The DUAA: More Carrot, Less Stick
For the first time in a long time, the government has handed us a carrot. The new Data Use & Access Act fundamentally rewires the UK’s data landscape to be more pragmatic, less bureaucratic, and more supportive of fundraising.
The 60-Second Briefing
- It’s the Law: The Data Use and Access Act (DUAA) officially entered UK law on February 5, 2026.
- Fundraising Unlock: Independent schools (as charities) can now use the "soft opt-in" for email marketing, a massive win for alumni and development teams.
- DSAR Sanity: "Stopping the clock" and "reasonable searches" are no longer just helpful ICO advice; they are now statutory rights, giving schools a much stronger legal defence.
- Less Paperwork: "Recognised Legitimate Interests" cuts the red tape on standard safeguarding tasks.
I spent the last week running on caffeine and adrenaline. We suffered a critical systems outage - the kind that stops a school dead in its tracks - and my first instinct wasn't just "fix it," it was pure, unadulterated panic. I spent the first two hours staring at traffic logs, worried about a potential cyberattack.
It wasn't. It was just a standard, boring server failure. I have never been so happy to restore a system in my life!
But once the adrenaline faded and the systems came back up, I realised I had missed something important. While I was knee-deep in disaster recovery, a piece of legislation crossed the finish line on February 5th that is actually good news.
The Data Use and Access Act (DUAA) is now the law of the land.
Getting excited about data protection legislation is usually a sign that I need to get out more. But this is not just another GDPR stick to beat us with. For the first time in a long time, the government has handed us a carrot. The DUAA fundamentally rewires the UK’s data landscape to be more pragmatic, less bureaucratic, and more supportive of fundraising.
Here is why this Act matters, and why you should be walking into your next SLT meeting with a smile on your face.
The Fundraising Unlock
If you take one thing away from this post, make it this: the rules on digital fundraising have just changed in our favour.
For years, there has been this bizarre regulatory asymmetry. Commercial companies could spam you mercilessly with marketing emails just because you once bought a pair of socks from them, relying on the soft opt-in. They didn't need you to tick a box; they just needed to give you an "unsubscribe" link. Charities, however, were held to a higher standard. We needed explicit, affirmative consent - that elusive tick box - before we could send electronic fundraising appeals.
As of February 5, 2026, the DUAA has levelled the playing field.
Under the new Section 114, the soft opt-in is extended to non-commercial organisations. This is huge for the independent sector. It means that if a parent or an alumnus has engaged with us - perhaps they bought tickets to the school play, attended an open morning, or paid fees - we can now legitimately send them fundraising communications about similar charitable objectives without needing that explicit prior consent.
Think about the implications for your Development Office. The ability to engage with our "warm" audience, people who already know and value the school, without navigating a minefield of consent forms is a game-changer.
Of course, there are guardrails. You cannot use this for cold contacts; you must have obtained their details during a "sale" or an expression of interest. And you absolutely must give them a clear chance to opt out when you collect the data and in every subsequent email. But compared to the previous regime, the friction has been massively reduced.
Restoring Sanity to DSARs
If you are an IT Director, you have likely lost weeks of your life to the weaponised Data Subject Access Request (DSAR). You know the drill: a disgruntled individual submits a DSAR asking for "all data held about me."
Previously, the clock started ticking the moment the email landed. You had one month to sift through terabytes of emails, CCTV footage, and MIS records, regardless of how vague the request was.
The DUAA introduces two sanity checks that I have been praying for:
- "Stop the Clock": We can now officially pause the statutory response period while we ask the requester to clarify what information they actually want. No more frantic scrambling while the requester plays games with tactical ambiguity. If they don't clarify, the clock doesn't restart.
- "Reasonable and Proportionate": The Act explicitly states that our search for data only needs to be "reasonable and proportionate". This is a shield against those requests that demand we restore backup tapes from 2015 or forensic-search a teacher's personal device. If it is an excessive burden, the law now backs us in saying "no."
I must admit, this gave me pause. I thought: "Wait, didn't the ICO already say we could stop the clock for clarification? And haven't we always argued that searches should be proportionate?"
But there is a critical difference. Until now, those protections existed largely in ICO guidance and scattered case law. And the thing is, guidance can be changed, and case law can be argued.
The DUAA takes those concepts and writes them into primary legislation. This is a massive upgrade in our legal armour.
Of course, this does not mean we can ignore DSARs. But it shifts the balance of power back towards the institution. It turns a DSAR from a tactical weapon into what it was meant to be: a transparency tool.
The Bonfire of the Paperwork
One of the dullest parts of the job is the "Legitimate Interest Assessment" (LIA). Every time we wanted to process data for something obvious, like passing student details to a visiting sports coach or running a CCTV system, we theoretically had to write a document balancing our interests against the child's rights.
The DUAA introduces the concept of "Recognised Legitimate Interests".
The government has published a list of activities that are pre-approved as "legitimate." If your processing falls on this list, you do not need to conduct an LIA. The list includes:
- Safeguarding: Detecting and preventing crime or threats to public security.
- Emergency Response: Responding to situations that threaten life.
- Democratic Engagement: (less relevant for IT, but good for PSHCE).
For schools, this removes a layer of compliance theatre. We can finally treat safeguarding data sharing as a standard operational necessity rather than a privacy puzzle to be solved.
From "Commissioner" to "Commission"
Finally, a structural change that signals a shift in culture. The Information Commissioner's Office (ICO) is being abolished. In its place, we get the Information Commission.
This isn't just a rebrand. The old ICO was a corporation sole - essentially one person (the Commissioner) making the calls. The new Commission is a corporate body with a board, looking much more like Ofcom or the FCA.
Significantly, the Act gives this new Commission a statutory objective to consider "innovation and competition" alongside data privacy.
Why does this matter to a school? It appears that the government is executing a pincer movement on AI adoption. The Testbeds (funded by DfE) are designed to generate the evidence of what works. The DUAA (enforced by the Commission) is designed to remove the compliance friction that stops us from deploying it.
By forcing the regulator to consider "innovation," the government is effectively telling them to stop saying "no" by default. It signals a move from a precautionary principle (block it until proven safe) to a pro-growth approach (allow it unless proven harmful).
For schools, this is a double-edged sword. It means we have more freedom to innovate, but we are also responsible if we crash.
There is one final win in the small print: the Act also changes the complaints procedure. It formalises the requirement that individuals must complain to the school first before running to the regulator. The Information Commission won't even look at a complaint unless the data controller has had a chance to resolve it. Again, this restores order and prevents the regulator from being used as a first-resort stick by aggrieved individuals.
The Strategic Takeaway
It is easy to be cynical about government IT projects and legislation. But the Data Use and Access Act feels like it was written by people who understand that data protection had become too rigid, bureaucratic, and disconnected from the real world.
For the independent sector, this Act is a lifeline. The Soft Opt-in gives us a tool to fight the VAT financial squeeze. The DSAR reforms give us back our time. And the Recognised Legitimate Interests cut the red tape.
So, while we bolster our firewalls against "The Com" and worry about deepfakes, we should also take a moment to appreciate a rare win. The legislative landscape just got a little less hostile.
Now, go tell your Development or Marketing Director they can send that email campaign. Just make sure they include an unsubscribe link!
See you in the digital staffroom.