
Earlier this year, the UK’s Data (Use and Access) Act 2025 received Royal Assent, bringing in a series of targeted changes to data protection law that are relevant for schools and multi-academy trusts (MATs). These changes amend, rather than replace, the existing UK GDPR and Data Protection Act 2018, but they bring in new obligations and clarify certain responsibilities.
We asked our schools’ Data Protection Officers (DPOs), Adam Halsey and Stacy Williams, from Invicta Law, for a breakdown of the key changes that educators should be aware of and what schools can do now to prepare.
Key Changes for Schools:
1. SARs: Clearer Timelines and Practical Expectations
The Data (Use and Access) Act (DUA) now sets out the rules most schools have already been following: the one-month response period for a Subject Access Request begins when you receive the request or, if you need to verify identity, when that evidence is provided.
If you need to extend the timeframe, you must inform the requester within that first month. Searches should be reasonable and proportionate. While this may not require a change in your current approach, it’s a good opportunity to check whether your staff are clear on these rules, now set out in law.
2. Automated Decision-Making: New Flexibility, Ongoing Responsibilities
If your school uses automated systems or AI to make important decisions, such as admissions, the DUA brings some flexibility, but also new expectations.
You’ll still need to be transparent, allow decisions to be challenged and keep human oversight in the loop. As AI becomes more common in education, check that your risk assessments, processes and policies are keeping pace.
3. Data Protection Complaints: Raising the Bar for Accessibility
The DUA now requires schools to make it easy for individuals to raise data protection concerns – think accessible online forms or app-based options. Complaints should be acknowledged within 30 days and resolved without unnecessary delay. Importantly, individuals must approach the school first before going to the ICO. Schools need to ensure that the process for raising issues is straightforward for parents, pupils or staff.
Schools should also be aware of the new Act’s focus on children’s personal data, and the need to ensure that services accessed by children have stronger protections as a default position. This may be particularly relevant as your school looks to onboard more applications, including those that use AI. Schools should ask themselves, “Are we doing the due diligence on these tools that allows us to demonstrate they have adequate safeguards in place – before we start rolling them out?”

What Educators Should Do Now: A Checklist
With changes expected to come into effect from December 2025, and some requirements following in 2026, now is the time to get ahead and ensure your staff, systems and policies are ready to meet these new requirements.
- Review and update your policies and procedures to reflect the new legal requirements and keep a record of what’s changed.
- Refresh staff awareness and training, using practical examples to ensure everyone understands their responsibilities in real-world situations.
- Risk-assess any automated or AI-powered systems – do you know where these are used in your school, and are your risk assessments up to date?
- Map your data flows to understand how personal data moves through your systems and with third-party providers.
- Ensure transparency and accessibility for data subjects, making it easy for individuals to exercise their rights or raise concerns.
- Plan for regular reviews as guidance evolves and new technologies emerge.
- Communicate changes clearly to parents, pupils and staff, especially around new complaint procedures.
- Document your actions so you can evidence compliance if required.
- Lean on your DPO for support to help you interpret the new requirements, review your policies and ensure your school is fully prepared for the changes ahead.
Support from EIS
Customers using the EIS DPO Service (DPOaaS) can contact their DPO for help preparing for the changes. We will provide updates as further guidance emerges and implementation dates are confirmed.