
New Data Protection Complaints Rules Are Coming. What Do Health & Social Care Providers Need to Know?

From 19th June 2026, the final provisions of the Data (Use and Access) Act 2025 will come into force, bringing a significant shift in how organisations must handle complaints about personal data.

For health and social care providers, this is not just an administrative update. Given the volume and sensitivity of patient data handled across services regulated by the Care Quality Commission (CQC), these changes introduce clear, enforceable expectations around governance, transparency, and responsiveness.

At HLTH Compliance, we are already supporting providers to align their systems, policies, and staff training with these new requirements, ensuring they are not only compliant, but inspection-ready.

What’s Changing?

The new legislation introduces a statutory right for individuals to complain directly to data controllers about how their personal data is handled.

In practice, this means:

  • Every organisation that processes personal data (including all CQC-regulated providers) must have a formal complaints-handling process specifically for data protection issues
  • This is not optional; there are no exemptions

For providers, this sits alongside existing obligations under UK GDPR, but with a much more structured and enforceable complaints framework.

Key Requirements for Providers

A Formal Complaints Process is Mandatory

All providers must have a clearly defined and documented procedure for handling data protection complaints.

This should integrate with your wider governance systems, including:

  • Incident reporting
  • Safeguarding concerns
  • Complaints and feedback processes

Strict Response Expectations

Providers must:

  • Acknowledge complaints within 30 days (in writing)
  • Investigate without undue delay
  • Keep the complainant regularly informed
  • Provide a clear, reasoned outcome

This aligns closely with CQC expectations under Well-led, particularly around transparency, responsiveness, and learning from feedback.

Accessible and Flexible Complaint Channels

You must ensure complaints can be raised through multiple accessible routes, such as:

  • Email
  • Online forms
  • Postal submissions

Importantly, organisations cannot restrict complaints to one preferred method. If a patient raises a concern informally (e.g. during a consultation), this may still need to be treated as a formal data complaint.

Staff Training is Essential

The Information Commissioner’s Office (ICO) expects:

  • Staff to be trained to recognise data protection complaints
  • Clear processes for escalation and handling
  • Defined roles and responsibilities

For health and social care providers, this is particularly relevant for:

  • Reception/front-of-house staff
  • Clinical teams
  • HR and administrative staff

Record Keeping and Oversight

You must maintain clear records of all complaints, including:

  • Nature of the complaint
  • Actions taken
  • Outcome and rationale

The ICO has the authority to request and review these records, making robust documentation essential.

What Should You Be Doing Now?

With the deadline approaching, providers should act now to ensure compliance:

✔ Develop or Update Your Complaints Policy

  • Create a data protection complaints policy, or
  • Integrate this into your existing complaints framework

✔ Strengthen Your Complaint Channels

  • Ensure multiple, accessible routes for complaints
  • Update your privacy notice to clearly explain:
    • The right to complain
    • How to do so

✔ Train Your Workforce

  • Focus on frontline staff and managers
  • Ensure they can:
    • Identify data-related complaints
    • Escalate appropriately

✔ Prepare Standard Templates

  • Complaint acknowledgment letters
  • Investigation updates
  • Outcome responses

This ensures consistency and reduces risk.

✔ Review Third-Party Contracts

  • If you use data processors (e.g. IT systems, patient record platforms), ensure:
    • Responsibilities for complaint handling are clearly defined
    • Contracts reflect the new obligations

Why This Matters for CQC-Regulated Services

These changes go beyond data protection; they directly support compliance with:

  • Well-led: Effective governance, oversight, and learning
  • Responsive: Listening and acting on feedback
  • Safe: Managing risks associated with data handling

Failure to implement these processes could lead to:

  • Regulatory scrutiny from the ICO
  • Negative impact during CQC inspections
  • Reputational risk

How HLTH Compliance Can Support You

At HLTH Compliance, we specialise in helping health and social care providers translate regulatory change into practical, inspection-ready systems.

We can support you to:

  • Develop CQC-aligned complaints and governance frameworks
  • Implement data protection complaint procedures that integrate with your wider compliance systems
  • Deliver staff training tailored to your service type
  • Review your policies, contracts, and documentation to ensure full compliance ahead of June 2026

If you would like support in preparing for these changes, our team is here to help you implement a robust, regulator-ready approach, not just for compliance, but for high-quality, patient-centred care.

Need support?
Get in touch with HLTH Compliance to ensure your service is fully prepared ahead of the June 2026 deadline.