On 19th June 2025, the Data (Use and Access) Act entered into law in the UK.
It brings with it the potential for major reforms to the use of data across society, impacting issues ranging from the mapping of underground pipes and cables through to the use of data in AI-based decision making and standards for data in the NHS.
But how will this new law affect UK businesses in relation to how they use data-led technology in recruitment? In many ways this legislation reflects a greater openness on behalf of the government towards automated technology and AI more broadly, giving businesses more confidence in using this kind of tech as part of daily operations - including recruitment.
Here, YOONO Chief Legal Officer, James Clark, breaks down the Data (Use and Access) Act 2025, and discusses its implications for UK businesses. Plus, find 5 easy actionable steps to take to keep your business data-compliant and ahead of the tech curve.
What is the Data (Use and Access) Act?
The Data (Use and Access) Act, or DUAA, is a new UK law that received Royal Assent on 19 June 2025. The Act introduces various reforms to the way in which data is regulated in the UK, and includes some changes to data protection law, which is the body of law that governs what businesses can do with personal data. The Act makes some subtle but important reforms that, overall, are intended to make it easier for organisations and businesses to process personal data, particularly for reasons that are supported by a public interest, while still maintaining strong safeguards to ensure that data is properly protected.
However, the Act goes far beyond the relatively small changes to data protection law. Elsewhere, the Act proposes major reforms to the way in which data (in its broader sense, not specifically personal data) is used and accessed in society. In an official press release, the UK government outlined numerous benefits of the new legislation, including the comprehensive mapping of underground pipes and cables, allowing construction workers to quickly identify and resolve problems, reducing road closures and traffic jams, a certification scheme for trusted providers of online identity verification, and standards for IT and data interoperability in the NHS.
Add to the mix improved abilities to automate bureaucracy in the NHS and police services, as well as simpler ways to verify someone’s identity online for purposes of work or rental agreements, and it seems that the Data (Use and Access) Act generally represents a positive step forward for the UK economy and infrastructure.
What will the impact of the Act be on UK businesses?
One change as part of the Act that is helpful for businesses is a softening of the law around automated decision making.
Automated decision making is where a business makes an important decision about someone using ‘solely automated means’. This includes the use of AI as part of decision making, assuming that there is no significant involvement from a human being.
In recruitment, businesses are increasingly using automation to help with candidate selection and shortlisting. Currently, businesses must establish what is known as a ‘qualifying lawful basis’ before they can conduct automated decision-making. This means that they have to demonstrate that the automated decision-making process is either:
necessary for entering into or performing a contract;
required by law; or
based on the data subject’s consent.
This requirement materially restricts the circumstances under which it is lawful to carry out automated decision making. Under the 2025 Act, this requirement will be removed. This means that businesses can carry out automated decision making in all circumstances, provided they give individuals the same rights that they currently have under data protection law once a decision is made. This means the right to request and obtain human review of the decision, to express a point of view on the decision, and to contest the decision.
A qualifying lawful basis will still be needed to carry out automated decision-making that uses ‘special category data’ (e.g. data about health, race and religion), recognising the enhanced sensitivity of this data and of the decisions that might be involved.
Consequently, one impact of the Data (Use and Access) Act 2025 might be to give businesses more confidence about transitioning decision-making tasks to automated technology, provided individuals are allowed to understand and challenge the decisions that are made. The removal of the qualifying lawful basis requirement reflects a recognition by the government that automation through the increased use of AI is now a fact of life, and that overly restricting the circumstances in which it can be used is probably not a practical approach.
Reading between the lines, one could assume that the change in data law is partly an acceptance of the ubiquity of AI in the modern workplace. This change allows businesses to embrace the use of AI and provide confidence that doing so is lawful, provided individual rights are respected.
In another potentially helpful development, the Act recognises that using personal data for commercial technological development (such as the training of AI models) may constitute ‘scientific research’ for the purposes of data protection law, which is important because of the concessions afforded to scientific research under the UK GDPR (in essence, the law recognises that it should be easier to process personal data for scientific research purposes, given the strong public interest in supporting scientific advancement).
5 actionable data tips for businesses
Within businesses, the Act has the potential to make AI and automated technology a more naturalised part of daily operations, but there is still an emphasis on responsible use of data and AI.
So, how best to balance more automation with ethical practice? These are 5 practical tips to implement in your business going forward:
1. Automate admin
Nothing in the Act, or in current data protection law, prevents businesses from using automated AI software to carry out time-consuming yet necessary tasks, such as scheduling interviews, invoice processing and HR tasks, which involve processing personal data. This is particularly the case where the automation doesn’t result in any decisions being made, or at least no decisions that could significantly impact a candidate or an employee.
As long as the software you choose is legally and ethically compliant with UK data laws (see below), you should be able to feel confident with adopting the tech for your business operations.
2. Choose the right AI software
As the data controller, it is the business’ responsibility to select AI software which enables compliance with UK data protection legislation, as modified by the Data (Use and Access) Act.
When AI is developed without consideration of data laws, the result can be software which enlarges problems like inaccuracy, bias and a lack of control over data.
Responsible AI software developers will be aware of UK data protection laws and will consider these when designing their products and their terms and conditions, but you should always check that this is the case. A product like YOONO, which uses AI to perform background checks on jobseeking candidates, is a good example of an responsibly-designed AI tool, developed using carefully considered source code and processing only publicly-accessible data sources.
With so many new AI products on the market, the best guidance is to shop around, ask software providers about their policies on data processing, and examine contracts carefully.
3. Prioritise transparency and, where needed, consent
A key tenet of data protection law - which is unchanged by the new law - is the obligation to be transparent about how and why personal data is being processed. This is particularly important where AI is being used, as automated technologies may be less familiar or ‘trustworthy’ for individuals. Any attempt to hide the use of AI is likely to be misguided and, quite possibly, unlawful.
Whilst the Act removes the requirement for a qualifying lawful basis that is specific to automated decision-making, the general requirement to establish a lawful basis when using personal data still applies. In a recruitment context this may be because the collection of personal data is necessary to comply with applicable law (for example, establishing someone’s right to work in the UK), or it might be because the business has a ‘legitimate (commercial) interest’ in understanding and evaluating candidates in order to make an informed decision on the basis of relevant information.
You can find a complete guide to data privacy in the UK here.
4. Invest in data security
Although data laws are giving businesses more freedom in some respects, it is still the responsibility of the business owner to store collected data safely and securely.
Through means of encryption, access controls and regular audits, as well as responsible disposal of data once its intended use has been fulfilled, businesses should do their best to ensure that data is not easily accessible or vulnerable to data leaks.
Under UK GDPR, some organisations are required to appoint a Data Protection Officer (DPO), who oversees compliance with data protection law.
5. Share data with third parties responsibly
A revolutionary aspect of the new data legislation is that both businesses and consumers should, in due course, have access to a much wider pool of data. This is due to the impact of the planned ‘customer’ and ‘business data’ reforms, which still need to be implemented by the government through secondary legislation. These reforms will give businesses a legal right to access data generated through the provision of products or services to them—either for the business’ own use (such as for analytics purposes) or to give to a third party who wants to use the data to provide a complementary service to the business (like support or aftercare).
The government plans to introduce these ‘open data’ frameworks on a sector by sector basis. An earlier version of the planned roadmap for these frameworks was published in April 2024. Companies will want to follow these developments closely and, as schemes come online, be ready to take advantage of the increased access to data (or be ready to share data with customers, as the case may be).
Legislation for the future of AI in business
With AI technologies developing at breakneck speed, it’s a welcome move that the UK government have decided to facilitate the pace at which automated tech can be used by businesses, without feeling like they are falling foul of UK law.
Watch this space—there’s even more to come in the future of AI in business, with more legislation likely to follow in the coming years. It’s notable that last year’s King’s Speech included a commitment from the government to “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”, so it seems clear the UK are anticipating a major influx of AI technology into our lives and businesses, and are declaring a commitment to ensure its accountability and ethical value in the near future.
AI-assisted technologies like background research tool YOONO have the potential to make screening and hiring candidates far easier and more efficient, freeing up significant time for employees that can be diverted to more pressing business matters.
The future of business is certainly AI-focused, and I hope that this article has helped to clarify legislation surrounding this exciting new technology, and given you the factual backdrop to implementing automated tech in your own business.