The Data (Use and Access) Act 2025 (the “DUAA”) raises the bar for how pension trustees’ role as data controllers must be performed.
Our previous blog on the DUAA explored the key changes introduced for pension schemes and trustees. We are now seeing trustees reviewing their data protection frameworks in light of DUAA requirements, and a number of key practical considerations are beginning to emerge.
Documenting recognised legitimate interests
The DUAA introduces a new lawful basis for processing personal data: Recognised Legitimate Interests (“RLIs”). On one hand, this is a benefit in that trustees can act quickly and proactively on certain specified lawful bases, without needing to carry out a benefit/impact balancing exercise (which is otherwise required when relying on the legitimate interest grounds).
As trustees update their internal policies and privacy notices to reflect this, it might be tempting to use generic ‘catch-all’ wording (i.e. to list all the RLIs that are set out in the DUAA). However, given the nature of pension schemes, some of the RLIs will be of limited relevance to trustees (for example, processing data for defence or national security interests is unlikely to be relevant). Trustees should instead clearly identify which RLIs are relevant to their scheme and policy documentation (including in any privacy notices shared with scheme members), most commonly those relating to prevention of crime or safeguarding vulnerable individuals – though it is worth bearing in mind that RLIs do not apply to processing of special category personal data (such as health information) or criminal offence data.
Trustees should also be mindful that both internal policy and external communication should be consistent in reflecting how data processing is carried out in scheme practice (and if necessary, trustees’ records of processing activities should be reviewed and updated accordingly).
Automated decision making
The DUAA creates a framework that removes some of the prior restrictions on the use of automated decision making (“ADM”) and allows schemes to now expand the use of ADM in scheme administration. This can streamline administration and deliver better outcomes for members.
However, the increasing use of AI in scheme administration means it also presents a risk area for trustees if DUAA requirements are not met. Trustees should be mindful of this, engage with administrators to understand ADM usage within the scheme, and request confirmation of any current or planned ADM uses in scheme work. If there are any, trustees should work with administrators to ensure that the mandatory safeguards required by the DUAA are in place and highlight any current limitations within the scheme’s data collection and management processes; the key concern will be to avoid ADM outputs that are tainted by discrimination and bias.
Where trustees are not satisfied with data quality or data management, they will need to ensure that processes are put in place to improve them, prior to any ADM being implemented, as this will affect the quality of decision outcomes. Trustees may wish to consider suggesting targeted training for scheme administrators in relation to the operation of ADM procedures, to ensure that such procedures are applied effectively in practice.
New data complaints requirements
The new data subject complaints requirements mean that existing complaints frameworks – such as scheme internal dispute resolution procedures – may not be sufficient to deal with complaints from scheme beneficiaries about the handling of personal data. Trustees may wish to:
- review their current complaints arrangements in light of ICO guidance and consider whether to adapt existing procedures or implement a standalone data complaint process;
- review delegation agreements with scheme administrators and ensure clarity on what they will be expected to do;
- ensure the scheme’s data complaints process will be able to withstand the expected increase in complaint numbers, especially due to the increasing use of AI tools to draft complaints;
- ensure that scheme administrators, as data processors, can appropriately escalate and handle data complaints within clear timeframes;
- when dealing with a complaint, consider which party is best placed to handle it impartially (and review any conflicts policy where necessary); and
- where scheme benefits have been bought in, ensure that the insurer and trustees are both complying with their duties as data controllers in delegating data complaints administration.
The DUAA does not fundamentally change the role of trustees as data controllers, but it does raise the bar in how that role must be performed. We can support trustees in their DUAA compliance journey by drafting or updating internal policies, member communications, and procedures required by the DUAA, ensuring that procedures are workable in practice.
Dashboards
Separately, trustees will also be aware of the introduction of pension dashboards. Given that pension dashboards will require trustees to share member personal data with the dashboards framework, trustees’ data protection policy and privacy notice will also need to be updated to account for this. From a practical and costs perspective, it might make sense to include any necessary changes for pensions dashboards alongside those arising from the DUAA review.
If you would like to discuss any of the points highlighted above, please get in touch with your usual contact in the pensions team.