Data protection and employee information

FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Part 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, including those concerning notices from the Information Commissioner, come into effect on 19 August 2025. The majority of DUAA 2025 provisions, including changes to automated decision-making, international transfers of personal data and the introduction of a new lawful basis for processing personal data, require further secondary legislation to be made to bring them into force. For further information on DUAA 2025 generally, see

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Employment News

BoE and PRA publish annual whistleblowing report for 2024/25

The Bank of England (BoE) and the Prudential Regulation Authority (PRA) have published their annual report for 2024/25 under the Prescribed Persons (Reports on Disclosures of Information) Regulations 2017. The report covers whistleblowing disclosures received between 1 April 2024 and 31 March 2025 and includes anonymised examples illustrating how disclosures informed supervisory approaches and regulatory compliance actions.

Right to work guidance updated on Digital Verification Service checks

The Home Office has issued an updated version of its ‘Employer’s guide to right to work checks’ document, with the changes primarily related to simplifying the information on digital checks for employers of British and Irish citizens who have a valid passport (or Irish passport card). The new version has removed various technical details which were previously intended for providers of these digital verification services, and revised the relevant terminology, so that ‘Digital Verification Service (DVS)’ now includes both the terms Identity Service Providers (IDSPs) and Identity Document Validation Technology (IDVT). This is stated to align the guidance with the terminology used in the UK digital identity and attributes framework and the Data (Use and Access) Act 2025. Guidance and requirements specifically for DVS are now set out in a separate, supplementary code for digital right to work checks. The relevant guidance for employers has been revised. Although it is not currently mandatory for employers to use a DVS certified against the ‘trust framework’ and the supplementary code, this position will change ‘in the near future’, and it will become mandatory to use a DVS listed on the register of certified DVS (maintained by the Office for Digital Identities and Attributes (OfDIA)). In other changes, the new version reiterates that an original expired BRP is not proof of a right to work, and instead an online check must be taken. It also confirms that short-term entry clearance vignettes are being phased out, and that increasingly persons recently issued entry clearance will only have their eVisa to rely on for these purposes, so will need to create a UKVI account as soon as possible and can do this from overseas. In relation to asylum seekers with a pending claim, the guidance now states that they can also volunteer whilst their claim is considered without being granted permission to work, but they can only carry out 'paid' work if they have been granted permission to work under the Immigration Rules, Part 11, paras 360 or 360C. Previously the reference in our quotation marks to ‘paid’ work stated ‘voluntary’ work

Employment weekly highlights—26 June 2025

This edition of Employment weekly highlights includes: (1) clarification from the EHRC on the requirements for separate-sex facilities in the workplace, (2) an analysis of the changes to NDAs under section 17 of the Victims and Prisoners Act 2024, (3) the Financial Conduct Authority’s annual report on whistleblowing disclosures, (4) guidance and analysis on the Data (Use and Access) Act 2025 and the Information Commissioner's Office guidance, (5) an update from the Presidents of the Employment Tribunals for England & Wales and Scotland on the improper use of email addresses for use by parties only where there has been a fault with the online submission service, (6) a new Practice Note designed to help teams drafting and negotiating settlement agreements, (7) dates for your diary, and (8) other news items of interest to employment practitioners.

UK businesses facing phased rollout of data protection law changes

UK businesses will face a six- to nine-month implementation window for the Data (Use and Access) Act 2025 (DUAA), with the first changes expected by mid-December 2025 and most major guidance set for release in winter 2025/2026, the Information Commissioner’s Office says. While no fixed dates have been issued, the regulator's timeline signals a gradual rollout. Key updates will address lawful bases, complaint handling, research provisions and consent requirements for low-risk advertising.