
UK data protection: implications of the Data (Use and Access) Act 2025 for pension scheme trustees


The provisions of the Data (Use and Access) Act 2025 (DUAA) have come into force gradually, via a phased introduction, in the months since the Act received Royal Assent on 19 June 2025.

This briefing summarises key changes made by the DUAA, and changes to the accompanying Information Commissioner's Office (ICO) guidance, which are relevant to UK pension schemes. It also sets out the actions which trustees should take in order to comply with the new requirements. 

Each issue below is followed by comments on the change and by the actions trustees should take.

Changes to the DSAR Process

Comments

The DUAA clarifies certain aspects of the data subject access request (DSAR) process. In particular, the DUAA:

  • Formalises a "reasonable and proportionate" threshold for DSAR searches, so that organisations do not need to undertake an exhaustive search of all resources and archives in response to a DSAR, but can instead conduct a targeted search of relevant resources/systems; and 
  • Formalises the "stop the clock" option, already noted in the ICO guidance, whereby organisations can pause the one-month response deadline, pending clarification from the requestor.

Trustee actions

Trustees should consider whether to amend their DSAR processes to reflect the DUAA changes.

This review might consider what a "reasonable and proportionate" search might look like in common scenarios.

International Transfers

Comments

The DUAA largely formalises and clarifies the UK’s existing approach to restricted transfers – as set out in the relevant section of the ICO guidance.

Essentially, where personal data is transferred to a separate data controller or processor outside the UK, that transfer must continue to be covered by: 

  • UK adequacy regulations; 
  • Appropriate safeguards (such as the UK’s international data transfer agreement, or its international data transfer addendum, together with the EU’s standard contractual clauses); or 
  • An applicable exception.

An "appropriate safeguard" requires that the standard of protection for data subjects is “not materially lower” post-transfer. This test used to be a slightly higher standard (protection had to be “essentially equivalent”), though it is unlikely to make a significant difference in practice.

Trustee actions

Trustees should consider whether any updates to the scheme's GDPR policies and privacy notices are necessary.

When entering into contractual agreements with service providers going forward, trustees should ensure that the service provider understands the restricted transfer requirements.

Trustees should also check their existing contractual arrangements to ensure compliance. Common issues include out-of-date references (for example, contracts should refer to the UK’s adequacy decisions (as opposed to the EU’s), and standard contractual clauses should be used in conjunction with the addendum).

New basis for data processing: Recognised Legitimate Interests

Comments

The DUAA introduces a new lawful basis for processing personal data – a “recognised legitimate interest” (RLI). RLIs are an additional basis; they do not replace the “legitimate interests” basis that trustees commonly rely on. 

Unlike the "legitimate interests" basis, in order to rely on an RLI, the data controller does not need to balance the interests of the controller (or third party) against those of the data subjects. However, data controllers must still consider whether the processing is necessary. 

Each RLI is a specific "condition" which has been pre-approved as being in the public interest. Two RLIs may be useful to trustees in limited scenarios: the "safeguarding condition", and the "crime prevention condition". 

The safeguarding condition may be useful for trustees when processing data in relation to vulnerable individuals; for example, where an individual has dementia and carrying out the usual balancing assessment may not be straightforward. 

The "crime prevention condition" may be useful as a basis for data processing in cases where trustees suspect fraud. 

On 23 March 2026, the ICO issued updated guidance on RLIs.

Trustee actions

In practice, we expect trustees to continue to rely primarily on the existing legitimate interests basis in most day-to-day scenarios.

However, even though reliance on RLIs may be rare, trustees should amend the scheme's GDPR policies and privacy notices to refer to the RLI basis.

Legitimate Interests Assessments

Comments

To demonstrate that the legitimate interests basis for data processing applies, data controllers must carry out a three-part balancing test – essentially, considering whether the processing is necessary, whether it is proportionate, and whether it strikes the right balance when weighed against individuals’ rights and freedoms.

The DUAA does not materially change the legitimate interests assessment process. However, the ICO has updated its guidance and template materials on documenting legitimate interests assessments. 

Trustee actions

Trustees should review their current balancing test (usually set out in a GDPR policy) to ensure it reflects the ICO’s current guidance.

Trustees should document their assessment and its outcome, reflecting the questions asked in the ICO’s template where possible. The assessments are usually documented in GDPR policies, so it may simply be a case of expanding that assessment.

Further Processing

Comments

Personal data can only be collected (whether from the data subject or otherwise) for specified, explicit and legitimate purposes; and it cannot be further processed by or on behalf of a controller in a manner that is incompatible with the purposes for which the controller collected the data. 

The DUAA codifies the factors that should be considered when assessing whether processing for a new purpose is compatible with the original purpose (including the link between the new and original purposes, the nature of the processing and the existence of appropriate safeguards).

Trustee actions

This is unlikely to change trustee processes in practice (as the trustees' overarching purpose is always to administer the scheme and pay the right benefits to the right person). However, trustees may wish to bear the requirements in mind when undertaking new projects or collecting additional data.

Data Handling Complaints

Comments

With effect from 19 June, the DUAA requires trustees to "give people a way" of making data protection complaints about how personal data has been handled. The complaint must be acknowledged within 30 days; and trustees must respond "without undue delay". 

More detail is set out in our separate briefing on the new requirements here and in updated ICO guidance.

Trustee actions

Trustees will need to put in place a process to deal with data protection complaints and create a mechanism through which members can make a complaint (this may, but does not have to, be an online form).

Trustees can include this process within the scheme's internal dispute resolution procedure (IDRP), provided that the requirements in respect of data protection complaints (for example, the different timeframes) are met. 

It will also be necessary for trustees to update the scheme's privacy notices and DSAR responses, to include the right to complain, as well as other data protection/IDRP policies.


Authored by Susanne Wilkins.
