We are open Mon-Fri from 9am till 5pm
eileen.schofield@schofieldandassociates.co.uk
01564 739 103

Schofield & Associates - The Data (Use and Access) Act 2025 - What Employers Need to Know

20th August 2025

The Data Use and Access Act 2025 came into force on 19th of June 2025, with some provisions, such as the new "reasonable and proportionate" rule for subject access requests already applying. From today, 20th of August 2025, the first phase of further measures takes effect, including new objectives for the ICO, which marks a major update to the UK's data protection framework. Whilst much of the Act's focus has been on innovation and cross-border data sharing, there are important changes that directly affect SMEs and their employers, specifically regarding handling staff data and responding to employee rights.


Key Changes Relevant to Employers

1. Subject Access Requests (SARs)

- Employees already had the right to access their company held personal data, however, the Act now clarifies that organisations are only required to make "reasonable and proportionate" searches when responding.

- Employers no longer need to chase every possible email or archived record, but must show they've acted fairly and reasonably.

- The one-month response period remains, though it can be extended by two months where requests are complex.


Why does this matter? It reduces the administrative burden for employers, especially when dealing with broad or repeated SARs during disputes or grievances.


2. Data Protection Complaints and the 30-Day Rule

The Act now requires employers to:

- Provide staff (and other data subjects) with a clear complaints route.

- Acknowledge complaints within 30 days.

- Respond "without undue delay" with updates and outcomes.


Why does this matter? Complaints about payroll records, monitoring systems, or recruitment processes can't be ignored or considered as informal. Employers must show they take concerns seriously and deal with them promptly.


3. Automated Decision-Making

The Act loosens restrictions around automated decision-making, allowing employers to rely on more lawful bases for using staff data in automated processes, such as recruitment screening or performance monitoring, provided appropriate safeguards are in place.


Why does this matter? Whilst this gives more flexibility, it also means that policies should explain when decisions may be automated and ensure employees know they can request a human review.


4. Cookies & Monitoring

The Act relaxes some cookie data collection rules, allowing low-risk tracking (like site analytics) without consent. For employers, this mostly affects staff intranets, e-learning systems, or monitoring tools that use cookies.

Why does this matter? Employers should still be transparent with staff about monitoring and align cookie use with workplace privacy policies.


5. The Information Commission (IC)

The current ICO will be replaced by a new Information Commission with wider investigative powers, including compelling interviews and requesting documents. Fines can still reach up to £17.5 million or 4% of global turnover.

Why does this matter? SMEs won't be immune. Employment disputes that highlight poor data handling, like failure to respond to SARs or mishandled complaints, could lead to regulatory backlash and fines.


How Can We Help at Schofield & Associates?

Handbook & Policy Reviews: Updating staff handbooks, privacy notices, and grievance procedures to reflect SARs, complaint handling, and automated decision-making safeguards.

Compliance Audits: Reviewing HR processes for data protection gaps before they escalate to tribunal complaints.

Dispute Support: Advising on complex SARs or complaints that arise during disciplinary or tribunal proceedings.

Staff Training: Equipping managers with practical guidance on handling data complaints and SARs correctly.

Process Creation: Creating user-friendly complaint forms, internal guidance, and escalation routes.

Culture of Transparency: Helping maintain trust by communicating these changes clearly to staff.


Conclusion

For employers, the Data Use and Access Act 2025 directly shapes how staff rights are managed day-to-day. By updating policies, training HR teams, and creating or updating new complaint and SAR processes, employers can stay compliant and build employee confidence in how their data is handled.

If you're looking for advice, then we're here to help.

Contact us at:

Eileen Schofield for Employment Law advice on eileen.schofield@schofieldandassociates.co.uk - 01564 334614

Derri Moran for HR advice on derri.moran@schofieldhr.co.uk - 07508 741505


To visit our main website pages, follow:

https://www.schofieldandassociates.co.uk/

https://www.schofieldandassociates.co.uk/hr

© 2025 Schofield & Associates | All rights reserved
Powered by Webnode Cookies
Create your website for free! This website was made with Webnode. Create your own for free today! Get started