Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Part 7. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Part 7Other provision about use of, or access to, data

Information standards for health and social care

121Information standards for health and adult social care in England

Schedule 15 makes provision about information standards for health and adult social care in England (under Part 9 of the Health and Social Care Act 2012) and information technology.

Smart meter communication services

122Grant of smart meter communication licences

Schedule 16 makes provision in connection with the grant of smart meter communication licences.

Annotations:
Commencement Information

I3S. 122 in force at Royal Assent for specified purposes, see s. 142(2)(c)(4)

Information to improve public service delivery

123Disclosure of information to improve public service delivery to undertakings

(1)

Section 35 of the Digital Economy Act 2017 (disclosure of information to improve public service delivery) is amended as follows.

(2)

In subsection (9)—

(a)

in paragraph (a), for “or households” substitute “, households or undertakings”, and

(b)

in paragraph (b), for “or households” substitute “, households or undertakings”.

(3)

In subsection (10)—

(a)

the words after “its purpose” become paragraph (a), and

(b)

at the end of that paragraph, insert “, or

(b)

the assisting of undertakings in connection with any trade, business or charitable purpose.”

(4)

After subsection (12) insert—

“(13)

In this section “undertaking” means—

(a)

any person, other than a public authority, carrying on a trade or business, whether or not with a view to profit, or

(b)

any body, or the trustees of a trust, established for charitable purposes only.

(14)

In this section, in so far as it forms part of the law of Scotland or Northern Ireland, “charitable purpose” has the same meaning as it has in the law of England and Wales (see section 2 of the Charities Act 2011).”

Annotations:
Commencement Information

I4S. 123 not in force at Royal Assent, see s. 142(1)

Retention of information by providers of internet services

124Retention of information by providers of internet services in connection with death of child

(1)

The Online Safety Act 2023 is amended as follows.

(2)

In section 100 (power to require information)—

(a)

omit subsection (7);

(b)

after subsection (8) insert—

“(8A)

The power to give a notice conferred by subsection (1) does not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”

(3)

In section 101 (information in connection with investigation into death of child)—

(a)

before subsection (1) insert—

“A1

Subsection (C1) applies if a senior coroner (in England and Wales), a procurator fiscal (in Scotland) or a coroner (in Northern Ireland) (“the investigating authority”)—

(a)

notifies OFCOM that they are conducting an investigation in connection with the death of a child, and

(b)

provides OFCOM with the details in subsection (B1).

B1

The details are—

(a)

the name of the child who has died,

(b)

the child’s date of birth,

(c)

any email addresses used by the child (so far as the investigating authority knows), and

(d)

if any regulated service has been brought to the attention of the investigating authority as being of interest in connection with the child’s death, the name of the service.

C1

Where this subsection applies, OFCOM—

(a)

must give a notice to the provider of a service within subsection (E1) requiring the provider to ensure the retention of information relating to the use of the service by the child who has died, and

(b)

may give a notice to any other relevant person requiring the person to ensure the retention of information relating to the use of a service within subsection (E1) by that child.

D1

The references in subsection (C1) to ensuring the retention of information relating to the child’s use of a service include taking all reasonable steps, without delay, to prevent the deletion of such information by the routine operation of systems or processes.

E1

A service is within this subsection if it is—

(a)

a regulated service of a kind described in regulations made by the Secretary of State, or

(b)

a regulated service notified to OFCOM by the investigating authority as described in subsection (B1)(d).

F1

A notice under subsection (C1) may require information described in that subsection to be retained only if it is information—

(a)

of a kind which OFCOM have power to require under a notice under subsection (1) (see, in particular, subsection (2)(a) to (d)), or

(b)

which a person might need to retain to enable the person to provide information in response to a notice under subsection (1) (if such a notice were given).

G1

OFCOM must share with the investigating authority any information they receive in response to requirements mentioned in section 102(5A)(d) that are included in a notice under subsection (C1).”;

(b)

in subsection (3), for “power conferred by subsection (1) includes” substitute “powers conferred by this section include”;

(c)

after subsection (5) insert—

“(5A)

The powers to give a notice conferred by this section do not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”

(4)

In section 102 (information notices)—

(a)

in subsection (1), for “101(1)” substitute “101(C1) or (1)”;

(b)

in subsection (3)—

(i)

after “information notice” insert “under section 100(1) or 101(1)”;

(ii)

omit the “and” at the end of paragraph (c);

(iii)

after paragraph (c) insert—

“(ca)

specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals), and”;

(c)

omit subsection (4);

(d)

after subsection (5) insert—

“(5A)

An information notice under section 101(C1) must—

(a)

specify or describe the information to be retained,

(b)

specify why OFCOM require the information to be retained,

(c)

require the information to be retained for the period of one year beginning with the date of the notice,

(d)

require the person to whom the notice is given—

(i)

if the child to whom the notice relates used the service in question, to notify OFCOM by a specified date of steps taken to ensure the retention of information;

(ii)

if the child did not use the service, or the person does not hold any information of the kind required, to notify OFCOM of that fact by a specified date, and

(e)

contain information about the consequences of not complying with the notice.

(5B)

If OFCOM give an information notice to a person under section 101(C1), they may, in response to information received from the investigating authority, extend the period for which the person is required to retain information by a maximum period of six months.

(5C)

The power conferred by subsection (5B) is exercisable—

(a)

by giving the person a notice varying the notice under section 101(C1) and stating the further period for which information must be retained and the reason for the extension;

(b)

any number of times.”;

(e)

after subsection (9) insert—

“(9A)

OFCOM must cancel an information notice under section 101(C1) by notice to the person to whom it was given if advised by the investigating authority that the information in question no longer needs to be retained.”;

(f)

in subsection (10), after the definition of “information” insert—

““the investigating authority” has the same meaning as in section 101;”.

(5)

In section 109 (offences in connection with information notices)—

(a)

in subsection (2)(b), for “all reasonable steps” substitute “all of the steps that it was reasonable, and reasonably practicable, to take”;

(b)

after subsection (6) insert—

“(6A)

A person who is given an information notice under section 101(C1) commits an offence if—

(a)

the person deletes or alters, or causes or permits the deletion or alteration of, any information required by the notice to be retained, and

(b)

the person’s intention was to prevent the information being available, or (as the case may be) to prevent it being available in unaltered form, for the purposes of any official investigation into the death of the child to whom the notice relates.

(6B)

For the purposes of subsection (6A) information has been deleted if it is irrecoverable (however that occurred).”

(6)

In section 110 (senior managers’ liability: information offences)—

(a)

after subsection (6) insert—

“(6A)

An individual named as a senior manager of an entity commits an offence if—

(a)

the entity commits an offence under section 109(6A) (deletion etc of information), and

(b)

the individual has failed to take all reasonable steps to prevent that offence being committed.”;

(b)

in subsection (7), for “or (6)” substitute “, (6) or (6A)”.

(7)

In section 113 (penalties for information offences), in subsection (2)—

(a)

for “(4) or (5)” substitute “(4), (5) or (6A)”;

(b)

for “(5) or (6)” substitute “(5), (6) or (6A)”.

(8)

In section 114 (co-operation and disclosure of information: overseas regulators), in subsection (7), omit the definition of “the data protection legislation”.

(9)

In section 225 (Parliamentary procedure for regulations), in subsection (10), after paragraph (c) insert—

“(ca)

regulations under section 101(E1)(a),”.

(10)

In section 236(1) (interpretation)—

(a)

after the definition of “country” insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);”;

(b)

in the definition of “information notice”, for “101(1)” substitute “101(C1) or (1)”.

(11)

In section 237 (index of defined terms), after the entry for “CSEA content” insert—

“the data protection legislation

section 236”.
Annotations:
Commencement Information

I5S. 124 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I6S. 124 in force at 30.9.2025 in so far as not already in force by S.I. 2025/982, reg. 2

Information for research about online safety matters

125Information for research about online safety matters

(1)

The Online Safety Act 2023 is amended in accordance with subsections (2) to (4).

(2)

After section 154 insert—

“154AInformation for research about online safety matters

(1)

The Secretary of State may by regulations require providers of regulated services to provide information for purposes related to the carrying out of independent research into online safety matters.

(2)

Regulations under this section may (for example) provide for—

(a)

the making of applications by persons seeking information;

(b)

the procedure to be followed in the making and determination of applications;

(c)

the grounds on which applications are to be determined;

(d)

the imposition of requirements described in subsection (1) to be effected by means of notices given to providers of regulated services (“researcher access notices”);

(e)

the contents of researcher access notices;

(f)

the procedure to be followed in the giving of researcher access notices;

(g)

the form in which, and the means by which, information is to be provided;

(h)

the safeguards to be applied in respect of the handling of information;

(i)

the charging of fees payable by applicants for information under the regulations and by providers of regulated services;

(j)

the enforcement of requirements imposed by the regulations;

(k)

appeals in respect of decisions taken under the regulations.

(3)

Provision about enforcement under subsection (2)(j) may include provision—

(a)

about investigations (including the making of reports);

(b)

conferring powers of entry, inspection and audit;

(c)

imposing monetary penalties;

(d)

creating offences, but such provision may not impose a penalty for an offence that is greater than a penalty of any of the descriptions mentioned in section 113.

(4)

Regulations under this section—

(a)

may authorise or require anything that is to be done under, or for the purposes of, the regulations to be done by an appropriate person;

(b)

may confer a discretion on an appropriate person for the purposes of provision under paragraph (a);

(c)

may apply (with or without modifications) other provisions of this Act.

(5)

Regulations under this section may apply generally or only in relation to specified descriptions of—

(a)

regulated services;

(b)

persons carrying out independent research;

(c)

research into online safety matters or the purposes of such research;

(d)

information,

and provision made by virtue of section 224(1) in connection with this section may, in particular, make different provision for different descriptions of services, researchers, research or information.

(6)

Regulations under this section may not require—

(a)

processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed under the regulations to provide information is to be taken into account);

(b)

provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.

(7)

Before making regulations under this section the Secretary of State must consult—

(a)

OFCOM,

(b)

the Information Commissioner,

(c)

persons who appear to the Secretary of State to represent providers of regulated services,

(d)

persons who appear to the Secretary of State to represent the interests of persons carrying out independent research into online safety matters, and

(e)

such other persons as the Secretary of State considers appropriate.

(8)

For the purposes of this section—

(a)

“independent research” is research carried out other than on behalf of a provider of a regulated service;

(b)

references to an “appropriate person” are references to—

(i)

OFCOM, or

(ii)

such other person as the Secretary of State considers appropriate to carry out functions under regulations made under this section (and the regulations may include provision establishing a body for this purpose).”

(3)

In section 162 (OFCOM’s report about researchers’ access to information), omit subsections (7) to (10).

(4)

In section 225 (Parliamentary procedure for regulations), for subsections (8) and (9) substitute—

“(8)

A statutory instrument containing (whether alone or with other provision) the first regulations under the following provisions may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament—

(a)

section 154A(1);

(b)

paragraph 1(1) of Schedule 11.

(9)

Any other statutory instrument containing regulations under a provision mentioned in subsection (8) is subject to annulment in pursuance of a resolution of either House of Parliament.”

(5)

The requirement to consult under section 154A(7) of the Online Safety Act 2023 (as inserted by subsection (2) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.

Annotations:
Commencement Information

I7S. 125 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I8S. 125 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(s)

Retention of biometric data

126Retention of biometric data and recordable offences

(1)

Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (10).

(2)

In section 18A(3) (retention of material: general), after “recordable offence” insert “or recordable-equivalent offence”.

(3)

Section 18E (supplementary provision) is amended in accordance with subsections (4) to (10).

(4)

In subsection (1), after the definition of “recordable offence” insert—

““recordable-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a recordable offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted);”.

(5)

In subsection (3), in the words before paragraph (a), after “offence” insert “in England and Wales or Northern Ireland”.

(6)

After subsection (5) insert—

“(5A)

For the purposes of section 18A, a person is to be treated as having been convicted of an offence in a country or territory outside England and Wales and Northern Ireland if, in respect of such an offence, a court exercising jurisdiction under the law of that country or territory has made a finding equivalent to—

(a)

a finding that the person is not guilty by reason of insanity, or

(b)

a finding that the person is under a disability and did the act charged against the person in respect of the offence.”

(7)

In subsection (6)(a)—

(a)

after “convicted” insert “—

(i)”, and

(b)

after “offence,” insert “or

(ii)

in a country or territory outside England and Wales and Northern Ireland, of a recordable-equivalent offence,”.

(8)

In subsection (6)(b)—

(a)

omit “of a recordable offence”, and

(b)

for “a recordable offence, other than a qualifying offence” substitute “an offence, other than a qualifying offence or qualifying-equivalent offence”.

(9)

In subsection (7), for “subsection (6)” substitute “this section”.

(10)

After subsection (7) insert—

“(7A)

In subsection (6), “qualifying-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a qualifying offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted).”

(11)

The amendments made by this section apply only in connection with the retention of section 18 material that is or was obtained or acquired by a law enforcement authority—

(a)

on or after the commencement day, or

(b)

in the period of 3 years ending immediately before the commencement day.

(12)

Subsection (13) of this section applies where—

(a)

at the beginning of the commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day,

(b)

at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, and

(c)

at the pre-commencement time, the law enforcement authority could have retained the material under section 18A of the Counter-Terrorism Act 2008, as it has effect taking account of the amendments made by subsections (2) to (10) of this section, if those amendments had been in force.

(13)

Where this subsection applies—

(a)

the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but

(b)

the material may not be used in evidence against the person to whom the material relates—

(i)

in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii)

in criminal proceedings in any other country or territory.

(14)

In this section—

the commencement day” means the day on which this Act is passed;

law enforcement authority” has the meaning given by section 18E(1) of the Counter-Terrorism Act 2008;

section 18 material” has the meaning given by section 18(2) of that Act.

(15)

For the purposes of this section, proceedings in relation to an offence are instituted—

(a)

in England and Wales, when they are instituted for the purposes of Part 1 of the Prosecution of Offences Act 1985 (see section 15(2) of that Act);

(b)

in Northern Ireland, when they are instituted for the purposes of Part 2 of the Justice (Northern Ireland) Act 2002 (see section 44(1) and (2) of that Act);

(c)

in Scotland, when they are instituted for the purposes of Part 3 of the Proceeds of Crime Act 2002 (see section 151(1) and (2) of that Act).

Annotations:
Commencement Information

I9S. 126 in force at Royal Assent, see s. 142(2)(d)

127Retention of pseudonymised biometric data

(1)

Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (6).

(2)

Section 18A (retention of material: general) is amended in accordance with subsections (3) to (5).

(3)

In subsection (1), for “subsection (5)” substitute “subsections (4) to (9)”.

(4)

In subsection (4)(a), after “relates” insert “(a “pseudonymised form”)”.

(5)

After subsection (6) insert—

“(7)

Section 18 material which is not a DNA sample may be retained indefinitely by a law enforcement authority if—

(a)

the authority obtains or acquires the material directly or indirectly from an overseas law enforcement authority,

(b)

the authority obtains or acquires the material in a form which includes information which identifies the person to whom the material relates,

(c)

as soon as reasonably practicable after obtaining or acquiring the material, the authority takes the steps necessary for it to hold the material in a pseudonymised form, and

(d)

having taken those steps, the law enforcement authority continues to hold the material in a pseudonymised form.

(8)

In a case where section 18 material is being retained by a law enforcement authority under subsection (7), if—

(a)

the law enforcement authority ceases to hold the material in a pseudonymised form, and

(b)

the material relates to a person who has no previous convictions or only one exempt conviction,

the material may be retained by the law enforcement authority until the end of the retention period specified in subsection (9).

(9)

The retention period is the period of 3 years beginning with the date on which the law enforcement authority first ceases to hold the material in a pseudonymised form.”

(6)

In section 18E(1) (supplementary provision)—

(a)

in the definition of “law enforcement authority”, for paragraph (d) substitute—

“(d)

an overseas law enforcement authority;”, and

(b)

after that definition insert—

““overseas law enforcement authority” means a person formed or existing under the law of a country or territory outside the United Kingdom so far as exercising functions which—

(a)

correspond to those of a police force, or

(b)

otherwise involve the investigation or prosecution of offences;”.

(7)

The amendments made by this section apply only in connection with the retention of section 18 material that is or was obtained or acquired by a law enforcement authority—

(a)

on or after the commencement day, or

(b)

in the period of 3 years ending immediately before the commencement day.

(8)

Subsections (9) to (12) of this section apply where, at the beginning of the commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day.

(9)

Where the law enforcement authority holds the material in a pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) and (d) of the Counter-Terrorism Act 2008 as having—

(a)

taken the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material, and

(b)

continued to hold the material in a pseudonymised form until the commencement day.

(10)

Where the law enforcement authority does not hold the material in a pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) of the Counter-Terrorism Act 2008 as taking the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material if it takes those steps on, or as soon as reasonably practicable after, the commencement day.

(11)

Subsection (12) of this section applies where, at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material but—

(a)

at the pre-commencement time, the law enforcement authority could have retained the material under section 18A(7) to (9) of the Counter-Terrorism Act 2008 (as inserted by this section) if those provisions had been in force, or

(b)

on or after the commencement day, the law enforcement authority may retain the material under those provisions by virtue of subsection (9) or (10) of this section.

(12)

Where this subsection applies—

(a)

the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but

(b)

the material may not be used in evidence against the person to whom the material relates—

(i)

in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii)

in criminal proceedings in any other country or territory.

(13)

In this section—

the commencement day”, “law enforcement authority” and “section 18 material” have the meaning given in section 126(14);

in a pseudonymised form” has the meaning given by section 18A(4) of the Counter-Terrorism Act 2008 (as amended by this section);

instituted”, in relation to proceedings, has the meaning given in section 126(15).

Annotations:
Commencement Information

I10S. 127 in force at Royal Assent, see s. 142(2)(e)

128Retention of biometric data from INTERPOL

(1)

Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (4).

(2)

In section 18(4) (destruction of national security material not subject to existing statutory restrictions), after “18A” insert “, 18AA”.

(3)

After section 18A insert—

“18AARetention of material from INTERPOL

(1)

This section applies to section 18 material which is not a DNA sample where the law enforcement authority obtained or acquired the material as part of a request for assistance, or a notification of a threat, sent to the United Kingdom via INTERPOL’s systems.

(2)

The law enforcement authority may retain the material until the National Central Bureau informs the authority that the request or notification has been cancelled or withdrawn.

(3)

If the law enforcement authority is the National Central Bureau, it may retain the material until it becomes aware that the request or notification has been cancelled or withdrawn.

(4)

In this section—

INTERPOL” means the organisation called the International Criminal Police Organization – INTERPOL;

the National Central Bureau” means the body appointed for the time being in accordance with INTERPOL’s constitution to serve as the United Kingdom’s National Central Bureau.

(5)

The reference in subsection (1) to material obtained or acquired as part of a request or notification includes material obtained or acquired as part of a communication, sent to the United Kingdom via INTERPOL’s systems, correcting, updating or otherwise supplementing the request or notification.

18ABRetention of material from INTERPOL: supplementary

(1)

The Secretary of State may by regulations amend section 18AA to make such changes as the Secretary of State considers appropriate in consequence of—

(a)

changes to the name of the organisation which, when section 18AA was enacted, was called the International Criminal Police Organization – INTERPOL (“the organisation”),

(b)

changes to arrangements made by the organisation which involve fingerprints or DNA profiles being provided to members of the organisation (whether changes to existing arrangements or changes putting in place new arrangements), or

(c)

changes to the organisation’s arrangements for liaison between the organisation and its members or between its members.

(2)

Regulations under this section are subject to affirmative resolution procedure.”

(4)

In section 18BA(5)(a) (retention of further fingerprints), after “18A” insert “, 18AA”.

(5)

Section 18AA of the Counter-Terrorism Act 2008 applies in relation to section 18 material obtained or acquired by a law enforcement authority before the commencement day (as well as material obtained or acquired on or after that day), except where the law enforcement authority was informed, or became aware, as described in subsection (2) or (3) of that section before the commencement day.

(6)

Subsection (7) of this section applies where—

(a)

at the beginning of the commencement day, a law enforcement authority has section 18 material,

(b)

at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, but

(c)

at the pre-commencement time, the law enforcement authority could have retained the material under section 18AA of that Act (as inserted by this section) if it had been in force.

(7)

Where this subsection applies—

(a)

the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but

(b)

the material may not be used in evidence against the person to whom the material relates—

(i)

in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii)

in criminal proceedings in any other country or territory.

(8)

In this section—

the commencement day”, “law enforcement authority” and “section 18 material” have the meaning given in section 126(14);

instituted”, in relation to proceedings, has the meaning given in section 126(15).

Annotations:
Commencement Information

I11S. 128 in force at Royal Assent, see s. 142(2)(f)

Trust services

129The eIDAS Regulation

In sections 130 to 134, “the eIDAS Regulation” means Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.

130Recognition of EU conformity assessment bodies

In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert—

“Article 24BRecognition of EU conformity assessment bodies

For the purposes of Articles 20(1), 21 and 24(1)(d), a body is to be treated as if it were a conformity assessment body in relation to a description of trust services provider (and trust service) if it is a conformity assessment body in relation to that description of provider (and service) for the purposes of the equivalent EU law.”

131Removal of recognition of EU standards etc

(1)

The Secretary of State may by regulations—

(a)

amend Article 24A of the eIDAS Regulation (recognition of EU standards etc for qualified trust services) so as to remove circumstances in which something is to be treated as qualified under that Regulation for the purposes of a provision or measure specified in paragraph 1 of that Article;

(b)

revoke that Article;

(c)

revoke Article 24B of the eIDAS Regulation (recognition of EU conformity assessment bodies);

(d)

revoke Article 51 of the eIDAS Regulation (transitional measures for electronic signatures);

(e)

amend a provision listed in subsection (3) so as to remove a reference to a trust service provider established in the EU;

(f)

amend a provision listed in subsection (4) so as to remove a reference to European standards or provisions of equivalent EU law.

(2)

The power under subsection (1)(a) includes power to amend or remove an assumption in Article 24A(2) of the eIDAS Regulation.

(3)

The provisions mentioned in subsection (1)(e) are—

(a)

Article 13(1) of the eIDAS Regulation;

(b)

Articles 2(1)(a) and 4(1)(a) of the Implementing Decision.

(4)

The provisions mentioned in subsection (1)(f) are—

(a)

Article 24(2)(b) of the eIDAS Regulation;

(b)

Articles 2(2)(c)(7) and 4(2)(c)(7) of the Implementing Decision.

(5)

Regulations under this section may—

(a)

include transitional provision or savings, and

(b)

make different provision for different purposes, including for the purposes of different provisions of the eIDAS Regulation.

(6)

Regulations under this section are subject to the negative resolution procedure.

(7)

In this section, “the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of the eIDAS Regulation.

Annotations:
Commencement Information

I16S. 131 not in force at Royal Assent, see s. 142(1)

132Recognition of overseas trust products

(1)

The eIDAS Regulation is amended as follows.

(2)

In Chapter 3 (trust services), after Article 45 insert—

“SECTION 9Recognition of overseas trust services

Article 45ALegal effects of overseas electronic signatures etc

1.

The Secretary of State may by regulations provide that, for the purposes of Articles 25(2), 35(2), 41(2) and 43(2), an overseas trust product of a specified description is to be treated as qualified.

2.

In this Article—

overseas”, in relation to a trust product, means provided by a person established in a country or territory outside the United Kingdom;

specified” means specified by regulations under this Article;

trust product” means an electronic signature, an electronic seal, an electronic time stamp or an electronic registered delivery service.

3.

The Secretary of State may not make regulations under this Article specifying a description of overseas trust product unless satisfied that the reliability of such a product is at least equivalent to the reliability of a comparable trust product that is qualified.

4.

When making regulations under this Article in relation to a description of overseas trust product, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of product and related trust services.

Article 45BOverseas signatures and seals in public service

1.

The Secretary of State may by regulations provide that an overseas electronic signature of a specified description is to be treated—

(a)

for the purposes of Article 27(1), as an advanced electronic signature that complies with the Implementing Decision;

(b)

for the purposes of Article 27(2), as an advanced electronic signature based on a qualified certificate for electronic signature, or a qualified signature, that complies with the Implementing Decision.

2.

The Secretary of State may by regulations provide that an overseas electronic seal of a specified description is to be treated—

(a)

for the purposes of Article 37(1), as an advanced electronic seal that complies with the Implementing Decision;

(b)

for the purposes of Article 37(2), as an advanced electronic seal based on a qualified certificate for electronic seal, or a qualified seal, that complies with the Implementing Decision.

3.

In this Article—

the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies;

overseas”, in relation to an electronic signature or electronic seal, means provided by a person established in a country or territory outside the United Kingdom;

specified” means specified by regulations made under this Article.

4.

The Secretary of State may not make regulations under point (a) or (b) of paragraph 1 or point (a) or (b) of paragraph 2 specifying a description of overseas electronic signature or overseas electronic seal unless satisfied that the reliability of such a signature or seal is at least equivalent to the reliability of a signature or seal described in that point.

5.

When making regulations under this Article in relation to a description of overseas electronic signature or overseas electronic seal, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of signature or seal and related trust services.

Article 45CRegulations under this Section

1.

Before making regulations under Article 45A or 45B, the Secretary of State must consult the supervisory body.

2.

Regulations under Article 45A or 45B—

(a)

may describe something by (among other things) describing something that meets a condition specified in the regulations or is provided by a person who meets such a condition, and

(b)

may include a condition referring to (among other things) the law of the other country or territory or a standard or other document, including the law, standard or other document as amended from time to time.

3.

Regulations under Article 45A or 45B may—

(a)

make different provision for different purposes, including for the purposes of different provisions of this Regulation, and

(b)

include transitional or transitory provision or savings.

4.

Regulations under Article 45A or 45B are to be made by statutory instrument.

5.

A statutory instrument containing regulations under Article 45A or 45B is subject to annulment in pursuance of either House of Parliament.”

(3)

In Article 3(21) (definition of “product”), at the end insert “(except in the expression “trust product”)”.

Annotations:
Commencement Information

I17S. 132 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I18S. 132 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(z4)

133Co-operation between supervisory authority and overseas authorities

(1)

Article 18 of the eIDAS Regulation (co-operation with EU authorities) is amended as follows.

(2)

In the heading, for “EU” substitute “overseas”.

(3)

In paragraph 1, for “public authority in the EU” substitute “designated overseas authority”.

(4)

In paragraph 2, for “other than in accordance with the data protection legislation” substitute “if the processing would contravene the data protection legislation (but in determining whether processing would do so, take into account the power conferred by that paragraph)”.

(5)

After paragraph 2 insert—

“3.

In this Article—

designated” means designated by regulations made by the Secretary of State that are in force;

overseas authority” means a person, or description of person, with functions relating to the regulation or supervision of trust services outside the United Kingdom.

4.

Before making regulations under this Article, the Secretary of State must consult the supervisory body.

5.

Regulations under this Article may include transitional or transitory provision or savings.

6.

Regulations under this Article are to be made by statutory instrument.

7.

A statutory instrument containing regulations under this Article is subject to annulment in pursuance of either House of Parliament.”

134Time periods: the eIDAS Regulation and the EITSET Regulations

(1)

In Chapter 1 of the eIDAS Regulation (general provisions), after Article 3 insert—

“Article 3APeriods of time

References in this Regulation to a period expressed in hours, days, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

(2)

The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) are amended as follows.

(3)

In regulation 2 (interpretation), at the end insert—

“(3)

References in these regulations to a period expressed in days or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

(4)

In Schedule 1 (monetary penalties)—

(a)

in paragraph 4(f), for the words from “a period” to the end substitute “the period of 21 days beginning when the notice of intent is served”,

(b)

in paragraph 5, for the words from “a period” to the end substitute “the period of 21 days beginning when the notice of intent is received”, and

(c)

in paragraph 6, for the words from “a period” to the end substitute “the period of 21 days beginning when the notice of intent is served”.

Purported intimate images

138Creating, or requesting the creation of, purported intimate image of adult

(1)

The Sexual Offences Act 2003 is amended in accordance with subsections (2) and (3).

(2)

After section 66D insert—

“66ECreating purported intimate image of adult

(1)

A person (A) commits an offence if—

(a)

A intentionally creates a purported intimate image of another person (B),

(b)

B does not consent to the creation of the purported intimate image, and

(c)

A does not reasonably believe that B consents.

(2)

“Purported intimate image” of a person means an image which—

(a)

appears to be, or to include, a photograph or film of the person (but is not, or is not only, a photograph or film of the person),

(b)

appears to be of an adult, and

(c)

appears to show the person in an intimate state.

(3)

Subsections (5) to (9) of section 66D (person in an intimate state) apply for the purposes of this section as if references in those subsections to a photograph or film were references to an image.

(4)

References in this section to creating a purported intimate image of a person do not include doing so by modifying a photograph or film of the person where what is created by the modification is an image which—

(a)

appears to show the person, but

(b)

does not appear to show—

(i)

something within section 66D(5)(a) to (e) (read with subsections (6) and (7) of that section) which is not shown in the photograph or film, or

(ii)

a person who is not shown in the photograph or film.

(5)

It is a defence for a person charged with an offence under this section to prove that the person had a reasonable excuse for creating the purported intimate image.

(6)

A person who commits an offence under this section is liable on summary conviction to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both).

(7)

The Secretary of State must—

(a)

review the operation of subsection (5),

(b)

publish the outcome of the review in a report before the end of the period of two years beginning with the day on which this section comes into force, and

(c)

lay the report before Parliament.

66FRequesting the creation of purported intimate image of adult

(1)

A person (A) commits an offence if—

(a)

A intentionally requests the creation of a purported intimate image of another person (B) (either in general or specific terms),

(b)

B does not consent to A requesting the creation of the purported intimate image, and

(c)

A does not reasonably believe that B consents.

(2)

A person (A) commits an offence if—

(a)

A intentionally requests that, if a purported intimate image of another person (B) is created, it includes or excludes something in particular (whether relating to B’s appearance, the intimate state in which B is shown or anything else),

(b)

B does not consent to A requesting the inclusion or exclusion of that thing, and

(c)

A does not reasonably believe that B consents.

(3)

References in this section to making a request (however expressed) include doing an act which could reasonably be taken to be a request (such as, for example, indicating agreement in response to an offer or complying with conditions of an offer).

(4)

References in this section to making a request (however expressed) are references to—

(a)

making a request directed to a particular person or persons, or

(b)

making a request so that it is available to one or more persons (or people generally), without directing it to a particular person or persons.

(5)

References in this section to consent to a person requesting something are—

(a)

in a case described in subsection (4)(a), references to consent to a request being made that is directed to the particular person or persons, and

(b)

in a case described in subsection (4)(b), references to consent to a request being made so that it is available to the person or persons (or people generally), as appropriate.

(6)

An offence under this section is committed—

(a)

regardless of whether the purported intimate image is created,

(b)

regardless of whether the purported intimate image, or the particular thing to be included in or excluded from such an image, is also requested by another person, and

(c)

regardless of where in the world the person or persons mentioned in subsection (4)(a)and (b) is or are located.

(7)

It is a defence for a person charged with an offence under this section to prove that the person had a reasonable excuse for making the request.

(8)

A person who commits an offence under this section is liable on summary conviction to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both).

(9)

In this section, references to a purported intimate image, to creating such an image and to a person shown in an intimate state have the same meaning as in section 66E.

(10)

The Secretary of State must—

(a)

review the operation of subsection (7),

(b)

publish the outcome of the review in a report before the end of the period of two years beginning with the day on which this section comes into force, and

(c)

lay the report before Parliament.

66GCreating, or requesting the creation of, purported intimate image of adult: further definitions etc

(1)

This section applies for the purposes of sections 66E and 66F.

(2)

“Consent” to an act includes general consent covering the particular act as well as specific consent to that particular act (and see also section 66F(5)).

(3)

Whether a belief is “reasonable” is to be determined having regard to all the circumstances, including any steps A has taken to ascertain whether B consents.

(4)

Photograph” includes the negative as well as the positive version.

(5)

Film” means a moving image.

(6)

A reference to an “image”, “photograph” or “film” includes data stored by any means which is capable of conversion into an image, photograph or film.

(7)

An image of a person appears to be an image of an adult if—

(a)

the impression conveyed by the image is that the person shown is aged 18 or over, or

(b)

the predominant impression conveyed by the image is that the person shown is aged 18 or over (even if some of the physical characteristics shown are those of a person under 18).

(8)

The “maximum term for summary offences” means—

(a)

if the offence is committed before the time when section 281(5) of the Criminal Justice Act 2003 comes into force, six months;

(b)

if the offence is committed after that time, 51 weeks.

66HCreating, or requesting the creation of, purported intimate image of adult: time limit for prosecution

(1)

Notwithstanding section 127(1) of the Magistrates’ Courts Act 1980, a magistrates’ court may try an information or written charge relating to an offence under section 66E or 66F if the information is laid or the charge is issued—

(a)

before the end of the period of 3 years beginning with the day on which the offence was committed, and

(b)

before the end of the period of 6 months beginning with the day on which evidence which the prosecutor thinks is sufficient to justify a prosecution comes to the prosecutor’s knowledge.

(2)

A certificate signed by or on behalf of a prosecutor stating the date on which evidence described in subsection (1)(b) came to the prosecutor’s knowledge is conclusive evidence of that fact.”

(3)

In section 79(5) (meaning of references to image of a person), after “a person” insert “(except in sections 66E, 66F and 66G)”.

(4)

In the Armed Forces Act 2006, after section 177D insert—

“177DAPurported intimate images to be treated as used for purpose of certain offences

(1)

This section applies where a person commits an offence under section 42 as respects which the corresponding offence under the law of England and Wales is an offence under section 66E of the Sexual Offences Act 2003 (creating purported intimate image of adult).

(2)

The purported intimate image to which the offence relates, and anything containing it, is to be regarded for the purposes of section 177C(3) (and section 94A(3)(b)(ii)) as used for the purposes of committing the offence (including where it is committed by aiding, abetting, counselling or procuring).”

(5)

In Part 2 of Schedule 3 to the Serious Crime Act 2007 (offences to be disregarded in reckoning whether an act is capable of encouraging or assisting the commission of an offence: England and Wales), after paragraph 38 insert—

“Sexual Offences Act 2003

38ZA

An offence under section 66F of the Sexual Offences Act 2003 (requesting the creation of purported intimate image of adult).”

(6)

In the Sentencing Code, after section 154 insert—

“154APurported intimate images to be treated as used for purpose of certain offences

(1)

Subsection (2) applies where a person commits an offence under section 66E of the Sexual Offences Act 2003 (creating purported intimate image of adult).

(2)

The purported intimate image to which the offence relates, and anything containing it, is to be regarded for the purposes of section 153 (and section 157(3)(b)) as used for the purposes of committing the offence (including where it is committed by aiding, abetting, counselling or procuring).

(3)

Subsection (4) applies where a person commits an offence under section 66F of the Sexual Offences Act 2003 (requesting the creation of purported intimate image of adult).

(4)

A purported intimate image which is connected with the offence, and anything containing it, is to be regarded for the purposes of section 153 (and section 157(3)(b)) as used for the purposes of committing the offence (including where it is committed by aiding, abetting, counselling or procuring).

(5)

A purported intimate image is connected with an offence under section 66F of the Sexual Offences Act 2003 if —

(a)

it appears to be of a person who was the subject of the request to which the offence relates (whether or not it is what was requested), and

(b)

it was in the offender’s possession, or under the offender’s control, as a result of that request.”

Annotations:
Commencement Information

I29S. 138 not in force at Royal Assent, see s. 142(1)