Security News
The Data (Use and Access) Bill 2025 or ‘DUA Act’
Posted by Data Send UK / Created by Tony Stewart
After a parliamentary gestation of three years and four different (very different!) prime ministers, the much-anticipated Data (Use and Access) Act (the ‘DUA Act’) finally received Royal Assent on Thursday 19 June 2025.

The bill aims to modernise the UK’s data protection laws. It seeks to facilitate data sharing to boost the economy and improve public services. Key provisions include enabling government-mandated data sharing, reforms to the UK GDPR, and stricter penalties for non-compliance. However, concerns have been raised about the potential misuse of personal data and its impact on the creative industries, leading to ongoing debates in Parliament.
While the DUA Act primarily focusses on reforming the UK GDPR, the DPA (Data Protection Act) 2018, and the PECR (Privacy and Electronic Communications Regulations), it goes beyond a privacy update.
The Act supports broader data-related policy ambitions, such as facilitating the use of smart data, creating robust digital identity infrastructure, and updating the legal treatment of data access, management, and automation across the public and private sectors.
The DUA Act is structured into seven substantive parts:
- Part 1 extends the concept of “smart data” beyond financial services, enabling customers and businesses to access and share their data across various sectors, promoting innovation and consumer choice.
- Part 2 establishes a digital verification trust framework, along with a register of providers, a trust mark, and data-sharing mechanisms to regulate digital ID systems.
- Part 3 gives legal footing to the National Underground Asset Register, ensuring safer and more coordinated management of subterranean infrastructure.
- Part 4 transitions birth and death registrations from paper to a secure, electronic registry managed by designated officials.
- Part 5 enacts pivotal reforms to the UK’s data protection regime, focussing on the UK GDPR and PECR.
- Part 6 transforms the ICO (Information Commissioner’s Office) into a newly empowered Information Commission with an expanded regulatory and enforcement remit.
- Part 7 introduces additional measures for data access and usage across critical areas such as health and social care, smart meters, online safety, and public service delivery.
Below, we focus on Part 5, which outlines changes to the UK GDPR, the DPA 2018, and PECR:
Key Modifications to the UK GDPR, DPA 2018, and PECR
The Data (Use and Access) Act (DUA Act) modifies several key provisions of the existing UK data protection framework, particularly in areas where businesses and public-sector organisations interact with data subjects. These are outlined below:
Recognised Legitimate Interests:
The Act introduces a list of “recognised legitimate interests” under Article 6(1)(f) of the UK GDPR, including national security, public safety, emergency response, crime prevention, and safeguarding vulnerable individuals. Organisations relying on these recognised interests listed in Annex 1 will have lighter obligations in regard to conducting a balancing test against individual rights.
Secondary Processing and Research:
The DUA Act includes definitions and establishes that data processing for purposes other than the original intent – such as scientific, historical, or statistical research – is presumed compatible with initial consent under certain conditions. This change allows further processing, particularly benefiting the academic and health sectors.
DSARs (Data Subject Access Requests):
The DUA Act formalises the practices and guidance already in use for DSARs. It does not include the ability for controllers to refuse to respond to DSARs because they are considered to be vexatious (a provision from the DPDI Bill), but does include certain provisions relating to applicable time periods and the scope of searches carried out in response to DSARs.
Controllers are given clearer authority to extend the time allocated to a DSAR while verifying the data subject’s identity or gathering additional context. The Act also clarifies that responses should be based on a reasonable and proportionate search, providing welcome relief to data controllers handling complex or voluminous requests.
Article 12 defines the “applicable time period” as one month from the “relevant time,” which is the latest of:
- The date the controller receives the request
- The date further identification information is received
- The date a fee (if applicable) is paid
Controllers may extend the response time by two further months for complex or multiple requests, provided they notify the data subject within the initial month and explain the reasons for the delay.
Legal professional privilege exemption
Additionally, the Act clarifies that controllers are not required to provide information in respect of which a claim to legal professional privilege (or, in Scotland, confidentiality of communications) could be maintained in legal proceedings, or information in respect of which a duty of confidentiality is owed by a professional legal adviser to their client. This ensures that communications between legal advisers and their clients remain protected, in line with long-standing principles of confidentiality and privilege in legal practice.
Information to be provided to data subjects
Under Article 13, paragraph 4 is amended and a new paragraph 5 is added. Paragraph 5 states that the obligation to inform does not apply if the data will be processed for scientific or historical research, archiving in the public interest, or statistical purposes – provided it is in accordance with Article 84B – and if providing the information is impossible or would involve disproportionate effort.
ADM (automated decision-making)
The DUA Act replaces Article 22 of the UK GDPR with Articles 22A–22D. These articles introduce greater flexibility for automated processing, particularly when dealing with special category data. The Act also requires transparency and safeguards for significant decisions made solely by algorithms, including human intervention, the right to contest outcomes, and meaningful explanation to data subjects.
Cookies and ePrivacy Reforms
Reforms to the PECR include exemptions for certain low-risk cookies, such as those used for site performance or analytics. This reduces the compliance burden on website operators, but user transparency and opt-out options remain mandatory.
The DUA Act also enhances PECR fines, bringing their monetary penalties into line with the UK GDPR. Fines can now be up to 4% of global annual turnover or £17.5 million, whichever is greater.
Reform of the Information Commissioner’s Office and the right to complain
Alongside the right to complain, the DUA Act brings a significant institutional change: the ICO is replaced with a new regulatory authority called the Information Commission.
The goal of reforming the ICO is to modernise its governance structure. This involves establishing a more formal board-led model, similar to the approach taken by regulators such as the FCA and the CMA.
The new Commission will retain the core investigatory and enforcement powers of the ICO. However, it will also have a strengthened remit in areas like ePrivacy enforcement, age-appropriate design, and prompt data breach response.
The DUA Act also introduces a clearer right for data subjects to complain directly to data controllers. While data subjects have always had a general right to raise concerns with organisations, the DUA Act formalises this process and places new obligations on controllers to respond promptly and transparently. Controllers must now acknowledge receipt of a complaint within 30 days and respond without undue delay, informing the complainant of the outcome and any action taken. In complex cases, controllers must also keep the complainant informed of progress. Additionally, the Secretary of State is empowered to require controllers to report complaint volumes to the Information Commission, ensuring transparency and regulatory oversight.
International data transfers
International data transfers are governed by a new data protection test that replaces the former EU-style adequacy framework. Under the DUA Act, transfers are allowed if the receiving country or organisation provides protection not materially lower than UK standards. This potentially diverges from the EU’s stricter standards, but care has been taken to minimise conflict with the EU-UK adequacy decision.
What should businesses know?
For most organisations, especially those operating across the UK and EU, the message is one of continuity with caution. The core principles of the UK GDPR remain intact, including the need to appoint DPOs where required, maintain ROPAs (records of processing activities) and uphold individual rights. Using an approved third-party data transfer service such as Data Send UK, for UK and international data transfers, is a simple solution to meet compliance when required.
Conclusion
Organisations should be ready to update their documentation following Royal Assent on 19 June 2025. Some parts of the Act will require secondary legislation for full implementation.