
Data Use & Access Bill Factsheet

 


The Data (Use and Access) Act 2025 (DUAA) is a new piece of UK legislation that introduces targeted updates and reforms to the UK's data protection framework, primarily amending the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). It is an evolution of the law, not a replacement.


🤔 Why it was created:


The DUAA was created with the stated goals of:


Promoting Innovation and Economic Growth: By making certain data processing activities simpler and more flexible, the UK government aims to facilitate data-driven innovation and enhance the UK's digital economy.


Simplifying Compliance: The Act aims to make the rules clearer and easier for UK organisations to follow, reducing administrative and compliance burdens in specific areas.


Improving Public Services: The Act includes provisions to enable better data sharing across public services, such as the NHS, and establishes new digital services.


Enabling Data Sharing: To establish new frameworks for the responsible and secure sharing of data across the economy and public services, notably through Smart Data schemes (expanding on Open Banking principles) and a new framework for digital identity verification services.


Post-Brexit Reform: To refine the UK's data protection laws following its departure from the European Union, while maintaining a sufficient level of protection to preserve the UK's EU adequacy status for seamless data transfers.


📈 Purpose and Benefit to UK Organisations:



The DUAA offers several benefits and changes that affect UK organisations:


Driving Economic Growth and Innovation


The Act looks to unlock the value of data across the economy.


⚖️🤖 Benefit: Provides greater legal certainty for businesses to innovate, particularly in commercial and scientific research (by broadening its definition), and allows for the wider, safeguarded use of automated decision-making and AI-driven tools.


💡📈 Example: Smart Data schemes in sectors like energy and finance will allow consumers to securely share their data with third parties, fostering competition and the creation of new, innovative products and services.


Improving Public Services and Security


The Act includes provisions designed to enhance government and public body functions.


🏥🚨 Benefit: Facilitates integrated healthcare records across the NHS, supports law enforcement efforts, and puts in place a statutory footing for projects like the National Underground Asset Register to streamline infrastructure work.


🛡️🤝 Example: Clarifying the legal basis for sharing data for purposes like crime prevention, emergency response, and national security provides confidence to public and private bodies when cooperating on important public interest tasks.


Streamlining Data Governance


The reforms aim to make the existing data protection framework clearer and more efficient.


🗂️🌍 Benefit: Reduces administrative overhead for organisations by clarifying rules on Data Subject Access Requests (e.g., only requiring "reasonable and proportionate" searches) and simplifies the process for international data transfers using a new "data protection test."


🗣️🔒 Example: Individuals benefit from new explicit requirements for organisations to put in place a formal process for handling data protection complaints and stronger provisions for children's data protection in online services.


📋 Reduced Compliance Burden in Specific Areas:


Recognised Legitimate Interests: It introduces a new lawful ground for processing personal data for certain specified purposes (like safeguarding, national security, or direct marketing) that removes the requirement for a lengthy balancing test (Legitimate Interest Assessment or LIA) in some cases.


Data Subject Access Requests (DSARs): It clarifies that organisations only need to conduct "reasonable and proportionate" searches when responding to a DSAR. It also introduces a "stop the clock" rule to pause the response timeframe if further necessary information is requested from the individual.


Cookies: It relaxes some consent requirements for certain "low risk" cookies, such as those used for basic website analytics or functionality, making their use easier.


🚀 Support for Innovation:


Scientific Research: The Act clarifies the definition of "scientific research" to explicitly include commercial research, making it easier to re-use data and obtain broader consent for research purposes.


Automated Decision-Making (ADM): It eases restrictions on solely automated decisions that have a significant effect on individuals, provided appropriate safeguards and human intervention rights are in place, which is particularly relevant for the use of AI.


Overall, the DUAA looks to provide a more flexible and business-friendly data regulation environment in the UK while still maintaining strong data protection safeguards for individuals. The new DUAA is currently in a phased implementation stage. While Royal Assent makes it law, most of its provisions do not come into effect immediately. They are brought into force on specific dates set out in secondary legislation (Statutory Instruments) made by the Secretary of State.


The phased implementation through the ‘Commencement Regulations’ is shown below.


[Figure: phased implementation through the Commencement Regulations]

🎬 Action for Organisations:


1.    Keep monitoring the legislation.gov.uk and ICO websites for the release of the Commencement No. 4 Regulations (and later Statutory Instruments), as these will confirm the exact date for the main data protection changes in Part 5.


2.    Review your current data protection arrangements to identify where you may have gaps or opportunities for improvements, considering the changes brought by the DUAA.


3.    Speak to our team at Elmar Risk Management who can support & guide you through these changes.

 
 
 
