Changes to legislation:
There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Cross Heading: Definitions in the UK GDPR and the 2018 Act.
Part 5 Data protection and privacy
Chapter 1 Data protection
Definitions in the UK GDPR and the 2018 Act
67 Meaning of research and statistical purposes
(1) In Article 4 of the UK GDPR (definitions)—
(a) the existing text becomes paragraph 1, and
(b) after that paragraph insert—
“2. References in this Regulation to the processing of personal data for the purposes of scientific research (including references to processing for “scientific research purposes”) are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.
3.
(a) include processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific, but
(b) only include processing for the purposes of a study in the area of public health that can reasonably be described as scientific where the study is conducted in the public interest.
4. References in this Regulation to the processing of personal data for the purposes of historical research (including references to processing for “historical research purposes”) include processing for the purposes of genealogical research.
5. References in this Regulation to the processing of personal data for statistical purposes are references to processing for statistical surveys or for the production of statistical results where—
(a) the information that results from the processing is aggregate data that is not personal data, and
(b) the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.”
(2) In consequence of the amendment made by subsection (1)(a), in section 6 of the 2018 Act (meaning of “controller”), for “4(7)” substitute “4(1)(7)”.
68 Consent to processing for the purposes of scientific research
(1) Article 4 of the UK GDPR (definitions) is amended as follows.
(2) In point (11) of paragraph 1 (definition of “consent”), at the end insert “(and see paragraphs 6 and 7 of this Article)”.
(3) After paragraph 5 (inserted by section 67 of this Act) insert—
“6. A data subject’s consent is to be treated as falling within the definition of “consent” in point (11) of paragraph 1 if—
(a) it does not fall within that definition because (and only because) the consent is given to the processing of personal data for the purposes of an area of scientific research,
(b) at the time the consent is sought, it is not possible to identify fully the purposes for which personal data is to be processed,
(c) seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research, and
(d) so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research.
7. References in this Regulation to consent given for a specific purpose (however expressed) include consent described in paragraph 6.”
69 Consent to law enforcement processing
(1) The 2018 Act is amended as follows.
(2) In section 33 (definitions), after subsection (1) insert—
“(1A) “Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).”
(3) In section 34(2) (overview of Chapter 2 of Part 3), after paragraph (a) (but before the “and” at the end of that paragraph) insert—
“(aa) section 40A makes provision about processing carried out in reliance on the consent of the data subject,”.
(4) After section 40 insert—
“40A Conditions for consent
(1) This section is about processing of personal data that is carried out in reliance on the consent of the data subject.
(2) The controller must be able to demonstrate that the data subject consented to the processing.
(3) If the data subject’s consent is given in writing as part of a document which also concerns other matters, the request for consent must be made—
(a) in a manner which clearly distinguishes the request from the other matters,
(b) in an intelligible and easily accessible form, and
(c) in clear and plain language.
(4) Any part of a document described in subsection (3) which constitutes an infringement of this Part is not binding.
(5) The data subject may withdraw the consent at any time (but the withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal).
(6) Processing may only be carried out in reliance on consent if—
(a) before the consent is given, the controller or processor informs the data subject of the right to withdraw it, and
(b) it is as easy for the data subject to withdraw the consent as to give it.
(7) When assessing whether consent is freely given, account must be taken of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.”
(5) In section 206 (index of defined expressions), in the Table, in the entry for “consent”—
(a) after “consent” insert “(to processing of personal data)”,
(b) for “Part” substitute “Parts 3 and”, and
(c) for “section” substitute “sections 33, 40A and”.