UK Data (Use and Access) Act 2025 Commencement No.1 Regulations published

July 26, 2025

Data protection laws are undergoing some refinement in the UK with the Data (Use and Access) Act 2025 (DUAA). The DUAA received Royal Assent on June 19, 2025. On July 21, 2025, the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 were published. The DUAA reforms how the UK manages non-personal and personal data. The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). The aim is to change data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst still protecting people and their rights.

The UK legislation is significantly more prescriptive than the Privacy Act 1988.  That is not surprising given it was based on the GDPR.  It is also structured very differently. It is useful to be aware of changes to UK legislation as Australian legislation can be influenced by the UK legislation over time.

The Long title to the Bill states:

A bill to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the creation and solicitation of purported intimate images and for connected purposes.

The Government states that the Act enables:

  • important changes to the UK’s data protection and privacy legislation
  • the growth of digital verification services
  • new Smart Data schemes like Open Banking
  • a new National Underground Asset Register

The Regulations set out the provisions of the DUAA that enter into force on 20 August, 2025. Those provisions include:

  • Part 1 on access to customer data and business data;
  • section 74 on processing of special categories of personal data;
  • section 84 on law enforcement processing and codes of conduct;
  • section 92 on codes of practice for the processing of personal data;
  • section 93 on codes of practice: panels and impact assessments;
  • section 106 on protection of prohibitions, restrictions and data subject’s rights;
  • section 109 on the Privacy and Electronic Communications Regulations (PECR);
  • section 111 on the duty to notify the ICO of a personal data breach and time periods; and
  • section 113 on the interpretation of time periods for emergency alerts.

The DUAA changes the existing laws as follows:

  • A new ‘recognised legitimate interests’ lawful basis: using personal information for certain ‘recognised legitimate interests’ removes the need to balance the impact on the people whose personal information is being used against the benefits arising from that use.
  • Disclosures that help other organisations perform their public tasks: personal information can be given to certain organisations without having to decide whether that organisation needs the information to perform its public tasks or functions. The organisation making the request is responsible for this decision.
  • Assumption of compatibility: there is an assumption that some re-uses of personal information are compatible with the original purpose of collection without having to do a compatibility test.
  • A ‘soft opt in’ for charities: it allows sending electronic mail marketing to people whose personal information has been collected unless they object.
  • Subject access requests (SARs): it is only required to make reasonable and proportionate searches when someone asks for access to their personal information.
  • Children and online services: for an online service that is likely to be used by children, the DUAA explicitly requires that their needs are taken into account when deciding how to use their personal information.
  • Data protection complaints: the DUAA requires taking steps to help people who want to make complaints about how their personal information is being used, such as providing an electronic complaints form. Complaints have to be acknowledged within 30 days and responded to ‘without undue delay’.
