
The Data (Use and Access) Act 2025:
What Will Changes to Automated Decision-Making Mean for Pensions Administration?
August 2025
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. When all provisions of the DUAA are brought fully into force, it will amend the data protection framework in the UK, including by changing how pension schemes can approach automated decision-making.
Specifically, Section 80 of the DUAA replaces Article 22 of the UK General Data Protection Regulation (UK GDPR), with new Articles removing many of the previous restrictions on Automated Decision-Making (ADM). But it does not reduce accountability. The shift from a prohibition-based framework to a risk-based model still requires organisations to implement mandatory safeguards under new Article 22C, including transparency, human intervention, and contest rights.
The Information Commissioner’s Office (ICO) emphasises that these changes are designed to support innovation while maintaining strong protections for individuals, stating:
“The Bill will revise the provisions so that, apart from cases using special category data, Automated Decision-Making (ADM) resulting in a legal or similarly significant effect will no longer be expressed as a prohibition with exceptions.”
However, it stresses that organisations must review and potentially adapt their current practices to ensure they meet the new legal requirements. This includes reassessing transparency measures, updating privacy notices, and ensuring systems can support the new rights and safeguards.
A cautious approach to automated decision-making is still required.
Understanding the Automated Decision-Making Provision
The DUAA points to the potential for broader use of automation across all administrative and communications activities, which will help reshape how pension schemes interact with members through automated decision-making mechanisms.
New Articles 22A, 22B, and 22C of the UK GDPR set out the foundational definitions, restrictions, and mandatory safeguards that govern this new approach. Together, they establish the criteria for lawful automated decision-making and the protections that must be in place to uphold individuals’ rights and freedoms.
DUAA Section 80:
For ease of reference, we’ve extracted Articles relating to automated decision-making.
Article 22A – Automated processing and significant decisions:
For the purposes of Article 22B and 22C—
(a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
(b) a decision is a significant decision, in relation to a data subject, if — (i) it produces a legal effect for the data subject, or (ii) it has a similarly significant effect for the data subject.
(2) When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.
Article 22B – Restrictions on automated decision-making:
(1) A significant decision based entirely or partly on processing described in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met:
(2) The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
(3) The second condition is that—
(a) the decision is—
(i) necessary for entering into, or performing, a contract between the data subject and a controller, or
(ii) required or authorised by law, and
(b) point (g) of Article 9(2) applies.
(4) A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea).
Article 22C – Safeguards for automated decision-making:
Where a significant decision taken by or on behalf of a controller in relation to a data subject is—
based entirely or partly on personal data, and
based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and regulations under Article 22D(3).
(2) The safeguards must consist of or include measures which—
(a) provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject;
(b) enable the data subject to make representations about such decisions;
(c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
(d) enable the data subject to contest such decisions.
Automation Opportunities
While the DUAA does not refer to pension processes or specific administrative processes, the removal of previous restrictions on automated decision-making enables schemes to reconsider automation across various administrative functions, provided they comply with the conditions set out in new Article 22B of the UK GDPR and implement the safeguards required under new Article 22C of the UK GDPR.
The types of processes that may benefit from the changes that will be brought about by the DUAA include:
- Calculations such as benefit adjustments and payment determinations
- Processing of transfers involving quotations and approvals
- Member administration tasks, such as enrolment and scheme membership decisions
- Regulatory calculations for compliance and reporting
- Processing of small lump sum payments
- Administrative handling of benefit claims
Each application would require a legal assessment to ensure compliance with the DUAA framework and associated data protection obligations.
Operational Oversight
Member Services: New Article 22C of the UK GDPR requires that information about automated decisions affecting members be provided. Whilst the DUAA does not specify the format or level of detail, providing clear and accessible explanations would support compliance with the information requirement.
Challenge Support: New Article 22C of the UK GDPR grants members specific rights to make representations, contest decisions, and obtain human intervention. Compliance with these statutory rights requires systems and processes to enable members to exercise these rights effectively.
Documentation: Whilst the DUAA does not mandate specific documentation requirements, maintaining comprehensive records would support demonstrating compliance with the DUAA safeguarding requirements and enable schemes to evidence how they meet their obligations.
Special Category Data Management – Enhanced Considerations
Organisations handling health-related benefits administration should give particular attention to the restrictions on automated decision-making based entirely or partly on the processing of special category data under the DUAA framework. While the DUAA does not alter the definition or core protections of special category data under the UK GDPR, its provisions for automated decision-making (particularly new Article 22B of the UK GDPR) introduce specific restrictions that must be considered when special category data, including health data, is involved.
In practice, this means:
- Health Data Decisions: Where automated decisions involve special category data, including health data, organisations must ensure that the processing meets one of the permitted conditions under new Article 22B of the UK GDPR—such as where explicit consent has been obtained from the data subject.
- Medical Evidence: Any processing of special category data, including health-related information, remains subject to the protections and conditions set out in Article 9 of the UK GDPR. Organisations should therefore continue to apply appropriate safeguards when handling special category data, including health data.
- Health-Related Assessments: When automated decisions involve special category data such as health data, organisations must ensure compliance with both the automated decision-making safeguards under the new Article 22C of the UK GDPR and the lawful basis requirements for special category data under the UK GDPR.
Conclusion
The DUAA is an enabling framework that will pave the way for greater operational efficiency and improved member service through expanded automated decision-making capabilities. The DUAA’s shift from a prohibition-based to a risk-based framework will offer a broader use of automation, providing significant benefits and positive outcomes to schemes and their members. But a cautious and considered approach is required.
——————————
Source: Gov.UK – Data (Use and Access) Act 2025
In reference to: Changes to the rules regarding automated decision-making under the UK GDPR.
Supporting reference: Section 80 of the Data (Use and Access) Act 2025
Additional source: ICO Guidance – What does it mean for organisations
——————————
Disclaimer: This article is written as a commentary and opinion on the DUAA legislation and in no way constitutes legal advice. Pension schemes are encouraged to follow developments in this area, including by reviewing the Automated Decision-Making (ADM) and Profiling Guidance update, which the ICO is expected to release in Spring 2026.
AI was used to research and analyse the Act, extract key points, facts, and Articles contained therein. The article has been written and edited by human hand and reviewed by Procentia’s Legal Counsel.