
Data (Use and Access) Act 2025 made

A quick summary of the article

The Data (Use and Access) Act 2025 has been made. This Act makes a variety of provisions, including for digital verification services, as well as in regard to data protection and privacy, amending the UK GDPR and Data Protection Act 2018 amongst others.

This Act came partially into force on the day it was passed, but the majority of its provisions will enter into force as and when commencement regulations are made.

The Data (Use and Access) Act 2025 makes a wide variety of provisions for different data-related systems and powers. These include provisions concerning digital verification services and the DVS register, the National Underground Asset Register and registers of births and deaths.

In addition, parts 5-7 of the Act concern data protection and privacy, as well as data use and access. This includes amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Some of the key data protection and privacy changes made by the new Data (Use and Access) Act 2025 include (amongst many other provisions):

  • Amendments to the UK GDPR that permit organisations to make decisions about individuals based solely on automated processing, even where these produce ‘legal’ or ‘similarly significant’ effects for those persons. (See section 80).

  • The provision of safeguards for this amendment, such as certain requirements for organisations to provide the subjects of automated decisions with information about those decisions, and the requirement to afford these individuals the opportunity to make representations about or contest these decisions. (See section 80).

  • Similar amendments to the Data Protection Act 2018 as those to the UK GDPR, in order to effect these same provisions for use in law enforcement processing. (See section 80(3)).

  • The provision of exemptions to these safeguards under certain circumstances, e.g. for the purposes of national security. (See section 80(3)).

  • Provisions relating to the time period that organisations have in which to respond to individuals’ data access requests. Notably, these provide that wherever data controllers require additional information to fulfil an access request, the period in which the controller must wait to receive this information does not count towards the statutory time limit they have in which to fulfil the request. (See section 76).

  • Provisions that require providers of information society services to consider certain child protection measures, where these online services are likely to be accessed by children. (See section 81).

  • Provisions relating to the definition of ‘scientific research’ and the seeking of consent in research for broad areas of related research, in regard to personal data processing. (See sections 67-68).

  • Provisions to simplify rules around transferring personal data internationally. (See section 85 and schedule 9).

  • Amendments to the UK GDPR that require organisations to facilitate and handle complaints from individuals, where they claim that there has been a breach of the GDPR by that data controller. (See section 103).

This Act is partially in force already, albeit only for some provisions which concern interpretation, the retention of certain biometric data by law enforcement agencies, and other limited measures. Other provisions concerning law enforcement processing and the Information Commissioner will come into force on 19th August 2025, and the remaining majority of this Act will come into force at such time as commencement regulations are made.

Sources:

UK (A) 2025/18 – Data (Use and Access) Act 2025, made 19th June 2025
