Data is pivotal to the smooth running of any pension scheme. Keeping accurate information ensures that administration services can be delivered efficiently and correctly. Recent developments in this space have added an extra layer of compliance for pension scheme trustees; staying on top of data requirements is important not only for meeting regulatory requirements but also for maintaining confidence in the scheme.

With that in mind, trustees should take note of the new Data (Use and Access) Act 2025 (“DUAA”), which introduces some of the most significant changes to UK data protection law since the GDPR. While DUAA isn’t pensions-specific legislation, its reforms have a direct impact on scheme governance and member experience.

In light of this development, the Pensions Administration Standards Association (“PASA”) has published an industry paper highlighting the key changes trustees need to be aware of. These include:

  1. Automated decision-making: the DUAA introduces amendments to relax the current restrictions on using personal data in automated decision-making — provided appropriate safeguards are in place. For pension schemes, this means trustees can use automated decision processes in more circumstances, provided they clearly explain how decisions are made and what data is used, and consider the potential impact on members. Importantly, members must always have the right to challenge any automated decision. These changes could streamline administration and deliver better outcomes for savers. Pension schemes should be mindful, however, that restrictions continue to apply to automated decision-making which involves processing special category personal data, such as health information.

  2. Data Subject Access Requests (“DSARs”): as many will be aware, scheme members have a right to ask for a copy of personal data held about them through a DSAR, with the time limit to respond being one calendar month from the date the request is made (except in the case of complex requests, for which an extension can be applied). The DUAA introduces some clarifications to DSARs to align with current regulatory guidance and case law, such as confirming that response times should be ‘paused’ whilst further clarification or information is sought, and that controllers are only obliged to conduct “reasonable and proportionate” searches for relevant personal data. For more information about how we can support pension schemes with DSARs, please contact our DSAR team.

  3. Data protection complaints: the DUAA introduces a new data subject right to complain, which will give scheme members a statutory right to complain about DSARs, data breaches, and other data protection matters. Where complaints about the handling of personal data are raised by members, schemes must:
     
    1. provide accessible channels for complaints to be raised (e.g. online form, phone, email or in person);
    2. acknowledge receipt of the complaint within 30 days;
    3. investigate and respond without undue delay and provide regular progress updates;
    4. maintain records of complaints received, the investigation steps, the outcome, and any rectifying action taken; and,
    5. inform members of their right to escalate complaints to the Information Commissioner’s Office (“ICO”), if they remain dissatisfied.

      For more information about the new right to complain, please see our recent blog on this. In light of this change, schemes may need to update existing complaint procedures, data protection policies, and privacy notices to take account of these new requirements. There are potentially high fines if schemes get this wrong (up to £17.5 million).

  4. Recognised Legitimate Interests (“RLIs”): the DUAA introduces a new lawful basis for processing personal data: Recognised Legitimate Interests (“RLIs”). There is scope for the government to introduce new RLIs via separate legislation; the first five RLIs proposed include processing necessary for the prevention and detection of crime, and processing necessary for the safeguarding of vulnerable individuals. For pension schemes, this means trustees can respond quickly and proactively to requests for information from law enforcement, or when members face financial vulnerability, cognitive decline, or risk of exploitation. It’s worth noting that this approach aligns with the Financial Conduct Authority’s (FCA) consumer duty, strengthening the pensions industry’s ability to support those who are less able to protect their own financial interests.

  5. Digital Verification Services (“DVS”): the DUAA gives DVS a foundation in statute, with providers now needing to be certified under the UK Digital Identity & Attributes Trust Framework, and to be listed on a government register. For schemes, this can be a welcome change in that certified services can be integrated across key stages of the pensions lifecycle: onboarding, small pots tracing, decumulation, and of course pensions dashboards, resulting in a more secure process overall which does not require as much due diligence on the scheme’s part.

Next steps 

Given these changes, trustees should review any existing documents and processes that deal with data, such as privacy notices, and assess whether any updates are needed. Particular attention should be paid to the new right to complain. Where changes are required, trustees should work closely with their administrators to implement them, ensuring the scheme operates within a compliant data protection framework.

If you would like to discuss any of the points highlighted above, please get in touch with your usual contact in the pensions team. 
