Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025, which received Royal Assent and became law on 19 June 2025, represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation.

The Data (Use and Access) Act 2025 (the "DUAA"), received Royal Assent and became law on 19 June 2025 following its introduction to Parliament in October 2024. This landmark piece of legislation represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation, marking a significant step in the Government's approach to data protection regulation.

The DUAA introduces reforms to the UK's data protection regime and changes to the powers and composition of the regulator; measures for increasing the breadth of possibilities for pursuing smart data initiatives; improvements in public sector data sharing; data-enabled infrastructure initiatives such as the National Underground Asset Register; a new statutory scheme for digital identity verification services; and more besides.

The Government is hoping that the detailed provisions contained in the DUAA will contribute towards three overarching strategic objectives:

To harness the power of data to grow the economy;
To improve public services and enable and support modern digital government; and
To make peoples' lives easier.

Besides these objectives, the Government has also indicated that it is placing great emphasis on ensuring the renewal of the UK's data protection adequacy decision with the EU, which is formally up for review in December 2025. This explains many of the differences between the DUAA and the previous Government's attempts at reforming the UK's data protection regime under the most recent Data Protection and Digital Information Bill (the "DPDI Bill"), which never passed into law owing to the calling of the July 2024 UK general election.

Overall, the DUAA is a forward-looking overhaul of the UK's data protection landscape, aiming to balance certainty from a regulatory perspective with international alignment.

We have prepared a high-level PDF summary of the key changes introduced by the DUAA for you to read and share here.

You can also read our article series, each taking a deeper look at a particular aspect of the DUAA, at the links below (articles drafted before the DUAA received Royal Assent refer to the "DUA Bill"):

Key reforms to the UK's data protection regime – including:

A new "recognised legitimate interests" processing basis and some statutory examples of "regular" legitimate interests;
A new regime for international transfers;
The potential for ministers to add further special categories of data;
Important clarifications to the "purpose limitation" principle; and
An expansion of the types of decisions that can be made on a "solely automated" basis.

Changes to the ICO's powers, structure and composition - including:

New investigatory powers, including being able to require individuals to attend an interview when a data breach is being investigated;
Greater fining powers for breaches of PECR;
A new requirement that controllers must establish a direct complaints procedure for data subjects; and
A new structure, a new board, and a new name for the regulator itself – the "Information Commission".

Laying the groundwork for smart data schemes – including:

New regulation-making powers to create schemes for sharing "customer" and "business" data with third parties;
Provisions to create accreditation and approval requirements for third parties wishing to have such data with them;
Provisions to empower certain bodies as "decision-makers" as to which third parties are accredited and/or approved;
Regulation-making powers allowing the creation of new "interface" bodies to manage and set the standards for new smart data schemes; and
Powers to require data-holding organisations and data-receiving third parties to assist, including financially, these new decision-making and interface bodies.

A new register of digital ID verification services – including:

Powers for the Secretary of State to create a "framework" of rules for providing digital ID verification as a service;A new statutory register, on which providers of these services can apply to be listed;
An "information gateway" permitting public authorities to share information with registered providers to verify an individual's identity; and
Including the use of registered digital ID service providers as a valid means of satisfying right-to-work and right-to-rent checks.

Data (Use and Access) Act 2025: A comparison with its predecessor, the Data Protection and Digital Information Bill – including:

Retention of the DPDI Bill's dilution of the prohibition on solely automated decision-making;
A new "data protection test" for international data transfers, mirroring the DPDI Bill
Changes to DPOS, RoPAs and DPIA requirements all dropped; and
Removal of the ability to refuse a DSAR on the basis of a "vexatious or excessive" request.

A round-up of the miscellaneous provisions in the Data (Use and Access) Act 2025 - including:

The implementation of a mandatory National Underground Asset Register;
A new Electronic Register of Births and Deaths; and
The criminalisation of creating or requesting the creation of an intimate image of an adult, commonly referred to as a "deepfake".

Related Expertise