UK therapists have 10 weeks to comply with new data law
The Data (Use and Access) Act 2025 comes into force on 19 June 2026. It introduces a mandatory complaints procedure for therapists who hold client data. Here is what you need to do.
A new piece of UK legislation comes into force on 19 June 2026 that every therapist in private practice needs to know about. The Data (Use and Access) Act 2025 — known as the DUAA — makes several changes to how data subjects can exercise their rights against data controllers. For therapists, the most significant change is the introduction of a mandatory first-tier complaints procedure.
What the DUAA requires
Under Section 103 of the DUAA, data controllers, which include any therapist who processes client data, must have a complaints procedure that allows data subjects to complain directly to them about how their data has been handled.
The procedure must:
- Be accessible and easy to use
- Acknowledge complaints within 30 days
- Resolve complaints within three months
- Inform complainants of their right to escalate to the ICO if they are not satisfied
- Retain complaint records for six years
This is not entirely new territory — the ICO has always encouraged controllers to handle complaints before escalation. What changes on 19 June 2026 is that the procedure becomes legally required, not merely best practice.
What this means for therapists
If a client believes you have mishandled their personal data — kept records for too long, shared information without consent, failed to respond to a subject access request — they now have a formal right to complain to you directly before going to the ICO.
In practice, most data complaints in a therapy context will relate to:
- Requests to access or delete records
- Concerns about who has seen session notes
- Questions about whether data has been shared (with supervisors, insurers, GPs)
- Concerns following the end of a therapeutic relationship
Having a clear, accessible complaints form is not just a legal requirement — it is also good practice. A client who can raise a concern with you directly, and receive a considered response, is far less likely to escalate to the ICO.
What you need to have in place by 19 June 2026
- A complaints form or process. This can be a form on your compliance page, an email address, or a postal address. The key requirement is that it is accessible and that you respond within the timeframes above.
- A written acknowledgement process. When a complaint is received, you must acknowledge it within 30 days and explain the next steps.
- A resolution process. You must attempt to resolve the complaint within three months.
- A record-keeping system. Complaint records must be retained for six years.
- A reference to the ICO. Your response must inform the complainant that they can escalate to the ICO (ico.org.uk / 0303 123 1113) if they are not satisfied.
The DUAA also changes cookie rules
A less-discussed change in the DUAA relates to cookies. From February 2026, cookies used solely for statistical or analytics purposes no longer require prior consent — provided an opt-out is available. This applies to tools like Google Analytics. Advertising and tracking cookies still require consent.
PolicyDiary handles all of this
PolicyDiary generates a complaints form on your hosted compliance page, handles the acknowledgement and resolution tracking in your dashboard, and ensures your cookie policy reflects the updated DUAA rules. If you signed up before these changes, regenerate your documents to bring them up to date.
Get your compliance documents sorted in 10 minutes.
PolicyDiary generates all 5 compliance documents tailored to your practice and professional body. £24/year.