Legislation – Data (Use and Access) Act 2025

Introduction

Part 1
Access to customer data and business data

1 Customer data and business data

2 Power to make provision in connection with customer data

3 Customer data: supplementary

4 Power to make provision in connection with business data

5 Business data: supplementary

6 Decision-makers

7 Interface bodies

8 Enforcement of regulations under this Part

9 Restrictions on powers of investigation etc

10 Financial penalties

11 Fees

12 Levy

13 Financial assistance

14 The FCA and financial services interfaces

15 The FCA and financial services interfaces: supplementary

16 The FCA and financial services interfaces: penalties and levies

17 The FCA and co-ordination with other regulators

18 Liability in damages

19 Duty to review regulations

20 Restrictions on processing and data protection

21 Regulations under this Part: supplementary

22 Regulations under this Part: Parliamentary procedure and consultation

23 Related subordinate legislation

24 Repeal of provisions relating to supply of customer data

25 Other defined terms

26 Index of defined terms for this Part

Part 2
Digital verification services

27 Introductory

28 DVS trust framework

29 Supplementary codes

30 Withdrawal of a supplementary code

31 Review of DVS trust framework and supplementary codes

32 DVS register

33 Registration in the DVS register

34 Power to refuse registration in the DVS register

35 Registration of additional services

36 Supplementary notes

37 Addition of services to supplementary notes

38 Applications for registration, supplementary notes, etc

39 Fees for applications for registration, supplementary notes, etc

40 Duty to remove person from the DVS register

41 Power to remove person from the DVS register

42 Duty to remove services from the DVS register

43 Duty to remove supplementary notes from the DVS register

44 Duty to remove services from supplementary notes

45 Power of public authority to disclose information to registered person

46 Information disclosed by the Revenue and Customs

47 Information disclosed by the Welsh Revenue Authority

48 Information disclosed by Revenue Scotland

49 Code of practice about the disclosure of information

50 Trust mark for use by registered persons

51 Power of Secretary of State to require information

52 Arrangements for third party to exercise functions

53 Report on the operation of this Part

54 Index of defined terms for this Part

55 Powers relating to verification of identity or status

Part 3
National Underground Asset Register

56 National Underground Asset Register: England and Wales

57 Information in relation to apparatus: England and Wales

58 National Underground Asset Register: Northern Ireland

59 Information in relation to apparatus: Northern Ireland

60 Pre-commencement consultation

Part 4
Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

62 Provision of equipment and facilities by local authorities

63 Requirements to sign register

64 Treatment of existing registers and records

65 Minor and consequential amendments

Part 5
Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

68 Consent to processing for the purposes of scientific research

69 Consent to law enforcement processing

Data protection principles

70 Lawfulness of processing

71 The purpose limitation

72 Processing in reliance on relevant international law

Processing of special categories of personal data

73 Elected representatives responding to requests

74 Processing of special categories of personal data

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

76 Time limits for responding to data subjects’ requests

77 Information to be provided to data subjects

78 Searches in response to data subjects’ requests

79 Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

80 Automated decision-making

Obligations of controllers

81 Data protection by design: children’s higher protection matters

Logging of law enforcement processing

82 Logging of law enforcement processing

Codes of conduct

83 General processing and codes of conduct

84 Law enforcement processing and codes of conduct

International transfers of personal data

85 Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

86 Safeguards for processing for research etc purposes

87 Section 86: consequential provision

National security

88 National security exemption

Intelligence services

89 Joint processing by intelligence services and competent authorities

90 Joint processing: consequential amendments

Information Commissioner’s role

91 Duties of the Commissioner in carrying out functions

92 Codes of practice for the processing of personal data

93 Codes of practice: panels and impact assessments

94 Manifestly unfounded or excessive requests to the Commissioner

95 Analysis of performance

96 Notices from the Commissioner

Enforcement

97 Power of the Commissioner to require documents

98 Power of the Commissioner to require a report

99 Assessment notices: removal of OFSTED restriction

100 Interview notices

101 Penalty notices

102 Annual report on regulatory action

103 Complaints by data subjects

104 Court procedure in connection with subject access requests

105 Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

106 Protection of prohibitions, restrictions and data subject’s rights

Miscellaneous

107 Regulations under the UK GDPR

108 Further minor provision about data protection

Chapter 2 Privacy and electronic communications

109 The PEC Regulations

110 Interpretation of the PEC Regulations

111 Duty to notify the Commissioner of personal data breach: time periods

112 Storing information in the terminal equipment of a subscriber or user

113 Emergency alerts: interpretation of time periods

114 Use of electronic mail for direct marketing by charities

115 Commissioner’s enforcement powers

116 Codes of conduct

Part 6
The Information Commission

117 The Information Commission

118 Abolition of the office of Information Commissioner

119 Transfer of functions to the Information Commission

120 Transfer of property etc to the Information Commission

Part 7
Other provision about use of, or access to, data

121 Information standards for health and adult social care in England

122 Grant of smart meter communication licences

123 Disclosure of information to improve public service delivery to undertakings

124 Retention of information by providers of internet services in connection with death of child

125 Information for research about online safety matters

126 Retention of biometric data and recordable offences

127 Retention of pseudonymised biometric data

128 Retention of biometric data from INTERPOL

129 The eIDAS Regulation

130 Recognition of EU conformity assessment bodies

131 Removal of recognition of EU standards etc

132 Recognition of overseas trust products

133 Co-operation between supervisory authority and overseas authorities

134 Time periods: the eIDAS Regulation and the EITSET Regulations

135 Economic impact assessment

136 Report on the use of copyright works in the development of AI systems

137 Progress statement

138 Creating, or requesting the creation of, purported intimate image of adult

Part 8
Final provisions

139 Power to make consequential amendments

140 Regulations

141 Extent

142 Commencement

143 Transitional, transitory and saving provision

144 Short title

SCHEDULES

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

Schedule 2 National Underground Asset Register (Northern Ireland): monetary penalties

Schedule 3 Registers of births and deaths: minor and consequential amendments

Schedule 4 Lawfulness of processing: recognised legitimate interests

Schedule 5 Purpose limitation: processing to be treated as compatible with original purpose

Schedule 6 Automated decision-making: minor and consequential amendments

Schedule 7 Transfers of personal data to third countries etc: general processing

Schedule 8 Transfers of personal data to third countries etc: law enforcement processing

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Schedule 10 Complaints: minor and consequential amendments

Schedule 11 Further minor provision about data protection

Schedule 12 Storing information in the terminal equipment of a subscriber or user

Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers

Schedule 14 The Information Commission

Schedule 15 Information standards for health and adult social care in England

Schedule 16 Grant of smart meter communication licences

Schedules

Schedule 9 Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Section 85

Part 1 Minor and consequential amendments

The UK GDPR

1

The UK GDPR is amended as follows.

2

In Article 13(1)(f) (information to be provided where personal data is collected from the data subject)—

(a)

for “adequacy regulations under section 17A of the 2018 Act” substitute “regulations under Article 45A”, and

(b)

for “reference to the appropriate or suitable safeguards” substitute “the safeguards relied on”.

3

In Article 14(1)(f) (information to be provided where personal data is not obtained from the data subject)—

(a)

for “adequacy regulations under section 17A of the 2018 Act” substitute “regulations under Article 45A”, and

(b)

for “reference to the appropriate or suitable safeguards” substitute “the safeguards relied on”.

4

In Article 15(2) (right of access by the data subject)—

(a)

after “organisation” insert “in reliance on Article 46”, and

(b)

for “appropriate safeguards pursuant to Article 46 relating to” substitute “safeguards provided in accordance with Article 46(1A)(a)(i) or (b)(i) for the purposes of”.

5

(1)

Article 40 (codes of conduct) is amended as follows.

(2)

In paragraph 3 omit “appropriate” in both places.

(3)

In paragraph 5, for “provides sufficient appropriate safeguards” substitute “is capable of providing safeguards for the purposes of Article 46”.

6

In Article 42(2) (certification) omit “appropriate” in both places.

7

In Article 46(2)(d) (transfers subject to appropriate safeguards: standard data protection clauses), after “Commissioner” insert “for the purposes of this Article”.

8

In Article 57(1) (Commissioner’s tasks)—

(a)

in point (m) omit “which provide sufficient safeguards,”, and

(b)

after point (s) insert—

“(sa)

provide authorisation required under regulations made under Article 47A;”.

9

In Article 58(3) (authorisation and advisory powers of the Commissioner), after point (j) insert—

“(k)

to provide authorisation required under regulations made under Article 47A”.

10

In Article 83(5)(c) (general conditions for imposing administrative fines), for “44” substitute “44A”.

The 2018 Act

11

The 2018 Act is amended as follows.

12

Omit section 17A (transfers based on adequacy regulations) and the italic heading before it.

13

Omit section 17B (transfers based on adequacy regulations: review etc).

14

Omit section 17C (standard data protection clauses).

15

Omit section 18 (transfers of personal data to third countries etc: public interest).

16

In section 24(2) (manual unstructured data held by FOI public authorities)—

(a)

in paragraph (c), for “44 to 49” substitute “44A to 49A”, and

(b)

omit paragraph (ca).

17

In section 26(2) (national security and defence exemption), omit paragraph (fa).

18

In section 75 (transfers on the basis of appropriate safeguards), after subsection (7) (inserted by Schedule 8 to this Act) insert—

“(8)

For provision about standard data protection clauses which the Commissioner considers are capable of securing that the data protection test in this section is met, see section 119A.”

19

In section 78A (law enforcement processing: national security exemption) (inserted by section 88 of this Act), in subsection (2)(e), after sub-paragraph (i) insert—

“(ia)

section 119A (standard clauses for transfers to third countries);”.

20

(1)

Section 119A (power of Commissioner to specify standard clauses for transfers to third countries etc providing appropriate safeguards) is amended as follows.

(2)

In subsection (1), for the words from “provide” to the end substitute “are capable of securing that the data protection test set out in Article 46 of the UK GDPR or section 75 of this Act (or both) is met in relation to transfers of personal data”.

(3)

In subsection (3), after paragraph (a) insert—

“(aa)

may make provision generally or in relation to types of transfer described in the document,”.

21

In section 149(2)(e) (enforcement notices), for “44 to 49” substitute “44A to 49A”.

22

(1)

Section 182 (regulations and consultation) is amended as follows.

(2)

Omit subsection (4).

(3)

In subsection (6), for “Where regulations under this Act” substitute “For the purposes of this Act, where regulations”.

(4)

In subsection (7), for “Where regulations under this Act” substitute “For the purposes of this Act, where regulations”.

(5)

In subsection (8)—

(a)

for “Where regulations under this Act” substitute “For the purposes of this Act, regulations”,

(b)

after “procedure”” insert “if”,

(c)

in paragraph (a), for “the urgency” substitute “an urgency”, and

(d)

in paragraph (b), for “the period of 120 days” substitute “a period”.

(6)

Omit subsections (9) and (10).

(7)

In subsection (11), after “by regulations” insert “made under this Act or another enactment that are”.

(8)

For subsection (14) substitute—

“(14)

For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for regulations to come into force without delay.”

23

In section 205(2)(e) (references to periods of time) omit “and (9)”.

24

In paragraph 26(9)(d) of Schedule 2 (exemptions etc for journalistic, academic, artistic and literary purposes), for “44” substitute “44A”.

25

(1)

Part 3 of Schedule 21 (further transitional provision etc: transfers to third countries and international organisations) is amended as follows.

(2)

In the heading before paragraph 4, for “adequacy decisions and adequacy regulations” substitute “transfers approved by regulations”.

(3)

In paragraph 4 (UK GDPR: adequacy decisions and adequacy regulations)—

(a)

in sub-paragraph (1), for “based on adequacy regulations” substitute “to be treated as approved by regulations made under Article 45A of the UK GDPR”,

(b)

in sub-paragraph (4)(a), for “lists or other” substitute “schemes, lists or other arrangements or”, and

(c)

omit sub-paragraph (6).

(4)

In paragraph 6 (UK GDPR: application of certain provisions referring to regulations made under section 17A of the 2018 Act)—

(a)

in sub-paragraph (1)(a), for “section 17A” substitute “Article 45A of the UK GDPR”,

(b)

for sub-paragraph (2) substitute—

“(2)

Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1) and 49A(1) of the UK GDPR.”, and

(c)

after that sub-paragraph insert—

“(3)

In its application to transfers treated as approved by virtue of paragraph 1, Article 45C(5) of the UK GDPR (transfers approved by regulations: monitoring) has effect as if the reference to Article 45A(4)(b) were omitted.”

(5)

Omit paragraphs 7 and 8 (UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses).

(6)

In paragraph 9 (UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules)—

(a)

in sub-paragraph (1)—

(i)

for “The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for” substitute “The requirement for safeguards to be provided under Article 46(1A)(a)(i) of the UK GDPR may be satisfied”, and

(ii)

after “described” insert “in”,

(b)

in sub-paragraph (3)(a)—

(i)

for “or provision” substitute “, of provision”, and

(ii)

for “(or both)” substitute “or of the amendment of Chapter 5 of the UK GDPR by the Data (Use and Access) Act 2025”, and

(c)

in sub-paragraph (4), after paragraph (a) insert—

“(aa)

changing references to provision made by regulations under section 17A into references to provision made by regulations made under Article 45A of the UK GDPR;”.

(7)

In the heading before paragraph 10, for “adequacy decisions and adequacy regulations” substitute “transfers approved by regulations”.

(8)

In paragraph 10 (law enforcement processing: adequacy decisions and adequacy regulations)—

(a)

in sub-paragraph (1), for “based on adequacy regulations” substitute “to be treated as approved by regulations made under section 74AA”,

(b)

in sub-paragraph (4)(a), for “lists or other” substitute “schemes, lists or other arrangements or”, and

(c)

omit sub-paragraph (6).

(9)

In paragraph 12 (Part 3 (law enforcement processing): application of certain provisions referring to regulations made under section 74A)—

(a)

the existing text becomes sub-paragraph (1),

(b)

in that sub-paragraph—

(i)

for the words before paragraph (a) substitute “In sections 74B and 76(A1)—”, and

(ii)

in paragraph (a), for “74A” substitute “74AA”, and

(c)

after that sub-paragraph insert—

“(2)

In its application to transfers treated as approved by virtue of paragraph 10, section 74B(7) (transfers approved by regulations: monitoring) has effect as if the reference to section 74AA(4)(b) were omitted.”

Part 2 Transitional provision

The UK GDPR: transfers approved by regulations

26

(1)

Regulations made under section 17A of the 2018 Act (transfers based on adequacy regulations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 45A of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 4 of Schedule 7 to this Act comes into force.

The UK GDPR: transfers subject to appropriate safeguards

27

(1)

For the purposes of Article 44A(1)(a) and (2)(b) of the UK GDPR (general principles for transfers of personal data), a transfer of personal data to a third country or an international organisation made on or after the relevant day is made subject to appropriate safeguards where—

(a)

the transfer is made under arrangements entered into before the relevant day,

(b)

safeguards are provided in accordance with paragraph 2 or 3 of Article 46 of the UK GDPR or paragraph 9 of Schedule 21 to the 2018 Act, and

(c)

if the transfer had been made immediately before the relevant day, it would have satisfied—

(i)

the condition in Article 46(1) of the UK GDPR relating to data subjects’ rights and legal remedies, and

(ii)

the requirements of the last sentence of Article 44 of the UK GDPR (level of protection must not be undermined).

(2)

Sub-paragraph (1) has effect in addition to Article 46(1A) of the UK GDPR.

(3)

In this paragraph—

“international organisation” has the same meaning as in the 2018 Act (see section 205 of that Act);

“personal data” has the same meaning as in the 2018 Act (see section 3 of that Act);

“the relevant day” means the day on which paragraph 6 of Schedule 7 to this Act comes into force;

“third country” has the same meaning as in Part 3 of the 2018 Act (see section 33 of that Act).

The UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

28

(1)

Regulations made under section 17C of the 2018 Act (standard data protection clauses) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 47A(1) of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 8 of Schedule 7 to this Act comes into force.

29

(1)

This paragraph applies to a requirement for safeguards to be provided under—

(a)

Article 46(1A)(a)(i) of the UK GDPR, or

(b)

paragraph 27(1)(b) of this Schedule.

(2)

The requirement may be satisfied on and after the relevant day by a version of pre-commencement standard clauses incorporating changes where—

(a)

all of the changes are made in consequence of the amendment of Chapter 5 of the UK GDPR by this Act, and

(b)

none of the changes alters the effect of the clauses.

(3)

Changing a reference to regulations under section 17A of the 2018 Act into a reference to regulations made under Article 45A of the UK GDPR is to be treated as a change falling within sub-paragraph (2).

(4)

Sub-paragraphs (2) and (3) cease to apply in relation to pre-commencement standard clauses if—

(a)

the clauses are specified in regulations and a provision of the regulations relating to the clauses is amended or revoked on or after the relevant day, or

(b)

the clauses are specified in another document and a provision of the document relating to the clauses is amended or withdrawn by the Information Commissioner on or after the relevant day.

(5)

Sub-paragraph (2) has effect in addition to Article 46(2) and (3) of the UK GDPR.

(6)

In this paragraph—

“pre-commencement standard clauses” means standard data protection clauses specified in—

(a)

regulations made under section 17C of the 2018 Act and in force immediately before the relevant day, or

(b)

a document issued by the Information Commissioner under section 119A of the 2018 Act before the relevant day and not withdrawn before that day;

“the relevant day” means the day on which paragraph 6 of Schedule 7 to this Act comes into force.

The UK GDPR: transfers necessary for important reasons of public interest

30

(1)

Regulations made under section 18(1) of the 2018 Act (transfers necessary for important reasons of public interest) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 49(4A) of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 9(5) of Schedule 7 to this Act comes into force.

The UK GDPR: restrictions on transfers of personal data to third countries and international organisations

31

(1)

Regulations made under section 18(2) of the 2018 Act (restrictions on transfers of personal data to third countries and international organisations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 49A of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 10 of Schedule 7 to this Act comes into force.

Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations

32

(1)

Regulations made under section 74A of the 2018 Act (transfers based on adequacy regulations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under section 74AA of that Act (inserted by Schedule 8 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 4 of Schedule 8 to this Act comes into force.

Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards

33

(1)

For the purposes of section 73(3) of the 2018 Act (general principles for transfers of personal data), a transfer of personal data to a third country or an international organisation made on or after the relevant day is a transfer made subject to appropriate safeguards where—

(a)

an appropriate pre-commencement legal instrument binds the intended recipient of the data, and

(b)

if the transfer had been made immediately before the relevant day, the requirement in section 75(1)(a) of the 2018 Act (binding legal instrument containing appropriate safeguards) would have been satisfied by virtue of that instrument.

(2)

Sub-paragraph (1) has effect in addition to section 75(1A) of the 2018 Act.

(3)

For the purposes of sub-paragraph (1), a legal instrument is an “appropriate pre-commencement legal instrument”, in relation to a transfer of personal data, if—

(a)

it was entered into before the relevant day,

(b)

it is intended to be relied on in connection with the transfer or that type of transfer, and

(c)

at least one competent authority is a party to the instrument.

(4)

In this paragraph—

“competent authority” has the same meaning as in Part 3 of the 2018 Act (see section 30 of that Act);

“international organisation” has the same meaning as in the 2018 Act (see section 205 of that Act);

“personal data” has the same meaning as in the 2018 Act (see section 3 of that Act);

“the relevant day” means the day on which paragraph 6 of Schedule 8 to this Act comes into force;

“third country” has the same meaning as in Part 3 of the 2018 Act (see section 33 of that Act).