Legislation – Data (Use and Access) Act 2025
Changes to legislation:
There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Cross Heading: Information Commissioner’s role.
Part 5 Data protection and privacy
Chapter 1 Data protection
Information Commissioner’s role
91 Duties of the Commissioner in carrying out functions
(1)
The 2018 Act is amended in accordance with subsections (2) to (4).
(2)
Omit section 2(2) (duty of Commissioner when carrying out functions).
(3)
“Duties in carrying out functions
120A Principal objective
It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—
(a)
to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and
(b)
to promote public trust and confidence in the processing of personal data.
120B Duties in relation to functions under the data protection legislation
In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—
(a)
the desirability of promoting innovation;
(b)
the desirability of promoting competition;
(c)
the importance of the prevention, investigation, detection and prosecution of criminal offences;
(d)
the need to safeguard public security and national security;
(e)
the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
120C Strategy
(1)
The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—
(a)
sections 120A and 120B,
(b)
section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and
(c)
section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).
(2)
The Commissioner must—
(a)
review the strategy from time to time, and
(b)
revise the strategy as appropriate.
(3)
The Commissioner must publish the strategy and any revised strategy.
120D Duty to consult other regulators
(1)
The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.
(2)
The persons are—
(a)
such persons exercising regulatory functions as the Commissioner considers appropriate;
(b)
such other persons as the Commissioner considers appropriate.
(3)
In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.”
(4)
“(1A)
In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)—
(a)
a review of what the Commissioner has done during the reporting period to comply with the duties under—
(i)
sections 120A and 120B,
(ii)
section 108 of the Deregulation Act 2015, and
(iii)
section 21 of the Legislative and Regulatory Reform Act 2006,
including a review of the operation of the strategy prepared and published under section 120C;
(b)
a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D.
(1B)
In subsection (1A), “the reporting period” means the period to which the report relates.”
(5)
The Information Commissioner must prepare and publish a strategy in accordance with section 120C of the 2018 Act before the end of the period of 18 months beginning with the day on which this section comes into force.
92 Codes of practice for the processing of personal data
(1)
The 2018 Act is amended in accordance with subsections (2) to (6).
(2)
“124A Other codes of practice
(1)
The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.
(2)
Regulations under this section—
(a)
must describe the personal data or processing to which the code of practice is to relate, and
(b)
may describe the persons or classes of person to whom it is to relate.
(3)
Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.
(4)
Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—
(a)
trade associations;
(b)
data subjects;
(c)
persons who appear to the Commissioner to represent the interests of data subjects.
(5)
A code under this section may include transitional provision or savings.
(6)
Regulations under this section are subject to the negative resolution procedure.
(7)
In this section—
“good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;
“trade association” includes a body representing controllers or processors.”
(3)
In section 125 (approval of codes prepared under sections 121 to 124)—
(a)
in the heading, for “124” substitute “124A”,
(b)
in subsection (1), for “or 124” substitute “, 124 or 124A”,
(c)
in subsection (3), for “or 124” substitute “, 124 or 124A”,
(d)
“(5)
If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.”, and
(e)
in subsection (9), for “or 124” substitute “, 124 or 124A”.
(4)
In section 126 (publication and review of codes issued under section 125(4)), in subsection (4), for “or 124(2)” substitute “, 124(2) or 124A(3)”.
(5)
Omit section 128 (other codes of practice).
(6)
In section 129 (consensual audits), in subsection (3), for “128” substitute “124A”.
(7)
In section 19AC of the Registration Service Act 1953 (code of practice), in subsection (11), for “128” substitute “124A”.
(8)
In the Statistics and Registration Service Act 2007—
(a)
in section 45 (information held by HMRC), in subsection (4A), for “128” substitute “124A”,
(b)
in section 45A (information held by other public authorities), in subsection (8), for “128” substitute “124A”,
(c)
in section 45E (further provisions about powers in sections 45B, 45C and 45D), in subsection (16), for “128” substitute “124A”, and
(d)
in section 53A (disclosure by the Board to devolved administrations), in subsection (9), for “128” substitute “124A”.
(9)
In the Digital Economy Act 2017—
(a)
in section 43 (code of practice), in subsection (13), for “128” substitute “124A”,
(b)
in section 52 (code of practice), in subsection (13), for “128” substitute “124A”,
(c)
in section 60 (code of practice), in subsection (13), for “128” substitute “124A”, and
(d)
in section 70 (code of practice), in subsection (15), for “128” substitute “124A”.
93 Codes of practice: panels and impact assessments
“124B Panels to consider codes of practice
(1)
This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11).
(2)
The Commissioner must establish a panel of individuals to consider the code.
(3)
The panel must consist of—
(a)
individuals the Commissioner considers have expertise in the subject matter of the code, and
(b)
individuals the Commissioner considers—
(i)
are likely to be affected by the code, or
(ii)
represent persons likely to be affected by the code.
(4)
Before the panel begins to consider the code, the Commissioner must—
(a)
publish the code in draft, and
(b)
publish a statement that—
(i)
states that a panel has been established to consider the code,
(ii)
identifies the members of the panel,
(iii)
explains the process by which they were selected, and
(iv)
explains the reasons for their selection.
(5)
Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.
(6)
Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that—
(a)
identifies the member of the panel,
(b)
explains the process by which the member was selected, and
(c)
explains the reasons for the member’s selection.
(7)
The Commissioner must make arrangements—
(a)
for the members of the panel to consider the code with one another (whether in person or otherwise), and
(b)
for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner.
(8)
If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—
(a)
make any alterations to the code that the Commissioner considers appropriate in the light of the report, and
(b)
publish—
(i)
the code in draft,
(ii)
the report or a summary of it, and
(iii)
in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.
(9)
The Commissioner may pay remuneration and expenses to the members of the panel.
(10)
This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11).
(11)
The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of—
(a)
a code prepared under section 124A, or
(b)
an amendment of such a code,
that is specified or described in the regulations.
(12)
Regulations under this section are subject to the negative resolution procedure.
124C Impact assessments for codes of practice
(1)
Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of—
(a)
who would be likely to be affected by the code, and
(b)
the effect the code would be likely to have on them.
(2)
This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.”
94 Manifestly unfounded or excessive requests to the Commissioner
(1)
The 2018 Act is amended in accordance with subsections (2) and (3).
(2)
In section 135 (manifestly unfounded or excessive requests made to the Commissioner)—
(a)
“A1
This section makes provision about cases in which a request made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is manifestly unfounded or excessive.”,
(b)
in subsection (1) omit the words from the beginning to “excessive,”,
(c)
“(1A)
In subsection (1)—
(a)
the reference in paragraph (a) to charging a reasonable fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and
(b)
paragraph (b) is not to be read as implying anything about whether the Commissioner may refuse to act on requests that are neither manifestly unfounded nor excessive.”,
(d)
in subsection (3), for “(1)” substitute “(A1)”,
(e)
omit subsection (4), and
(f)
“(5)
Article 57(3) of the UK GDPR (performance of Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.”
(3)
In section 136(1) (guidance about fees), omit paragraph (b) and the “or” before it.
(4)
In Article 57 of the UK GDPR (Commissioner’s tasks), omit paragraph 4.
95 Analysis of performance
“139A Analysis of performance
(1)
The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators.
(2)
The analysis must be prepared and published at least annually.
(3)
In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.
Documents and notices”.
96 Notices from the Commissioner
(1)
The 2018 Act is amended in accordance with subsections (2) and (3).
(2)
Omit section 141 (notices from the Commissioner).
(3)
“141A Notices from the Commissioner
(1)
This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.
(2)
The notice may be given to the person by—
(a)
delivering it by hand to a relevant individual,
(b)
leaving it at the person’s proper address,
(c)
sending it by post to the person at that address, or
(d)
sending it by email to the person’s email address.
(3)
A “relevant individual” means—
(a)
in the case of a notice to an individual, that individual;
(b)
in the case of a notice to a body corporate (other than a partnership), an officer of that body;
(c)
in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business;
(d)
in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body.
(4)
For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—
(a)
in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;
(b)
in any other case, the address determined in accordance with subsection (5).
(5)
The address is—
(a)
in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b)
in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c)
in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.
(6)
A person’s email address is—
(a)
an email address published for the time being by that person as an address for contacting that person, or
(b)
if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.
(7)
A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.
(8)
In this section, “officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body.
(9)
This section does not limit other lawful means of giving a notice.”
(4)
In Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers), in paragraph 1(b), for “141” substitute “141A”.