On the 19th of June 2025, the Data Use and Access Act (commonly known as the DUAB or DUA Bill) officially received Royal Assent, marking a significant update to the UK’s data protection framework. While it doesn’t entirely rewrite GDPR, it does bring a number of key changes that educational institutions need to be aware of.
Let’s break it down and explore what this means for colleges, schools, and educational staff in a practical, easy-to-digest way.
Subject Access Requests: The Clock Pauses for Clarification
We know that managing Subject Access Requests (SARs) can be time-consuming, especially when students or staff request a mountain of data.
Here’s what’s changed:
- If someone submits a SAR and you need clarification, the response deadline is paused until they respond.
- You can reasonably ask for clarification if you hold a large amount of data about the person.
- Once clarification is received, you must still perform a reasonable and proportionate search for the requested data.
Takeaway for educators: If a student or staff member submits a vague or broad SAR, you now have the legal room to ask for specifics before the 30-day countdown begins. This helps you stay compliant and focused on what’s actually needed.
Complaints Must Be Handled Internally First
The new law gives organisations a chance to fix things before complaints go to the ICO (Information Commissioner’s Office).
Now, if someone raises a data protection issue:
- You must acknowledge their complaint within 30 days
- Take appropriate steps to investigate and address it
- And inform them of the outcome
What this means: Colleges should ensure there’s a clear internal complaint process. This is a great time to check that your staff know how to escalate issues internally, before they become a bigger (and more public) problem.
Automated Decision-Making & AI in Education
With AI becoming a growing tool in education, think automated exam marking or application screening, DUAB clarifies how these systems should be handled:
Automated decisions that have legal or significant effects (e.g. admissions, grading) are permitted, as long as:
- The individual is told their data will be used this way,
- They are given the option to contest the decision, and
- Human intervention is available.
Heads up: If your college uses AI to grade tests (like automated multiple-choice scoring), or any automated student decision-making systems, let your data protection lead know. You’ll need to be clear with students about their rights and the role AI plays.
Cookies: A Bit More Flexibility
Let’s talk cookies. No, not the chocolate chip kind.
DUAB introduces exemptions to the consent requirement for certain non-essential cookies. That includes cookies used for:
- Statistical analysis
- Website performance
- User preferences
- Service improvements
Good news for IT teams: If your college’s website uses cookies only for these purposes, you no longer need to obtain user consent.
Legitimate Interests: A Clearer Path Forward
There’s now a recognised list of “legitimate interests”, making life a bit easier for data protection leads. These include:
- Safeguarding students and staff
- Fraud prevention
- Network and system security
- Intra-group data sharing (for multi-site colleges)
- Direct marketing
If your college is processing data for any of the above reasons, you no longer need to complete a Legitimate Interests Assessment (LIA).
Bottom line: This streamlines processes and reduces paperwork when handling security or safeguarding-related data.
What’s Next?
While these updates are now law, the government hasn’t yet published education-specific guidance. In the meantime:
- Review your current policies, especially around SARs, complaints, and automated decision-making
- Update your internal processes and staff training to reflect the new rights and obligations
- Monitor for upcoming sector-specific guidance
If you’d like to explore more detailed legal interpretations or dive deeper into how DUAB changes things across different industries, click here for further information.
Let’s continue to champion responsible data use in our schools and colleges. These changes aim to strike a better balance between protecting individuals’ rights and reducing unnecessary red tape – and that’s something we can all get behind.
