Data Use & Access Bill - 2025
- Peter Berry
- Jun 23
- 5 min read
The new ‘Data Use & Access’ Act (DUAA) has received Royal Assent and will be enacted into UK law on 19th June 2025. This legislation will be integrated into the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). Accordingly, it does not create an additional regulatory framework for the protection of personal information but rather amends the existing laws and regulations. Additionally, the Privacy and Electronic Communications Regulations (PECR) have been revised and incorporated into the UK GDPR as a result of the DUAA.
Key Changes:
There are 8 parts to the DUAA; the key changes below are those most relevant to our clients’ businesses and organisations. The 8 parts are:
Part 1 – Access to Customer Data & Business Data
Part 2 – Digital Verification Services
Part 3 – National Underground Asset Register
Part 4 – Registrar of Births & Deaths
Part 5 – Data Protection & Privacy
Part 6 – The Information Commission
Part 7 – Other provisions about Use of, or Access to Data
Part 8 – Final Provisions
Should you require information on all the 8 parts or specific details on all the changes, contact info@elmarrisk.co.uk
Recognised Legitimate Interests:
The DUAA introduces the provision for 'Recognised Legitimate Interests' to be established for activities such as protecting public security, public health, and crime prevention, among others. This means that when processing personal data for these recognised purposes, it is not necessary to perform a balancing test or a 'Legitimate Interests Assessment' (LIA). This does not remove the need to perform a balancing test for purposes that are not on the recognised list.
Soft Opt-In Extension for Charities:
Previously, only commercial organisations were permitted to use the ‘soft opt-in’ under PECR, which allowed them to send email and text marketing to individuals who had previously purchased similar goods or services. This provision will now be extended to charities and not-for-profits. Accordingly, if individuals demonstrate support, make donations, or express interest in the charity or its activities, these entities will be authorised to use the 'soft opt-in'. Regardless, when using the ‘soft opt-in’ approach the requirements of the UK GDPR must still be met; for example, when someone is accessing charitable services at a time of crisis, it may not be appropriate to take the opportunity to opt them into marketing.
Subject Access Requests (DSAR) - Reasonable and Proportionate Searches:
This update reinforces advice and guidance that has been consistently provided by the ICO, making it clearer in the context of legal requirements. In relation to Subject Access Requests (SARs), organisations are obligated only to conduct reasonable and proportionate searches when individuals request their personal data.
Cookie Rules
When using cookies on websites or mobile applications for purposes such as service usage analytics, emergency alert systems, accessibility adjustments, or website enhancement, obtaining consent from website visitors and users is no longer required. However, it remains necessary to inform individuals about these cookies; therefore, banners and cookie notices will still be required. There is no change to cookies which are strictly necessary for the performance of a website.
PECR Enforcement
The DUAA harmonises the enforcement framework of the UK GDPR, DPA18, and PECR, resulting in an increase in the maximum fines under PECR from £500,000 to the same level as those stipulated by the GDPR (4% or 2% of group turnover, or £17m). The ICO will now have the regulatory power to interview staff of an organisation involved in enforcement investigations where suspected breaches of PECR have occurred.
Using Data for Research Purposes
The DUAA updates the definition of ‘Scientific Research’ to include both non-commercial and commercial research. Explicit consent is needed initially, with privacy notices explaining the full extent of the consent being given at that time. This change addresses the ‘Purpose Limitation’ principle which, until now, has allowed only a single use and purpose for the processing of Personally Identifiable Information (PII).
The DUAA allows research & scientific organisations to obtain broader consent for various types of scientific research, even if not all purposes are known at the time. This allows data use for longer periods, new research projects and unforeseen purposes beyond the original purpose limitation.
Lawful Basis for Automated Decision Making
When using personal data for automated decision making, you can now choose from a broader range of legal bases, including legitimate interests. Regardless of the legal basis, organisations must ensure that appropriate safeguards are in place, such as the ability to object, providing transparency through notices, and allowing individuals to request human intervention. It is important to note that this change does not apply if you are processing special category or sensitive personal data.
Using Children’s Data
The DUAA mandates that when processing children's personal data, including during the provision of online services, their specific needs must be explicitly considered. Compliance with the ICO’s Age-Appropriate Design Code (‘Children’s Code’) should ensure adherence to these new requirements.
Information Commission, not Commissioner
In the United Kingdom, we have traditionally had an ‘Information Commissioner’, an individual tasked with regulating Data Protection and Freedom of Information. The DUAA aims to reform the ICO by establishing the ‘Information Commission’, which will feature a formal Board and CEO, like many other organisations.
Data Protection Complaints Processes
This requirement offers a clearer mandate on how Data Protection complaints should be managed and processed. Organisations are obligated to facilitate the process for individuals to submit data protection complaints, including the provision of electronic forms on websites or applications. Moreover, organisations are required to acknowledge such complaints within 30 days and respond, 'without undue delay'. It’s anticipated that additional guidance from the Information Commissioner will be available in due course.
International Transfers
The Secretary of State for Science, Innovation and Technology will now have the authority to determine the adequacy of third countries. Under the DUAA, the requirement shifts from the EU-GDPR's 'Equivalent' protection to 'No Lower' protection than the UK GDPR. This subtle wording change may cause a divergence from the EU-GDPR and impact the UK's data transfer adequacy with EU-GDPR compliant countries.
Actions / Advice
It is advisable to evaluate your business’s or organisation’s current approach to Data Protection and consider the implications of the changes introduced by the DUAA. Many of these changes are expected to offer opportunities to reduce administrative burdens and adopt a more pragmatic approach to innovation, while still upholding the protection of personally identifiable information and the legal rights of data subjects.
Whilst this bulletin covers the main points relevant to our clients, it is advisable to review the entire DUAA for specific changes which may impact your business or charity. Tailored consultation services can be provided upon request to support you.