The Data Use and Access Act 2025 requires every care provider to have a formal written procedure for handling data protection complaints. We create yours.
The Data Use and Access Act 2025 (DUAA) became law on 19 June 2025. It is the most significant update to UK data protection law since GDPR.
Section 103 of the DUAA inserts a new Section 164A into the Data Protection Act 2018. This section creates a brand new statutory obligation that did not exist before: every data controller must have a formal written procedure for handling data protection complaints.
This is not guidance. This is not best practice. This is the law. From 19 June 2026, if you do not have this procedure in place, you are in breach of statute.
Yes. There are no exemptions.
The DUAA applies to every organisation in the UK that processes personal data. This includes:
There is no exemption based on size, number of clients, turnover, CQC rating, or any other factor. If you process personal data, you must comply.
Section 164A specifies the minimum requirements your complaints procedure must meet:
Individuals must be able to submit complaints through accessible channels. This means providing clear contact details, multiple ways to submit a complaint (email, post, phone), and ensuring the process is accessible to people with disabilities.
You must acknowledge receipt of any data protection complaint within 30 days. This acknowledgement must be in writing and must confirm that you are investigating.
Complaints must be investigated "without undue delay". Your procedure must set out how investigations are conducted, who is responsible, and what the expected timeframes are.
The procedure must inform complainants of their right to escalate to the ICO if they are not satisfied with your response. You must provide the ICO's contact details.
You must keep a record of all data protection complaints received. This log must include the date received, the nature of the complaint, the outcome, and any actions taken.
For £400, you receive a complete, bespoke DUAA-compliant Data Protection Complaints Procedure:
Not a template. Your agency name, your responsible person, your contact details.
The procedure names your responsible person and their contact details.
Email, post, phone — all documented with your actual contact details.
Template acknowledgement letter included.
Step-by-step process for investigating complaints.
Documented right to escalate with ICO contact details.
Ready-to-use spreadsheet for tracking all complaints.
Summary document you can share with your team.
Delivered within 5 working days from receipt of your completed intake questionnaire.
After 19 June 2026, not having a complaints procedure is a breach of Section 164A DPA 2018. The ICO can investigate immediately.
There is no statutory maximum fine for DUAA non-compliance. The ICO has the full range of enforcement powers available.