
Data Use and Access Act rewrites UK workplace privacy playbook: automated hiring easier, but new DSAR and complaints duties loom

18 July 2025

The Data (Use and Access) Act 2025 (DUAA) has cleared Parliament and, once phased in later this year, will reshape how employers handle recruitment tech, staff data-requests and privacy complaints.

Automated decision-making: consent hurdle scrapped for most data

The headline change is a loosening of Article 22 UK GDPR: fully automated decisions (including AI-driven hiring, performance scoring and shift-rostering) will now be permitted unless they rely on special-category data. Where only ordinary personal data are involved, employers must still tell workers an algorithm is in play, explain the logic in plain English and give them a right to challenge the outcome.

Practical effect: algorithmic CV-sifts and productivity dashboards that previously needed explicit consent or a “contract necessity” defence can run on a transparency-and-challenge model instead. HR teams must update privacy notices and build rapid human-review channels.

DSARs: “stop the clock” and reasonable searches

The Act codifies a pause button: if a data-subject access request is vague, the 30-day clock stops while the controller seeks clarification. Searches may be limited to what is “reasonable and proportionate,” easing the burden of trawling legacy inboxes.

A new transparency rule applies when withholding documents under legal professional privilege: controllers must tell the requester that the exemption is being used, explain why, and signpost the right to complain to the ICO or court.

Mandatory internal complaints channel

Before individuals run to the ICO, organisations will have to offer a formal internal privacy complaints procedure—complete with an e-form and 30-day response target. Some regulated sectors already have similar systems, but most employers will need to build one from scratch.

Compliance checklist for HR and privacy teams

  1. Update candidate & staff privacy notices to flag ADM use and contest rights – required under the revised Article 13/14 transparency duties.

  2. Map all AI/ADM tools and document their logic, safeguards and human-review routes – the ICO is drafting a sector-wide AI Code for release by autumn 2025.

  3. Revamp DSAR playbooks: add “stop-the-clock” letters, privilege explanations and search-scope records – new statutory rules narrow searches and prescribe how legal-privilege refusals must be explained.

  4. Stand up an internal privacy-complaints workflow and train front-line HR/IT staff – mandated by DUAA §103 before workers can escalate to the ICO.

  5. Audit special-category data flows in every algorithmic system – explicit consent or another Schedule 1 public-interest condition is still required when sensitive data feeds an automated decision.

Timeline

  • 2–6 months after Royal Assent – most ADM and DSAR provisions expected to commence via statutory instrument.

  • Up to 12 months – ICO to publish updated ADM guidance and draft AI Code; complaints-procedure obligation takes full effect.

Bottom line: the DUAA lets employers embrace AI-led hiring and people-analytics with fewer legal hoops, but only if they can prove transparency, provide quick human recourse, and handle sharper DSAR and complaint duties. Building the records now will save headaches—and potential ICO fines—when the clock starts.

This article was created with insights from Lex HR.