Data (Use and Access) Act 2025: An update for Academy Trusts

The Data (Use and Access) Act 2025 has introduced updates to data protection laws in the UK.

Although the Act implements minor adjustments rather than a complete overhaul, there are several important changes that academy trusts will need to be aware of and address accordingly.

Data (Use and Access) Act 2025 – key changes

The Data (Use and Access) Act 2025 began its journey in 2022. Having undergone three drafts, a general election, and numerous amendments, the legislation has finally been passed and is due to come into law in the coming months.

The Act was held up most recently by controversial changes regarding AI and copyright law. The data protection changes are, by comparison, relatively minor and uncontroversial, nevertheless there are some important amendments to data protection law coming into force in the next six months:

• Complaints Reform: Academy trusts must now provide a complaints process for data protection issues before such complaints are escalated to the Information Commissioner’s Office. Practically this has been expected by the regulator for many years, but it will be important to update complaints policies to specifically reference how data protection complaints will be handled.

• Proportionality in Data Subject Access Requests: When responding to data subject access requests, academy trusts will now only be required to conduct a "reasonable and proportionate search" for the personal data and information required. Whilst this merely confirms the principles set out in guidance previously issued by the Information Commissioner, it is helpful confirmation that this limit on the extent of searches is applicable.

• Automated Decision Making: The Act introduces changes that makes it easier to use ‘automated decision making’ (i.e. decisions made without human involvement), provided certain safeguards are put in place to inform the individual of the automated decision making and the right to request a human review of any such decision. The true impact of these changes is likely to take some time to come to light as technology develops in this area.

• Information Commission: The Information Commissioner's Office will be restructured and renamed the Information Commission. This change will not significantly impact interactions with the regulator.

• EU-UK Data Sharing: The Act aims to ensure the UK's data protection legislation is in place before the EU reviews its adequacy decision for the UK, which is due to expire in December 2025. The European Commission has proposed a 6-year extension to the current adequacy decision, meaning that it will adjudge the UK’s data protection regime as “essentially equivalent” to the EU’s GDPR, allowing for much smoother transfers of personal data between the UK and the EU. Whilst this may not be a day-to-day concern for academy trusts, it will ensure that existing contracts with suppliers who may have European operations can continue uninterrupted.

Next Steps

Whilst most changes are not yet in force, the government has indicated that the Act will come into force in stages, with the final changes expected to come into force in early 2026.

In the meantime, academy trusts should review their complaints policies and data protection policies to consider whether a separate complaints process is required to comply with the new requirements.  Many academy trust complaints processes are stated to be open only to parents of current pupils of trust schools (in line with the DfE’s Best practice guidance for academies complaints procedures and The Education (Independent School Standards) Regulations 2014). Complaints about data protection issues from non-parents may be best handled under a bespoke process which is open to all data subjects.

Academy trusts should also be mindful of the changes to automated decision-making which may present opportunities to use such technology going forward as new products come to market.

Many data protection policies/documents will need a small change to change references to the ICO to the Information Commission as and when that restructuring takes effect (likely early next year). Academy trusts can also take this opportunity to carry out a wider review of their policies to ensure they continue to be relevant to the data processing activities they undertake.

The DfE’s Data protection in schools guidance now includes reference to the Data (Use and Access) Act 2025 and states that the DfE will provide further information on what the changes in the Act mean for the education sector in due course. Academy trusts should keep a watching brief and take into account this further guidance once published. 

If you would like to discuss any aspect of this article further, please contact our education team on 0113 244 6100.

You can also keep up to date by following Wrigleys Solicitors on LinkedIn.

The information in this article is necessarily of a general nature. The law stated is correct at the date (stated above) this article was first posted to our website.

Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors.