Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Part 2. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Part 2Digital verification services

Introductory

27Introductory

(1)

This Part contains provision to secure the reliability of digital verification services by means of—

(a)

a trust framework (see section 28),

(b)

supplementary codes (see section 29),

(c)

a register (see section 32),

(d)

an information gateway (see section 45), and

(e)

a trust mark (see section 50).

(2)

In this Part, “digital verification services” means verification services provided to any extent by means of the internet.

(3)

In subsection (2), “verification services” means services that are provided at the request of an individual and consist in—

(a)

ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b)

confirming to another person that the fact about the individual has been ascertained or verified from information so provided.

DVS trust framework and supplementary codes

28DVS trust framework

(1)

The Secretary of State must prepare and publish a document (“the DVS trust framework”) setting out rules concerning the provision of digital verification services.

(2)

Those rules may include (among other things) rules relating to, and to the conduct of, a person who provides such services; and references in this Part to a person providing services in accordance with the DVS trust framework (however expressed) include a person complying with such rules.

(3)

In preparing the DVS trust framework, the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(4)

The requirement in subsection (3) may be satisfied by consultation undertaken before the coming into force of this section.

(5)

The Secretary of State may revise and republish the DVS trust framework (whether following a review under section 31 or otherwise).

(6)

The DVS trust framework, and any revised version of the framework, must specify the time it comes into force (which must not be a time earlier than the time it is published).

(7)

The DVS trust framework, and any revised version of the framework, may—

(a)

set out different rules for different digital verification services,

(b)

specify that provisions come into force at different times for different purposes, and

(c)

make transitional or saving provision.

(8)

Where the Secretary of State revises and republishes the DVS trust framework, the DVS trust framework (as revised) may provide that from a date, or from the end of a period, specified in the framework a pre-revision certificate is required to be ignored for the purposes of sections 33(1)(a), 35(1)(c), 40(1)(c) and 42(1)(c).

(9)

In subsection (8), a “pre-revision certificate” means a certificate which—

(a)

certifies that digital verification services provided by the holder of the certificate are provided in accordance with the DVS trust framework, and

(b)

was issued before the time the relevant revision to the DVS trust framework comes into force.

(10)

Provision included in the DVS trust framework in reliance on subsection (8) may make different provision in relation to different descriptions of pre-revision certificate.

29Supplementary codes

(1)

The Secretary of State may prepare and publish one or more sets of rules concerning the provision of digital verification services which supplement the DVS trust framework.

(2)

In this Part, a set of rules published under subsection (1) is referred to as a supplementary code.

(3)

Those rules may include (among other things) rules relating to, and to the conduct of, a person who provides such services; and in this Part references to a person providing services in accordance with a supplementary code (however expressed) include a person complying with such rules.

(4)

In preparing a set of rules, the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(5)

The requirement in subsection (4) may be satisfied by consultation undertaken before the coming into force of this section.

(6)

The Secretary of State may revise and republish a supplementary code (whether following a review under section 31 or otherwise).

(7)

A supplementary code, and any revised version of a supplementary code, must specify the time it comes into force (which must not be a time earlier than the time it is published).

(8)

A supplementary code, and any revised version of a supplementary code, may—

(a)

set out different rules for different digital verification services,

(b)

specify that provisions come into force at different times for different purposes, and

(c)

make transitional or saving provision.

(9)

Where the Secretary of State revises and republishes a supplementary code, the supplementary code (as revised) may provide that from a date, or from the end of a period, specified in the code a pre-revision certificate is required to be ignored for the purposes of sections 36(1)(a), 37(1)(c), 43(1)(c)and 44(1)(c).

(10)

In subsection (9), a “pre-revision certificate” means a certificate which—

(a)

certifies that digital verification services provided by the holder of the certificate are provided in accordance with the supplementary code, and

(b)

was issued before the time the relevant revision to the supplementary code comes into force.

(11)

Provision included in a supplementary code in reliance on subsection (9) may make different provision in relation to different descriptions of pre-revision certificate.

30Withdrawal of a supplementary code

(1)

The Secretary of State may determine to withdraw a supplementary code.

(2)

A determination must—

(a)

be published, and

(b)

specify when the code is withdrawn, which must be a time after the end of the period of 21 days beginning with the day on which the determination is published.

31Review of DVS trust framework and supplementary codes

(1)

At least every 12 months, the Secretary of State must—

(a)

carry out a review of the DVS trust framework, and

(b)

at the same time, carry out a review of each supplementary code which has not been withdrawn.

(2)

In carrying out a review under subsection (1), the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

DVS register

32DVS register

(1)

The Secretary of State must establish and maintain a register of persons providing digital verification services.

(2)

The register is referred to in this Part as the DVS register.

(3)

The Secretary of State must make the DVS register publicly available.

33Registration in the DVS register

(1)

The Secretary of State must register a person providing digital verification services in the DVS register if—

(a)

the person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with the DVS trust framework,

(b)

the person applies to be registered in the DVS register in respect of one or more of the digital verification services to which the certificate relates,

(c)

the application complies with any requirements imposed by a determination under section 38, and

(d)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

But subsection (1) is subject to—

(a)

the power to refuse registration under section 34(1), and

(b)

the duties to refuse registration under sections 34(10) and 41(10).

(3)

If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the Secretary of State may not register a person in the DVS register.

(4)

The register must record the digital verification services in respect of which a person is, from time to time, registered.

(5)

For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

(6)

In this Part, “accredited conformity assessment body” means a conformity assessment body that is accredited by the UK national accreditation body in accordance with Article 5 of the Accreditation Regulation as competent to carry out assessments of whether digital verification services are provided in accordance with the DVS trust framework.

(7)

In subsection (6)—

the Accreditation Regulation” means Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93;

conformity assessment body” has the same meaning as in the Accreditation Regulation (see Article 2(13) of that Regulation);

the UK national accreditation body” means the UK national accreditation body for the purposes of Article 4(1) of the Accreditation Regulation.

34Power to refuse registration in the DVS register

(1)

The Secretary of State may refuse to register a person providing digital verification services in the DVS register if the Secretary of State—

(a)

considers that it is necessary to do so in the interests of national security, or

(b)

is satisfied that the person is failing to comply with the DVS trust framework in respect of one or more of the digital verification services in respect of which the person applies to be registered.

(2)

Before refusing to register a person under this section the Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3)

The notice must—

(a)

state the name and address of the person,

(b)

state the reason why the Secretary of State—

(i)

considers that it is necessary to refuse to register the person in the interests of national security, or

(ii)

is satisfied that the person is failing as mentioned in subsection (1)(b),

(c)

state whether the Secretary of State intends to specify a period in the notice under subsection (8) and, if so, what period is intended to be specified,

(d)

state that the person may make written representations to the Secretary of State about—

(i)

the Secretary of State’s intention to refuse to register the person in the DVS register, and

(ii)

where relevant, the period the Secretary of State intends to specify in the notice under subsection (8), and

(e)

specify the period within which such representations may be made.

(4)

Where the Secretary of State intends to refuse to register a person in reliance on subsection (1)(a), the requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(i) would be contrary to the interests of national security.

(5)

The period specified for making written representations must be a period of not less than 21 days beginning with the day on which the notice is given.

(6)

If the Secretary of State considers that it is appropriate for the person to have an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a)

state that the person may make such representations, and

(b)

specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

(7)

When deciding whether to refuse to register the person in the DVS register under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8)

Where the Secretary of State refuses to register the person in the DVS register under this section, the Secretary of State must by written notice inform the person that the person’s application for registration has been refused.

(9)

The Secretary of State may, in the notice given under subsection (8), state that any further application for registration made by the person during a period specified in the notice will be refused.

(10)

If the person applies to be registered in the DVS register during the period specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11)

The period specified in the notice in reliance on subsection (9) must begin with the day on which the notice is given and must not exceed two years.

35Registration of additional services

(1)

Subsection (2) applies if—

(a)

a person is registered in the DVS register,

(b)

the person applies for their entry in the register to be amended to record additional digital verification services that the person provides in accordance with the DVS trust framework,

(c)

the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the DVS trust framework,

(d)

the application complies with any requirements imposed by a determination under section 38, and

(e)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

The Secretary of State must amend the DVS register to record that the person is also registered in respect of the additional services referred to in subsection (1).

(3)

If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the Secretary of State may not amend the DVS register as described in subsection (2).

(4)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

36Supplementary notes

(1)

Subsection (2) applies if—

(a)

a person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with a supplementary code,

(b)

the person applies for a note about one or more of the services to which the certificate relates to be included in the entry relating to that person in the DVS register,

(c)

the application complies with any requirements imposed by a determination under section 38, and

(d)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

The Secretary of State must include a note in the entry relating to the person in the DVS register recording that the person provides, in accordance with the supplementary code referred to in subsection (1), the services in respect of which the person made the application referred to in that subsection.

(3)

But subsection (2) does not apply if the supplementary code referred to in subsection (1) has been withdrawn.

(4)

If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the Secretary of State may not include a note described in subsection (2) in the DVS register.

(5)

For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

(6)

In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.

37Addition of services to supplementary notes

(1)

Subsection (2) applies if—

(a)

a person has a supplementary note included in the DVS register relating to a supplementary code,

(b)

the person applies for the note to be amended to record additional digital verification services that the person provides in accordance with that code,

(c)

the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with that code,

(d)

the application complies with any requirements imposed by a determination under section 38, and

(e)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

The Secretary of State must amend the note to record that the person also provides the additional services referred to in subsection (1) in accordance with the supplementary code to which the note relates.

(3)

But subsection (2) does not apply if the supplementary code to which the note relates has been withdrawn.

(4)

If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the Secretary of State may not amend the note as described in subsection (2).

(5)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

38Applications for registration, supplementary notes, etc

(1)

The Secretary of State may determine—

(a)

the form of an application under section 33, 35, 36 or 37,

(b)

the information to be contained in or provided with the application,

(c)

the documents to be provided with the application, and

(d)

the manner in which the application is to be submitted.

(2)

A determination may make different provision for different purposes.

(3)

The Secretary of State must publish a determination.

(4)

The Secretary of State may revise a determination.

(5)

If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.

39Fees for applications for registration, supplementary notes, etc

(1)

The Secretary of State may by regulations make provision for or in connection with—

(a)

the payment of fees for applications under sections 33, 35, 36 and 37, and

(b)

the payment of fees in connection with continued registration in the DVS register.

(2)

The regulations may not provide for payment of fees to anyone other than the Secretary of State.

(3)

The regulations must—

(a)

specify the amount, or the maximum amount of a fee, or

(b)

provide for a fee, or the maximum amount of a fee, to be determined in accordance with regulations.

(4)

The regulations may provide for the amount of a fee to exceed the administrative costs of determining the application or the administrative costs associated with the continued registration (as the case may be).

(5)

Regulations under subsection (1) may (among other things) make provision about the following—

(a)

when fees are to be paid;

(b)

the manner in which fees are to be paid;

(c)

the payment of discounted fees;

(d)

exceptions to requirements to pay fees;

(e)

the refund of fees (in whole or in part);

(f)

interest on any unpaid amounts,

including provision conferring functions on the Secretary of State in relation to the matters in paragraphs (a) to (e).

(6)

A fee payable under regulations made under subsection (1)(b), and any interest payable in respect of it, is recoverable summarily (or, in Scotland, recoverable) as a civil debt.

(7)

The regulations may—

(a)

make different provision for different purposes;

(b)

make transitional, transitory or saving provision.

(8)

Regulations under this section are subject to the negative resolution procedure.

Annotations:
Commencement Information

I25S. 39 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I26S. 39 in force at 1.12.2025 in so far as not already in force by S.I. 2025/1213, reg. 2

40Duty to remove person from the DVS register

(1)

The Secretary of State must remove a person from the DVS register if the person—

(a)

asks to be removed from the register,

(b)

ceases to provide all of the digital verification services in respect of which the person is registered in the register, or

(c)

no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the DVS trust framework.

(2)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

41Power to remove person from the DVS register

(1)

The Secretary of State may remove a person from the DVS register if—

(a)

the Secretary of State is satisfied that the person is failing to comply with the DVS trust framework when providing one or more of the digital verification services in respect of which the person is registered,

(b)

the person has a supplementary note included in the DVS register and the Secretary of State is satisfied that the person is failing to comply with the supplementary code to which the note relates when providing one or more of the digital verification services recorded in the note,

(c)

the Secretary of State is satisfied that the person has failed to provide the Secretary of State with information in accordance with a notice under section 51, or

(d)

the Secretary of State considers that it is necessary to do so in the interests of national security.

(2)

Before removing a person from the DVS register under this section the Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3)

The notice must—

(a)

state the name and address of the person,

(b)

state the reason why the Secretary of State—

(i)

is satisfied that the person is failing or has failed as mentioned in subsection (1)(a) to (c), or

(ii)

considers that it is necessary to remove the person from the DVS register in the interests of national security,

(c)

state whether the Secretary of State intends to specify a period in the notice under subsection (8) and, if so, what period is intended to be specified,

(d)

state that the person may make written representations to the Secretary of State about—

(i)

the Secretary of State’s intention to remove the person from the DVS register, and

(ii)

where relevant, the period the Secretary of State intends to specify in the notice under subsection (8), and

(e)

specify the period within which such representations may be made.

(4)

The requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(ii) would be contrary to the interests of national security.

(5)

The period specified for making written representations must be a period of not less than 21 days beginning with the day on which the notice is given.

(6)

If the Secretary of State considers that it is appropriate for the person to have an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a)

state that the person may make such representations, and

(b)

specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

(7)

When deciding whether to remove the person from the DVS register under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8)

Where the Secretary of State removes the person from the DVS register under this section, the Secretary of State must by written notice inform the person of that.

(9)

The Secretary of State may, in the notice given under subsection (8), state that any application for re-registration made by the person during a period specified in the notice will be refused.

(10)

If the person applies to be re-registered during the period specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11)

The period specified in the notice in reliance on subsection (9) must begin with the day on which the notice is given and must not exceed two years.

42Duty to remove services from the DVS register

(1)

Where a person is registered in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a)

asks for the register to be amended so that the person is no longer registered in respect of one or more of those services,

(b)

ceases to provide one or more of those services (but not all of them), or

(c)

no longer holds a certificate from an accredited conformity assessment body certifying that all of those services are provided in accordance with the DVS trust framework.

(2)

The Secretary of State must amend the register to record that the person is no longer registered in respect of (as the case may be)—

(a)

the service or services mentioned in a request described in subsection (1)(a),

(b)

the service or services which the person has ceased to provide, or

(c)

the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

43Duty to remove supplementary notes from the DVS register

(1)

The Secretary of State must remove a supplementary note included in the entry in the DVS register relating to a person if—

(a)

the person asks for the note to be removed,

(b)

the person ceases to provide all of the digital verification services to which the note relates,

(c)

the person no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the supplementary code to which the note relates, or

(d)

the supplementary code to which the note relates has been withdrawn.

(2)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

44Duty to remove services from supplementary notes

(1)

Where a person has a supplementary note included in their entry in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a)

asks for the note to be amended so that it no longer records one or more of those services,

(b)

ceases to provide one or more of the services recorded in the note (but not all of them), or

(c)

no longer holds a certificate from an accredited conformity assessment body certifying that all of the services included in the note are provided in accordance with a supplementary code.

(2)

The Secretary of State must amend the supplementary note so it no longer records (as the case may be)—

(a)

the service or services mentioned in a request described in subsection (1)(a),

(b)

the service or services which the person has ceased to provide, or

(c)

the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

Information gateway

45Power of public authority to disclose information to registered person

(1)

This section applies where—

(a)

a person is registered in the DVS register, and

(b)

an individual makes a request to the person for the provision of digital verification services in respect of which the person is registered.

(2)

A public authority may disclose to the person information relating to the individual for the purpose of enabling the person to provide the digital verification services for the individual.

(3)

A disclosure of information under this section does not breach—

(a)

any obligation of confidence owed by the public authority making the disclosure, or

(b)

any other restriction on the disclosure of information (however imposed).

(4)

But this section does not authorise a disclosure of information which—

(a)

would contravene the data protection legislation (but in determining whether a disclosure would do so, the power conferred by this section is to be taken into account), or

(b)

is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(5)

This section does not authorise a public authority to disclose information obtained by the authority otherwise than in connection with the exercise by the authority of functions of a public nature.

(6)

This section does not affect a power to disclose information that exists apart from this section.

(7)

A public authority may charge a person fees in respect of the disclosure to the person of information under this section.

(8)

In this section—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

public authority” means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature.

Annotations:
Commencement Information

I37S. 45 not in force at Royal Assent, see s. 142(1)

46Information disclosed by the Revenue and Customs

(1)

This section applies where the Revenue and Customs disclose personal information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the purpose of providing digital verification services for the individual, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(3)

Any other person who receives the information, whether directly or indirectly from the person to whom the Revenue and Customs disclose the information, must not further disclose the information, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(4)

If a person discloses information in contravention of this section, section 19 of the Commissioners for Revenue and Customs Act 2005 (offence of wrongful disclosure) applies in relation to that disclosure as it applies in relation to a disclosure of information in contravention of section 20(9) of that Act.

(5)

In this section—

personal information” means information relating to a person whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it;

the Revenue and Customs” has the meaning given by section 17(3) of the Commissioners for Revenue and Customs Act 2005.

Annotations:
Commencement Information

I38S. 46 not in force at Royal Assent, see s. 142(1)

47Information disclosed by the Welsh Revenue Authority

(1)

This section applies where the Welsh Revenue Authority discloses personal information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the purpose of providing digital verification services for the individual, except with the consent of the Welsh Revenue Authority.

(3)

Any other person who receives the information, whether directly or indirectly from the person to whom the Welsh Revenue Authority discloses the information, must not further disclose the information, except with the consent of the Welsh Revenue Authority.

(4)

A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5)

It is a defence for a person charged with an offence under subsection (4) to prove that the person reasonably believed—

(a)

that the disclosure was lawful, or

(b)

that the information had already lawfully been made available to the public.

(6)

A person who commits an offence under subsection (4) is liable—

(a)

on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)

on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)

on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)

on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

(7)

In this section, “personal information” means information relating to a person whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it.

Annotations:
Commencement Information

I39S. 47 not in force at Royal Assent, see s. 142(1)

48Information disclosed by Revenue Scotland

(1)

This section applies where Revenue Scotland discloses personal information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the purpose of providing digital verification services for the individual, except with the consent of Revenue Scotland.

(3)

Any other person who receives the information, whether directly or indirectly from the person to whom Revenue Scotland discloses the information, must not further disclose the information, except with the consent of Revenue Scotland.

(4)

A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5)

It is a defence for a person charged with an offence under subsection (4) to prove that the person reasonably believed—

(a)

that the disclosure was lawful, or

(b)

that the information had already lawfully been made available to the public.

(6)

A person who commits an offence under subsection (4) is liable—

(a)

on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)

on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)

on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)

on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

(7)

In this section, “personal information” means information relating to a person whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it.

Annotations:
Commencement Information

I40S. 48 not in force at Royal Assent, see s. 142(1)

49Code of practice about the disclosure of information

(1)

The Secretary of State must prepare and publish a code of practice about the disclosure of information under section 45.

(2)

The code of practice must be consistent with the code of practice prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act (as altered or replaced from time to time).

(3)

A public authority must have regard to the code of practice in disclosing information under section 45.

(4)

The Secretary of State may from time to time revise and republish the code of practice.

(5)

In preparing or revising the code of practice, the Secretary of State must consult—

(a)

the Information Commissioner,

(b)

the Welsh Ministers,

(c)

the Scottish Ministers,

(d)

the Department of Finance in Northern Ireland, and

(e)

such other persons as the Secretary of State considers appropriate.

(6)

The requirement in subsection (5) may be satisfied by consultation undertaken before the coming into force of this section.

(7)

The Secretary of State may not publish the first version of the code of practice unless a draft of the code has been laid before, and approved by a resolution of, each House of Parliament.

(8)

The Secretary of State may not republish the code of practice following its revision unless—

(a)

a draft of the code as revised has been laid before each House of Parliament, and

(b)

the 40-day period has expired without either House of Parliament resolving not to approve the draft.

(9)

The 40-day period” means—

(a)

the period of 40 days beginning with the day on which the draft is laid before Parliament, or

(b)

if the draft is not laid before each House on the same day, the period of 40 days beginning with the later of the days on which it is laid before Parliament.

(10)

In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.

(11)

In this section, “public authority” means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature.

Trust mark

50Trust mark for use by registered persons

(1)

The Secretary of State may designate a mark for use in the course of providing, or offering to provide, digital verification services.

(2)

A mark designated under this section must be published by the Secretary of State.

(3)

A mark designated under this section may not be used by a person in the course of providing, or offering to provide, digital verification services unless the person is registered in the DVS register in respect of those digital verification services.

(4)

The Secretary of State may enforce subsection (3) in civil proceedings for an injunction or, in Scotland, an interdict.

Supplementary

51Power of Secretary of State to require information

(1)

The Secretary of State may by written notice require—

(a)

an accredited conformity assessment body, or

(b)

a person registered in the DVS register,

to provide the Secretary of State with information that the Secretary of State reasonably requires for the purposes of the exercise of the Secretary of State’s functions under this Part.

(2)

A notice under this section must state why the information is required for the purposes of the exercise of those functions.

(3)

A notice under this section—

(a)

may specify or describe particular information or a category of information;

(b)

may specify the form in which the information must be provided;

(c)

may specify the time at which, or the period within which, the information must be provided;

(d)

may specify the place where the information must be provided.

(4)

A notice under this section that is given to a person registered in the DVS register must provide information about the consequences under section 41 of failure to comply with the notice.

(5)

The Secretary of State may cancel a notice under this section by notice to the person to whom it was given.

(6)

A disclosure of information required by a notice under this section does not breach—

(a)

any obligation of confidence owed by the person making the disclosure, or

(b)

any other restriction on the disclosure of information (however imposed).

(7)

But a notice under this section does not require a disclosure of information if the disclosure—

(a)

would contravene section 46, 47 or 48,

(b)

would contravene the data protection legislation (but in determining whether a disclosure would do so, the duty imposed by the notice is to be taken into account), or

(c)

is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(8)

A notice under this section does not require a person to provide the Secretary of State with information in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under this Part.

(9)

In subsection (8), references to the client of a professional legal adviser include references to a person acting on behalf of the client.

(10)

A notice under this section does not require a person to provide the Secretary of State with information if doing so would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(11)

The reference to an offence in subsection (10) does not include an offence under—

(a)

section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);

(b)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);

(c)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(12)

In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act).

52Arrangements for third party to exercise functions

(1)

The Secretary of State may make arrangements for a person prescribed by regulations under this section to exercise a relevant function of the Secretary of State (and, where arrangements are made, references in this Part, or in regulations made under this Part, to the Secretary of State are to be read accordingly).

(2)

Arrangements under this section may—

(a)

provide for the Secretary of State to make payments to the person, and

(b)

make provision as to the circumstances in which any such payments are to be repaid to the Secretary of State.

(3)

Regulations under this section are subject to the affirmative resolution procedure.

(4)

In this section, “relevant function” means a function of the Secretary of State conferred by or under this Part (including the function of charging or recovering fees under regulations under section 39) other than a power to make regulations.

(5)

If a person exercises the function of charging or recovering fees by virtue of arrangements under this section, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise.

Annotations:
Commencement Information

I47S. 52 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I48S. 52 in force at 1.12.2025 in so far as not already in force by S.I. 2025/1213, reg. 2

53Report on the operation of this Part

(1)

The Secretary of State must prepare and publish reports on the operation of this Part.

(2)

The first report must be published within the period of 12 months beginning with the day on which section 28 comes into force.

(3)

The reports must be published not more than 12 months apart.

54Index of defined terms for this Part

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

Term

Provision

accredited conformity assessment body

section
33
(6)

digital verification services

section
27
(2)

the DVS register

section
32
(2)

the DVS trust framework

section
28
(1)

supplementary code

section
29
(2)

supplementary note

section
36
(6)

55Powers relating to verification of identity or status

(1)

In section 15 of the Immigration, Asylum and Nationality Act 2006 (penalty for employing a person subject to immigration control), after subsection (7) insert—

“(8)

An order under subsection (3) containing provision described in subsection (7)(a), (b) or (c) may, in particular—

(a)

specify a document generated by a DVS-registered person or a DVS-registered person of a specified description;

(b)

specify a document which was provided to such a person in order to generate such a document;

(c)

specify steps involving the use of services provided by such a person.

(9)

In subsection (8), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2025 (“the DVS register”).

(10)

An order under subsection (3) which specifies a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to specified services (see section 36 of the Data (Use and Access) Act 2025).”

(2)

In section 34 of the Immigration Act 2014 (requirements which may be prescribed for the purposes of provisions about occupying premises under a residential tenancy agreement)—

(a)

in subsection (1)—

(i)

in paragraph (a), after “occupiers” insert “, a DVS-registered person or a DVS-registered person of a prescribed description”,

(ii)

in paragraph (b), after “occupiers” insert “, a DVS-registered person or a DVS-registered person of a prescribed description”, and

(iii)

in paragraph (c), at the end insert “, including steps involving the use of services provided by a DVS-registered person or a DVS-registered person of a prescribed description”, and

(b)

after that subsection insert—

“(1A)

An order prescribing requirements for the purposes of this Chapter which contains provision described in subsection (1)(a) or (b) may, in particular—

(a)

prescribe a document generated by a DVS-registered person or a DVS-registered person of a prescribed description;

(b)

prescribe a document which was provided to such a person in order to generate such a document.

(1B)

In subsections (1) and (1A), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2025 (“the DVS register”).

(1C)

An order prescribing requirements for the purposes of this Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2025).”

(3)

In Schedule 6 to the Immigration Act 2016 (illegal working compliance orders etc), after paragraph 5 insert—

“Prescribed checks and documents

5A

(1)

Regulations under paragraph 5(6)(b) or (c) may, in particular—

(a)

prescribe checks carried out using services provided by a DVS-registered person or a DVS-registered person of a prescribed description;

(b)

prescribe documents generated by such a person;

(c)

prescribe documents which were provided to such a person in order to generate such documents.

(2)

In sub-paragraph (1), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2025 (“the DVS register”).

(3)

Regulations under paragraph 5(6)(b) or (c) which prescribe a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2025).”

Annotations:
Commencement Information

I53S. 55 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I54S. 55 in force at 1.12.2025 in so far as not already in force by S.I. 2025/1213, reg. 2