Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Chapter 2. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Part 5Data protection and privacy

Chapter 2Privacy and electronic communications

109The PEC Regulations

In this Chapter, “the PEC Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).

110Interpretation of the PEC Regulations

(1)

Regulation 2 of the PEC Regulations (interpretation) is amended as follows.

(2)

In paragraph (1)—

(a)

in the definition of “call”, at the end insert “, and a reference to making a call includes a reference to attempting to establish such a connection”,

(b)

in the definition of “communication”—

(i)

for “exchanged or conveyed between” substitute “transmitted to”, and

(ii)

for “conveyed”, in the second place it occurs, substitute “transmitted”, and

(c)

at the appropriate place insert—

““direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;”.

(3)

After paragraph (1) insert—

“(1A)

In the application of these Regulations in relation to—

(a)

information that is sent but not received,

(b)

a communication that is transmitted but not received,

(c)

an electronic mail that is sent but not received, or

(d)

an unsuccessful attempt to make a call,

a reference to the recipient of the information, communication, electronic mail or call is to be read as a reference to the intended recipient.”

(4)

In paragraph (4) omit “, without prejudice to paragraph (3),”.

(5)

After that paragraph insert—

“(5)

References in these Regulations to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except that Article 3(4) of that Regulation does not apply to the interpretation of a reference to a period in regulation 16A.

(6)

In paragraph (5), “the Periods of Time Regulation” means Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

111Duty to notify the Commissioner of personal data breach: time periods

(1)

In regulation 5A of the PEC Regulations (personal data breach)—

(a)

in paragraph (2), after “delay” insert “and, where feasible, not later than 72 hours after having become aware of it”, and

(b)

after paragraph (3) insert—

“(3A)

Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.”

(2)

In regulation 5C of the PEC Regulations (personal data breach: fixed monetary penalty)—

(a)

in paragraph (4)(f), for “from the service of the notice of intent” substitute “beginning when the notice of intent is served”, and

(b)

in paragraph (5), for “21 days of receipt of the notice of intent” substitute “the period of 21 days beginning when the notice of intent is received”.

(3)

In Article 2 of Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (notification to the Commissioner)—

(a)

in paragraph 2—

(i)

in the first subparagraph, for the words from “no” to “feasible” substitute “without undue delay and, where feasible, not later than 72 hours after having become aware of it”,

(ii)

in the second subparagraph, after “shall” insert “, subject to paragraph 3,”, and

(iii)

after the third subparagraph insert—

“This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”, and

(b)

for paragraph 3 substitute—

“3.

To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.”

112Storing information in the terminal equipment of a subscriber or user

(1)

The PEC Regulations are amended in accordance with subsections (2) and (3).

(2)

For regulation 6 (storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user) substitute—

“Storing information in the terminal equipment of a subscriber or user6.

(1)

Subject to Schedule A1, a person must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user.

(2)

In paragraph (1) and Schedule A1

(a)

a reference (however expressed) to storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user includes a reference to instigating the storage or access, and

(b)

except as otherwise provided, a reference (however expressed) to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment.”

(3)

After regulation 6 insert—

“Power to provide exceptions to regulation 6(1)6A.

(1)

The Secretary of State may by regulations made by statutory instrument—

(a)

amend these Regulations—

(i)

by adding an exception to the prohibition in regulation 6(1), or

(ii)

by omitting or varying an exception to that prohibition, and

(b)

make consequential, supplementary, incidental, transitional, transitory or saving provision, including provision amending these Regulations.

(2)

Regulations under paragraph (1) may make different provision for different purposes.

(3)

Before making regulations under paragraph (1), the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(4)

A statutory instrument containing regulations under paragraph (1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”

(4)

Schedule 12 to this Act inserts Schedule A1 to the PEC Regulations.

(5)

A requirement to consult under regulation 6A of the PEC Regulations (inserted by subsection (3) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.

Annotations:
Commencement Information

I7S. 112 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

113Emergency alerts: interpretation of time periods

In regulation 16A of the PEC Regulations (emergency alerts), in paragraph (6), for the words from “7 days” to “paragraph (3)(b)” substitute “the period of 7 days beginning with the day on which the time period specified by the relevant public authority pursuant to paragraph (3)(b) expires”.

114Use of electronic mail for direct marketing by charities

(1)

Regulation 22 of the PEC Regulations (use of electronic mail for direct marketing purposes) is amended as follows.

(2)

In paragraph (2), after “paragraph (3)” insert “or (3A).

(3)

After paragraph (3) insert—

“(3A)

A charity may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a)

the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes;

(b)

the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient—

(i)

expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or

(ii)

offering or providing support to further one or more of those purposes; and

(c)

the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.”

(4)

After paragraph (4) insert—

“(5)

In this regulation, “charity” means—

(a)

a charity as defined in section 1(1) of the Charities Act 2011,

(b)

a charity as defined in section 1(1) of the Charities Act (Northern Ireland) 2008 (c. 12 (N.I.)), including an institution treated as such a charity for the purposes of that Act by virtue of the Charities Act 2008 (Transitional Provision) Order (Northern Ireland) 2013 (S.R. (N.I.) 2013 No. 211), and

(c)

a body entered in the Scottish Charity Register, other than a body which no longer meets the charity test in section 7 of the Charities and Trustee Investment (Scotland) Act 2005 (asp 10),

and, in relation to such a charity, institution or body, “charitable purpose” has the meaning given in the relevant Act.”

Annotations:
Commencement Information

I10S. 114 not in force at Royal Assent, see s. 142(1)

115Commissioner’s enforcement powers

(1)

The PEC Regulations are amended in accordance with subsections (2) to (8).

(2)

In regulation 5 (security of public electronic communications services), omit paragraph (6).

(3)

Omit regulation 5B (personal data breach: audit).

(4)

In regulation 5C (personal data breach: fixed monetary penalty)—

(a)

in paragraph (10)—

(i)

omit “and Northern Ireland”, and

(ii)

in paragraph (a), for “a county court” substitute “the county court”, and

(b)

after paragraph (11) insert—

“(12)

In Northern Ireland, the penalty is recoverable—

(a)

if a county court so orders, as if it were payable under an order of that court;

(b)

if the High Court so orders, as if it were payable under an order of that court.

(13)

The Secretary of State may by regulations made by statutory instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5).

(14)

Regulations under paragraph (13) may make transitional provision.

(15)

Before making regulations under paragraph (13), the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(16)

A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”

(5)

For regulation 31 substitute—

“Information Commissioner’s enforcement powers31.

(1)

Schedule 1 provides for certain provisions of Parts 5 to 7 of the Data Protection Act 2018 to apply with modifications for the purposes of enforcing these Regulations.

(2)

In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under those provisions, as applied by that Schedule.”

(6)

Omit regulation 31A (third party information notices).

(7)

Omit regulation 31B (appeals against third party information notices).

(8)

For Schedule 1 substitute the Schedule set out in Schedule 13 to this Act.

(9)

In paragraph 58(1) of Schedule 20 to the Data Protection Act 2018 (transitional provision relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 1 to,” substitute “regulation 2 of”.

(10)

A requirement to consult under regulation 5C(15) of the PEC Regulations (inserted by subsection (4)(b) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.

Annotations:
Commencement Information

I11S. 115 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

116Codes of conduct

(1)

The PEC Regulations are amended as follows.

(2)

After regulation 32 insert—

“Codes of conduct32A.

(1)

The Commissioner must encourage representative bodies to produce codes of conduct intended to contribute to compliance with these Regulations.

(2)

Under paragraph (1), the Commissioner must encourage representative bodies to produce codes which take account of, among other things, the specific features of different sectors.

(3)

A code of conduct described in paragraph (1) may, for example, make provision with regard to—

(a)

rights and obligations under these Regulations;

(b)

out-of-court proceedings and other dispute resolution procedures for resolving disputes arising in connection with these Regulations.

(4)

The Commissioner must encourage representative bodies to submit codes of conduct described in paragraph (1) to the Commissioner in draft.

(5)

Where a representative body does so, the Commissioner must—

(a)

provide the representative body with an opinion on whether the code correctly reflects the requirements of these Regulations,

(b)

decide whether to approve the code, and

(c)

if the code is approved, register and publish the code.

(6)

The Commissioner may only approve a code if, among other things—

(a)

the code contains a mechanism for monitoring whether persons who undertake to apply the code comply with its provisions, and

(b)

in relation to persons other than public bodies, the mechanism involves monitoring by a body which is accredited for that purpose by the Commissioner under regulation 32B.

(7)

In relation to amendments of a code of conduct that is for the time being approved under this regulation—

(a)

paragraphs (4) and (5) apply as they apply in relation to a code, and

(b)

the requirements in paragraph (6) must be satisfied by the code as amended.

(8)

A code of conduct described in paragraph (1) may be contained in the same document as a code of conduct described in Article 40 of the UK GDPR (and a provision contained in such a document may be a provision of both codes).

(9)

In this regulation—

public body” has the meaning given in section 7 of the Data Protection Act 2018 (for the purposes of the UK GDPR);

representative body” means an association or other body representing categories of—

(a)

communications providers, or

(b)

other persons engaged in activities regulated by these Regulations;

the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.

Accreditation of bodies monitoring compliance with codes of conduct32B.

(1)

The Commissioner may, in accordance with this regulation, accredit a body for the purpose of monitoring whether persons other than public bodies comply with a code of conduct described in regulation 32A(1).

(2)

The Commissioner may accredit a body only where the Commissioner is satisfied that the body has—

(a)

demonstrated its independence,

(b)

demonstrated that it has an appropriate level of expertise in relation to the subject matter of the code,

(c)

established procedures which allow it—

(i)

to assess a person’s eligibility to apply the code,

(ii)

to monitor compliance with the code, and

(iii)

to review the operation of the code periodically,

(d)

established procedures and structures to handle complaints about infringements of the code or about the manner in which the code has been, or is being, implemented by a person,

(e)

made arrangements to publish information about the procedures and structures described in sub-paragraph (d), and

(f)

demonstrated that it does not have a conflict of interest.

(3)

The Commissioner must prepare and publish guidance about how the Commissioner proposes to take decisions about accreditation under this regulation.

(4)

A body accredited under this regulation in relation to a code must take appropriate action where a person infringes the code.

(5)

If the action taken by a body under paragraph (4) consists of suspending or excluding a person from the code, the body must inform the Commissioner, giving reasons for taking that action.

(6)

The Commissioner must revoke the accreditation of a body under this regulation if the Commissioner considers that the body—

(a)

no longer meets the requirements for accreditation, or

(b)

has failed, or is failing, to comply with paragraph (4) or (5).

(7)

In this regulation, “public body” has the same meaning as in regulation 32A.

Effect of codes of conduct32C.

Adherence to a code of conduct approved under regulation 32A may be used by a person as a means of demonstrating compliance with these Regulations.”

(3)

In regulation 33 (technical advice to the Commissioner)—

(a)

omit “, in connection with his enforcement functions,” and

(b)

at the end insert “where the request is made in connection with—

(a)

the Commissioner’s enforcement functions, or

(b)

the Commissioner’s functions under regulation 32A or 32B (codes of conduct).”

(4)

In Schedule 1 (Commissioner’s enforcement powers) (inserted by Schedule 13 to this Act), in paragraph 18(b)(ii) (maximum amount of penalty), for “or 24” substitute “, 24 or 32B(4) or (5)”.

Annotations:
Commencement Information

I12S. 116 not in force at Royal Assent, see s. 142(1)