Data Use and Access Act (DUAA) 2025 - Employment Data Protection Policy Updates

We have reviewed and updated our Employment Data Protection Policy templates to reflect the Data (Use and Access) Act 2025 and the latest practical requirements of the UK GDPR.

These updates build on the existing UK GDPR framework and are designed to help employers manage workplace personal data clearly, fairly, and responsibly. The revised policies support compliance when handling employee, worker, contractor, and applicant data, including HR records, payroll information, sickness and absence records, disciplinary materials, recruitment data, and other employment-related personal data.

What Has Changed?

The updated Employment Data Protection Policy templates include revised and expanded provisions covering key areas of workplace data protection compliance, including:

• Employee subject access requests, including clearer wording on reasonable and proportionate searches and requests for clarification;
• Further processing, helping employers assess when staff personal data may be used for a new or additional purpose;
• Recognised legitimate interests, reflecting the new lawful basis introduced by the Data (Use and Access) Act 2025;
• Automated decision-making and profiling, with updated safeguards relevant to workplace and HR processing;
• Data protection complaints, including the new requirement for controllers to provide a clear complaints process;
• International data transfers, with updated wording on UK transfer safeguards and risk assessments; and
• Workplace data security, including practical wording on secure handling, storage, remote access, third-party systems, and the use of AI tools.

Why Have These Updates Been Made?

The Data (Use and Access) Act 2025 introduces a number of targeted changes to UK data protection law. For employers, many of the most important updates relate to everyday compliance processes, such as responding to access requests, handling data protection complaints, documenting lawful bases, and ensuring that personal data is only used for appropriate purposes.

The revised Employment Data Protection Policy templates are intended to help employers set out clear internal rules for the collection, use, storage, protection, retention, and disposal of workplace personal data.

Practical Employment and HR Focus

These templates are designed for use by employers and HR teams. They focus on the practical data protection issues that arise in the employment relationship, while remaining adaptable for different types and sizes of business.

The updated wording helps employers maintain transparent and up-to-date data protection practices, support staff rights, and demonstrate appropriate accountability under the UK GDPR.