Table of Contents
- What the Act actually changes for employers
- Employer obligation #1: Review your lawful basis, not just your vibes
- Employer obligation #2: Modernize your DSAR process
- Employer obligation #3: Put real safeguards around AI and automated HR decisions
- Employer obligation #4: Prepare a formal data protection complaints process
- Employer obligation #5: Keep monitoring, biometrics, and health data on a tight leash
- Employer obligation #6: Do not mistake reform for deregulation
- A practical employer checklist for 2026
- Common mistakes employers should avoid
- Practical employer experiences and lessons learned
- Conclusion
The UK Data (Use and Access) Act 2025 sounds like one of those laws you promise yourself you’ll read after lunch, after coffee, after a stronger coffee, and possibly after a minor existential crisis. But for employers, this law matters more than the title suggests. It affects how businesses handle employee, applicant, contractor, and former employee data, especially where subject access requests, workplace monitoring, biometrics, complaints, and AI-powered HR tools are involved.
Here’s the good news: this is not a total rewrite of UK data protection law. It is more of a remodel than a demolition. The Act amends the UK GDPR, the Data Protection Act 2018, and parts of PECR. So employers do not need to throw out their privacy framework and start again from a blank page while stress-eating crackers at 11:43 p.m. What they do need is a careful refresh of policies, procedures, and internal habits.
What the Act actually changes for employers
The first thing employers should understand is timing. The Data (Use and Access) Act 2025 was passed in 2025, but the pieces that matter most to private employers did not all land at once. The rollout has been staged. That matters because some obligations are already active, while others still require preparation rather than full compliance on day one.
For employers, the biggest practical themes are these: lawful basis reviews, subject access request handling, automated decision-making safeguards, complaint procedures, and continued discipline around high-risk processing such as monitoring, health data, and biometrics.
In other words, the law is not telling HR teams, “Relax, nothing matters anymore.” It is saying, “Some rules are clearer, some processes are more flexible, and some obligations are now more explicit.” That is a very different message.
Employer obligation #1: Review your lawful basis, not just your vibes
One of the Act’s best-known changes is the introduction of “recognised legitimate interests.” For certain narrow types of processing, organizations may rely on a new lawful basis without doing the traditional balancing test that usually comes with legitimate interests. That sounds exciting until someone in a meeting decides this means every HR process is now magically allowed. It does not.
For most ordinary employment processing, employers still need to identify the correct lawful basis the old-fashioned way: accurately, specifically, and with documentation that matches reality. Payroll will usually still be about legal obligation or contract. Performance management may rely on legitimate interests. Recruitment screening might involve several different bases depending on the step. Health information needs additional special category conditions. None of that disappears.
What does become clearer is that some activities may be treated more explicitly as legitimate interests. The law now gives legislative footing to examples such as direct marketing, intra-group transfers for internal administrative purposes, and network and information security. For employers, the most relevant of those is often intra-group administrative data sharing.
If your company centralizes HR operations, payroll support, benefits administration, or global mobility in a shared service center, this clarification matters. But it does not mean “send employee data everywhere and call it efficiency.” Employers still need necessity, transparency, security, minimization, and accurate privacy notices. A lawful basis is not a hall pass for sloppy governance.
Practical move: review your HR privacy notice, recruitment privacy notice, records of processing, and internal data maps. If your paperwork still describes 2023 reality while your business now runs on a multinational HR tech stack and three AI plugins, that gap needs closing.
Employer obligation #2: Modernize your DSAR process
Subject access requests, or DSARs, are where theory meets inbox chaos. The Act gives employers some welcome clarity here. When responding to a DSAR, controllers only need to carry out “reasonable and proportionate” searches for relevant personal data. The law also allows the response timeline to pause where the employer reasonably needs clarification, such as confirming identity or narrowing the scope of the request.
This is helpful, but it is not a permission slip for a half-hearted search followed by a brave email saying, “We checked one folder and found vibes.” Reasonable and proportionate still means organized, defensible, and tied to the actual systems where the requester’s data is likely to sit.
For employers, a strong DSAR process should include intake triage, identity verification, scoping questions, custodian interviews when needed, clear search instructions, legal review for exemptions, and a record of what was searched and why. The point is not to search absolutely everything under the sun. The point is to be able to explain why the search you did was appropriate.
Example: if a former employee requests all data about their dismissal, a proportionate search may focus on HR files, manager emails, investigation notes, grievance records, and relevant Slack or Teams messages. It probably does not require a heroic archaeological dig through every backup tape since the invention of Wednesday.
Practical move: update your DSAR playbook now. Add template questions for clarification, standard workflows for email and chat searches, and guidance for managers who tend to save important documents with names like “final_v2_REAL_final_USETHIS.”
Employer obligation #3: Put real safeguards around AI and automated HR decisions
The Act expands the circumstances in which organizations can make significant decisions based solely on automated processing, provided appropriate safeguards are in place. This is one of the most important changes for employers, especially those using tools for CV screening, candidate ranking, productivity scoring, absence pattern analysis, fraud detection, or workforce analytics.
But let’s underline the part that matters: safeguards are not optional. If a decision is significant and based solely on automated processing, employers must give the individual information about the decision, allow them to make representations, enable human intervention, and let them contest the result.
Even more importantly, the restriction on using special category personal data in automated decision-making remains. So if an employer is processing health data, biometric data used for identification, racial or ethnic origin data, or other special category information, the room for automation narrows sharply. This is not the place for improvisation.
That makes hiring and people analytics a live risk zone. If software ranks candidates, flags employees as retention risks, or assigns performance scores without meaningful human involvement, employers need to check whether those outputs are producing legal or similarly significant effects. If they are, the governance has to be much tighter than “the vendor said it was compliant in a slide deck.”
Practical move: inventory every HR tool that scores, predicts, filters, flags, or recommends. Then ask four questions: Is there meaningful human involvement? Is the outcome significant? What lawful basis applies? Are any special category data involved? If nobody can answer those questions clearly, the tool is not ready for autopilot.
Employer obligation #4: Prepare a formal data protection complaints process
This is the sleeper issue employers should not sleep on. The Act creates a more formal route for individuals to complain directly to organizations about how their personal data has been handled. For employers, that means a clearer, more structured internal privacy complaint process. The key point is timing: this duty is due to commence on June 19, 2026.
Once active, employers will need to help people make complaints, likely including an electronic form or similarly accessible route. They must acknowledge complaints within 30 days, take appropriate steps to investigate, keep the complainant informed as appropriate, and communicate the outcome without undue delay.
For HR teams, this matters because many privacy complaints arrive disguised as something else. A grievance may include surveillance concerns. A recruitment complaint may include allegations about automated filtering. A disciplinary appeal may question who saw what data, when, and why. If the business treats those issues as informal side notes instead of structured privacy complaints, it may end up creating a bigger problem than the original one.
Practical move: build the procedure before the deadline. Decide who owns intake, how complaints will be categorized, how they interact with grievances and whistleblowing processes, and what records will be kept. By the time June 2026 arrives, the process should feel boring. In compliance, boring is beautiful.
Employer obligation #5: Keep monitoring, biometrics, and health data on a tight leash
Employers often act as though workplace privacy risk lives only in fancy AI systems. In reality, ordinary tools create extraordinary headaches: webcam monitoring, keystroke tools, vehicle tracking, call recording, attendance systems, fingerprint scanners, and occupational health records can all carry serious risk.
The wider legal framework still requires necessity, fairness, transparency, and proportionality. If you monitor employees, they should normally know about it. If you use biometric systems, you need both a lawful basis and, where the data are special category biometric data used for identification, a valid additional condition. If you cannot identify a valid condition, you should not be using the system.
For example, an employer replacing badge access with facial recognition might think it is being futuristic. Employees may think it is being weird. Regulators may ask whether a less intrusive method would do the job just as well. That is not anti-innovation. That is basic proportionality.
Health data deserves the same discipline. Sickness records, fit notes, occupational health reports, disability accommodations, drug or alcohol testing, and wellbeing alerts all require careful handling. The Act does not make special category data casual. It stays sensitive, and employers should behave accordingly.
Practical move: do a fresh DPIA for any monitoring-heavy or biometric project, check whether employees were clearly informed, and confirm that retention periods are not drifting into “we kept it because no one remembered to delete it.”
Employer obligation #6: Do not mistake reform for deregulation
Some employers read about the Act and hear what they want to hear: “Less red tape.” What the law actually delivers is more nuance. Yes, there is additional clarity. Yes, some workflows may become easier. But core governance expectations remain standing.
Data protection officers still matter where required. Records of processing activities still matter. DPIAs still matter. Vendor management still matters. Security still matters. Retention and deletion still matter. Cross-border transfer governance still matters. The Act is not a legal leaf blower that clears your compliance backlog in one satisfying gust.
If anything, the Act makes it easier for regulators and employees to ask sharper questions, because some issues are now more explicitly spelled out in the law. Once a rule is clearer, “we interpreted it creatively” starts sounding less like a defense and more like a confession.
A practical employer checklist for 2026
- Refresh HR and recruitment privacy notices.
- Review lawful bases for employee, applicant, and contractor data.
- Update records of processing to reflect real systems and real data flows.
- Rewrite DSAR procedures around reasonable and proportionate searches.
- Add clock-stopping steps for identity and scope clarification.
- Map all AI and automated HR tools and assess significance.
- Implement a formal internal privacy complaints process before June 19, 2026.
- Reassess monitoring, biometric, and health-data uses with DPIAs and policy updates.
- Train HR, managers, IT, and legal teams together, not in separate compliance silos.
Common mistakes employers should avoid
The first mistake is treating “reasonable and proportionate” as code for “do less.” The second is calling a process “human reviewed” when the human is really just clicking approve on whatever the software says. The third is using legitimate interests like hot sauce: splashing it on everything and hoping nobody asks follow-up questions. The fourth is waiting until June 2026 to think about complaints handling. That deadline is a starting gun, not a suggestion.
Practical employer experiences and lessons learned
In practice, employers usually do not get into trouble because they failed to memorize section numbers. They get into trouble because their processes drifted. The policy said one thing, the software did another, and the managers on the ground were operating on folklore. The Data (Use and Access) Act 2025 shines a bright light on that gap.
One common experience is the multinational employer that centralizes HR services for efficiency and then discovers its privacy notice still reads like a small local business from five years ago. Payroll is handled in one country, recruitment data are reviewed in another, benefits administration sits with a vendor elsewhere, and nobody updated the documentation to explain the flows in plain English. The legal basis might still exist, but the transparency piece lags behind. That is where frustration begins, especially when an employee asks a simple question and gets three inconsistent answers.
Another frequent lesson comes from DSARs. Employers often assume the real challenge is volume. Usually, the real challenge is inconsistency. One team searches email. Another searches only the HRIS. A manager forgets messages on a collaboration platform. Legal assumes HR handled the scope. HR assumes legal handled exemptions. Then the response goes out and the requester immediately spots missing material. The Act’s clarification around reasonable and proportionate searches helps, but only if the employer can show a consistent method. Good process beats heroic scrambling every time.
AI in recruitment is another area where reality moves faster than governance. Employers often pilot a screening or ranking tool because it promises speed and reduced admin. At first, it feels harmless. Then candidates start asking how decisions are made, whether humans review rejections, and what data trained the model. By that point, the privacy team is meeting the tool for the first time. The experience many employers report is not that AI is automatically unlawful, but that AI projects fail when procurement, HR, legal, and IT do not sit at the same table early enough.
Monitoring tools tell a similar story. Businesses install software to improve security or productivity, but employees experience it as a trust issue. Even where monitoring may be lawful, poor communication creates suspicion. The lesson is simple: if an employer would feel awkward explaining a monitoring tool openly, that awkwardness is usually trying to tell them something useful.
Biometric projects are especially revealing. Employers often like the convenience of fingerprint or facial systems until they realize convenience is not itself a lawful basis. The operational lesson is that less intrusive alternatives matter. If a badge, PIN, or app-based check-in solves the problem, the biometric option needs a stronger justification than “it looked modern in the vendor demo.”
Overall, the employers that handle this Act best are not the ones with the flashiest compliance decks. They are the ones that align legal rules, HR practice, technical design, and employee communication. They treat privacy as part of workplace governance, not as a document buried in a shared drive under “misc final final.”
Conclusion
The UK Data (Use and Access) Act 2025 is important for employers not because it tears up the rulebook, but because it sharpens it. It gives useful clarification on lawful basis, DSAR handling, and automated decision-making, while also making complaint handling more explicit and keeping pressure on employers to justify high-risk processing. For most organizations, the smartest response is not panic and not complacency. It is disciplined modernization.
Employers that review their HR data map, tighten their DSAR procedures, govern AI realistically, prepare for privacy complaints, and keep monitoring and health-data practices proportionate will be in a much stronger position. Everyone else may soon discover that “we thought the vendor handled that” is not a winning compliance strategy.
