
The UK Data (Use and Access Act): What does it mean for Schools and EdTech Vendors?


June 2025 saw a change to the data protection landscape in the UK, with the Data (Use and Access) Bill becoming law as the Data (Use and Access) Act 2025, updating the UK GDPR and the Data Protection Act 2018. Whilst highlighting the importance of considering children’s needs in relation to online services and the need to have ‘humans in the loop’ for automated decisions, the DUAA also reduces some administrative burdens for schools. In this article we look at some of the key changes under the Act, how they affect schools and EdTech Vendors, and how 9ine can help, including with our upcoming webinar, which you can register for here.

Children and Online Services 

The need for online services to explicitly take children’s needs into account is clearly established under the Data (Use and Access) Act (DUAA). If an organisation provides an online service which is likely to be accessed by children, it must take their needs into account when deciding how to collect, use and share their personal data. As well as putting in place robust technical and organisational measures that reflect the particular needs and vulnerabilities of children, EdTech vendors providing online services will need to consider:

  • How best to protect and support children in their use of the service;
  • That children are less likely to understand the risks of their personal data being used (so vendors should help them understand these); and
  • That children have different needs at different ages and developmental stages (meaning that a one-size-fits-all approach should be avoided). 

For EdTech Vendors, conforming to the Age Appropriate Design Code is a strong indicator of compliance. To go one step further, and give yourself a competitive edge, 9ine’s Certified Vendor Programme is a comprehensive way for EdTech Vendors to demonstrate their commitment to data privacy, AI and cyber security compliance to schools. 9ine’s certification instils confidence and supports EdTech vendors in navigating the complex maze of AI, data protection and cyber security laws and requirements, including the new requirements of the DUAA. If you want to know more about the programme please contact us.

For schools, ensuring that the EdTech Vendors that you use meet their data privacy, AI and cybersecurity requirements is a must. If they have participated in the Certified Vendor Programme then you can be confident that they have been vetted for compliance and meet the requirements under the DUAA. For those that haven’t yet, we also have Vendor Management, including Vendor Library, which allows you to continuously monitor EdTech vendors for compliance. With Vendor Library, 9ine take away the pain of burdensome and continuous manual reviews, which schools would need to complete to ensure compliance. We do the due diligence, highlight the risks, but also the safeguards that you need to put in place to use an EdTech Vendor, including highlighting whether they are meeting the new DUAA requirements. If you want to know more about Vendor Management you can contact us here.

Automated Decision-Making 

With Artificial Intelligence being increasingly used in Education, the requirements on automated decision-making (ADM) are an important consideration. Whether you are using ADM to automatically grade assessments or to sift through CVs and applications, the DUAA now treats a decision as solely automated where there is no ‘meaningful human involvement’ in taking it.

Under the DUAA, a ‘significant decision’ (defined below) that is taken solely by automated processing, without meaningful human involvement, cannot be based on special category data (e.g. data revealing racial or ethnic origin, political opinions, health data etc.) unless one of these strict conditions is met:

  • The individual has given explicit consent; or
  • The decision is required by law; or
  • The decision is necessary for the fulfilment of a contract (and certain further conditions are met).

A decision is ‘significant’ if it: 

  • Produces legal effects for a person (e.g. denying a visa or a job offer); or
  • Has a similarly serious adverse effect (e.g. exclusion from services or benefits).

In some ways, the DUAA has relaxed the rules around automated decision-making, allowing it to be used on the basis of legitimate interests in many cases, but not where special category data is involved unless one of the above conditions is met. However, wherever schools and EdTech Vendors use ADM to make significant decisions, they must still have a number of safeguards in place. These include:

  • Informing individuals that an automated decision has been made and how it affects them; 
  • Giving individuals the right to object to the decision being made or to raise concerns about it;
  • Providing a path to human review, so a real person can reconsider the outcome of a decision; and
  • Ensuring that individuals can challenge the decision through an appeal or formal complaint.

For schools, a key part of meeting these requirements will be to make sure that your staff have the knowledge they need on AI, data privacy and cyber security to have meaningful involvement in automated decisions, enabling them to reconsider outcomes and respond to challenges to decisions. 

To make sure that your staff are empowered to be the ‘humans in the loop’ required to take on these tasks, 9ine’s Academy LMS can support you. This is our online digital learning and certification platform, which offers pathways in AI, Privacy and Cybersecurity across four levels (Beginner, Intermediate, Advanced and Specialist). Our AI Pathway offers over 20 courses on AI in Education and can help schools to ensure that their staff have the knowledge they need to have meaningful involvement in automated decisions made using AI. 

Scientific Research and Purpose Limitation 

Under the DUAA, the rules around consent for research have been refined, as have the rules on when EdTech Vendors are able to use personal data collected for one purpose for a different one. The DUAA makes it clear that organisations can use personal data for scientific research even when it was originally collected for another purpose, although if the data was collected on the basis of the individual’s consent, stricter requirements apply before it can be reused. What makes this relevant is that scientific research is now defined broadly to include privately and publicly funded research, and research for commercial or non-commercial purposes.

This means that it is possible for an EdTech Vendor, service provider or online platform to reuse student and staff data for scientific research, as long as safeguards are in place and obtaining fresh consent is not practical. However, this will only be the case if the EdTech Vendor or third party is acting as a data controller in its own right. For schools, this makes it important to ensure that you have agreements or contracts which oblige the vendor to act only as a data processor and to process the data only on the school’s documented instructions.

Contracts and agreements are also something we review as part of our Vendor Library, to check that the appropriate ones are in place between schools and EdTech Vendors to protect personal data (or to highlight where they are not).

How is the DUAA reducing the administrative burdens on schools?

It is not all additional requirements under the DUAA, though: in a number of ways the DUAA actually reduces the requirements on UK schools. These include the rules around cookies, data subject rights and legitimate interests.

Cookies 

In relation to cookies, the DUAA recognises that some cookie-type activities are either essential or non-intrusive, and expands the exceptions where consent is not required, including where the storage or access is: 

  • Necessary for communication; 
  • Strictly necessary for an information society service; 
  • Used for anonymous analytics; 
  • Used for interface preferences; or 
  • Used for geolocation in emergencies.

For schools, this means that if your website uses cookies, there are more types of cookies that can be used without you needing to get consent from the user. 

Data Subject Rights 

The DUAA confirms that the right of access (one of several key rights that individuals have over their personal data) only extends to the personal data that a school is able to provide following a reasonable and proportionate search. Schools are therefore not expected to conduct exhaustive or burdensome searches, especially where data is spread across multiple systems or held in a form that is not readily accessible. In practice, this means that schools may be able to narrow the scope of a Subject Access Request (SAR), or decline to search parts of it, where the information is held in legacy systems or would take excessive time and resources to retrieve.

Legitimate Interests

Schools and EdTech Vendors should only process personal data under one of the lawful bases in the UK GDPR, one of which is that you have a legitimate interest in the processing. The DUAA gives clear examples of purposes for which legitimate interests can be relied on, including direct marketing and network and information security measures. Additionally, the Act introduces a list of ‘recognised legitimate interests’ for which there is no need to carry out a formal legitimate interests assessment (the balancing test), as long as the processing is necessary to achieve the purpose. These include:

  • For safeguarding vulnerable individuals: Schools can process data to protect individuals who are under 18, or adults “at risk”. This includes actions to protect individuals or groups from neglect or physical, mental, or emotional harm. 
  • When disclosing information to public authorities (or bodies carrying out public tasks): schools can respond to requests for information from public bodies (or bodies carrying out public tasks) without having to decide for themselves whether the requesting body needs the information to carry out its public task.
  • In emergencies: schools may process personal data to respond to emergencies, such as events that threaten life, health or essential services.

This means that under the DUAA, schools can more confidently rely on legitimate interests in a number of areas, particularly when it comes to safeguarding and child protection.  

How else can 9ine help us?

It is clear that the DUAA has given EdTech Vendors and schools some new responsibilities, but it has also clarified existing ones and reduced several burdens. In addition to our Certified Vendor Programme, Vendor Management and Academy LMS, at 9ine we also offer:

  • Application Library: A solution that gives all staff access to a central, searchable library of all the EdTech in use at the school. The library contains all the information staff need to know about any AI, privacy, safeguarding and cyber risks. With easy-to-add ‘How to’ and ‘Help’ guides, Application Library becomes the single, central digital resource for all the approved EdTech at your school. This means that if an application or product has age restrictions, or should be used differently to reflect the needs of the child under the DUAA, the school can flag this to staff here. Through implementing Application Library, your school will also be able to identify duplicated EdTech, reduce subscription costs and give staff a workflow to follow when requesting new EdTech.
  • AI and Privacy Academy: A certified monthly training programme for risk professionals and education privacy teams. It equips Data Protection Officers (DPOs), and anyone else at your school who is responsible for data protection and privacy, to handle data breaches, subject access requests and international data transfers confidently. The next enrolment intake commences in November 2025 and covers nine live sessions, ending in April 2026. The programme offers interactive sessions, group scenarios and comprehensive resources.

Webinar alert: 9ine are hosting a webinar on Tuesday 26 August 2025 at 10:30am BST on ‘KCSIE, DUAA and GenAI: Through the acronyms to actions’, in which we will go through these and other changes under the DUAA in more detail, as well as the changes under the latest draft of Keeping Children Safe in Education and the European Commission’s General-Purpose AI Code of Practice, providing schools with practical steps to meet the requirements. You can sign up to attend here.


9ine company overview

9ine equips schools to stay safe, secure and compliant. We give schools access to all the expertise they need to meet their technology, cyber, data privacy, governance, risk & compliance needs - in one simple to use platform. For additional information, please visit www.9ine.com or follow us on LinkedIn @9ine
