
Pensions Pod: Cyber and AI Bytes – Implications of the Data (Use and Access) Act 2025 for pension schemes


In this episode of The Pensions Pod: Cyber and AI Bytes, Samantha Howell and Amanda Leiu discuss the Data (Use and Access) Act 2025 (DUAA) and its implications for pension schemes. They explore the key changes in data protection requirements, focusing in particular on data subject complaints, compliance challenges, and practical steps trustees can take to ensure adherence to the new rules. The conversation emphasises the importance of understanding the Act’s provisions and adapting existing processes to meet the new standards. A key implication of the Act in a pensions context is for complaints processes, with knock-on effects for schemes’ Internal Dispute Resolution Procedures (IDRPs).

Samantha Howell, Director, Burges Salmon

Hello everyone and welcome to today’s Cyber and AI Bytes episode, part of the Burges Salmon Pensions Pod. I’m Samantha Howell. I’m a director and one of the cyber governance leads in Burges Salmon’s Pensions and Lifetime Savings team. It’s great to be joined today by Amanda Leiu, who works as a senior associate in Burges Salmon’s Data Protection and Technology team. She works across a wide range of privacy and data protection matters, everything from compliance and governance to data breaches and cybersecurity.

Today, Amanda and I will be talking about the Data (Use and Access) Act 2025 and the key implications for pension schemes. A topic of particular interest here is data subject complaints and what this means for your pension scheme’s complaints process.

Amanda, thanks so much for joining me today to talk about the Data (Use and Access) Act 2025 and its key implications for pension schemes.

Amanda Leiu (00:57)

Thanks Sam. It’s great to be here to discuss how the Act is changing data protection requirements for pension schemes and what scheme trustees and administrators need to know so they can stay compliant.

Samantha Howell (01:07)

So to start things off, Amanda, can you tell us exactly what is the Data (Use and Access) Act 2025 and why should pension trustees and administrators know about it?

Amanda Leiu (01:16)

So, DUAA received royal assent in June earlier this year and introduces phased reforms to the UK’s data protection framework. These changes will be rolled out through secondary legislation between now and June 2026, with some changes in force already. The DUAA does not replace existing laws, but instead amends existing data protection and privacy laws, so the UK GDPR, the Data Protection Act 2018 and PECR all remain in force. The DUAA tweaks and clarifies certain areas.

It introduces a handful of new requirements and creates opportunities in some areas for flexible data use.

Samantha Howell (01:51)

Okay, great. Well, firstly, DUAA is data protection speak for the Data (Use and Access) Act 2025 because it’s quite a mouthful. But yeah, it sounds like the legislation, while it’s not pension specific, it will still be relevant for pension schemes.

Amanda Leiu (02:05)

Yes, and this matters for pension trustees and administrators because schemes handle huge volumes of personal data, including sensitive data. And even though the reforms aren’t pension specific, they will directly impact data governance, member experience and risk management across the saver journey.

Samantha Howell (02:21)

That’s interesting. Can you tell us then a bit about the data protection changes that have come in force since the Act and the things that pension schemes now need to be aware of?

Amanda Leiu (02:31)

So there are a few key ones for pension clients. The main change for trustees to be aware of is in relation to data subject complaints. So the Act introduces a new statutory right for individuals to complain directly to the data controller, so the trustees in a pensions context, if an individual believes their data protection rights have been infringed.

Samantha Howell (02:50)

Okay, so what are the key changes when it comes to data subject complaints?

Amanda Leiu (02:54)

So the DUAA requires that schemes must acknowledge complaints within 30 days and they must respond without undue delay. So the ICO have issued draft guidance on data subject complaints, which is expected to be finalised in early 2026. The draft guidance says that organisations need to provide a way for people to make complaints directly. So this could include a number of channels: a complaints form submitted by email or post, over the phone, on a live chat function, via an online complaints portal and even in person.

As mentioned earlier, the Act requires data subject complaints to be responded to without undue delay and the ICO has interpreted this phrase to mean as soon as possible in its guidance.

Samantha Howell (03:34)

That’s an interesting point because under pensions legislation, all schemes have to have an internal dispute resolution procedure, or IDRP, to handle complaints relating to their scheme. And typically the timeframe to respond to a complaint under an IDRP can be up to four months, and that reflects the relevant legislation and also the guidance from The Pensions Regulator. But from a data protection perspective, would you say that responding to a data subject complaint under a scheme’s IDRP, if there is that potential limit of four months, even if it’s compliant with the IDRP process, risks breaching the requirements for responding to a data subject complaint?

Amanda Leiu (04:10)

Yes, so there is a risk that in following a scheme’s IDRP, trustees and administrators will not be responding to a data subject complaint quickly enough, i.e. as soon as possible, to meet the threshold of without undue delay. Four months is likely to be considered too long to respond to a data subject complaint.

Samantha Howell (04:27)

Okay, and it’s worth our listeners being aware as well that in the pensions context PASA published a press release on the 30th of November 2025 about the Act and the key areas for pension schemes, and one of the areas they talked about within that press release was the data protection complaints, or data subject complaints, point. They refer out to the ICO’s draft complaints guidance which you’ve already mentioned, Amanda, and they also make a couple of interesting statements, which are: data protection complaints may need to be handled separately from other scheme member issues and escalations will go to the ICO rather than the Pensions Ombudsman, and so this new requirement adds complexity for schemes. And the other point they’ve made is: to ensure regulatory obligations are met, schemes need to update existing complaint processes to integrate these requirements, ensuring their members receive an easy to understand, seamless experience.

Amanda Leiu (05:17)

Yes, and that’s a really helpful steer on how the pensions industry could respond to the changes the DUAA has introduced on data subject complaints. As I had mentioned, we are still waiting for the final version of the ICO’s guidance in this area. But subject to any changes in position when that guidance is finalised, it appears that pension schemes may need a two-tier process for dealing with complaints going forwards, depending on whether it is a data subject complaint or has a data subject element or another type of complaint.

Samantha Howell (05:44)

So in practice, it sounds like pension scheme trustees and their administrators across the board will need to make changes to their complaints processes to reflect these changes and have steps in place to identify the type of complaint and which procedure needs to be followed.

Amanda Leiu (05:57)

Yes, yeah, that’s right.

Samantha Howell (06:00)

Okay, very interesting. Lots of food for thought there. You did mention that this was one of the key changes that the Act has made, which trustees should be aware of. Just at a high level, can you let us know which other changes the Act has made that should be on trustees’ radars?

Amanda Leiu (06:13)

Yes, of course. So as an overview, some of the other changes for trustees to be aware of include changes around data subject access requests, or DSARs. So the DUAA codifies existing ICO guidance that organisations need only conduct reasonable and proportionate searches when responding to a DSAR. It also introduces a stop-the-clock mechanism allowing companies to pause the one month response timeframe if they reasonably require further information from the data subject to locate the requested data or verify the requestor’s identity. This is also a codification of existing ICO guidance.

Samantha Howell (06:48)

Yeah, and we’ll be covering the pensions perspective on DSARs in more detail in another Cyber and AI Bytes episode in this series, because obviously, as you said, the legal position has changed and these requests do seem to be becoming more common in the pensions space as well.

Amanda Leiu (07:01)

Yeah, absolutely. And the other changes around automated decision making. So ADM is a process of making significant decisions about an individual by automated means without any meaningful human involvement. So DUAA introduces a more flexible framework, allowing organizations to potentially rely on any lawful basis. So including, for example, legitimate interest, providing those special category data is involved and there are safeguards in place.

PASA’s guidance states that this is a shift from a prohibition-based model to a risk-based one, opening the door for increased automation while retaining key safeguards. Another change is that there is a new lawful basis for processing personal data called recognised legitimate interest. So unlike the standard legitimate interest lawful basis, there is no requirement to carry out a legitimate interest assessment if the processing falls within this list of recognised legitimate interests.

Safeguarding vulnerable individuals, which could be relevant to vulnerable scheme members, is one example of a recognised legitimate interest.

Samantha Howell (08:04)

That’s quite a lot of changes for scheme trustees and administrators to be aware of. What are some steps that trustees can take now to ensure that their schemes are compliant with the Act?

Amanda Leiu (08:13)

So organisations should monitor secondary legislation passed under the DUAA and any related consultations or engagements to understand when the changes would be brought in, if not already in force, and to monitor upcoming ICO guidance. The key change covered in this episode was the changes around data subject complaints. And in this area, you need to think about how the complaint handling process will work.

Work with your administrators to integrate the new complaint handling requirements for data subjects into your existing IDRP, if preferable and where possible, or otherwise design a two-tier process for your scheme. For data subject complaints, the draft ICO guidance also recommends having a written complaints procedure which should be made available to individuals, which may look similar to your scheme’s IDRP paperwork. And finally, make sure that your scheme administrator team, whether in-house or external, know how to spot the difference between a data subject complaint and a regular complaint, and consider staff training so they are aware of the requirements for handling these new complaints going forward.

Samantha Howell (09:13)

Thank you, Amanda, for those helpful and practical tips that trustees can take away. It’s also worth mentioning that we’ve drafted an article on the practical steps for compliance with the Data (Use and Access) Act 2025 from a pensions perspective, which is available on our website and sets out more tips for other areas of the Act, which you touched upon briefly earlier.

So that wraps up our discussion on the Data (Use and Access) Act and data subject complaints. Thanks again to Amanda for joining us. The key takeaways for trustees that I took from our discussion in this area are to review your scheme’s IDRP and to engage with your scheme administrator about, firstly, the changes that the Act has introduced and, secondly, how their processes are being updated to reflect those changes.

This was another episode of Cyber and AI Bytes, part of the Burges Salmon Pensions Pod.

If you’d like to know more about our Pensions and Lifetime Savings team or our cyber specialists throughout the firm and how our experts can work with you, then you can contact me, Samantha Howell, or any of our team via our website. As we say every episode, all of our previous episodes are available on Apple, Spotify, our website, or wherever you listen to your podcasts. Don’t forget to subscribe and thanks for listening.
