
What it means for the current UK GDPR position
The changes most likely to matter day-to-day for UK GDPR compliance in education settings include:
Automated decision-making (ADM): more permissive, but with safeguards

DUAA relaxes the previous “general prohibition” on solely automated decisions that produce legal or similarly significant effects. Such decisions are now permitted more broadly provided safeguards are in place, including transparency, the right to challenge, and access to human review.
Admissions triage:
- An algorithm that automatically ranks applications for further human review (e.g. flagging borderline cases) is lower risk.
- However, a system that automatically rejects applicants without human involvement would still require clear safeguards and challenge routes.
Academic integrity tools:
- If an AI tool automatically flags misconduct and imposes penalties, this would trigger ADM safeguards.
- If it only flags cases for academic staff to decide, it is not “solely automated”.
Student wellbeing analytics:
- Automated risk scoring that directly triggers interventions (e.g. mandatory referrals) must allow students to understand the logic and seek human review.
ADM is not banned, but colleges must clearly document where automation ends and human judgement begins, and explain this to students and staff.
Subject access requests (DSARs): “stop-the-clock” and proportionate searches
DUAA:
- Introduces a statutory “stop-the-clock” mechanism where clarification is reasonably required.
- Confirms that searches only need to be reasonable and proportionate, reflecting existing case law.
- Unclear DSAR from a student: “I want all data you hold on me” across a 5-year degree programme. The college can pause the clock to ask whether this includes emails, lecture recordings, disciplinary records, etc.
- Staff DSAR involving email searches: The college is not required to search every backup or archived system if doing so would be disproportionate, provided the scope and rationale are documented.
- Vexatious or very broad requests: The Act strengthens the ability to narrow scope rather than defaulting to refusal or excessive searches.
DUAA supports defensible, well-documented DSAR handling, rather than “search everything at all costs”.
Research purposes: clearer definitions and broad consent
DUAA clarifies what counts as research, statistical, or scientific purposes, and explicitly recognises broad consent for future research where specific purposes cannot yet be fully defined.
- Longitudinal student outcomes research:
Students may give broad consent for their data to be used in future studies about employability or learning outcomes, provided safeguards and ethics approvals exist.
- Health or wellbeing studies:
Data collected for one study may be reused for compatible research purposes without needing fresh consent every time, if conditions are met.
- Commercial or collaborative research:
Partnerships with industry are more clearly covered under “scientific research”, provided transparency and safeguards remain.
Research governance becomes clearer and more flexible, but ethics, transparency, and minimisation still apply.
Recognised Legitimate Interests: confidence for socially valuable processing
DUAA introduces Recognised Legitimate Interests (RLI) for certain types of processing where the public interest is clear. In these cases, a full balancing test is not required.
- Safeguarding: Sharing information about a student at risk of harm with appropriate services may rely on RLI without a detailed legitimate interests assessment.
- Campus security: Using CCTV analytics to prevent crime or protect safety may fall under RLI where the purpose is clearly defined and documented.
- Fraud prevention: Monitoring systems to detect enrolment or funding fraud may rely on RLI.
RLI does not replace public task or legitimate interests generally, but it simplifies justification in high-value, high-confidence scenarios such as safeguarding.
Purpose limitation and further processing: clearer compatibility rules
DUAA clarifies when further processing is compatible with the original purpose, especially for public interest and statutory functions.
- Student data reuse: Data collected for enrolment may later be used for statutory returns, audit, or quality assurance without being incompatible.
- Incident investigations: Data initially collected for IT security monitoring may be reused for disciplinary investigations if the purpose is compatible and proportionate.
- Mergers or structural changes: If departments merge or controllers change internally, DUAA clarifies continuity obligations.
Colleges gain more certainty when reusing data for aligned institutional purposes, as long as transparency is maintained.
Complaints handling: a new front-line obligation
DUAA requires organisations to provide a clear process for handling data protection complaints before escalation to the ICO.
- Student concern: “I think my data was shared without justification” must be handled through a defined DP complaints route, not just general complaints.
- Staff concern: “My DSAR was mishandled” must trigger a review and outcome communication.
- ICO readiness: The institution must evidence that complaints are logged, assessed, and responded to.
PECR changes that matter to colleges (cookies, comms, breach reporting in telecoms context)
DUAA updates PECR in a few relevant ways:
- Cookies / similar technologies: maintains the general prohibition unless an exception applies, but adds new exceptions including using cookies (or similar) to collect statistical information to improve online services (plus power to add/amend exceptions via secondary legislation).
- Direct marketing definition (“call/communication”): clarifies that infringement can occur even if a message doesn’t reach the recipient (more about nuisance marketing enforcement than mainstream HE marketing).
- Telecom-provider breach reporting: changes certain breach-reporting timelines for providers of public telecom services (likely peripheral unless the institution operates as such).
- Practical effect: these changes may reduce consent friction for some analytics, but only if your usage fits the new exception and you implement it correctly (expect ICO guidance and careful interpretation).
How it impacts an institution (what to change / check)

Think of this as: core governance stays the same, but your operational playbooks should be refreshed.
DSAR operations (high impact, quick wins)
Update DSAR procedure to explicitly include:
- when/how you request clarification,
- how you record the pause (“stop the clock”) and restart,
- how you justify “reasonable and proportionate” searches.
Train frontline teams (student services, HR, registry, IT, security) so clarification requests are consistent.
Complaints handling (high impact, often overlooked)
- Create/refresh a Data Protection Complaints pathway (webform + mailbox + workflow).
- Define what counts as:
  - DP complaint vs DSAR vs FOI vs general student complaint,
  - escalation triggers (e.g., potential breach, high-risk processing, litigation risk).
Automated decision-making (ADM) and AI in education (high risk if you use it)
Inventory where the institution uses or is considering:
- admissions triage,
- academic integrity/proctoring flags,
- bursary/financial support prioritisation,
- wellbeing risk scoring,
- HR screening.
For any system that could be “solely automated” with significant effects:
- ensure clear notices to individuals,
- ensure human review / contest routes,
- ensure your DPIAs and contracts reflect the DUAA approach and safeguards.
Research governance (important for universities/HE colleges)
- Refresh templates (participant information, consent language) to reflect broad consent where appropriate, while keeping ethics requirements front and centre.
- Re-check your research vs operational analytics boundary, because DUAA clarifies research/statistical concepts and links them to specific safeguards/exemptions.
Cookies/analytics and digital channels (moderate impact)
- Reassess your cookie categorisation and whether any analytics you run could fit the new “service improvement statistics” exception—but do not assume you can drop consent banners without doing the legal/ICO-guidance-based mapping.
Safeguarding, security, and information sharing (selective impact)
- Review common sharing scenarios (campus security incidents, safeguarding, serious harm prevention) to see whether Recognised Legitimate Interests or the clarified purpose compatibility rules change your documentation approach.
A realistic “what to do next” checklist
- Track the ICO’s phased guidance and expectations as the reforms roll in through 2025–2026.
- Gap assessment against DUAA changes (DSAR, complaints, ADM, cookies/analytics, research templates).
- Update policies and notices (privacy notices, DSAR guidance, complaints page, AI/ADM transparency text).
- Confirm commencement dates as regulations bring sections into force in stages.
