
The Data (Use and Access) Act, 2025
We've previously described the ill-fated Data Protection and Digital Information (DPDI) Bill which was brought by the Conservative party. Due to the change of government, the Bill did not become law.
We said at the time, watch this space. The new Labour government had options ranging from doing nothing at all with the DPDI Bill to implementing it as it was, completely unchanged. The most likely outcome, of course, was Labour doing something in between these two extremes.
That is exactly what has happened. On June 19th, 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent and came into force.
The DUAA does not replace any existing regulations. It sits alongside, and modifies portions of, the:
- Data Protection Act 2018
- UK General Data Protection Regulation (UK GDPR)
- Privacy and Electronic Communications (EC Directive) Regulations 2003
Here is a quick rundown of what the DUAA means for you and your organisation.
Recognised Legitimate Interests
Data processing for purposes such as national security or crime prevention has a clearer legal basis and might not require the usual extensive checks. Also, the responsibility for the legitimacy of the data transfer sits with the requesting body, not your organisation.
Scientific Research and Broad Consent
It is now permissible to use personal data for scientific research (including commercial research) with a 'broad consent' covering a field of study.
Under UK GDPR, consent for using personal data traditionally had to be specific and informed. The DUAA relaxes this requirement for research contexts.
With broad consent, you will not need to refresh consent for every research-driven change of processing type.
AI and Automated Decisions
Businesses have more flexibility to use automated systems and artificial intelligence. Their use must be transparent, and individuals must be able to challenge decisions.
Simpler Data Requests
Organisations only need to do ‘reasonable’ searches for a data subject’s information. You can also ‘stop the clock ticking’ on your time to respond if you need more time or more clarity on the request from the data subject.
Children's Online Privacy
Online services that children are likely to use must be designed with their privacy in mind from the start.
Stronger Enforcement for Marketing
Fines for breaking e-Privacy rules (think marketing emails and cookies) are now much higher, matching GDPR levels. The Privacy and Electronic Communication Regulations date back to 2003. These changes bring the financial penalties in line with more modern regulations such as GDPR.
Cookie Changes
Low-risk cookies no longer require prior consent. This covers cookies that are used for the functioning of a site or for anonymous statistical analysis.
Charity Marketing
Charities can now use a ‘soft opt-in’ for email marketing. A charity can now send marketing emails to previous donors, or people who have expressed an interest in the charity’s work, without obtaining prior marketing consent.
Data subjects retain the right to opt out.
New Information Commission
The Information Commissioner's Office (ICO) has become the Information Commission with enhanced powers for enforcing data rules.
A New Complaints Procedure
You must establish a process for individuals to lodge data protection complaints directly. If an individual believes a company is misusing their data or not respecting their rights, the company must have a clear channel (for example, an online complaint form or email address) to facilitate such complaints.
You must acknowledge receipt of a complaint within 30 days.
Interestingly, the ICO can turn away complaints made directly to them if the complainant has not already used the complaint procedure of the reported organisation.
Things That Did Not Make the Cut
The redefinition of personal data did not make it into the final Act, and neither did the removal of the requirement to have a Data Protection Officer, where such a requirement existed.
What Do You Need to Do?
Review the DUAA Guidance
The ICO provides guidance on the DUAA's key changes. Organisations should familiarise themselves with this documentation.
Review Your Current Practices
Evaluate how your existing data protection activities align with the new requirements, particularly regarding DSARs and automated decision-making.
Implement a Data Processing Complaints Procedure
Establish a complaints process. The DUAA requires a clear process for handling data protection complaints from individuals. Acknowledge complaints within 30 days and respond to complaints without undue delay. Consider providing resources like an electronic complaint form to facilitate the process.
As Always, We Are Here to Help
We will be pleased to answer your questions about the new Act and how it affects you.