In brief

New requirements come into force on 19 June 2026 under the Data (Use and Access) Act 2025 relating to how data subjects, such as pension scheme members, may make a data protection complaint. The new rules also address the way in which data controllers, such as pension scheme trustees, must handle such complaints.

In response to these changes, trustees will need to review their internal and external complaints handling procedures and pension scheme data protection policies (including privacy notices) to reflect the new requirements. Trustees should also consider whether any updates or changes are required to their existing agreements with any data processors, including their scheme administrators.

In more detail

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and amends existing UK data protection legislation, including the Data Protection Act 2018, although the changes have been introduced on a phased basis. One key requirement relevant to pension scheme trustees is a new obligation relating to complaints by data subjects (which would include pension scheme members) made to data controllers (which would include trustees).

The following new requirements will apply from 19 June 2026:

  • A member may make a complaint to the trustee, as data controller, if the member considers that, in connection with his or her personal data, there has been a breach of relevant data protection law.
  • The trustee must “facilitate” the making of such complaints by taking steps such as providing a complaint form that can be completed electronically (although guidance from the Information Commissioner’s Office (ICO) is not prescriptive on this point and does not mandate the use of electronic complaint forms).
  • The trustee must acknowledge receipt of the complaint within the period of 30 days from when the complaint was received and, “without undue delay”, take “appropriate steps” to respond to the complaint and inform the member of the outcome of the complaint.

“Appropriate steps” to respond to a complaint includes making enquiries into the subject matter of the complaint (to the extent appropriate) and informing the complainant about progress of the complaint.

“Without undue delay” is not defined in the new legislation but the ICO states in its guidance that this means responding without an “unjustifiable or excessive delay”. The ICO lists the following factors as potentially impacting the timing of a response: (a) the complexity of the issue; (b) the scale of the issue (for example, whether it’s a singular complaint about a recent issue, or a complaint about a number of issues over a longer time period); and (c) any harm that the complainant is suffering as a result of the unresolved issue.

Failure to comply with this new obligation may result in a maximum fine of GBP 8.7 million or 2% of total annual worldwide turnover in the preceding financial year, whichever is the higher. As this is a new obligation, in practice we would expect the risk of such a fine being imposed in the short term to be relatively low.

Recommended actions

Trustees will need to consider whether data protection complaints will be addressed through the pension scheme’s existing Internal Dispute Resolution Procedure (IDRP), which would likely need some modification to address the statutory requirements for these complaints, or as a separate process.

Either way, to ensure compliance with the new complaints requirements and to reflect the new complaints regime, trustees should consider reviewing and updating both external, member-facing documents (such as the scheme’s member privacy notice and IDRP procedures) and all relevant internal policies and procedures (such as data protection policies and complaint logs). Trustees should also consider whether any existing contractual agreements with a data processor, such as a scheme administrator, should be amended, for example to ensure that any relevant data complaints from members are forwarded to the trustees within an agreed timeframe.

Please get in touch with your usual Baker McKenzie contact with any queries relating to the information detailed in this alert.
