Data protection changes: finally, some good news!
With attention firmly focused on the first wave of Employment Rights Act changes, most employers have missed recent, helpful amendments to data protection legislation. For once, most of the changes are good news for you!
The Data (Use and Access) Act 2025 substantially took effect in February 2026. Certain elements have later commencement dates, and guidance from the Information Commission (the restructured Information Commissioner's Office) is still awaited on others. Not everything has a human resources impact, but most of the elements that do are helpful. I've set out some key provisions below.
Automated decision-making
The EU General Data Protection Regulation (and the UK GDPR that followed it) restricted decisions made solely by automated means where they have a legal or similarly significant effect on the individual. In an employment context this effectively required a human to be involved in any decision about recruitment, performance, pay or dismissal that was based on personal data. The new legislation relaxes this significantly. With most organisations now making extensive use of artificial intelligence, this is really helpful.
It is now possible, for instance, to use AI tools for candidate screening and shortlisting, performance management, workforce analytics and the like, provided the decision does not rest on special category data: the relaxation does not extend that far. Safeguards are still required, namely telling the individual that a decision was automated, giving them an opportunity to make representations and to challenge the decision, and providing for human intervention on request. Keep a record of how the tool works and how those safeguards are applied, because you will need to show both if a decision is challenged.
Subject access requests
Although the initial timeframe remains one month, data controllers can now 'stop the clock' on a subject access request while they obtain additional information from the data subject, for example to confirm identity or to narrow down what is being sought. What is more, the Act confirms that you need only carry out a 'reasonable and proportionate' search for the information requested. That avoids a disgruntled ex-employee demanding every item of personal data on record, with all the time and effort previously implicit in meeting such a request. Document the scope of your search and the reasons for it, since that is what the Information Commission will look at if the requester complains.
Complaints procedure
Soon it will be necessary to have a formal procedure for dealing with data protection complaints, including acknowledging a complaint within 30 days and responding to it without undue delay. This may sound like a chore. However, it also means that the Information Commission may decline to consider a complaint unless and until it has first been raised with you and progressed through your procedure, which gives you the chance to resolve matters internally before the regulator becomes involved.
Lawful processing basis
Existing legislation already recognises that you may process an employee's relevant personal data where it is necessary to perform the employment contract or to comply with a legal obligation. You do not need their consent for this; you could not pay staff, or deal with statutory obligations such as tax and benefits, otherwise. A third basis often used in employment, legitimate interest, has been clarified and extended.
In an employment context, legitimate interest might cover internal reporting, internal audits, visitor logs, CCTV, systems access control, malware detection and similar activities. When you rely on legitimate interest you must normally carry out a balancing test (often called a legitimate interests assessment). This is to check that the processing is necessary for the purpose, that the benefit to the employer is not outweighed by the risk to the employee, and that it is not unnecessarily intrusive. Record the outcome; an undocumented balancing test is hard to defend later.
Recognised legitimate interests
This is a new, free-standing lawful basis. It lets you deal with matters such as safeguarding vulnerable individuals, fraud detection, crime prevention and detection, emergency action and responding to requests from public bodies more pragmatically. It does not require you to weigh the risk to the employee, so you can disclose such personal data without first conducting a balancing test. You must still be able to show that the processing is necessary for the recognised purpose, and the other data protection principles (such as transparency and data minimisation) continue to apply. Instances of use are likely to be occasional, however.
International transfers
Many of our clients have their HQ or other offices outside the UK. Transferring personal data beyond the UK has become notoriously difficult.
Although still not straightforward, the Act eases the situation somewhat. Essentially, the previous test, which required the receiving country to offer protection 'essentially equivalent' to the UK's, is replaced by a data protection test under which the standard of protection must be 'not materially lower' than the UK's. This remains a potentially complex exercise, and the EU and EEA rules governing transfers out of Europe have not (yet) changed, so data flowing into the UK from a European parent is still subject to the European regime. Clients needing to transfer personal data into or out of the UK should take specific advice.
Enforcement
Be ready to exercise a significant degree of caution here. The Privacy and Electronic Communications Regulations 2003 (PECR) have been modified. The penalty regime has now been brought into line with the UK GDPR: up to £17.5 million or 4% of global annual turnover, whichever is higher. The previous maximum fine was £500,000. This is the legislation that regulates all those unwanted marketing calls we are all pestered with!
But before you jump for joy, bear in mind that PECR also potentially applies to smartphones you issue to staff, trackers in company vehicles, workforce monitoring tools, time-tracking software and the like, because its rules on storing or accessing information on a device are not confined to marketing. If such monitoring is soundly based, for example for safety purposes, PECR does not prevent its use. Where use is covert, or you require staff to 'consent' to it, matters are potentially more problematic. And, as in most areas of data protection in employment, 'consent' is generally considered an unsuitable basis because of the imbalance of power between employer and employee.
A final note
This precis does not provide an exhaustive analysis of the Data (Use and Access) Act 2025. Much of the Act is helpful in reducing bureaucracy and in developing and supporting digital workforce strategies. However, the relaxations it introduces require vigilance, disciplined governance, transparency, and a thorough review of their wider organisational impact.