Research shows that most UK organisations are not ready for the Data (Use and Access) Act 2025 (DUAA) – and the education sector is no exception
CREDIT: This is an edited version of an article that originally appeared in Personnel Today
While awareness is higher in schools and trusts than in other industries, many leaders admit they’re still unclear about what needs to change, when and how.
The DUAA, which became law on 19 June 2025, amends (but does not replace) existing data protection laws such as the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations. Key provisions began rolling out in August 2025, with more due between now and June 2026.
What’s Changing Under the DUAA
The DUAA introduces stricter requirements for:
- Data access and sharing – how personal data is requested, handled and shared with third parties
- Breach reporting – faster response times and more detailed documentation
- Privacy governance – stronger oversight and accountability, especially for organisations that hold sensitive or large volumes of data
These changes mean schools and trusts must review how they handle everything from pupil information and safeguarding records to staff data and vendor contracts.
The Sector’s Readiness: A Mixed Picture
A recent survey of 373 compliance professionals revealed that only 1.6% of organisations say they’re fully ready for the new law.
- 77% admitted they are unprepared, unsure, or only beginning preparations
- 47% said updating governance, training and vendor management will be their biggest challenge
- 39% named staff training as their top priority for the next six months
The education sector showed relatively high awareness but also significant uncertainty, with 30% of respondents “not sure” how to assess their readiness.
Why This Matters for Schools and Trusts
While schools may not handle data in the commercial sense, the personal information they manage is among the most sensitive: pupil records, safeguarding details, staff files and parental communications. “Human error and mistakes” were identified as the top data protection risk by 56% of organisations. In schools, that can mean something as simple as emailing the wrong parent or failing to secure a shared document – small actions with big consequences.
The Information Commissioner’s Office (ICO) has already released guidance explaining how the DUAA changes data protection law and what organisations should do next. For schools and trusts, this is a moment to strengthen processes and foster a culture of accountability.
Steps Schools and Trusts Can Take Now
Here’s how school business managers can start preparing:
Review Your Current Policies
Update data protection, retention, and breach response policies to reflect DUAA requirements. Check that all staff understand the difference between “data controller” and “data processor” roles.
Audit Third-Party Vendors
Review all contracts and data-sharing agreements with suppliers, catering, HR and IT partners. Confirm they are DUAA-compliant and that data sharing is properly documented.
Strengthen Governance and Oversight
Ensure your Data Protection Officer (DPO) has the latest DUAA training. Schedule regular data audits and report outcomes to governors or trustees.
Improve Incident Reporting and Record-Keeping
Review how your school records and responds to data breaches. Ensure response times and escalation procedures meet the new DUAA standards.
The Data (Use and Access) Act 2025 is more than a legal update – it’s an opportunity for schools and trusts to modernise their approach to data protection and strengthen community trust. By acting now, school business managers can ensure their institutions stay compliant, confident and secure as the DUAA rolls out over the coming year.
