
What the Data (Use and Access) Act Means for AI on Your Care Home Phone Line

25 May 2026 · CareTime

AI on your phone line is no longer just a technology decision — it is a data governance one. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, brought its key enforcement provisions into force on 5 February 2026. For care homes using or evaluating AI call tools — whether for screening, transcription, or automated answering — that date matters.

What the DUAA Changes

The DUAA builds on UK GDPR and the Data Protection Act 2018 but extends several provisions relevant to AI-assisted processing. Three changes are most relevant to care home phone operations.

Legitimate interests balancing: The DUAA clarifies the legitimate interests test but does not remove the balancing requirement. If your AI phone tool records or transcribes calls, you need to demonstrate that the processing is necessary and that it does not override the rights and expectations of callers — which in a care home context includes relatives, residents, and vulnerable adults.

Smart data schemes: The Act enables sector-specific smart data rules for sharing records with authorised services. The initial schemes focus on banking and energy, but the framework is extensible. Care homes using AI to aggregate and share call data should monitor this space.

Data intermediaries: The DUAA creates a regulated category of "data intermediaries" — services that handle personal data on behalf of others. Some AI call platforms may fall into this category depending on how they store and process recordings.

Three Questions That Are Now Baseline Due Diligence

If you are using or considering any AI phone tool, these three questions should be answered before deployment.

Where are recordings stored and for how long? Retention periods must be proportionate. Keeping every call recording indefinitely is unlikely to pass a data minimisation test under UK GDPR.

Is there a Data Protection Impact Assessment? Any AI tool that systematically records calls to a care home is processing personal data at scale. A DPIA is required under UK GDPR Article 35 for high-risk processing, and AI call monitoring meets that threshold.

Are callers told their call is being recorded and why? Transparency is a core UK GDPR principle. This means an upfront disclosure — either via an IVR announcement or a written privacy notice — that explains the AI processing in plain terms. "Your call may be recorded for training purposes" does not cover AI transcription and summarisation.

The NHS Precedent

NHS England's April 2026 guidance on ambient scribing products — co-developed with the ICO and National Data Guardian — set a governance framework for AI that listens to care conversations: transparency, output verification, defined retention periods, and a DPIA. While that guidance targets clinical settings, the underlying principles apply broadly to any AI processing personal voice data in health and care.

For care home phone AI, the practical test is whether the tool you are evaluating can answer four questions cleanly:

  • Do callers know the AI is transcribing?
  • Does a human verify what the AI produces?
  • Is there a defined retention period for recordings and transcripts?
  • Has a DPIA been completed for your specific use case?

A provider that cannot answer these clearly is a compliance risk.

What to Ask Before You Buy

Before deploying any AI call tool:

  • Is the service UK-hosted and UK-processed?
  • Is a completed DPIA available to share with your Information Governance lead?
  • What is the default retention period for call recordings and transcripts?
  • How does the system disclose AI processing to callers before the call begins?
  • Are you acting as data processor or data controller under UK GDPR, and what does the data processing agreement cover?

Asking these questions up front protects you against both regulatory risk and reputational harm if a recording surfaces that a caller did not know was being made.


CareTime's Silent Guard is UK-hosted, GDPR compliant, and built with a defined retention and disclosure framework designed for the care sector. Start a 30-day pilot to see how it works in practice.
