service here.
Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for everything from single schools to large MATs and is designed to assist schools with two critical needs: to enable trustees, governors and other SLT to monitor GDPR compliance, and to assist you in managing your data protection.
If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.
If you require any support with any of these steps or would like to talk to someone about support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.
Follow us on Twitter: @DPOforSchools and @JudiciumEDU
© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attended and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing your access to our sessions and/or follow-up content.