Practical steps for compliance with the Data (Use and Access) Act 2025 from a pensions perspective

The Data (Use and Access) Act 2025 (DUAA), which became law on 19 June 2025, brings phased reforms to UK data protection law with important implications for pension scheme trustees and administrators.

To support pension scheme trustees and administrators, we have produced a short document outlining the key changes to data protection requirements under the DUAA from a pensions perspective and practical steps that can be taken for compliance, which can be accessed here.

Among the provisions taking effect between June 2025 and June 2026, the most significant for schemes is likely to be the new, more demanding timeframe for responding to data subject complaints. Under the DUAA, schemes will be expected to ‘acknowledge complaints within 30 days’ and respond ‘without undue delay’, which may require swifter action than the typical four-month longstop for a response under a scheme’s IDRP.

Other notable changes include:

  • Enhanced ICO powers: The ICO can now compel interviews and require the production of specific documents to assess compliance.
  • Data Subject Access Requests (DSARs): Data controllers are now only expected to carry out “reasonable and proportionate” searches in response to a DSAR; the “stop the clock” rule allows the response deadline to be paused while awaiting identity verification or clarification from the data subject. Both changes codify existing ICO guidance.
  • Automated Decision Making (ADM): Schemes may rely on a wider range of lawful bases, including legitimate interests, for ADM involving non-special category data; mandatory safeguards now apply whenever ADM is used, whether special category data is involved or not.
  • Purpose limitation: Trustees and administrators may be able to reuse member data for certain processing activities without a fresh compatibility assessment, due to the expanded list of ‘automatically compatible’ purposes.

Trustees may find that some of their existing processes and policies already align with the changes introduced by the DUAA, as some of these simply codify existing ICO guidance. However, as further ICO guidance is released throughout the year, these actions may evolve.

In light of these changes and the potential for requirements to evolve, it is important for trustees (as data controllers) to take action to ensure that they are aware of the changes and that their scheme is compliant with them.

If you would like us to help ensure your scheme is compliant, or if you have any queries, please contact Samantha Howell or Richard Pettit from our Pensions and Lifetime Savings team, Amanda Leiu or Hamish Corner from our Commercial and Technology team, or your usual Burges Salmon contact.

The DUAA introduces changes to data protection requirements that scheme trustees and administrators should be aware of. This document summarises the key changes relevant to pension schemes and practical compliance steps that can be taken.

https://www.burges-salmon.com/our-thinking/practical-steps-for-compliance-with-the-data-use-and-access-act-2025-from-a-pensions-perspective/