Legislation – Data (Use and Access) Act 2025


Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Cross Heading: Intelligence services.

Part 5 Data protection and privacy

Chapter 1 Data protection

Intelligence services

89 Joint processing by intelligence services and competent authorities

(1) Part 4 of the 2018 Act (intelligence services processing) is amended as follows.

(2) In section 82 (processing to which Part 4 applies)—

(a) before subsection (1) insert—

“A1 This Part—

(a) applies to processing of personal data by an intelligence service, and

(b) applies to processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).”,

(b) in subsection (1)—

(i) after “applies” insert “only”,

(ii) in paragraph (a), for “the processing by an intelligence service” substitute “processing”, and

(iii) in paragraph (b), for “the processing by an intelligence service” substitute “processing”,

(c) after subsection (2) insert—

“(2A) In this Part—

“competent authority” has the same meaning as in Part 3;

“qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.”, and

(d) after subsection (3) insert—

“(4) Regulations under this section are subject to the affirmative resolution procedure.”

(3) After section 82 insert—

“82A Designation of processing by a qualifying competent authority

(1) For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where—

(a) an application for designation of the processing is made in accordance with this section, and

(b) the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security.

(2) The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service.

(3) The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to—

(a) a country or territory outside the United Kingdom, or

(b) an international organisation.

(4) A designation notice must—

(a) specify or describe the processing and qualifying competent authority that are designated, and

(b) be given to the applicants for the designation (and see also section 82D).

(5) An application for designation of processing of personal data by a qualifying competent authority must be made jointly by—

(a) the qualifying competent authority, and

(b) the intelligence service with which the processing is to be carried out.

(6) An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service.

(7) The application must—

(a) describe the processing, including the intended purposes and means of processing, and

(b) explain why the applicants consider that designation is required for the purposes of safeguarding national security.

(8) Before giving a designation notice, the Secretary of State must consult the Commissioner.

(9) In this section, “joint controller”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104.

82B Duration of designation notice

(1) A designation notice must state when it comes into force.

(2) A designation notice ceases to be in force at the earliest of the following times—

(a) at the end of the period of 5 years beginning when the notice comes into force;

(b) (if relevant) at the end of a shorter period specified in the notice;

(c) when the notice is withdrawn under section 82C.

(3) The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice.

82C Review and withdrawal of designation notice

(1) Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force.

(2) A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security.

(3) A person who applied for the designation of the processing must, on a request from the Secretary of State, provide—

(a) a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and

(b) an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security.

(4) The Secretary of State must at least annually—

(a) review each designation notice that is for the time being in force, and

(b) consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security.

(5) The Secretary of State—

(a) may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and

(b) must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise).

(6) A withdrawal notice must—

(a) withdraw the designation notice completely, and

(b) state when it comes into force.

(7) In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider—

(a) the desirability of the processing ceasing to be designated as soon as possible, and

(b) where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data.

82D Records of designation notices

(1) Where the Secretary of State gives a designation notice—

(a) the Secretary of State must send a copy of the notice to the Commissioner, and

(b) the Commissioner must publish a record of the notice.

(2) The record must contain—

(a) the Secretary of State’s name,

(b) the date on which the notice was given,

(c) the date on which the notice ceases to have effect (if not previously withdrawn), and

(d) subject to subsection (3), the rest of the text of the notice.

(3) The Commissioner must not publish the text, or a part of the text, of the notice if—

(a) the Secretary of State has determined that publishing the text or that part of the text—

(i) would be against the interests of national security,

(ii) would be contrary to the public interest, or

(iii) might jeopardise the safety of any person, and

(b) the Secretary of State has notified the Commissioner of that determination.

(4) The Commissioner must keep the record of the notice available to the public while the notice is in force.

(5) Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner.

82E Appeal against designation notice

(1) A person directly affected by a designation notice may appeal to the Tribunal against the notice.

(2) If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may—

(a) allow the appeal, and

(b) quash the notice.”

Annotations:
Commencement Information

I1 S. 89 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

I2 S. 89 in force at 17.11.2025 in so far as not already in force by S.I. 2025/996, reg. 2(2)(a)

90 Joint processing: consequential amendments

(1) The 2018 Act is amended in accordance with subsections (2) to (9).

(2) In section 1(5) (overview: Part 4), at the end insert “(and certain processing carried out by competent authorities jointly with the intelligence services)”.

(3) In section 29 (processing to which Part 3 applies), after subsection (1) insert—

“(1A) This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).”

(4) In section 83 (meaning of “controller” and “processor” in Part 4)—

(a) before subsection (1) insert—

“A1 For the purposes of this Part—

(a) an intelligence service is the “controller” in relation to the processing of personal data if it satisfies subsection (1) alone or jointly with others, and

(b) a qualifying competent authority is the “controller” in relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.”,

(b) in subsection (1), for the words before paragraph (a) substitute “This subsection is satisfied by a person who—”, and

(c) in subsection (2), for “intelligence service on which” substitute “person on whom”.

(5) In section 84 (other definitions)—

(a) after subsection (2) insert—

“(2A) “Designation notice” has the meaning given in section 82A.”, and

(b) before subsection (7) insert—

“(6B) “Withdrawal notice” has the meaning given in section 82C.”

(6) In section 104(1) (joint controllers), for “intelligence services” substitute “controllers”.

(7) In section 202(1)(a)(i) (proceedings in the First-tier Tribunal: contempt) after “79,” insert “82E,”.

(8) In section 203(1) (Tribunal Procedure Rules), after “79,” insert “82E,”.

(9) In section 206 (index of defined expressions), in the Table—

(a) in the entry for “competent authority”—

(i) for “Part 3” substitute “Parts 3 and 4”, and

(ii) for “section 30” substitute “sections 30 and 82”, and

(b) at the appropriate places insert—

“designation notice (in Part 4)

section 84”;

“qualifying competent authority (in Part 4)

section 82”;

“withdrawal notice (in Part 4)

section 84”.

(10) In section 199(2)(a) of the Investigatory Powers Act 2016 (bulk personal datasets: meaning of “personal data”), after “section 82(1) of that Act” insert “by an intelligence service”.