Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Cross Heading: Data protection principles. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Part 5Data protection and privacy

Chapter 1Data protection

Data protection principles

70Lawfulness of processing

(1)

The UK GDPR is amended in accordance with subsections (2) to (5).

(2)

In Article 6(1) (lawful processing)—

(a)

in point (e)—

(i)

after “task” insert “of the controller”, and

(ii)

after “or” insert “a task carried out”,

(b)

after that point insert—

“(ea)

processing is necessary for the purposes of a recognised legitimate interest;”, and

(c)

in the words after point (f), for “Point (f)” substitute “Points (ea) and (f)”.

(3)

In Article 6(3) (basis for processing etc), in the last subparagraph, in the first sentence—

(a)

after “task” insert “of the controller”, and

(b)

after “interest or” insert “a task carried out”.

(4)

In Article 6, at the end insert—

“5.

For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.

6.

The Secretary of State may by regulations amend Annex 1 by—

(a)

adding or varying provisions, or

(b)

omitting provisions added by regulations made under this paragraph.

7.

The Secretary of State may only make regulations under paragraph 6 where—

(a)

the requirement in paragraph 8 is satisfied, and

(b)

if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied.

8.

The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things—

(a)

the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and

(b)

where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

9.

The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

10.

Regulations under paragraph 6 are subject to the affirmative resolution procedure.

11.

For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—

(a)

processing that is necessary for the purposes of direct marketing,

(b)

intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and

(c)

processing that is necessary for the purposes of ensuring the security of network and information systems.

12.

In paragraph 11—

intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;

security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).”

(5)

In Article 21(1) (right to object), after “point (e)” insert “, (ea)”.

(6)

Schedule 4 to this Act inserts Annex 1 to the UK GDPR.

(7)

In section 8 of the 2018 Act (lawfulness of processing: public interest etc), omit “the controller’s”.

(8)

In the provisions listed in subsection (9)—

(a)

for “gateway” substitute “gateways”, and

(b)

for “were omitted” substitute “disapplied only the gateway in point (ea) (recognised legitimate interests)”.

(9)

The provisions are—

(a)

section 40(8) of the Freedom of Information Act 2000 (personal data which is exempt information);

(b)

section 38(5A) of the Freedom of Information (Scotland) Act 2002 (asp 13) (personal data which is exempt information);

(c)

regulation 13(6) of the Environmental Information Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);

(d)

regulation 11(7) of the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);

(e)

regulation 45(1E) of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);

(f)

regulation 39(1E) of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information);

(g)

regulation 9(9) of the INSPIRE Regulations 2009 (S.I. 2009/3157) (limitation of public access to personal data included in a spatial data set);

(h)

regulation 10(8) of the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440) (limitation of public access to personal data included in a spatial data set).

Annotations:
Commencement Information

I1S. 70 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I2S. 70 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(c)

71The purpose limitation

(1)

The UK GDPR is amended in accordance with subsections (2) to (5).

(2)

In Article 5(1)(b) (purpose limitation)—

(a)

after “collected” insert “(whether from the data subject or otherwise)”,

(b)

after “further processed” insert “by or on behalf of a controller”, and

(c)

for the words from “those purposes;” to “initial purposes” substitute “the purposes for which the controller collected the data”.

(3)

In Article 5, at the end insert—

“3.

For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.”

(4)

In Article 6 (lawfulness of processing), omit paragraph 4.

(5)

After Article 8 insert—

“Article 8APurpose limitation: further processing

1.

This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.

2.

In making the determination, a person must take into account, among other things—

(a)

any link between the original purpose and the new purpose;

(b)

the context in which the personal data was collected, including the relationship between the data subject and the controller;

(c)

the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);

(d)

the possible consequences of the intended processing for data subjects;

(e)

the existence of appropriate safeguards (for example, encryption or pseudonymisation).

3.

Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where—

(a)

the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate,

(b)

the processing is carried out in accordance with Article 84B—

(i)

for the purposes of scientific research or historical research,

(ii)

for the purposes of archiving in the public interest, or

(iii)

for statistical purposes,

(c)

the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so,

(d)

the processing meets a condition in Annex 2, or

(e)

the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law.

4.

Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—

(a)

it falls within paragraph 3(a) or (c), or

(b)

it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent.

5.

The Secretary of State may by regulations amend Annex 2 by—

(a)

adding or varying provisions, or

(b)

omitting provisions added by regulations made under this paragraph.

6.

The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

7.

Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.

8.

Regulations under paragraph 5 are subject to the affirmative resolution procedure.”

(6)

Schedule 5 to this Act inserts Annex 2 to the UK GDPR.

(7)

The 2018 Act is amended in accordance with subsections (8) to (10).

(8)

In section 36(1) (the second data protection principle)—

(a)

in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and

(b)

in paragraph (b)—

(i)

after “processed” insert “by or on behalf of a controller”, and

(ii)

for “it was collected” substitute “the controller collected it”.

(9)

In section 87(1) (the second data protection principle)—

(a)

in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and

(b)

in paragraph (b)—

(i)

after “processed” insert “by or on behalf of a controller”, and

(ii)

for “it was collected” substitute “the controller collected it”.

(10)

In paragraph 1 of Schedule 2 (exemptions etc from the UK GDPR: provisions to be adapted or restricted), omit sub-paragraph (b)(ii).

Annotations:
Commencement Information

I3S. 71 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I4S. 71 in force at 5.2.2026 in so far as not already in force by S.I. 2026/82, reg. 2(d)

72Processing in reliance on relevant international law

(1)

The UK GDPR is amended in accordance with subsections (2) to (5).

(2)

In Article 6(3) (lawfulness of processing: basis in domestic law)—

(a)

in the first subparagraph, omit “and (e)”,

(b)

after that subparagraph insert—

“The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).”, and

(c)

in the last subparagraph, in the last sentence, after “domestic law” insert “or relevant international law”.

(3)

In Article 8A(3)(e) (purpose limitation: further processing necessary to safeguard an objective listed in Article 23(1)) (inserted by section 71 of this Act), at the end insert “or by relevant international law (see section 9A of the 2018 Act)”.

(4)

In Article 9 (processing of special categories of personal data)—

(a)

in paragraph 2(g) (substantial public interest), after “domestic law” insert “, or relevant international law,”, and

(b)

in paragraph 5, before point (a) insert—

“(za)

section 9A makes provision about when the requirement in paragraph 2(g) of this Article for a basis in relevant international law is met;”.

(5)

In Article 10 (processing of personal data relating to criminal convictions and offences)—

(a)

in paragraph 1, after “domestic law” insert “, or relevant international law,”, and

(b)

in paragraph 2, before point (a) insert—

“(za)

section 9A makes provision about when the requirement in paragraph 1 of this Article for authorisation by relevant international law is met;”.

(6)

The 2018 Act is amended in accordance with subsections (7) and (8).

(7)

Before section 10 (and the italic heading before that section) insert—

“Relevant international law

9AProcessing in reliance on relevant international law

(1)

Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.

(2)

A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.

(3)

The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—

(a)

conditions,

(b)

provision about the purposes for which a condition may be relied on, and

(c)

safeguards in connection with processing carried out in reliance on a condition in the Schedule.

(4)

Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.

(5)

Regulations under this section are subject to the affirmative resolution procedure.

(6)

In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).”

(8)

Before Schedule 1 insert—

“Schedule A1Processing in reliance on relevant international law

Section 9A

This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.”