24 Jul 2025

The Data Protection Act’s new “right to complain”: implications for education institutions

On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received royal assent, introducing a number of reforms to the UK’s data protection framework. While some of its provisions concerning data subject rights reinforce existing principles under the UK GDPR and Data Protection Act 2018 (DPA 2018), other elements may require additional compliance steps to be taken.

One potentially significant development is the creation of a formal statutory right to complain for anyone who considers that UK GDPR has been infringed in relation to their personal data. Once in force (expected within 2–12 months via secondary legislation), this right will require data subjects to first raise complaints directly with the data controller (i.e. the institution) before escalating their complaint to the “Information Commission” (which will replace the ICO when the relevant provisions of DUAA are in force).

What this means for education institutions

Education institutions, as data controllers, will need to ensure they have clear, accessible, and compliant complaints procedures in place. Institutions will also need to be mindful of the interaction with other frameworks, such as their consumer law and equality law obligations to students and prospective students, the OIA scheme, etc. This is especially relevant for staff managing subject access requests (SARs), where complaints are most likely to arise.

Key requirements under the new section 164A of the DPA 2018 will include:

  • Acknowledging complaints within 30 days
  • Taking “appropriate steps” to investigate without undue delay, including making appropriate enquiries and keeping the complainant informed of progress
  • Informing the complainant of the outcome once the investigation concludes
  • Facilitating complaints, for example by offering electronic and alternative submission methods

These expectations will be familiar to institutions already subject to FOIA and EIR internal review processes, though the DUAA introduces a more structured and potentially lengthier timeline.

Practical considerations 

Now is the time for those responsible for information governance compliance to:

  • Review and update existing complaints handling procedures if appropriate
  • Ensure alignment with DUAA requirements and other potentially relevant legal frameworks (such as consumer law), including documentation, response timelines, and communication protocols
  • Assess resourcing and training needs, particularly for staff handling SARs and other data subject rights
  • Consider governance implications, including oversight, escalation routes, and reporting mechanisms

It’s worth noting that the DUAA also empowers the Secretary of State to require controllers to report complaint volumes to the Information Commission, adding a further layer of accountability.

While the new process may introduce additional administrative steps, it also offers an opportunity to resolve concerns early, potentially reducing regulatory scrutiny and improving trust in institutional data practices.
