Data Use and Access Act 2025 for gig workers

What it is

The Data (Use and Access) Act 2025 (DUAA) is the UK law that rewrote parts of the data protection framework from 26 June 2025. It replaced the old strict Article 22 right not to be subject to solely automated significant decisions with a broader permission model plus safeguards. It also introduced a "reasonable and proportionate search" standard for Subject Access Requests and lets organisations "stop the clock" on the one-month SAR deadline in some cases where they need more information to identify the person or clarify the request.

How it applies to gig workers

For Uber, Deliveroo and Amazon Flex workers, the practical change is this: platforms can now make more significant automated decisions about you than they could before June 2025, as long as they build in safeguards. The ICO says those safeguards include giving you information about the decision, a route to make representations, a route to obtain human intervention, and a route to contest the outcome. That wording is narrower than the old "right not to be subject to" standard, but it still gives gig workers real levers. The ICO also says "human involvement" only counts if it is meaningful, a person who genuinely analyses the decision and can change the outcome. A support agent clicking "uphold" after reading an auto-summary is not meaningful review.

The SAR changes matter separately. You can still send a Subject Access Request under Article 15 in any form, including email, with no legal magic words required. The platform still has one month to respond. But DUAA lets them pause the clock if they reasonably need more identifying information, and they can now argue for narrower searches than before. That makes precise drafting more important. Instead of asking for "everything you hold", ask for named data categories for a named date range: account notes, complaint logs, fraud or trust flags, facial recognition results, document verification logs, GPS records, ratings history, risk scores, and records of any automated decision-making used in relation to a specific event.

Take a 22 year old Uber driver in Glasgow deactivated in February 2026 for alleged fraud. Before DUAA, Article 22 arguments were stronger. Now the worker still sends the Article 15 SAR, but alongside it sends a separate automated decision challenge citing the amended framework and the ICO's safeguard requirements. If Uber claims "a specialist team reviewed your case", the worker presses on what that review actually involved. If the platform stalls, the worker complains to the ICO and keeps the ACAS three-months-minus-one-day clock in view for any tribunal route.

What you should do about it

• Send two letters after any deactivation or suspension: one Article 15 SAR, one automated decision challenge under the amended framework.
• Be specific about data categories and date ranges in the SAR to defeat narrow-search arguments.
• In the automated decision letter, demand confirmation of whether the decision was solely automated and, if human, who reviewed it and what they actually looked at.
• Complain to the ICO if the platform stalls past one month without a proper stop-the-clock reason.
• Keep proof of sending and every reply, because the paper trail helps at ACAS or the tribunal later.

Last reviewed

19 April 2026

Internal links this page emits:

• how to send an SAR
• automated decisions after DUAA
• download the SAR template
• automated decision challenge template
• ICO complaint template

Primary source used:

• C:\Users\thest\Documents\GigKiln\Research\Gap\G1.4-gdpr-sar-article-22.md