Data (Use and Access) Act 2025: What It Means for DSARs Under UK GDPR

Navigating Special Cases in Personal Data for DSARs
  • DUAA amends — not replaces — certain DSAR rules under UK-GDPR/DPA 2018.

  • Searches must now be reasonable and proportionate, not exhaustive.

  • A statutory stop-the-clock lets organisations pause the one-month deadline while verifying identity or clarifying scope.

  • ICO guidance signals higher expectations for documenting searches, redaction decisions and system justifications.

  • DUAA interacts with research, recognised legitimate interests and automated decision-making — key issues for universities, NHS bodies and corporates.

The Data (Use and Access) Act 2025 (DUAA) doesn’t replace UK-GDPR — but it reshapes how organisations handle DSARs in several important ways.

At first glance, the changes look technical. In practice, they affect the two things organisations struggle with most:
how far they need to search, and how quickly they must respond.

DUAA introduces the long-awaited “reasonable and proportionate” search standard, formalises stop-the-clock pauses, and raises expectations around documentation and governance. These shifts especially affect universities, public bodies and data-rich corporates, who often handle high-volume, complex DSARs.

Where DUAA Sits in UK Data Law

DUAA received Royal Assent on 19 June 2025. Its purpose is to modernise UK data law, simplify compliance, and support innovation — while maintaining core data rights.

For DSARs, DUAA focuses on:

  • How time limits work

  • What counts as a reasonable search

  • How organisations justify decisions

  • How research and AI contexts affect transparency

It clarifies areas that were previously open to interpretation, reducing ambiguity for DSAR teams.


Timeline Expectations & Stop-the-Clock

What DUAA actually changes

The one-month DSAR deadline stays the same. DUAA simply clarifies how that month works in practice:

  • A controller may pause the clock while verifying identity or clarifying scope.

  • Timelines are judged against practical, evidenced efforts, not theoretical exhaustive searches.

The ICO emphasises that stop-the-clock is legitimate when used genuinely, not as a delay tactic.

Why this matters

Universities
Broad “all emails” DSARs from students or staff can now be paused while the requester narrows time periods or subject areas.

Public sector bodies
Councils and NHS teams can pause timelines for identity checks before releasing sensitive files.

Corporates
HR and litigation-adjacent DSARs can be scoped early (custodians, date ranges, keywords), giving teams breathing room to search the right systems.

Operationally

Workflows should now include:

  • Logging the request

  • Assessing whether clarification is needed

  • Pausing the clock (with timestamps)

  • Resuming when information arrives

This level of structure will matter during ICO reviews.
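As an added illustration of that workflow (written for this article, not taken from any ICO tool or from the statute), the small tracker below computes the adjusted deadline and keeps the timestamped trail. It assumes the ICO's calendar convention as commonly stated: the month runs to the corresponding date in the following month, or the last day of that month if there is no corresponding date (31 January becomes 28 or 29 February); that a pause adds back the whole days between the pause and resume dates; and that a deadline landing on a weekend or a listed bank holiday rolls to the next working day. The request reference and dates are constructed.

```python
"""DSAR deadline tracker with DUAA stop-the-clock pauses (illustrative, not an official calculator).

Assumptions (not from the page): corresponding-date rule for the one-month period,
whole-day pause arithmetic, and weekend/bank-holiday roll-forward.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


def statutory_deadline(received: date) -> date:
    """Corresponding date in the following month, else the last day of that month."""
    year = received.year + (1 if received.month == 12 else 0)
    month = 1 if received.month == 12 else received.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def next_working_day(d: date, bank_holidays: frozenset = frozenset()) -> date:
    """Roll forward over Saturdays, Sundays and any listed bank holidays."""
    while d.weekday() >= 5 or d in bank_holidays:
        d += timedelta(days=1)
    return d


@dataclass
class Pause:
    paused_on: date
    reason: str                       # e.g. "identity verification", "scope clarification"
    resumed_on: Optional[date] = None
    note: str = ""


@dataclass
class DsarClock:
    request_id: str                   # constructed reference, e.g. "DSAR-0042"
    received: date
    pauses: list = field(default_factory=list)

    def _open_pause(self) -> Optional[Pause]:
        if self.pauses and self.pauses[-1].resumed_on is None:
            return self.pauses[-1]
        return None

    def pause(self, on: date, reason: str) -> None:
        if self._open_pause() is not None:
            raise ValueError("clock is already paused")
        if on < self.received:
            raise ValueError("cannot pause before the request was received")
        self.pauses.append(Pause(paused_on=on, reason=reason))

    def resume(self, on: date, note: str = "") -> None:
        p = self._open_pause()
        if p is None:
            raise ValueError("clock is not paused")
        if on < p.paused_on:
            raise ValueError("resume date precedes pause date")
        p.resumed_on, p.note = on, note

    def paused_days(self, as_of: Optional[date] = None) -> int:
        """Whole days the clock has been stopped; an open pause counts up to as_of."""
        total = 0
        for p in self.pauses:
            end = p.resumed_on
            if end is None:
                if as_of is None:
                    raise ValueError("still paused: pass as_of for a provisional figure")
                end = as_of
            total += (end - p.paused_on).days
        return total

    def deadline(self, as_of: Optional[date] = None, bank_holidays: frozenset = frozenset()) -> date:
        raw = statutory_deadline(self.received) + timedelta(days=self.paused_days(as_of))
        return next_working_day(raw, bank_holidays)

    def audit_log(self) -> list:
        """Timestamped trail of the kind a reviewer would expect to see."""
        lines = [f"{self.received} received {self.request_id}; "
                 f"statutory deadline {statutory_deadline(self.received)}"]
        for p in self.pauses:
            lines.append(f"{p.paused_on} clock paused: {p.reason}")
            if p.resumed_on is not None:
                days = (p.resumed_on - p.paused_on).days
                lines.append(f"{p.resumed_on} clock resumed after {days} days: {p.note}")
        return lines


if __name__ == "__main__":
    # Constructed example: HR DSAR received 1 Sep 2025, paused once for ID and once for scope.
    clock = DsarClock("DSAR-0042", date(2025, 9, 1))
    clock.pause(date(2025, 9, 3), "identity verification")
    clock.resume(date(2025, 9, 10), "passport copy received")
    clock.pause(date(2025, 9, 15), "scope clarification")
    clock.resume(date(2025, 9, 20), "requester narrowed to 2024 emails with line manager")
    print("\n".join(clock.audit_log()))
    print("adjusted deadline:", clock.deadline())
```

The two guards in `pause` and `resume` are the point: a trail that can show a pause starting before it ended, or two overlapping pauses, is exactly what invites the "delay tactic" challenge the ICO warns about.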


“Reasonable and Proportionate” Searches

This is one of DUAA’s biggest practical clarifications.

Previously, organisations feared they had to search everything. DUAA codifies what many DPOs already practised: search where it makes sense — and be able to explain it.

ICO guidance suggests considering:

  • Where relevant data is likely to be

  • Accessibility of each system and the cost of retrieving data from it

  • Volume and age of archived material

  • Disruption to operations

  • Risks to the requester if data is missed

The requirement is not perfection — it’s justified, transparent decision-making.

Sector Examples

University
A DSAR about a 2024 supervision dispute justifies checking the case-management system and relevant departmental mailboxes, but not decade-old backup tapes.

Local authority
A housing DSAR triggers searches of the housing system, complaint system and relevant staff emails — not all borough CCTV footage.

Corporate
A redundancy DSAR requires HR systems and manager notes — not the restoration of legacy file servers with low expected value.


Documentation & Governance Expectations

DUAA subtly raises the standard for DSAR governance.

Policies and DPIAs

Organisations should refresh:

  • DSAR policies (stop-the-clock, proportionality, clarification)

  • RoPAs

  • DPIAs or LIAs tied to DSAR processes

  • Research transparency notices

This is especially relevant to research-heavy organisations — universities, NHS bodies, life sciences and AI companies.

Governance alignment

The ICO plans updated guidance on DUAA topics such as AI and ADM. DSAR processes should now tie into:

  • Recognised legitimate interests

  • Meaningful explanations for automated decisions

  • Transparency for secondary research uses

  • Structured complaint-handling procedures


Record-Keeping: Demonstrating Proportionality

DUAA doesn’t introduce a new DSAR register, but accountability requires stronger records.

Teams should document:

  • Systems searched, and why

  • Systems excluded, and why

  • Stop-the-clock events (dates, reasons)

  • Redaction decisions and exemptions

  • Complaint handling timeline

Examples

University
A narrowed DSAR for a staff–student dispute includes a note explaining why older off-site email backups were excluded due to disproportionate burden.

Public sector
Police-supplied intelligence withheld under DPA 2018 exemptions is logged with statutory references.

Corporate
If CCTV footage has been overwritten after the 31-day retention period, this is explained in the DSAR response and logged internally.


Redaction & Third-Party Data

DUAA doesn’t alter core third-party privacy principles, but proportionality puts more focus on structured, consistent redaction.

Controllers must still decide:

  • What identifies another individual

  • When third-party details can be disclosed

  • What should be redacted or anonymised

  • How to document borderline cases

Examples

University
Feedback that clearly identifies other students is redacted unless anonymisation preserves meaning.

Council
Family statements in social care files may require partial redaction.

Corporate
Whistleblowing-related DSARs may redact witness names to prevent retaliation risks.


Rights of the Requester After DUAA

Core DSAR rights remain unchanged:

  • Confirmation of processing

  • Access to personal data

  • Information about purposes, categories, recipients and retention

Requesters may experience a more structured process:

  • ID checks

  • Clarification requests

  • Justified exclusions of certain systems

  • Explanations where data cannot be provided (e.g., overwritten CCTV)

Adjacent rights strengthened

  • Clearer complaint routes

  • 30-day requirement to acknowledge data protection complaints

  • Enhanced transparency for automated decisions

  • Updated expectations on research compatibility


Practical Checklist for DSAR Handling Under DUAA

Governance

  • Update DSAR policy

  • Refresh staff training

  • Reflect DUAA in RoPAs and DPIAs

Intake & Scoping

  • Triage quickly

  • Request ID/scope clarification if necessary

  • Pause the clock in writing

Search

  • Define systems to be searched

  • Justify exclusions

  • Document everything

Review & Redaction

  • Apply consistent rules

  • Record key exemptions

  • Explain withheld data clearly

Response

  • Respond within adjusted timelines

  • Provide accessible complaint routes

  • Keep a clear audit trail


FAQs

1. Has DUAA changed the one-month DSAR deadline?

No — the one-month period still applies. DUAA simply formalises stop-the-clock, allowing organisations to pause the deadline while verifying identity or clarifying scope.


2. What counts as a “reasonable and proportionate” search?

A search focused on the systems most likely to contain relevant data. Organisations must be able to explain why certain systems were searched and why others were excluded.


3. Can organisations refuse a DSAR for being too broad?

Not purely for being broad. They must first seek clarification and may apply proportionality. Refusal is only allowed when a request is vexatious or excessive (the DUAA wording that replaces the former "manifestly unfounded or excessive" test).


4. How does DUAA affect research-heavy organisations like universities?

DSAR rights still apply. DUAA clarifies consent and compatibility for research, but universities must still explain research-related uses and provide data unless exemptions apply.


5. Does DUAA affect DSARs involving automated decisions or AI?

Yes — indirectly. DUAA strengthens transparency requirements for significant automated decisions, and many individuals use DSARs to request explanations and challenge outcomes.


Need support navigating DSARs under DUAA?

DSAR.ai helps organisations automate redaction, streamline searches, document proportionality, and deliver structured responses — especially in high-volume settings like universities and public bodies.
Book a demo to see how DSAR.ai supports DUAA-aligned DSAR handling.