PASA has today released a new industry paper, ‘The Data (Use and Access) Act 2025 Unpacked: Six key areas for pension schemes’. The paper provides a practical breakdown of the Data (Use and Access) Act 2025 (DUAA) and the accompanying Information Commissioner’s Office (ICO) materials, highlighting the most relevant implications for schemes.
The DUAA received Royal Assent on 19 June 2025 and introduces significant modifications to the UK’s data protection landscape. While not bespoke to pensions, the reforms directly affect scheme governance, saver experience, data operations, and risk management across the saver journey.
The paper outlines six core areas schemes need to understand and act upon:
- Automated Decision Making – A shift from a prohibition-based model to a risk-based one, opening the door for increased automation while retaining key safeguards
- Digital Verification Services and the Trust Framework – Statutory certification of Digital Verification Services (DVS) under the Digital Identity & Attributes Trust Framework (DIATF), enabling more secure, consistent and high-assurance identity matching
- Recognised Legitimate Interests (RLIs) – Including Safeguarding Vulnerable Individuals – A new lawful basis which removes the need for a balancing test, supporting timely and proportionate safeguarding interventions
- Subject Access Requests (SARs) – Introduction of reasonable and proportionate search requirements and the ability to pause response times while awaiting clarification
- Data Protection Complaints – Clear obligations for accessible channels, timely acknowledgement, investigation records and ICO escalation routes
- Looking Ahead – Practical areas schemes should prioritise when refining their processes, governance frameworks and saver support pathways
Ross Wilson, Co-Chair of the PASA Industry Policy Committee, said: “The DUAA represents the most meaningful shift in data protection requirements since UK GDPR, and schemes need clarity on what this means in practice. This paper breaks the Act down into digestible, relevant components so trustees, administrators and providers can understand where the most material impacts will be. From safeguarding vulnerable savers to navigating new SAR and complaints processes, the DUAA creates both obligations and opportunities for schemes to strengthen data governance and member support.”
David Fairs, PASA Chair, commented: “High-quality data governance is central to delivering good saver outcomes and the DUAA marks an important evolution in the regulatory framework. PASA’s paper provides much-needed direction for schemes seeking to interpret the changes and adapt their processes with confidence. As data expectations continue to rise across the pensions ecosystem, PASA will continue to support the industry with practical, accessible resources to help schemes meet their responsibilities and protect saver trust.”
The full paper is available here.
