The provisions of the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, have now been introduced by way of staged regulations. The final regulations were introduced on 5 and 6 February 2026; these introduced some key changes to managing data subject access requests and clarified the existing Information Commissioner's Office (ICO) guidance. We outline certain provisions in the article below.
When a data controller receives a data subject access request, it has one calendar month to provide a response; this can be extended by an additional two months where the request is deemed complex.
The Data (Use and Access) Act 2025 codifies existing ICO guidance by providing a ‘stop the clock’ provision where data controllers need further information in order to process the data subject access request. This pauses the timeframe for a response whilst the data controller seeks further clarification on the scope of the data subject access request from the data subject, or requests verification of the data subject’s identification. Once the data subject has provided the necessary information, the timeframe for a response restarts.
Although existing legislation did not explicitly provide that searches for relevant documents only needed to be reasonable and proportionate, case law and ICO guidance did. The Data (Use and Access) Act 2025 now introduces the ‘reasonable and proportionate’ requirement into legislation, mirroring existing guidance and authorities.
This confirms that data controllers are not required to conduct an exhaustive search for responsive data, leaving no stone unturned, but rather to make reasonable efforts to search for and provide the requested data. What constitutes a ‘reasonable and proportionate’ search will still depend on factors such as the volume of information request, the circumstances of the request, any difficulties in locating information, the nature of the data controller’s business, and available resources.
Although widely excluded under from disclosure pursuant to other exemptions, legislation did not previously provide a specific exemption from disclosure in respect of legal professional privilege. The Data (Use and Access) Act 2025 now formally introduces this exemption into legislation, clarifying that data controllers are not required to disclose confidential correspondence between themselves and their solicitors.
The Data (Use and Access) Act 2025 introduces a new requirement for data controllers to have a process in place for handling complaints from data subjects for data protection breaches. This is not specific to data subject access requests but will be relevant should data subjects raise a complaint about the content of a data subject access request response.
The Act does not prescribe the complaint-handling process itself, but recommends “providing a complaint form which can be completed electronically and by other means”. The Act requires data controllers to acknowledge receipt of any complaint within 30 days of receipt, and to respond to the complaint “without undue delay”. This shifts the complaints process from the ICO to the data controller in the first instance, with complaints to the ICO only being made if a data subject is unhappy with the data controllers response. This requirement comes into force on 19 June 2026, providing businesses with some time to get their complaint process in place.
A new court procedure has been introduced - where a dispute has arisen and the data subject applies to court to determine whether a controller has complied with their obligations. The legislation provides that the data controller may now be required to produce all relevant data to the court for inspection, so that the court can consider if any refusal was appropriate. However, and importantly, the data does not need be disclosed to the data subject until the court has determined in the data subject’s favour.
Further information and insights on other key provisions in the Data (Use and Access) Act 2025, produced by our expert team of data protection lawyers, can be found here.
If you require further information, please contact our data protection team.
