The Data (Use and Access) Act 2025 (“DUAA”), which received Royal Assent on 19 June 2025, represents the most consequential reform to the United Kingdom’s data protection framework since Brexit. It does not supplant the UK GDPR, but rather amends and supplements the Data Protection Act 2018 (“DPA 2018”), recalibrating its operation.
While styled by government as evolutionary, the Act introduces substantive changes. Its policy intention is clear: to preserve the UK’s EU adequacy status while enabling greater efficiency in the use and sharing of personal data within public administration. However, questions of proportionality, constitutional propriety, and whether the Act will succeed in its aims remain to be determined.
The Act’s most immediate effect concerns Subject Access Requests (“SARs”). Section 78 now places on a statutory footing what the ICO has long guided: controllers must undertake only “reasonable and proportionate” searches, not exhaustive trawls through decades of legacy records. This provision is, by virtue of s.142, already in force.
For public authorities this provides long-sought relief; for applicants, perhaps frustration. For example, a SAR spanning thirty years of records may now legitimately be limited to accessible digital files, rather than compelling manual searches of paper archives.
The Act introduces the capacity for controllers to extend SAR response times by two months where requests are numerous or complex and introduces “stop the clock” provisions, permitting controllers to pause the one-month response period while seeking necessary clarification. However, the pause must be justified and proportionate; it cannot be used to defer compliance indefinitely. One scenario that is bound to occur, and which the Act does not clarify, is what a controller should do if a SAR submitter fails to respond to such a clarification request. The ‘right’ answer is likely to be situationally contingent, and this question may well be the subject of future litigation. Controllers should consider whether a partial response can be issued even where a SAR submitter fails to engage with a clarification request.
Of note is the retrospective application of these provisions to 1 January 2024. Such retroactivity is unusual in data protection law and could also give rise to litigation, particularly in disputes already before the courts or the ICO.
Section 70 introduces the concept of “recognised legitimate interests”, dispensing with the balancing test otherwise inherent in Article 6(1)(f) UK GDPR for specified purposes, including:
This is significant. For years, public sector data sharing has been hampered by the need for close balancing of rights under the legitimate interests basis and the accordant uncertainty this presented for a controller when considering how a court would conduct the same balancing exercise. Now, processing within the above categories will qualify automatically as lawful.
Nevertheless, individuals will be reassured that controllers remain bound by the requirements of necessity and proportionality, together with all other data protection principles. The removal of the balancing test should not be mistaken for a licence to engage in carte blanche public-sector information exchange.
The DUAA introduces important amendments to Parts 3 and 4 of the DPA 2018.
Section 71 introduces “assumptions of compatibility” in relation to certain re-uses of data, such as:
This clarification will assist NHS Digital in population health initiatives, local authorities in safeguarding and housing interventions, and police in the maintenance of intelligence databases. Yet, it does not relieve controllers of the duties of data minimisation, fairness, and accountability. Compatibility presumptions operate within, not outside, the framework of lawful and proportionate processing.
Section 72 clarifies that international treaties may constitute a lawful basis under Articles 6(1)(e) and 9(2)(g) UK GDPR. This provides much-needed certainty for UK-US data sharing agreements and cross-border law enforcement cooperation.
Nevertheless, adequacy consequences loom large. EU jurisprudence (as in Schrems II) has been unforgiving where third-country arrangements are perceived as weakening fundamental rights. The Commission has extended UK adequacy until December 2025, but reserves the right to review at any time.
Of interest to private companies, section 67 expands the definition of scientific research to include commercial activity, enabling closer collaboration between the public sector and private industry. NHS-pharma partnerships and university-defence collaborations stand to benefit.
Equally significant is the introduction of “broad consent”, permitting participants to consent to families of related research projects rather than each study individually. While operationally pragmatic, this may invite challenge under UK human rights law if employed to justify unforeseen or highly sensitive secondary uses. Robust governance will be essential.
The Act mandates enhanced complaint handling: electronic forms, acknowledgment within 30 days, and timely resolution. While laudable in principle, these duties impose new burdens on already stretched public authorities. Failure to comply may increase exposure to ICO enforcement and judicial review. Public authorities should take steps to implement processes to ensure compliance with these new obligations.
The phased implementation timetable, at present extending to June 2026 but potentially subject to changes, requires strategic planning. Public bodies must adapt policies, retrain staff, and update information-sharing agreements.
Most importantly, a cultural shift is required. The Act seeks to replace risk-averse minimisation with purpose-driven sharing. Yet the risk of overcorrection, moving too quickly into expansive data use without adequate safeguards, must be guarded against.
The Act affords significant new powers to the Secretary of State, including the ability to extend or amend recognised legitimate interests by regulation. This centralisation of power, coupled with narrowed individual rights in certain contexts, is likely to attract judicial scrutiny.
The balance between operational efficiency and the preservation of rights is delicate. Expanded sharing must be matched by enhanced governance and audit mechanisms if public trust is to be maintained.
The DUAA 2025 is not a revolution, but it is undoubtedly a major recalibration of UK data protection law. For the public sector it offers welcome clarity, particularly on SARs and lawful bases for data sharing. Yet it also poses constitutional and adequacy risks, which will require vigilance from practitioners, regulators, and the courts. The private sector may find new opportunities in the provisions on research and innovation and, of course, data protection affects us all.
The Act equips data controllers with new tools for the digital age. Whether those tools strengthen or corrode public trust will depend on their responsible, proportionate, and transparent use.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.


