
Hot Topic Highlight - Data (Use and Access) Act 2025 (DUAA)

  • May 5
  • 4 min read


Building a Better You


Property Elite’s sole aim is to build better property professionals - supporting your career every step of the way, whether you are an AssocRICS or RICS APC candidate or a MRICS or FRICS Chartered Surveyor simply seeking engaging CPD.

We provide a wide range of training and support, so why not find out more on our website about how we might be able to support you? We work with candidates across all RICS APC and AssocRICS pathways, routes to assessment and geographic regions.


Don’t forget to sign up online for your free 15 minute AssocRICS or RICS APC consultation, including a review of your referral report if you have been referred. You can also book your bespoke training or support services directly through our eShop.



Not sure about signing up? Make sure you read what our recent successful candidates have to say in our Testimonials.



What is this blog about?

 

In this week’s blog, we look at the Data (Use and Access) Act 2025 (DUAA). This is essential knowledge for all qualified surveyors and RICS APC and AssocRICS candidates (relating to the Data Management mandatory competency).

 

What’s new?

 

The DUAA amends the Data Protection Act 2018 and UK GDPR.

 

It aims to:

  • Streamline how organisations manage and process personal data

  • Provide clarity over interpreting existing legislation and regulations

  • Encourage innovation in data management and data protection

 

Here are some of the key changes:

  • Subject Access Requests (SARs)

  • Legitimate interests

  • Automated decision making (ADM)

  • Data protection complaints

  • Privacy and electronic communications (PECR)

 

What has changed relating to SARs?

 

A SAR is a request made by an individual (under the Right of Access) to obtain personal data held by an organisation. This will include confirmation that personal data is held, a copy of the personal data held and any supplementary information, e.g., purpose, data category and retention time.


A SAR can be made verbally or in writing to an organisation, who must respond within one calendar month (or two months for a complex request). No fee can be charged for responding to a SAR and it can only be rejected if it is ‘vexatious or excessive’ or if an exemption applies, e.g., the information would disclose the personal data of another individual.

 

The DUAA allows organisations to temporarily pause the one-month deadline to request clarity over the SAR or to verify the individual’s identity. It also clarifies that only ‘reasonable and proportionate’ searches are required to provide the requested personal data.

 

What has changed relating to legitimate interests?

 

Previously, there were six lawful bases under which an organisation could process personal data:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

 

Prior to the DUAA, if an organisation wanted to use personal data for a legitimate interest, such as fraud prevention or marketing, then a three part test was applied (a legitimate interests assessment, or LIA):

  • Purpose – is there a valid reason for using the data?

  • Necessity – is holding the data the only reasonable way to achieve the goal?

  • Balancing test – do the organisation’s interests outweigh the individual’s rights (i.e., the data should not be unexpected or cause unjustified harm)?

 

Under the DUAA, a seventh lawful basis has been introduced, known as a recognised legitimate interest. This relates to specific high-priority activities (within five categories: crime, safeguarding, emergencies, national security and public task disclosures), which preclude the balancing test element of an LIA. The reason is that the Government considers this to have already been satisfied at a legal level, which allows organisations to proceed quickly in certain circumstances.

 

The DUAA also clarifies that direct marketing and intra-group administrative transfers are defined as legitimate interests (although not recognised legitimate interests – thus still requiring a full LIA with the balancing test being applied).

 

What has changed relating to ADM?


For automated decisions (made by AI), the previous position was that an organisation could generally not make a solely automated decision about an individual if it had a legal or material impact (e.g., a job application). Automated decisions were only permitted in very narrow circumstances: where it was under contract, allowed by law and explicit consent was given by the individual.

 

Under the DUAA, organisations can use any of the lawful bases (mentioned earlier in this article) to make significant AI-based decisions, provided special safeguards are applied. These three safeguards relate to transparency, the right to contest and the right to a human review. If special category data (i.e., sensitive personal data) is involved, such as health or religion, then the previous position still applies.

 

What has changed relating to data protection complaints?

 

A new statutory right to complain to an organisation’s data controller has been introduced. The complaint must be acknowledged within 30 days and investigated without delay.

 

What has changed relating to privacy and electronic communications (PECR)?

 

The DUAA has removed the requirement to obtain consent for non-intrusive website cookies, e.g., for the purposes of website analytics or emergency alerts.

 

The soft opt-in rule for text and email marketing has been extended to charities, who can now message individuals unless they opt out (rather than having to opt in as per the previous position).

 

Maximum fines under PECR have been increased from £500,000 to align with UK GDPR levels (up to £17.5m or 4% of global turnover).

 


How can we help?




  • Head to our blog archive to access even more free CPD and AssocRICS and RICS APC training and support.

  • Download your free AssocRICS and RICS APC resources, including e-books and revision quizzes.

  • Find out more about our bespoke AssocRICS and RICS APC training and support, before booking your free 15 minute consultation.





Stay tuned for our next blog post to help build a better you.


N.b. Nothing in this article constitutes legal, professional or financial advice.

