The Data (Use and Access) Act 2025 (DUAA) became law on 19 June 2025 and introduces phased reforms to UK data protection law, with provisions taking effect between June 2025 and June 2026.
The DUAA introduces changes to data protection requirements that scheme trustees and administrators should be aware of. This document summarises the key changes relevant to pension schemes and practical compliance steps that can be taken. Trustees may find that some of their existing processes and policies already align with the changes introduced by the DUAA, as some of these simply codify existing ICO guidance. These actions may evolve as further ICO guidance is released throughout the year.

| Topic | Changes under the DUAA | Practical steps | 
|---|---|---|
| Data Subject Complaints | Schemes must acknowledge complaints within 30 days and respond “without undue delay” (which is interpreted by the ICO to mean “as soon as possible”). This may require swifter action than the typical 4 month longstop for a response under a scheme’s IDRP. In its recent consultation response on the ICO’s draft guidance for organisations handling data protection complaints, PASA has asked the ICO to clarify how and whether procedures for data subject and general pensions complaints should interact, particularly in terms of timescales and escalation processes. | When changes come into force: • Consider the scheme’s current IDRP and whether to update complaints handling protocols with administrators to reflect the ICO’s interpretation of responding “without undue delay”. • Ensure paper and electronic records are up-to-date – PASA has also asked the ICO to clarify escalation timeframes and recommend retention practices for complaint records and responses by data controllers. • Establish a procedure for requesting any necessary additional information (e.g. ID, reference numbers) at the earliest opportunity. • Arrange data protection training for trustees and scheme administrators to ensure complaints are promptly recognised and directed. • Monitor ICO guidance on complaints handling. |
| ICO Powers  | The ICO can now compel interviews and require the production of specific documents to assess compliance. The ICO can also request technical reports at the expense of the scheme or its service providers and can issue formal notices by email as well as post. | • Maintain clear records of data protection and cybersecurity decisions. • Document rationale for key actions – legal professional privilege may apply. • Be prepared to provide documents/technical reports to evidence compliance if requested by the ICO. | 
| Data Subject Access Requests (DSAR) | Trustees, typically with the support of scheme administrators, are now only expected to carry out “reasonable and proportionate” searches when responding to DSARs. The one-month response deadline can be paused under the “stop the clock” rule while awaiting identity verification or clarification from the member, with the clock restarting once the requested information is received. These changes codify existing ICO guidance on DSARs. If exemptions (e.g. legal professional privilege or client confidentiality) are relied on to withhold information, trustees must clearly inform members which exemption applies and why. Data subjects will have the right to request that the ICO reviews how an exemption is applied. | • Ensure scheme administrators are aware of the updated DSAR handling processes and understand how a DSAR response timeframe may be paused. • If relevant, update DSAR policies and procedures to reflect the new “reasonable and proportionate” search standard (effective from 1 January 2024) – PASA has also asked the ICO to clarify what constitutes a “reasonable and proportionate” search. • If relevant, update DSAR policies and procedures to reflect the new “stop the clock” rule and the prescribed information regarding exemptions relied on (a date has not yet been set for implementation of these changes). |
| Automated Decision Making (ADM) | Schemes may now rely on a wider range of lawful bases – including legitimate interests – when using ADM involving non-special category data. Safeguards are now mandatory when using ADM (whether special category data or personal data is involved). These include informing the individual about the automated decision; allowing them to make representations; offering human intervention on request or as required by law; and enabling them to challenge the decision. Restrictions still apply when special category data is involved, and the Secretary of State has a broader power to expand what qualifies as ‘special category’ data under UK GDPR. | • Identify new opportunities for compliant ADM use. • Monitor ICO guidance on ADM – consultation expected to launch in Winter 2025/26, with a final version due for publication in Spring 2026. • Clearly explain current ADM processes, data used and potential impact so members can understand or contest decisions. • Organisations using ADM should have processes in place to ensure safeguards can be implemented and be ready to update processes if the scope of ‘special category’ data expands under the DUAA. |
| Purpose Limitation | Trustees and scheme administrators may be able to reuse member data for certain processing activities without needing to conduct a fresh compatibility assessment, due to the expanded list of ‘automatically compatible’ purposes. However, if the new purpose isn’t on the list, trustees and scheme administrators will still need to assess whether the reuse is appropriate. The DUAA sets out factors that controllers are to consider when determining “purpose compatibility” for data reuse in other circumstances. | • Review and identify processing activities that may fall under the DUAA’s ‘automatically compatible’ purposes. • Update privacy notices, particularly around data reuse and communication practices. |

It is worth noting that, during the transition phase, the ICO’s position is to apply the law as it stands at the time an infringement took place (rather than the date that it receives any complaint or when the infringement was detected).
In some cases, the ICO will need to exercise discretion when considering whether to take regulatory action under the existing provisions or, in cases of ongoing non-compliance, consider applying the new provisions. When assessing potential action under the DUAA, the ICO will take into account the guidance that was available to organisations at the time the non-compliance is believed to have occurred.