Legal
- Tammy Buchanan
What the Data (Use and Access) Act Means for Schools
We present an article written by our Featured Guest Expert Ralph T O'Brien for our school and multi-academy trust customers about the Data (Use and Access) Act, in which he breaks down what the latest legislative changes mean for the education sector.
About the Author: Ralph T O'Brien is a trusted advisor on Global Privacy and Security Compliance, practices and management.
You can find out more about Ralph and Serious Privacy Ltd here
Key Changes for Education Providers, Trusts, and Schools
The UK’s Data (Use and Access) Act (DUAA) represents another significant step in the post-Brexit evolution of UK data protection law, amending PECR, the Data Protection Act and the UK GDPR. While the core principles remain unchanged, the reforms do introduce important clarifications and adjustments that schools, academy trusts, and education providers should understand carefully.
These changes are unlikely to remove the need for robust governance, transparency, and safeguarding-focused decision-making. They will affect several operational areas that commonly arise in education environments, particularly:
- fundraising and alumni communications,
- automated decision-making,
- complaint handling,
- subject access requests,
- and legitimate interests/secondary use linked to safeguarding and emergencies.
The challenge for schools is ensuring these reforms are interpreted responsibly. The DUAA should not be viewed as reducing obligations towards pupils and families. Instead, it changes how some obligations operate in practice.
1. Soft Opt-In and School Charitable Trusts
One of the most discussed reforms involves the extension of the “soft opt-in” marketing rules under PECR (Privacy and Electronic Communications Regulations). Historically, schools and associated charitable foundations have struggled with electronic fundraising communications, particularly where alumni or parents had not explicitly opted into marketing messages.
The DUAA expands the circumstances in which charities may rely on “soft opt-in” marketing rules.
This may be particularly relevant for:
- academy trust foundations,
- alumni associations,
- school development offices,
- and fundraising arms linked to schools.
In practice, this means a school-linked charitable organisation may be able to send fundraising or charitable engagement communications where:
- contact details were obtained during previous engagement,
- the messages relate to similar charitable purposes,
- and recipients are given a clear opportunity to opt out.
This should be approached cautiously. Educational institutions occupy positions of trust, and parents may not distinguish between:
- educational communications,
- fundraising communications,
- and commercial-style marketing.
Schools should therefore continue to consider fairness, reasonable expectations, transparency, and reputational impact, rather than relying purely on technical legal permission. Particular care will have to be taken where communications involve current pupils’ families, vulnerable families, or extensive profiling for fundraising purposes. Just because soft opt-in may become legally easier does not necessarily mean it will always be appropriate. Some of my clients have refused to use it, especially on existing databases, due to the admin involved in its adoption.
2. Automated Decision-Making and Special Category Data
The DUAA also reforms aspects of automated decision-making (ADM). Historically, UK GDPR imposed stricter restrictions on decisions based solely on automated processing where those decisions produced legal or similarly significant effects. In the world of AI this becomes particularly relevant.
The reforms attempt to create a more flexible framework around automated decision-making while still preserving safeguards for high-risk processing, focussing on special category data.
For schools, this matters because educational environments increasingly use:
- behaviour analytics,
- safeguarding monitoring tools,
- AI-assisted learning platforms,
- attendance scoring systems,
- and predictive risk indicators.
Some of these systems may involve:
- profiling,
- automated recommendations,
- or partially automated interventions.
Where special category data is involved, such as health information, SEND data, ethnicity, biometric information, or safeguarding indicators, schools should remain extremely cautious in platform adoption. Even where the law becomes more permissive, schools must still consider fairness, accuracy, explainability, proportionality, and the potential impact on children.
A technically lawful automated system can still create harmful educational outcomes if pupils are inaccurately profiled or treated as numbers, risk scores become self-fulfilling, or staff over-rely on automated outputs and reduce critical thinking.
Importantly, schools should avoid assuming that AI-assisted systems are exempt simply because a human remains “in the loop.” Meaningful human review requires genuine oversight and human “off ramps” (the ability to make human representations and objections), not merely rubber-stamping automated outputs. The proper use of DPIAs in designing proactive controls (rather than retrospective documentation) and safeguarding assessments remain critical in this area.
3. Data Protection Complaints Procedures
The DUAA also introduces changes relating to complaints handling, which has a deadline of June 19th, 2026. Organisations are increasingly expected to maintain clearer internal mechanisms allowing individuals to raise and resolve data protection concerns before escalating complaints to the ICO.
There is now a 30-day acknowledgement deadline to be built into the complaints process. For schools, this is particularly important because many disputes involving parents, pupils, staff, or governors primarily begin as communication and trust issues rather than purely legal disputes. Often the data protection requests are ancillary to the real issue that the complaining party is concerned about.
Schools should therefore ensure they have:
- accessible complaint routes,
- clear escalation processes,
- appropriate response times,
- and documented handling procedures.
In practice, schools may benefit from aligning data protection complaints with existing complaints frameworks, ensuring frontline staff know when to escalate concerns, and maintaining careful records of decisions and responses.
We should avoid becoming overly procedural. Many parental complaints are driven by concerns about fairness, safeguarding, trust, or transparency, so while a legally defensive response may satisfy governance requirements, it can still damage relationships with families.
Good complaint handling in schools remains fundamentally relational as well as regulatory.
4. Recognised Legitimate Interests and Secondary Purposes
Another notable development involves recognised legitimate interests and clarifications around secondary processing purposes. The reforms attempt to provide greater certainty for certain categories of processing considered beneficial or socially important, including areas linked to:
- safeguarding,
- emergency response,
- public protection,
- and crime prevention.
For schools, this is highly relevant and will mean that data is easier to process in these ancillary functions. Educational settings regularly process personal data for purposes that evolve beyond the original reason for collection, particularly where safeguarding concerns emerge.
Examples may include:
- sharing information with external agencies,
- identifying welfare risks,
- responding to emergencies,
- or escalating concerns about pupil safety.
The DUAA provides greater support for some of these activities where there is a recognised public interest or safeguarding rationale. Essentially, there is no need to carry out documentation for legitimate interest assessments in these cases; the legal basis or secondary purpose is assumed to be satisfied and legal. Schools should not interpret this as unlimited permission to repurpose data freely.
The core principles still apply:
- necessity,
- proportionality,
- fairness,
- minimisation,
- and accountability.
Safeguarding remains one of the strongest justifications for information sharing, but it should not become a blanket rationale for excessive collection or unnecessary retention.
Schools should continue asking questions such as:
- Is the sharing genuinely necessary?
- Is the information proportionate?
- Are we sharing the minimum necessary data?
- Would the individual reasonably expect this use?
- Can we explain and justify the decision afterwards?
5. DSAR Procedure Changes and “Stop the Clock” Provisions
The DUAA also introduces procedural reforms affecting how organisations manage Data Subject Access Requests (DSARs). For schools, these changes are likely to have significant practical importance because DSARs in education settings are often complex, emotionally charged, and resource intensive.
Schools regularly receive requests involving:
- safeguarding records,
- behaviour logs,
- SEND documentation,
- pastoral files,
- staff communications,
- and correspondence involving multiple individuals.
These requests can be difficult to process within statutory timescales, particularly where clarification is needed or exemptions must be carefully considered. One of the most important procedural changes is the introduction of clearer “stop the clock” provisions. There is an argument that this legislative development does little but clarify the existing process.
Under the previous framework, organisations could ask requesters for clarification where a request was unclear, but the legal effect on timescales was often uncertain. The DUAA provides greater flexibility for organisations to pause response deadlines while awaiting necessary clarification or additional information.
It is also now explicitly stated that the search for the personal data must be “reasonable and proportionate”. For schools, this may be particularly helpful where:
- parents submit extremely broad requests,
- requests cover many years of records,
- multiple children are involved,
- or the school cannot reasonably identify the information being requested.
In practice, this should allow schools to:
- clarify unclear requests,
- identify relevant date ranges,
- confirm the scope of searches,
- and reduce unnecessary administrative burden.
We have to be careful to use this correctly. The “stop the clock” mechanism should not become a tactic for delaying responses unnecessarily, or reducing individuals' general right to gain access and copies of all personal data held. The principles of data minimisation, retention and design should be applied to reduce the amount of data you have in the first place - if you process it, expect to have to manage it. The ICO is still likely to expect organisations to act promptly, communicate clearly, and provide reasonable assistance to requesters.
Schools should also remember that DSARs in education are often linked to broader disputes involving:
- exclusions,
- safeguarding disagreements,
- SEND concerns,
- complaints,
- or employment issues.
A purely procedural approach can therefore escalate tensions rather than resolve them. The reforms also reinforce the importance of distinguishing between genuinely excessive or unfounded requests (say no politely), and requests that are simply inconvenient or sensitive (must respond). Just because the data subject requesting is being “difficult” does not affect their legal rights.
Schools should continue to approach DSARs with caution where records contain:
- third-party information,
- safeguarding concerns,
- confidential references,
- or information that could risk serious harm if disclosed.
As always, exemptions should be applied carefully and documented appropriately. Ultimately, while the DUAA may provide schools with more procedural flexibility, the underlying objective of rights remains unchanged: enabling individuals to understand and scrutinise how organisations use their personal data. For schools, maintaining openness, trust, and clear communication will remain just as important as meeting the technical requirements of the law.
Final Thoughts
The DUAA does not fundamentally remove schools’ data protection obligations. The UK GDPR principles remain largely intact, and children’s data continues to require particularly careful handling. For schools, the greatest risk may not be misunderstanding the law itself, but interpreting flexibility as deregulation. Educational environments process some of the most sensitive and consequential personal data in society. That means schools must continue to place at the centre of decision making:
- fairness,
- safeguarding,
- transparency,
- and proportionality.
Good school data protection is not simply about complying with legislation. It is about using data for public good whilst not hurting people, and about maintaining trust with children, parents, and school.
