The Data (Use and Access) Act 2025: What Employers Need to Know
Whilst much of the attention over the past year has focused on the Employment Rights Act and the significant changes it will bring for employers, another important piece of legislation has quietly introduced new obligations that businesses cannot afford to ignore.
The Data (Use and Access) Act 2025 has made several changes to UK data protection law, but one of the most significant developments for employers came into force on 19 June 2026. Employees and other individuals now have a statutory right to raise data protection complaints directly with their employer, and organisations are under a legal obligation to have systems in place to deal with those complaints.
At first glance, this may sound like something that only affects large organisations with dedicated HR and compliance teams. However, the reality is that every employer handles personal data every day. From recruitment records and personnel files to sickness absence records, disciplinary notes, CCTV footage and employee monitoring systems, personal data sits at the heart of the employment relationship.
For small businesses in particular, understanding these new obligations is essential because what appears to be a simple workplace concern could now trigger formal responsibilities under data protection law.
Why Should Employers Be Paying Attention?
The legislation places greater responsibility on organisations to manage data protection concerns internally before they escalate to the Information Commissioner’s Office (ICO).
Historically, if an employee believed their personal data had been mishandled, they might have gone directly to the ICO. Under the new rules, employers are expected to provide a clear route for individuals to raise concerns and must actively investigate and respond to those complaints.
Importantly, this is not simply a procedural change. Failure to comply with the complaint handling requirements could itself amount to a breach of data protection law, regardless of whether the original complaint is ultimately upheld.
For employers, this means that data protection complaints now need to be treated with the same level of seriousness as grievances, whistleblowing concerns and disciplinary matters.
A New Right for Employees to Raise Data Protection Complaints
One of the biggest challenges for employers is that employees do not need to use legal terminology or formally state that they are making a data protection complaint.
A manager may receive an email saying, “I don’t think my information should have been shared with the team.”
An employee might question why certain sickness records are still being retained on their personnel file.
Someone involved in a disciplinary process may challenge the information being relied upon or ask why personal information has been included in investigation documents.
A candidate who was unsuccessful at interview may ask how decisions were made and what information was considered during the recruitment process.
Any of these situations could potentially amount to a data protection complaint and trigger the employer’s obligations under the legislation.
This is why training managers to recognise concerns at an early stage will become increasingly important. Employees are unlikely to quote legislation or reference their rights under the Data (Use and Access) Act 2025. More often, concerns will arise through everyday workplace conversations, emails, grievances and disputes.
What Are Employers Required to Do?
The new legislation places a positive obligation on organisations to facilitate and manage data protection complaints.
This means employers must provide a means for individuals to raise concerns, acknowledge complaints within 30 days of receipt, take appropriate steps to investigate and respond without undue delay, and communicate the outcome to the individual raising the concern.
The ICO has also published guidance to help organisations understand their responsibilities and what constitutes an appropriate response.
Whilst this may sound straightforward, many businesses currently have no formal process for handling data protection complaints. As a result, concerns can easily be missed, ignored or mistakenly treated as general employee relations issues.
Employers should therefore review their existing policies and procedures to ensure they include a clear route for raising data protection concerns and that managers understand how such complaints should be escalated and handled.
Everyday HR Situations That Could Trigger a Complaint
Many employers assume that data protection complaints only arise following a cyber security breach or accidental disclosure of information. In reality, most complaints are likely to stem from routine HR activities.
For example, an employee may object to personal information being discussed openly within the workplace. Managers may inadvertently share more information than necessary when explaining sickness absence, performance concerns or disciplinary outcomes to colleagues.
Employees may question the retention of historic disciplinary warnings or absence records on their file. Recruitment candidates may request information about how hiring decisions were made. Staff may raise concerns about the use of CCTV, vehicle tracking systems, call recording technology or productivity monitoring software.
As artificial intelligence and workplace technology continue to evolve, employees are also becoming more aware of how their information is collected, analysed and used. Employers who utilise automated systems to support recruitment, performance management or workforce planning should ensure they remain transparent about how these tools are being used and maintain appropriate human oversight when decisions are being made.
Subject Access Requests Remain a Key Consideration
Alongside the new complaints framework, employers should continue to pay close attention to Subject Access Requests (SARs).
The legislation provides further clarity around the requirement for organisations to conduct reasonable and proportionate searches when responding to requests. This will be welcome news for many employers who have faced extremely broad requests requiring significant time and resources to fulfil.
However, whilst the clarification may help reduce unnecessary burdens, employers must still respond appropriately and within the required timescales. Poor record keeping, inconsistent document management and untrained managers continue to create challenges when responding to requests.
The best approach is to ensure that personnel records, investigation documents, recruitment records and management notes are maintained accurately and consistently throughout the employment lifecycle.
Why Manager Training Matters More Than Ever
One of the recurring themes I see when supporting businesses is that many data protection issues arise not because employers deliberately breach the rules, but because managers are unaware of the implications of their actions.
Discussing an employee’s medical condition with colleagues, forwarding confidential emails without considering who needs access, or retaining personal information for longer than necessary can all create unnecessary risk.
The introduction of the new complaints framework makes manager awareness even more important. If a manager fails to recognise a data protection concern when it is first raised, valuable time can be lost before the organisation begins addressing the issue.
As with many areas of employment law, prevention is always better than cure.
Practical Steps Employers Should Take Now
This legislation should act as a prompt for employers to review their existing data protection arrangements.
Privacy notices should be reviewed to ensure they accurately reflect how employee information is collected and used. Policies should be updated to include a clear complaints process. Managers should receive training on recognising potential data protection concerns and understanding when issues need to be escalated.
Employers should also review their approach to employee monitoring, record retention and the use of workplace technology to ensure that their practices remain transparent, proportionate and legally compliant.
Most importantly, businesses should recognise that data protection is no longer simply an administrative exercise. It is an employee relations issue, a compliance issue and increasingly a workplace culture issue.
Final Thoughts
The new obligations introduced under the Data (Use and Access) Act 2025 represent an important shift in how organisations are expected to manage concerns relating to personal data.
For employers, the challenge is not simply understanding the legislation but recognising how it applies in everyday workplace situations. A casual conversation, an email questioning how information has been used or a concern raised during a grievance could all potentially trigger formal obligations under the law.
Businesses that have clear procedures, well-trained managers and robust record-keeping practices are unlikely to find these changes difficult to manage. Those that view data protection as a paperwork exercise may find themselves facing increased scrutiny from employees and regulators alike.
As always, taking a proactive approach now will be far easier than dealing with the consequences of getting it wrong later. If you are unsure whether your policies, procedures and management practices meet the latest requirements, now is the ideal time to review them.
Angela Clay
A qualified employment law solicitor and our managing director, Angela has unparalleled legal expertise and decades of experience and knowledge to draw from. She’s a passionate speaker and writer who loves to keep employers updated with upcoming changes to legislation, and is a regular guest speaker on BBC Leicester Radio.