ROYAL COLLEGE OF PODIATRY
What new data protection rules mean for podiatry practices
New requirements for handling data protection complaints come into effect on 19 June and may require podiatry practices to update their complaints procedures

What’s happened
Changes to UK data protection law come into effect on 19 June 2026, introducing new requirements for how organisations handle complaints relating to personal information.
The changes are part of the Data (Use and Access) Act 2025 and require organisations to provide individuals with a clear and accessible route for raising concerns about how their personal data has been collected, used, stored or shared.
For podiatry practices, this means ensuring that patients have a straightforward way of making complaints about matters such as:
clinical records
appointment and patient management systems
patient photographs
confidentiality breaches
subject access requests
sharing information with third parties
Under the new requirements, organisations must also acknowledge data protection complaints within 30 days and respond without undue delay.
Patients must be informed about their right to escalate concerns to the Information Commissioner’s Office (ICO) if they are dissatisfied with the outcome.
The legislation also provides additional clarity around Subject Access Requests (SARs). Organisations are expected to carry out reasonable and proportionate searches when responding to requests for personal information. They are not required to undertake exhaustive searches of archived systems or backups where doing so would be disproportionate.
Importantly, the wider principles of UK data protection law remain unchanged. Requirements relating to confidentiality, lawful processing, security and accountability continue to apply.
Why this matters to members
Many podiatry practices will already have a complaints procedure in place. In many cases, existing arrangements can be adapted to incorporate data protection complaints.
The key requirement is ensuring that staff can recognise when a complaint relates to personal information and understand how it should be managed.
For independent practitioners and clinic owners, the changes are primarily administrative. However, they also reflect a broader emphasis on transparency and accountability in the handling of personal data.
What practices should do now
Practices may wish to review their arrangements before the new requirements come into force.
This could include:
reviewing privacy notices and patient information materials
updating existing complaints procedures to cover data protection complaints
ensuring staff understand how to identify and handle data protection concerns
reviewing arrangements for managing Subject Access Requests
checking that patient records, photographs and cloud-based systems remain secure
Taking these steps now can help practices remain compliant while demonstrating to patients that their personal information is treated with the same professionalism and care as their clinical treatment.
The new complaint-handling requirements come into force on 19 June 2026.
From that date, organisations will be required to comply with the provisions introduced by the Data (Use and Access) Act 2025.
Links and references
Information Commissioner's Office: One month to go – what businesses need to know to meet the new data law
Information Commissioner's Office: How to deal with data protection complaints
Information Commissioner's Office: A guide to subject access requests












