19 November 2025

What Employers Need To Know About The Data (Use And Access) Act 2025

Buckles Law

Contributor

Buckles Law is a full-service law firm providing expert legal advice to both individual and commercial clients. With offices across the UK and international reach, we support clients with a broad range of services. Our teams offer a practical approach, keeping focused on protecting our clients’ interests and delivering the best service.
Claire Scanlan’s articles from Buckles Law are most popular:
  • within Employment and HR topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Accounting & Consultancy and Property industries

Employers today hold more information about their staff than ever before. Every stage of the working relationship generates data, from job applications and personnel files, to health records, scheduling systems, and even software that tracks productivity. Employees are increasingly aware of their rights, and it has become common for someone in dispute with their employer to submit a Data Subject Access Request (DSAR) alongside a grievance or tribunal claim.

Into this environment comes the Data (Use and Access) Act 2025 (DUAA). The Act, which received Royal Assent this summer, is the UK's biggest data protection reform since the GDPR was written into domestic law. It is presented as a way to modernise the regime and ease the burden on businesses. In reality, it creates new areas of responsibility, particularly around how staff data is accessed, used and challenged. Whether you employ ten people or ten thousand, the changes will affect how you handle employee information.

DSARs

DSARs are one of the most demanding obligations for employers of any size. An employee is entitled to copies of the personal data held about them, which can mean trawling through years of emails, notes, CCTV footage and other records. Many employers complain that DSARs are used tactically in disputes, adding cost and disruption.

DUAA reframes this obligation. Instead of requiring exhaustive searches, the law now demands a "reasonable and proportionate" search. This should make life easier, but it is not a free pass. Employers will need to show that their search was thorough enough to respect the individual's rights. If you decide to exclude certain systems or limit the timeframe, those decisions must be explained and recorded. Without that paper trail, a proportionate search could be criticised as incomplete.

The timeframes also remain tight. The one-month deadline to respond still applies, though DUAA allows up to two extra months where requests are complex or numerous. To use that extension, the employer must tell the employee within the first month and explain why. This gives some breathing space, but only if you are disciplined about communication and record-keeping.

Automation

Another area of reform is automated decision-making (ADM). Technology already plays a role in recruitment shortlisting, shift-scheduling and staff monitoring. Under the old rules, decisions made solely by algorithms were heavily restricted.

DUAA relaxes that restriction. Employers may now rely on automated systems more widely, provided safeguards are in place. Staff must be told when automation is used, given the chance to make representations, and offered meaningful human review.

For small businesses, this may mean checking how off-the-shelf recruitment or scheduling software makes its decisions. For larger employers, it may mean auditing bespoke HR systems or AI-based performance tools. In both cases, the principle is the same: automation can assist, but it cannot replace the human element. Employees must have someone to turn to if they believe the system has treated them unfairly.

Complaints must be resolved in-house

DUAA also introduces a new right for individuals to complain directly to the organisation before escalating to the regulator, the Information Commissioner's Office (ICO). For employers, this means that staff concerns about data handling must be dealt with internally first.

Handled well, this is an opportunity to resolve issues quickly and avoid external investigation. Handled badly, it creates reputational and regulatory risk. An informal email reply is unlikely to be enough. Employers should put in place a basic complaints process: identify who will take responsibility, set realistic timelines for a response, and keep clear records of what was investigated and what decision was reached.

Even the smallest employer will need to think about how they log and respond to complaints. Larger organisations may want a more formal procedure, but the principle is universal: staff should know how to raise concerns and feel confident they will be taken seriously.

Sensitive data

One area that DUAA does not relax is the handling of special category data, such as information about health, racial or ethnic origin, trade union membership or religious beliefs. Employers regularly encounter this kind of information, whether through occupational health reports, diversity monitoring exercises, or union communications.

The rules remain strict. Explicit consent or another strong legal basis is required, and employees are increasingly willing to challenge how such information is collected or retained. Employers should review what sensitive data they hold, why they hold it, and whether their justification still stands. This is as important for a small business keeping health notes for sickness absence as it is for a large employer running detailed diversity surveys.

What this means in practice for employers

For employers, DUAA is not an abstract piece of legislation. It cuts directly into the day-to-day running of HR and data management.

  • Policies and procedures will need updating. DSAR workflows must reflect the "reasonable and proportionate" test, with template responses adjusted to explain what searches were carried out and why.
  • Training will be critical. HR teams, line managers and even IT staff need to understand when DSARs arrive, how ADM is used, and what the complaint process requires.
  • Technology audits are urgent. Any system that makes decisions about employees — recruitment platforms, monitoring tools, scheduling software — should be reviewed to confirm how decisions are made, what information is given to staff, and how human review is built in.
  • Complaint handling must be formalised. Employers should establish a clear process, designate responsible staff, and maintain records of how complaints are investigated and resolved.

Risks and opportunities

The risks of ignoring DUAA are significant. The ICO retains power to investigate and fine, and employees are more inclined to fold data protection complaints into tribunal claims. Legal costs can rise quickly if DSARs are mishandled or automated systems are not transparent. Beyond that, poor handling of employee data can erode trust and damage reputation – something that matters in any workplace, but especially where recruitment and retention are tight.

Yet DUAA also offers employers a chance to build trust. A clearer proportionality test for DSARs, structured rules around automation, and a formal route for internal complaints can all help create a culture of openness and accountability. Employers who are proactive, explaining processes, involving staff and keeping good records, may find that compliance enhances employee relations rather than undermining them.

Reform

The Data (Use and Access) Act 2025 is more than a technical reform. It reshapes how staff data is requested, processed and challenged, and it applies to every employer, whatever their size. The practical message is simple: review how you handle DSARs, check whether automated tools are being used appropriately, and set up a basic complaints process that works for your business.

Those who prepare now will not only reduce legal risk but also show staff that their data is handled fairly and transparently. Those who delay may face not just regulatory scrutiny but a workforce increasingly confident about asserting its rights.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
