The Data (Use and Access) Act 2025: What It Means for Counsellors and Therapists

If you work as a counsellor or psychotherapist, in private practice, an agency, or any other setting, you are a data controller. Your clients trust you with some of the most sensitive personal information they hold. That responsibility has always sat within a legal framework, and in June 2025, that framework was updated.

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It does not replace the UK GDPR or the Data Protection Act 2018, but it does amend both. The ICO is clear: most of the changes offer you an opportunity to do things differently, rather than requiring specific changes to comply with the law. For most counsellors and therapists, the two most practically significant new requirements are a formal complaints procedure and, for those providing certain online services, a children’s data obligation.

This article sets out what the Act changes, what it means specifically for counsellors and therapists, and what practical steps you need to take.

At a Glance

The DUAA updates UK data protection law but does not replace the UK GDPR. Most changes are opportunities, not requirements. The two new legal obligations are:

  • A formal data protection complaints procedure, required by 19 June 2026
  • Consideration of children’s needs if you run an online service likely to be accessed by children

Learning Outcomes

By engaging with this material, you will be able to:

  • Understand what the Data (Use and Access) Act 2025 is and how it relates to existing data protection law
  • Distinguish between the changes that are new legal requirements and those that are optional opportunities
  • Recognise how the Act affects your obligations around subject access requests and data sharing
  • Understand the recognised legitimate interests provision and when it is relevant to your practice
  • Know what a formal data protection complaints procedure must include and when it is required
  • Take clear, proportionate steps to bring your practice into compliance

Your Free DUAA 2025 Template + Checklist

New legislation means your privacy notice needs updating. This free pack gives you the exact wording to copy in – plus a checklist of everything else you need to change.

What Is the Data (Use and Access) Act 2025?

The DUAA is a new Act of Parliament that updates laws about how data is used, shared and protected across the UK. It amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). It is the most significant overhaul of UK data protection law since Brexit.

The Act has two broad aims: to promote innovation and economic growth, and to make things easier for organisations, while continuing to protect individuals and their rights. For most counsellors and therapists, the practical effect is modest. If you have already built data protection into your practice through a privacy notice, client contracts, and careful record-keeping, you are largely in good shape. Most practitioners need a targeted review and some additions, not a complete overhaul.

[Diagram: how the Data Use and Access Act 2025 sits alongside UK GDPR and the Data Protection Act 2018 for counsellors and therapists]

The changes are being phased in between June 2025 and June 2026.

Key Dates

  • 19 June 2025 — Royal Assent. Act becomes law.
  • 19 June 2026 — Data protection complaints procedures legally required.

What the Act Changes

Before looking at the individual changes, it helps to understand the distinction the ICO itself draws. Most changes in the DUAA are opportunities: they allow you to do certain things differently or more easily if you choose to. The two new mandatory requirements are covered below.

Subject Access Requests: A More Proportionate Standard

When a client or former client submits a Data Subject Access Request, asking to see the personal data you hold on them, the previous expectation was that you would search comprehensively for all relevant information. This could be burdensome, particularly for vague or wide-ranging requests.

The DUAA makes clear that you are only required to make reasonable and proportionate searches. You are not obliged to conduct an exhaustive trawl of every file if doing so would be disproportionate to the importance of providing access.

In practice, this clarifies rather than changes things. Most careful practitioners were already applying this standard.

  • You still need to respond to subject access requests within 30 days
  • Reasonable and proportionate effort is sufficient — exhaustive searches are not required
  • Document what you searched and why, in case your approach is ever questioned

Recognised Legitimate Interests: A New Lawful Basis

The DUAA introduces a new lawful basis called “recognised legitimate interests.” When you use personal information for certain recognised purposes, this removes the balancing test that previously applied under the legitimate interests basis. The ICO gives protecting public security as an example of a qualifying purpose, and their detailed guidance on recognised legitimate interests covers the full range of circumstances this basis applies to.

Whether this is relevant to your practice depends on which purposes qualify. If any of your data uses fall within them, you can rely on this basis without a balancing exercise. As with any lawful basis, the processing must still be necessary and proportionate, and you should document your reasoning.

Sharing Information With Organisations Performing Public Tasks

The DUAA also makes a separate change to the rules around sharing personal information with organisations such as the police. Previously, you would need to make your own assessment of whether that organisation needed the information to perform its public tasks. Under the DUAA, that responsibility rests with the requesting organisation, not with you.

If a statutory body asks you to share client information, you no longer need to assess whether they need it. That decision now sits with them. Your professional body’s safeguarding guidance and supervision remain essential reference points for the ethical and clinical dimensions of any disclosure decision.

Re-Using Personal Information: The Assumption of Compatibility

The DUAA introduces an “assumption of compatibility” for certain re-uses of personal information. For some specific purposes, including sharing information for archiving in the public interest, you can assume the re-use is compatible with the original purpose for which you collected it, without working through a formal compatibility test.

For most counsellors in private practice, this is unlikely to affect day-to-day work. It is more relevant to organisations involved in research, public health, or archiving. More broadly, the Act reflects a move towards trusting organisations to re-use data thoughtfully, rather than requiring a formal assessment at every step.

Automated Decision-Making

The DUAA allows organisations to use the full range of lawful bases when making significant automated decisions about people, provided appropriate safeguards are in place. This does not apply to special category data, which is more protected. Health information, including mental health information, is special category data.

Most counsellors and therapists will not be affected by this change. If you do not use software that makes significant automated decisions about your clients, nothing changes. If you use electronic health record systems, digital intake tools, or risk screening software, check whether those platforms involve automated decision-making using health data and, if so, what safeguards are in place.

New Requirement: Data Protection Complaints Procedure

New Legal Requirement — Action Required by 19 June 2026

All data controllers, including sole-practitioner counsellors, must have a formal data protection complaints procedure in place.

That procedure must:

  • Take steps to help people make complaints — for example, by providing a complaints form
  • Acknowledge receipt of the complaint within 30 days
  • Respond without undue delay

This does not need to be elaborate. For most counsellors in private practice, adding a clear paragraph to your privacy notice, explaining how a client can raise a data protection concern with you and committing to acknowledge it within 30 days, will satisfy the requirement. The ICO has published specific guidance on data protection complaints to help organisations implement this.

  • Check your current privacy notice — does it explain how a client can make a data protection complaint to you?
  • If not, add a clear complaints section as soon as possible
  • Keep a simple record of any complaints received, how you acknowledged them, and how you responded
  • Your complaints procedure does not replace a client’s right to escalate to the ICO — it precedes it

New Requirement: Children’s Data in Online Services

New Legal Requirement

Applies if your online services are likely to be used by children. For most counsellors and therapists in private practice, this will not require action.

The DUAA explicitly requires organisations that provide online services likely to be used by children to take children’s needs into account when deciding how to use their personal information.

If you do not run an online platform that young people might access, this provision does not apply to your practice. If you do provide such services, review your data handling in light of the ICO’s Age Appropriate Design Code.

International Data Transfers: Check Where Your Data Is Stored

The DUAA rewords the test you need to apply when transferring personal information outside the UK. The practical implication for therapists is the same as before: the tools and platforms you use — practice management software, video consultation platforms, online booking systems, email providers — may store data on servers outside the UK. Check with those suppliers that their arrangements remain compliant.

If you have not done this recently, take time to map where your client data is stored and follow up with each supplier.

How the Act Affects Your Clients

Your clients retain all the rights they held under the UK GDPR. The DUAA does not remove or reduce those rights.

Clients can still:

  • Request access to the personal data you hold on them
  • Ask you to correct inaccurate data
  • Ask you to erase their data in certain circumstances
  • Withdraw consent for processing where consent is your lawful basis
  • Object to how their data is being used

Clients now have a statutory right to make a data protection complaint directly to you, not just to the ICO. This is why your complaints procedure is a legal requirement rather than simply good practice.

What You Need to Do

[Diagram: required, recommended, and ongoing compliance steps for counsellors and therapists under the Data Use and Access Act 2025]

  • Add or update a data protection complaints section in your privacy notice, providing a clear route for clients to raise concerns and committing to acknowledge within 30 days
  • Review your subject access request process — you are only required to make reasonable and proportionate searches, not exhaustive ones
  • Map where your client data is stored — your practice management software, email provider, video platform, and cloud storage all potentially hold personal data outside the UK
  • Confirm with those suppliers that their arrangements for international data transfers remain compliant
  • Review the ICO’s recognised legitimate interests guidance to understand whether any of those purposes are relevant to your practice
  • Check whether any software you use makes significant automated decisions using client health data, and if so, confirm what safeguards are in place
  • Monitor ICO guidance — further updated guidance is being published throughout 2026
  • Review your data protection documentation annually as a matter of course

A Note on Professional Body Guidance

At the time of writing, the BACP, UKCP, and NCPS have not yet published specific guidance on the DUAA for practitioners. Keep an eye on your professional body’s website and member communications for updates as they emerge. The ICO remains the authoritative source and continues to update its published guidance at ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/

Frequently Asked Questions

Does the Data (Use and Access) Act 2025 replace the UK GDPR?

No. The DUAA amends the UK GDPR and the Data Protection Act 2018 but does not replace them. Your existing data protection framework remains in place. The Act clarifies, simplifies, and in a small number of areas extends those obligations. The ICO is explicit that most changes are opportunities for organisations to do things differently if they choose to, not requirements to make specific changes.

Do I need to rewrite my entire privacy notice?

No, a targeted update is almost certainly sufficient. The most important addition is a data protection complaints section, explaining how a client can raise a concern with you and committing to acknowledge it within 30 days. You may also want to confirm that your privacy notice accurately describes the lawful basis you rely on for processing client data, and that it covers international data transfers if you use cloud-based tools.

What does the recognised legitimate interests change mean for my practice?

The DUAA introduces a new lawful basis that removes the need for a balancing exercise when using personal information for certain recognised purposes. The ICO gives protecting public security as an example. Separately, the Act means you no longer need to decide whether the police or another statutory body needs the information you share with them. That responsibility now sits with the requesting organisation. The ICO has published detailed guidance on both provisions. Your professional body’s guidance and supervision remain central to the ethical and clinical dimensions of any disclosure decision.

I am a sole trader in private practice. Does all of this apply to me?

Yes. If you hold personal data about clients, you are a data controller under UK GDPR, regardless of the size of your practice. For most sole practitioners, the only mandatory new requirement is the complaints procedure, which can be addressed with a short addition to your privacy notice.

What happens if a client makes a subject access request that feels very broad or unclear?

Under the DUAA, you are only required to make reasonable and proportionate searches. You are not obliged to conduct an exhaustive search of every file if doing so would be disproportionate. Document your approach clearly so you can explain it if your response is ever questioned.

Final Reflections

Data protection can feel like an administrative concern sitting at the periphery of therapeutic work. At its heart, though, it is about the same thing as the therapeutic relationship itself: trust. Your clients share deeply personal information with you, often information they have not shared with anyone else. How you manage that information, and the rights you uphold around it, is part of the same commitment to care that defines your practice.

The Data (Use and Access) Act 2025 does not fundamentally change that. For most counsellors and therapists, it brings welcome clarifications to some existing grey areas, particularly around safeguarding disclosures, and adds one modest new obligation in the form of a complaints procedure. None of that is onerous. All of it serves the same purpose: ensuring that the people who trust you with their most private experiences can be confident that trust is well placed.

The June 2026 deadline for complaints procedures has now arrived. If you have not yet updated your privacy notice or reviewed your data handling processes, this is the moment to do it. The steps are straightforward, the guidance is there, and taking them reflects what good practice already looks like.

Transparency note
This article was written and reviewed by human contributors. AI was used as a supportive tool to assist with formatting, layout clarity, and language refinement. All content, interpretations, and ethical positions were created and checked by the authors.
