The twists and turns of UK data protection reform over the past few years have been quite the saga. After a multi-year, multi-government effort to introduce updates to UK data protection law, we finally have the Data (Use and Access) Act 2025 (“DUAA”) on the statute book. It received Royal Assent on 19 June 2025 — but implementation of its myriad changes is phased.
Of the areas of real relevance to pension scheme trustees: the main data protection changes (Part 5 of DUAA) came into force earlier this Spring (5 February 2026). However, the key thing to focus on at the moment is the new requirement for a complaints process (see below), which comes into force on 19 June 2026.
Pipes, cookies and complaints
The DUAA is the successor to the Data Protection and Digital Information (DPDI) Bill and is essentially a big package of updates: some to the UK GDPR, some to the Data Protection Act 2018, and some completely new frameworks (hello, smart data). There is also an assortment of extras all under the loose umbrella of ‘data’ — think cookies, birth and death registers, digital ID services, even a national underground asset register (all those pipes!). A real pick‑and‑mix.
For pension schemes specifically? The direct changes are quite limited (e.g. a requirement for a complaints procedure – see below). But query whether the new smart data framework could, much further down the line, nudge pensions much further into the world of regulated data‑sharing ecosystems? More on that later.
What a lot of new legislation - do I need a new desk?
Structurally, DUAA amends rather than replaces UK GDPR and the DPA 2018. So if you’re someone who likes reading the black letter law, remember all three pieces of legislation need to be read together (cue massive desk/multiple screens!). Many of the DUAA’s provisions are also just regulation‑making powers. This means that much of the detail will take time to emerge.
Key tasks for pension scheme trustees: a data protection complaints process (and related paperwork updates)
This is the main practical change for pension trustees: data controllers now need a data protection complaints process. It’s one of the few areas where DUAA imposes genuinely new obligations relevant to pension scheme trustees, who in turn should be aware it means complaints can be made directly to them as data controller. It comes into force on 19 June 2026, so there is still some time for trustees to comply.
Obviously trustees are already required to have an IDRP (internal dispute resolution procedure) — but this is not the same thing. The DUAA inserts a new section into DPA 2018 which requires controllers to have a process dealing with complaints about infringements of UK GDPR or the DPA 2018, with specific timings and information requirements.
Trustees will therefore need to decide how best to run their DP complaints and IDRP processes (separately? or update their existing IDRP?), and what the governance around both processes will be. The required timings for DP complaints won’t necessarily align with IDRP timelines, and trustees should be aware that DP complaints don’t have to be made through a set process – any DP complaint, however it is made, will trigger the relevant requirements.
Guidance from the ICO on the new requirements is worth a read, as it walks through the requirements, timings, and recommended record-keeping process.
Trustees will also need to make certain consequential updates to their privacy notices and DSAR response templates. And they’ll need to work closely with administrators (who in turn need to ensure that staff recognise and know how to handle data protection complaints appropriately) so that complaints land with the right people, comply with requirements on timing and don’t get stuck in limbo — or escalate directly to the ICO.
On that note - data subjects don’t have to complete the controller’s complaints process before going to the ICO. This is deliberate, but it does mean the risk of “dual‑track” complaints is very real, particularly with persistent or vexatious complainants. All the more reason for trustees to ensure their contractual and governance arrangements – particularly with administrators - are clear.
Data privacy changes
There’s not much here that materially affects pensions, but there are some welcome clarifications.
- On DSARs we have a legislative footing for some aspects which until now have been in ICO guidance: “Stopping the clock” for complex or multiple DSARs, and that searches can be “Reasonable and proportionate”. Alas, the proposal to lower the refusal threshold to “vexatious or excessive” didn’t make the final cut — so we’re still stuck with “manifestly unfounded or excessive”. It is also worth a reminder that as with DP complaints, DSARs can be made in any format so training and governance processes need to ensure that staff can recognise them and know the timescales for compliance.
- For ‘lawful basis’ (i.e. do you have a lawful basis for processing data?) DUAA creates a new category of recognised legitimate interests, but these are mostly around national security and emergencies. Not exactly pensions territory, though “safeguarding vulnerable individuals” might very occasionally be relevant.
- There is some increased flexibility around the purpose limitation - new Article 8A UK GDPR clarifies how controllers decide whether new uses of data are compatible with the original purpose. Helpfully, complying with statutory requirements will automatically be treated as compatible — good news for areas like dashboards.
- Accountability - no changes here. So trustees can continue business as usual with DPIAs, ROPAs and DPO arrangements.
And finally, where we’re going, we don’t need roads…
This area is a bit more speculative from a pensions perspective. DUAA lays the foundation for smart data schemes. These are sector‑specific frameworks allowing consumers to share their data in real time with authorised third parties (think Open Banking).
The Smart Data Impact Assessment specifically refers to pensions dashboards as an example of an existing smart data scheme, and ‘pensions and insurance’ are listed in the context of discussions around future Open Finance schemes. So there’s some clear cross‑pollination between dashboards and smart data. As such, it’s not impossible that dashboards are just phase one in a longer journey towards wider‑scale pensions data‑sharing (though who knows what that would look like, if at all). The FCA has just published its Open Finance Roadmap (see here and here), proposing to work with industry, consumer groups and other regulators on practical use cases during 2026, and looking at a regulatory framework in 2027. So 2026 may give us a clearer sense of whether pensions are really on that trajectory. Watch this space!
Don’t forget!
A final reminder of the key action for trustees as data controllers: they must have a data protection complaints procedure in place by 19 June 2026 (with corresponding updates to privacy notices). This means not just a paper exercise, but ensuring that the relevant people are trained, and that the processes and governance all work smoothly to recognise and deal with any complaints that may come in.
