Legislation – Data (Use and Access) Act 2025

New Search

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Changes to legislation:

There are currently no known outstanding effects for the Data (Use and Access) Act 2025, Schedule 13. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Schedules

Schedule 13Privacy and electronic communications: Commissioner’s enforcement powers

Section 115

Annotations:
Commencement Information

I1Sch. 13 not in force at Royal Assent, see s. 142(1)

This is the Schedule to be substituted for Schedule 1 to the PEC Regulations—

“Schedule 1Information Commissioner’s enforcement powers

Regulation 31

Provisions applied for enforcement purposes

1.

For the purposes of enforcing these Regulations, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 29

  • section 140 (publication by the Commissioner);

  • section 141A (notices from the Commissioner);

  • section 142 (information notices);

  • section 143 (information notices: restrictions);

  • section 144 (false statements made in response to an information notice);

  • section 145 (information orders);

  • section 146 (assessment notices);

  • section 146A (assessment notices: approval of person to prepare report);

  • section 147 (assessment notices: restrictions);

  • section 148 (destroying or falsifying information and documents etc);

  • section 148A (interview notices);

  • section 148B (interview notices: restrictions);

  • section 148C (false statements made in response to interview notices);

  • section 149 (enforcement notices);

  • section 150 (enforcement notices: supplementary);

  • section 152 (enforcement notices: restrictions);

  • section 153 (enforcement notices: cancellation and variation);

  • section 154 and Schedule 15 (powers of entry and inspection);

  • section 155 and Schedule 16 (penalty notices);

  • section 156 (penalty notices: restrictions);

  • section 157 (maximum amount of penalty);

  • section 159 (amount of penalties: supplementary);

  • section 160 (guidance about regulatory action);

  • section 161 (approval of first guidance about regulatory action);

  • section 162 (rights of appeal);

  • section 163 (determination of appeals);

  • section 164 (applications in respect of urgent notices);

  • section 180 (jurisdiction);

  • section 181 (interpretation of Part 6);

  • section 182 (regulations and consultation);

  • section 196 (penalties for offences);

  • section 197(1) and (2) (prosecution);

  • section 198 (liability of directors etc);

  • section 200 (guidance about PACE codes of practice);

  • section 202 (proceedings in the First-tier Tribunal: contempt);

  • section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2.

The provisions listed in paragraph 1 have effect as if—

(a)

references to the Data Protection Act 2018 or to a Part of that Act were references to the provisions of that Act or that Part as applied by these Regulations;

(b)

references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 142 (information notices)

3.

Section 142 has effect as if—

(a)

in subsection (1), for paragraphs (a) and (b) there were substituted—

“(a)

require any person to provide the Commissioner with information or documents that the Commissioner reasonably requires for the purposes of determining whether that person has complied or is complying with the requirements of the PEC Regulations,

(b)

require a communications provider to provide the Commissioner with information or documents relating to another person’s use of an electronic communications network or electronic communications service for the purposes of determining whether that other person has complied or is complying with the requirements of the PEC Regulations, or

(c)

require any person to provide the Commissioner with information or documents that the Commissioner reasonably requires for the purposes of investigating a suspected failure by another person to comply with the requirements of the PEC Regulations.”;

(b)

in subsection (2)(a), for “(b)(i) or (b)(ii)” there were substituted “(b) or (c)”;

(c)

after subsection (8) there were inserted—

“(8A)

Subsections (8B) and (8C) apply if an information notice given to a person under subsection (1)(b) or (c) contains—

(a)

a statement that a duty of confidentiality applies in relation to the notice, and

(b)

an explanation of the effects of subsections (8B) and (8C).

(8B)

The person to whom the information notice is given, and any person employed or engaged for the purpose of that person’s business, must not disclose the existence of the notice without reasonable excuse.

(8C)

Subsection (8B) does not prevent—

(a)

a disclosure to a person employed or engaged for the purpose of the business of the person to whom the notice is given,

(b)

a disclosure made with the permission of the Commissioner (whether the permission is contained in the information notice or otherwise), or

(c)

a disclosure made for the purpose of obtaining legal advice.”;

(d)

subsections (9) and (10) were omitted.

Modification of section 143 (information notices: restrictions)

4.

(1)

Section 143 has effect as if subsections (1) and (9) were omitted.

(2)

In that section—

(a)

subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”;

(b)

subsection (7)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)

subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “section 148 or 148C or paragraph 15 of Schedule 15”.

Modification of section 145 (information orders)

5.

Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “section 142(2)”.

Modification of section 146 (assessment notices)

6.

Section 146 has effect as if—

(a)

in subsection (1)—

(i)

for “a controller or processor” there were substituted “a person within subsection (1A)”;

(ii)

for “the controller or processor” there were substituted “the person”;

(iii)

for “the data protection legislation” there were substituted “the requirements of the PEC Regulations”;

(b)

after subsection (1) there were inserted—

“(1A)

A person is within this subsection if the person—

(a)

is a communications provider, or

(b)

is engaged in any activity regulated by the PEC Regulations.”;

(c)

in subsection (2)—

(i)

for “controller or processor” there were substituted “person to whom it is given”;

(ii)

in paragraph (h), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”;

(iii)

in paragraph (i), for “process personal data on behalf of the controller” there were substituted “are involved in any such activity on behalf of the person to whom the notice is given”;

(d)

in subsection (3A), for “controller or processor” there were substituted “person”;

(e)

in subsection (7), for “controller or processor” there were substituted “person to whom the notice is given”;

(f)

in subsection (8)—

(i)

in paragraph (a), for “controller or processor” there were substituted “person to whom the notice is given”;

(ii)

in the words after paragraph (c), for “controller or processor” there were substituted “person”;

(g)

in subsection (9)—

(i)

in paragraph (a), for the words from “a controller” to “this Act” there were substituted “the person to whom the notice is given has failed or is failing to comply with the requirements of the PEC Regulations or that an offence under section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(ii)

in paragraph (d), for “controller or processor” there were substituted “person”;

(h)

in subsection (10), for “controller or processor” there were substituted “person”;

(i)

subsection (11) were omitted;

(j)

in subsection (11A)—

(i)

for “controller or processor”, in the first place it occurs, there were substituted “person to whom it is given”;

(ii)

for “controller or processor”, in the second place it occurs, there were substituted “the person”.

Modification of section 146A (assessment notices: approval of person to prepare report)

7.

Section 146A has effect as if—

(a)

in subsection (1), for “a controller or processor” there were substituted “a person (“P”)”;

(b)

in subsection (2), for “The controller or processor” there were substituted “P”;

(c)

in subsections (3) to (6), for “the controller or processor” (in each place) there were substituted “P”.

Modification of section 147 (assessment notices: restrictions)

8.

(1)

Section 147 has effect as if subsection (5) were omitted.

(2)

In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”.

Modification of section 148A (interview notices)

9.

Section 148A has effect as if—

(a)

in subsection (1)—

(i)

for “a controller or processor” there were substituted “a person”;

(ii)

in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with a requirement of the PEC Regulations”;

(iii)

in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(b)

in subsection (3)—

(i)

in paragraph (a), for “the controller or processor” there were substituted “the person mentioned in subsection (1)”;

(ii)

in paragraph (b), for “the controller or processor” there were substituted “that person”;

(iii)

in paragraph (c), for “the controller or processor” there were substituted “that person”.

Modification of section 148B (interview notices: restrictions)

10.

(1)

Section 148B has effect as if subsections (8) and (9) were omitted.

(2)

In that section—

(a)

subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”;

(b)

subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)

subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.

Modification of section 149 (enforcement notices)

11.

(1)

Section 149 has effect as if subsections (2) to (5A) and (7) to (9) were omitted.

(2)

In that section—

(a)

subsection (1) has effect as if—

(i)

for “as described in subsections (2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”;

(ii)

for “sections 150 and 151” there were substituted “section 150”;

(b)

subsection (6) has effect as if the words “given in reliance on subsection (2), (3), (5) or (5A)” were omitted.

Modification of section 150 (enforcement notices: supplementary)

12.

(1)

Section 150 has effect as if subsection (3) were omitted.

(2)

In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” were omitted.

Modification of section 152 (enforcement notices: restrictions)

13.

Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Modification of Schedule 15 (powers of entry and inspection)

14.

(1)

Schedule 15 has effect as if paragraph 3 were omitted.

(2)

Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

“(a)

there are reasonable grounds for suspecting that—

(i)

a person has failed or is failing to comply with a requirement of the PEC Regulations, or

(ii)

an offence under section 144, 148, or 148C or paragraph 15 of this Schedule has been or is being committed,”.

(3)

Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a)

in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “person”;

(b)

in sub-paragraph (2), for “the data protection legislation” there were substituted “the PEC Regulations”.

(4)

Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a)

in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “an activity regulated by the PEC Regulations”;

(b)

in sub-paragraph (2)(d), for the words from “controller or processor” to the end there were substituted “person mentioned in paragraph 1(1)(a) has failed or is failing to comply with a requirement of the PEC Regulations”;

(c)

in sub-paragraph (3)(a) and (d)—

(i)

for “controller or processor” there were substituted “person mentioned in paragraph 2(1)”;

(ii)

for “the data protection legislation” there were substituted “the requirements of the PEC Regulations”.

(5)

Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the PEC Regulations”.

Modification of section 155 (penalty notices)

15.

Section 155 has effect as if—

(a)

in subsection (1)—

(i)

in paragraph (a), for “as described in section 149(2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”;

(ii)

after paragraph (c), there were inserted “, or

(d)

has failed to comply with the prohibition in section 142(8B),”;

(b)

after subsection (1) there were inserted—

“(1A)

But the Commissioner may not give a penalty notice to a person in respect of a failure to comply with regulation 5A of the PEC Regulations.”;

(c)

for subsection (2) there were substituted—

“(2)

When deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commission must have regard to the matters listed in subsection (3), so far as relevant.”;

(d)

in subsection (3)—

(i)

for “the controller or processor” (in each place) there were substituted “the person”;

(ii)

in paragraph (c), for the words from “data subjects” to the end there were substituted “subscribers or users”;

(iii)

in paragraph (d), for the words “in accordance with section 57, 66, 103 or 107” there were substituted “with a view to securing compliance with the requirements of the PEC Regulations”;

(iv)

paragraph (g) were omitted;

(v)

in paragraph (j), the words “or certification mechanism” were omitted;

(e)

subsection (4) were omitted;

(f)

after subsection (4) there were inserted—

“(4A)

If a penalty notice is given to a body in respect of a failure to comply with any of regulations 19 to 24 of the PEC Regulations, the Commissioner may also give a penalty notice to an officer of the body if the Commissioner is satisfied that the failure—

(a)

took place with the consent or connivance of the officer, or

(b)

was attributable to any neglect on the part of the officer.

(4B)

In subsection (4A)

body” means a body corporate or a Scottish partnership;

officer”, in relation to a body, means—

(a)

in relation to a body corporate—

  1. (i)

    a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, and

  2. (ii)

    where the affairs of the body are managed by its members, a member; or

(b)

in relation to a Scottish partnership, a partner or any person purporting to act as a partner.”;

(g)

subsections (6) to (8) were omitted.

Modification of Schedule 16 (penalties)

16.

Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 156 (penalty notices: restrictions)

17.

(1)

Section 156 has effect as if subsections (1), (2), (4)(b) and (5) were omitted.

(2)

In that section, subsection (3) has effect as if for the words from “controller” to “determined by or” there were substituted “penalty notice to a person who acts”.

Modification of section 157 (maximum amount of penalty)

18.

Section 157 has effect as if—

(a)

subsection (1) were omitted;

(b)

in subsection (2)—

(i)

for “Part 3 of this Act” there were substituted “the PEC Regulations”;

(ii)

in paragraph (a), for the words from “section 35” to “or 78” there were substituted “regulation 5, 6, 7, 8, 14, 19, 20, 21, 21A, 21B, 22, 23 or 24”;

(c)

subsections (3) and (4A) were omitted;

(d)

after subsection (4A) there were inserted—

“(4B)

In relation to an infringement of section 142(8B) of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount.”

Modification of section 159 (amount of penalties: supplementary)

19.

Section 159 has effect as if—

(a)

in subsection (1), the words “Article 83 of the UK GDPR and” were omitted;

(b)

in subsection (2), the words “Article 83 of the UK GDPR,” and “and section 158” were omitted.

Modification of section 160 (guidance)

20.

Section 160 has effect as if, in subsection (4)(f), for “controllers and processors” there were substituted “persons”.

Modification of section 162 (rights of appeal)

21.

Section 162 has effect as if subsection (4) were omitted.

Modification of section 163 (determination of appeals)

22.

Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)

23.

(1)

Section 180 has effect as if subsections (2)(b), (c), (d) and (e) and (3) were omitted.

(2)

Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.

Modification of section 181 (interpretation of Part 6)

24.

Section 181 has effect as if the definition of “certification provider” were omitted.

Modification of section 182 (regulations and consultation)

25.

(1)

Section 182 has effect as if subsections (3), (6), (8), (11), (12) and (14) were omitted.

(2)

Subsection (13) of that section has effect as if for “provision comes into force” there were substituted “coming into force of section 115 of the Data (Use and Access) Act 2025”.

Modification of section 196 (penalties for offences)

26.

(1)

Section 196 has effect as if subsections (3) to (5) were omitted.

(2)

In that section—

(a)

subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b)

subsection (2) has effect as if for “section 132, 144, 148, 148C, 170, 171 or 184” there were substituted “section 144, 148 or 148C”.

Modification of section 200 (guidance about PACE codes of practice)

27.

Section 200 has effect as if, in subsection (1), for “this Act” there were substituted “section 144, 148 and 148C and paragraph 15 of Schedule 15”.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)

28.

Section 202 has effect as if, in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 162”.

Modification of section 203 (tribunal procedure rules)

29.

Section 203 has effect as if—

(a)

in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 162”;

(b)

in subsection (2)—

(i)

in paragraph (a), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”;

(ii)

in paragraph (b), for “the processing of personal data” there were substituted “any such activity”.

Interpretation

30.

In this Schedule, “the PEC Regulations” means these Regulations.”