What it means for the current UK GDPR position

The changes most likely to matter day-to-day for UK GDPR compliance in an education settings include:

Automated decision-making (ADM): more permissive, but with safeguards

DUAA relaxes the previous “general prohibition” on solely automated decisions that produce legal or similarly significant effects. Such decisions are now permitted more broadly provided safeguards are in place, including transparency, the right to challenge, and access to human review.

Admissions triage:

• An algorithm that automatically ranks applications for further human review (e.g. flagging borderline cases) is lower risk.
• However, a system that automatically rejects applicants without human involvement would still require clear safeguards and challenge routes.

Academic integrity tools:

• If an AI tool automatically flags misconduct and imposes penalties, this would trigger ADM safeguards.
• If it only flags cases for academic staff to decide, it is not “solely automated”.

Student wellbeing analytics:

• Automated risk scoring that directly triggers interventions (e.g. mandatory referrals) must allow students to understand the logic and seek human review.

ADM is not banned, but colleges must clearly document where automation ends and human judgement begins, and explain this to students and staff.

Subject access requests (DSARs): “stop-the-clock” and proportionate searches

DUAA:

• Introduces a statutory “stop-the-clock” mechanism where clarification is reasonably required.
• Confirms that searches only need to be reasonable and proportionate, reflecting existing case law.

Unclear DSAR from a student:

• “I want all data you hold on me” across a 5-year degree programme. The college can pause the clock to ask whether this includes emails, lecture recordings, disciplinary records, etc.

• Staff DSAR involving email searches: The college is not required to search every backup or archived system if doing so would be disproportionate, provided the scope and rationale are documented.

• Vexatious or very broad requests: The Act strengthens the ability to narrow scope rather than defaulting to refusal or excessive searches.

DUAA supports defensible, well-documented DSAR handling, rather than “search everything at all costs”.

Research purposes: clearer definitions and broad consent

DUAA clarifies what counts as research, statistical, or scientific purposes, and explicitly recognises broad consent for future research where specific purposes cannot yet be fully defined.

1. Longitudinal student outcomes research:
   Students may give broad consent for their data to be used in future studies about employability or learning outcomes, provided safeguards and ethics approvals exist.

2. Health or wellbeing studies:
   Data collected for one study may be reused for compatible research purposes without needing fresh consent every time, if conditions are met.

3. Commercial or collaborative research:
   Partnerships with industry are more clearly covered under “scientific research”, provided transparency and safeguards remain.

Research governance becomes clearer and more flexible, but ethics, transparency, and minimisation still apply.

Recognised Legitimate Interests: confidence for socially valuable processing

DUAA introduces Recognised Legitimate Interests (RLI) for certain types of processing where the public interest is clear. In these cases, a full balancing test is not required.

• Safeguarding: Sharing information about a student at risk of harm with appropriate services may rely on RLI without a detailed legitimate interests assessment.
• Campus security: Using CCTV analytics to prevent crime or protect safety may fall under RLI where the purpose is clearly defined and documented.
• Fraud prevention: Monitoring systems to detect enrolment or funding fraud may rely on RLI.

RLI does not replace public task or legitimate interests generally, but it simplifies justification in high-value, high-confidence scenarios such as safeguarding.

Purpose limitation and further processing: clearer compatibility rules

DUAA clarifies when further processing is compatible with the original purpose, especially for public interest and statutory functions.

• Student data reuse: Data collected for enrolment may later be used for statutory returns, audit, or quality assurance without being incompatible.
• Incident investigations: Data initially collected for IT security monitoring may be reused for disciplinary investigations if the purpose is compatible and proportionate.
• Mergers or structural changes: If departments merge or controllers change internally, DUAA clarifies continuity obligations.

Colleges gain more certainty when reusing data for aligned institutional purposes, as long as transparency is maintained.

Complaints handling: a new front-line obligation

DUAA requires organisations to provide a clear process for handling data protection complaints before escalation to the ICO.

• Student concern: “I think my data was shared without justification” must be handled through a defined DP complaints route, not just general complaints.
• Staff concern: “My DSAR was mishandled” must trigger a review and outcome communication.
• ICO readiness: The institute must evidence that complaints are logged, assessed, and responded to.

PECR changes that matter to colleges (cookies, comms, breach reporting in telecoms context)

DUAA updates PECR in a few relevant ways:

• Cookies / similar technologies: maintains the general prohibition unless an exception applies, but adds new exceptions including using cookies (or similar) to collect statistical information to improve online services (plus power to add/amend exceptions via secondary legislation).
• Direct marketing definition (“call/communication”): clarifies that infringement can occur even if a message doesn’t reach the recipient (more about nuisance marketing enforcement than mainstream HE marketing).
• Telecom-provider breach reporting: changes certain breach-reporting timelines for providers of public telecom services (likely peripheral unless the institution operates as such).
• May reduce consent friction for some analytics only if your usage fits the new exception and you implement it correctly (expect ICO guidance and careful interpretation).

How it impacts an institution (what to change / check)

Think of this as: core governance stays the same, but your operational playbooks should be refreshed.

DSAR operations (high impact, quick wins)

Update DSAR procedure to explicitly include:

1. when/how you request clarification,
2. how you record the pause (“stop the clock”) and restart,
3. how you justify “reasonable and proportionate” searches.

Train frontline teams (student services, HR, registry, IT, security) so clarification requests are consistent.

Complaints handling (high impact, often overlooked)

1. Create/refresh a Data Protection Complaints pathway (webform + mailbox + workflow). 
2. Define what counts as:
   1. DP complaint vs DSAR vs FOI vs general student complaint,
   2. escalation triggers (e.g., potential breach, high-risk processing, litigation risk).

Automated decision-making (ADM) and AI in education (high risk if you use it)

Inventory where the institution uses or is considering:

• admissions triage,
• academic integrity/proctoring flags,
• bursary/financial support prioritisation,
• wellbeing risk scoring,
• HR screening.

For any system that could be “solely automated” with significant effects:

• ensure clear notices to individuals,
• ensure human review / contest routes,
• ensure your DPIAs and contracts reflect the DUAA approach and safeguards. 

Research governance (important for universities/HE colleges)

• Refresh templates (participant information, consent language) to reflect broad consent where appropriate, while keeping ethics requirements front and centre.
• Re-check your research vs operational analytics boundary, because DUAA clarifies research/statistical concepts and links them to specific safeguards/exemptions. 

Cookies/analytics and digital channels (moderate impact)

• Reassess your cookie categorisation and whether any analytics you run could fit the new “service improvement statistics” exception—but do not assume you can drop consent banners without doing the legal/ICO-guidance-based mapping.

Safeguarding, security, and information sharing (selective impact)

• Review common sharing scenarios (campus security incidents, safeguarding, serious harm prevention) to see whether Recognised Legitimate Interests or the clarified purpose compatibility rules change your documentation approach.

A realistic “what to do next” checklist

Track the ICO’s phased guidance and expectations as the reforms roll in through 2025–2026

Gap assessment against DUAA changes (DSAR, complaints, ADM, cookies/analytics, research templates).

Update policies and notices (privacy notices, DSAR guidance, complaints page, AI/ADM transparency text).

Confirm commencement dates as regulations bring sections into force in stages.

The post Data Act 2025 in Education first appeared on Toz Ali.

1. Broader Digital Policy Landscape Raises Privacy Concerns

Civil liberties organisations are watching new data laws in the context of wider UK digital governance changes, including proposals for digital identity systems and the use of automated technologies:

Digital ID Systems

1. The government’s proposed national digital ID (e.g., “BritCard”) initiative has sparked widespread criticism from privacy advocates, who argue it could centralise sensitive personal information and enable increased state monitoring of citizens’ daily activities. Critics worry a digital identity database linking employment eligibility, access to services, and other personal details could flip into a de facto surveillance tool if safeguards are weak or expansionary.
2. Civil liberties groups like Big Brother Watch have said national digital ID systems pose a “serious threat to civil liberties” because they can allow the state to amass large volumes of personal data in centralised government databases — potentially trackable and actionable across contexts such as employment, housing, healthcare, and welfare.
3. Parliamentary motions have explicitly flagged digital ID as posing risks of unprecedented levels of monitoring, tracking, and oversight of everyday activities by the state.

These concerns aren’t about DUAA directly but illustrate how data accessibility reforms intersect with other digital governance proposals to raise civil liberties alarms.

2. Digital Rights Groups’ Critiques of Data Law Reforms

Organisations such as the Open Rights Group and civil liberties advocates expressed unease during the bill’s parliamentary stages that some provisions could weaken rights protections or grant executive powers with limited scrutiny:

The Open Rights Group warned that certain elements of the Data Use and Access Bill (the precursor to DUAA) could lower data protection standards and erode public trust, especially in how new technologies such as AI are governed.

Other critics highlighted concerns about political oversight: the bill, in its earlier form, included clauses that might allow the Secretary of State to amend key data protection rules by statutory instrument (secondary legislation), reducing parliamentary scrutiny over significant policy changes.

While many such powers were scaled back or reframed before final passage, these debates signal civil liberties vigilance around government ability to manipulate data law flexibly.

3. Automated Decision-Making, AI, and Privacy

Civil liberties groups also flagged automated systems — especially those powered by AI — as a potential vector for unchecked data use:

During parliamentary debate, civil liberties advocates urged lawmakers to retain strong protections against automated or AI-driven decisions that significantly impact individuals (for example, in areas like benefits, law enforcement, or service eligibility). Some groups sent letters urging removal of proposals to relax those safeguards.

The Open Rights Group’s briefing highlighted that lowering important protections might weaken privacy and make systems more opaque, especially with algorithmic decision-making that isn’t transparent or accountable.

Concerns here echo wider civil society debates about automated processing, algorithmic governance, and surveillance via AI systems, especially where there isn’t clear oversight.

4. Historical Context Amplifies Worries About Surveillance

Some of the discomfort around data reforms is rooted in historical UK surveillance debates. For instance:

Previous legislative efforts like the Communications Data Bill (2008) — nicknamed the “Snooper’s Charter” — were heavily criticised by civil liberties campaigners for attempting to create extensive databases of email, web browsing, and communications metadata, seen as a step toward mass surveillance. Though that bill was defeated, the legacy of those debates still influences current reactions to data law changes.

Broader digital safety laws like the Online Safety Act 2023 provoked criticism from civil liberties organisations over expansive regulatory powers affecting speech, encryption, and platform content moderation, with some commentators warning of mission creep into surveillance realms.

This reflects a wider context where civil liberties groups scrutinise any expanded access to personal data — especially when tied into security or efficiency narratives.

5. Facial Recognition and Real-World Surveillance

While not part of DUAA itself, contemporary UK initiatives such as live facial recognition (LFR) technology used by police illustrate how government use of data and biometric systems can kindle civil liberties concern:

Expansion of LFR technologies, for example in police “surveillance vans,” has drawn criticism from campaigners over privacy invasion and lack of sufficient oversight, with groups like Big Brother Watch calling such expansion a sign of a “significant expansion of the surveillance state.”

While this is separate from DUAA, it speaks to public sensitivity about state access to biometric and personal data that feeds into concerns when data laws are updated.

The post Data Use Act 2025: Liberty Concerns and Surveillance Fears first appeared on Toz Ali.

The Data (Use and Access) Act 2025 (DUAA) represents the UK’s most significant update to its data laws in years. Rather than replacing the UK GDPR or the Data Protection Act 2018, it amends them and introduces new measures designed to modernise data governance, support innovation, and clarify compliance obligations for organisations.

What Is the Data (Use and Access) Act?

The DUAA received Royal Assent on 19 June 2025 and is being implemented in stages. It does not repeal or replace the core UK GDPR, the Data Protection Act 2018 (DPA 2018), or the Privacy and Electronic Communications Regulations (PECR). Instead, it updates these laws to make data protection rules simpler and more aligned with modern data use, including digital verification services, Smart Data schemes, and data registers.

The Act also includes a range of non-privacy provisions — for example making it an offence to create or request intimate images of someone without consent using generative AI — but the focus of this post is on changes to data protection law.

Why It Matters

The UK’s data protection framework has been grounded in the UK GDPR and DPA 2018, which implement strong standards for lawful processing, transparency, data subject rights, security, and accountability. These foundational laws continue to apply, but the DUAA refines how they operate in practice and introduces new rules to reflect current needs.

Key Changes Under the Act

1. Automated Decision-Making (ADM)

The Act expands the circumstances in which organisations can make decisions based solely on automated processing that have legal or significant effects on individuals, as long as certain safeguards are in place. These include providing meaningful information, enabling people to challenge decisions, and offering access to human intervention.

This shift means the general prohibition on some kinds of automated decision-making under the previous UK GDPR is now more nuanced, particularly outside of special category data.

2. Subject Access Requests (DSARs)

DUAA clarifies how organisations should respond to subject access requests:

Organisations can pause (“stop the clock”) the statutory deadline while waiting for clarification from a requester.

Searches must be reasonable and proportionate, aligning the law with accepted regulatory practice.

These changes are intended to reduce operational strain on organisations while upholding individuals’ rights.

3. Scientific Research and Broad Consent

The Act puts into statute definitions around scientific research and expressly recognises broad consent for research purposes where precise objectives may evolve — subject to ethical safeguards. This brings concepts previously found only in GDPR recitals into the main legal text.

4. Recognised Legitimate Interests

A new lawful basis called “recognised legitimate interests” has been added. When processing meets this category, organisations no longer need to perform a full balancing test between their interests and individuals’ rights. This can make lawful processing easier for activities such as public security and certain social value purposes.

5. Complaints Handling

Organisations are now required to have a clear process for handling data protection complaints from individuals, including an accessible form and information on how the complaint will be resolved.

6. Storage & Access Technologies (Cookies)

In certain low-risk situations, organisations can use some storage and access technologies (like cookies) without requiring explicit consent from individuals, reflecting similar adjustments in ePrivacy law.

7. International Transfers and Other Amendments

The Act also reorganises and clarifies rules on international data transfers, purpose compatibility, and other technical provisions across the UK GDPR and DPA 2018, offering more consistency and certainty.

What It Means for Compliance

For most organisations that already comply with UK GDPR and related UK privacy laws, the DUAA does not require a complete overhaul of their compliance frameworks. However, the changes do require updates to policies, contracts, and operational procedures, especially around ADM, DSAR handling, consent mechanisms, and legitimate interest assessments.

Debate and Concerns

While the government and the Information Commissioner’s Office (ICO) frame the Act as balanced and modernising, some commentators and privacy advocates have raised questions around:

• How the expanded ADM rules affect individual rights. Critics suggest the changes make it easier to justify automated decisions in more cases.
• The new lawful basis for recognised legitimate interests, which removes the balancing exercise in certain scenarios.
• Whether these reforms could lead to divergence from EU data protection standards, though the UK has recently had its adequacy status renewed for continued data flows from the EU.

Additionally, earlier stages of data-law reform in Parliament drew criticism from civil liberties groups over potential broad government powers, particularly around political campaigning uses of personal data. While these specific provisions are not part of the final Act, they reflect ongoing public debate about data governance in the UK.

In summary…

The Data (Use and Access) Act 2025 represents a measured update to the UK’s data protection framework. It clarifies and streamlines existing rules, introduces new lawful bases and procedures, and embeds modern data-use concepts into law while retaining the UK GDPR’s core principles. Organisations operating in the UK should begin updating their compliance efforts to reflect these changes and watch for forthcoming ICO guidance as provisions are brought into force.

Watch out next month for part two of the The Data Use Act 2025 blog: Growing Fears of Surveillance and Eroded Liberties

The post Understanding the UK’s Data (Use and Access) Act 2025 first appeared on Toz Ali.

The digital world has become an indispensable part of our lives — but with that connection comes a darker side. Over the past decade, online spaces have evolved from places of information and community into complex ecosystems where harmful content, abuse, and misinformation can spread rapidly and widely.

From cyberbullying, harassment, and grooming, to the viral spread of extremist material, self-harm encouragement, and child sexual exploitation, online harms have become an urgent social issue. The risks are no longer limited to what users post — algorithms themselves can amplify divisive or distressing content, exposing users, especially children, to repeated trauma or manipulation.

At the same time, disinformation and “fake news” campaigns have undermined trust in institutions and media, while privacy-invading practices, such as data misuse and opaque recommendation systems, have eroded users’ control over their digital lives. The rapid growth of AI-generated content and deepfakes adds yet another dimension of risk — making it harder to distinguish truth from falsehood, authenticity from deception.

The UK’s Online Safety Act 2023 (formerly known as the Internet Safety Bill) is the government’s most ambitious attempt yet to tackle these escalating online threats. It aims to make the internet safer for children and vulnerable users, reduce the prevalence of illegal and harmful material, and hold tech platforms legally accountable for the design and operation of their systems.

In short, the law seeks to shift responsibility away from the individual user and toward the platforms themselves — forcing online services to actively manage risk, enforce safety by design, and prioritise user protection over pure engagement or profit.

What Is the Online Safety Act?

Though passed in October 2023, the Act is being phased in over several years. In essence, it imposes legal duties on a wide range of online services—social media platforms, messaging apps, search engines, forums, and more—with the goal of making the internet safer, particularly for children and vulnerable groups.

Unlike some earlier measures (e.g. the Digital Economy Act’s attempted age verification), this law is broader in scope, with stronger powers for enforcement, obligations for design and transparency, and significant financial penalties for non-compliance.

Core Duties Placed on Platforms

Here are the main obligations the law places on online services:

• Prevent and remove illegal content

  Platforms must take steps to reduce the risk their service is used for criminal activity, and they must remove illegal material when it appears. Search engines, too, must filter illegal content from their results.

• Protect children from harmful content

  Services likely to be accessed by minors must prevent them encountering harmful but legal content (bullying, self-harm content, content encouraging risky behaviour), and ensure age verification or assurance systems for more sensitive content.

• “Safety by design” and transparency

  Platforms must carry out risk assessments, consider harm when designing features, and be transparent about how moderation, algorithms, and reporting systems work.

• User reporting, redress and accountability

  Users (especially children and parents) must have easy ways to report harmful content and get responses. Also, platforms must designate a senior executive responsible for safety.

Enforcement, Penalties & Oversight

Before enforcement begins, it’s important to understand that the Online Safety Act doesn’t just outline principles — it introduces real consequences for inaction. One of the key criticisms of previous online safety efforts was their lack of enforceability: platforms could promise to improve moderation or adopt safety measures, yet fail to follow through without meaningful repercussions.

To ensure accountability, the Act gives regulators powerful tools to monitor, investigate, and sanction non-compliant services. This framework is designed to make safety obligations as serious and binding as financial or privacy regulations — placing real legal weight behind user protection.

• Regulator: Ofcom (the UK communications regulator) will oversee compliance, issue codes of practice, and investigate breaches.

• Fines & penalties: Violations can attract fines up to £18 million or 10% of a company’s global turnover (whichever is higher).

• Blocking or suppression: Non-complying services risk being blocked in the UK or having features suppressed.

• Criminal liability: In serious or repeated violations, senior executives may face criminal liability.

What This Means for Users & Businesses

For users (especially parents & young people):

• Greater protection against exposure to harmful content (e.g. self-harm, bullying, dangerous challenges).

• Expect more age gating, filters, or restricted access to certain types of content.

• More clarity about how platforms moderate content and how to report problems.

• However, there may be tradeoffs in terms of privacy (e.g. how age validation is done) or delays in content posting while systems check compliance.

For platforms, tech companies, startups:

• Substantial compliance burden: technical, legal, operational.

• Need to conduct risk assessments, redesign features, adopt moderation tools, and maintain audit trails.

• Smaller services may struggle more with costs and complexity.

• Pressure to balance safety with user experience—overzealous removal may frustrate users; under-enforcement risks penalties.

• Navigating ambiguity: many requirements are defined by upcoming codes of practice, so uncertainty remains.

Key Challenges & Criticisms

1. Chilling effects on speech

To avoid liability, platforms might remove borderline or controversial content even when it’s lawful.

Real-life impact: For example, social media companies already faced criticism for taking down posts that discussed sensitive political issues or satire during elections, fearing they could be seen as spreading misinformation. Under the new Act, this risk intensifies — artists, activists, and journalists may find their content suppressed by over-cautious moderation algorithms or automated filters that can’t always distinguish context or intent.

2. Encryption and privacy

The tension between scanning for illicit content and preserving end-to-end encryption remains unresolved. While the government softened some language around mandatory scanning, the risk persists.

Real-life impact: WhatsApp and Signal both publicly warned that if forced to break encryption to comply with content-scanning requirements, they could withdraw from the UK rather than compromise user privacy. This creates a serious dilemma — between protecting children from abuse and safeguarding citizens’ right to private, secure communication.

3. Evasion & loopholes

Even with strict controls, users can find ways to bypass restrictions.

Real-life impact: After age restrictions were introduced on adult sites in other countries, users quickly turned to VPNs and anonymous browsers to evade checks. Similarly, extremist or harmful communities often migrate to encrypted or decentralised platforms (like Telegram or peer-to-peer networks) where moderation is limited or non-existent — undermining the law’s intent and pushing harmful activity further underground.

4. Delayed clarity

Much depends on secondary legislation, Ofcom codes, and evolving technical standards — meaning uncertainty will persist for years.

Real-life impact: Many businesses, particularly smaller social platforms or forums, still don’t know exactly how to classify themselves or what compliance will cost. The absence of detailed Ofcom codes has left developers unsure whether their services will fall under “high-risk” categories. This limbo delays investment and innovation while increasing anxiety about future enforcement.

5. Disproportionate impact on small players

Big tech firms can afford dedicated compliance teams, lawyers, and infrastructure. Smaller startups and niche communities cannot.

Real-life impact: A small UK-based social platform or discussion forum might have to invest heavily in automated moderation tools, legal audits, and age-verification systems — costs that could easily exceed their annual revenue. This may discourage innovation and reduce competition, consolidating more power in the hands of global tech giants who can more easily absorb regulatory burdens.

What to Watch for in the next 12 months

• Ofcom’s published codes of practice (for children’s safety, illegal content, transparency, etc.).

• How age verification / assurance systems are implemented in practice.

• Enforcement actions and fines—will Ofcom take on big names or only smaller offenders initially?

• How platforms adapt moderation policies, algorithmic design, and user appeal systems.

• Legal challenges on free speech, privacy, or misuse of powers.

• International implications: how UK regulation may influence or clash with regulation elsewhere (especially regarding encryption, cross-border platforms, jurisdictional issues).

Final Thoughts

The Online Safety Act is ambitious. It signals a shift from soft self-regulation of the internet toward legally binding accountability for platforms. Its success depends not just on good laws, but careful and transparent implementation, ongoing dialogue with civil society, tech providers, and constant adaptation to evolving threats.

For users, it promises stronger protection—but also tradeoffs and uncertainties. For businesses, it presents a formidable compliance challenge and an incentive to bake safety into design, not bolt it on as an afterthought.

The post Understanding the UK Online Safety Act 2025 first appeared on Toz Ali.