# Guidance on the Data Use and Access Act 2025 (DUAA)

News 

By Guest Blog

18th June 2026

## DUAA Summary for Members

The Data Use and Access Act 2025 (DUAA) is a new law that updates how personal data is handled in the UK. It doesn't replace existing laws like the UK GDPR or the Data Protection Act 2018 - it simply updates and adds to them. Below is a summary of what this means for you, the data controller, whether you're in private practice or run a counselling service.

## Complaints about the use of personal data

Clients now have a formal right to complain to you, the data controller, if they believe their personal information hasn't been handled correctly. As a practitioner or organisation, you'll need to:

• Make it easy for clients to raise a complaint - an email address or simple online form in your privacy notice is fine

• Acknowledge any complaint within 30 days

• Keep the client informed and let them know the outcome as soon as you reasonably can and 'without undue delay'.

Information on how to raise a complaint about data handling should be added to your current complaints policy.

## Subject Access Requests (SARs)

If a client asks to see the personal information you hold about them, the DUAA gives you a bit more clarity and flexibility:

• If their request is unclear or very broad, you can now "stop the clock" - pausing your response deadline while you go back to them for clarification

• You're only expected to carry out searches that are reasonable and proportionate; you don't need to go digging through everything if it wouldn't be practical to do so.

## Website cookies

If you have a practice website, some cookies - such as those used for basic analytics or to improve how your site works - no longer require explicit consent from visitors, as long as you give them the option to opt out. This means simpler cookie banners for most websites.

The above is an overview of the key points that may relate to your practice, please note this is not legal guidance. We would recommend that you read the ICO guidance.

You can read the ICO's full guidance here:

<https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/>

Further guidance:

<https://www.womblebonddickinson.com/uk/insights/articles-and-briefings/data-protection-complaints-are-you-ready>