0203 3013384
SUPPORT

THE DATA (USE AND ACCESS) ACT
how to prepare

_0000_2560px-Macmillan_Cancer_Support_logo.svg
_0012_rhodes
_0018_Boxpark_LOGO
_0010_reigate_and_banstead_borough_council
_0013_SWAST
_0015_RDUH
_0014_Bristol-Airport-logo
_0003_Exeter Chiefs
_0001_Maidstone Borough Council
_0002_Birmingham Airport

the data (use
and access) act

HELPING YOU PREPARE FOR THE DUAA CHANGES

This page will help you answer some frequently asked questions regarding the new Data Use and Access Act. Read about some of the key changes below.

What is the Data (Use and Access) Act?

The Data (Use and Access) Act (or “DUAA”) is a new piece of UK legislation that aims to upgrade current data protection legislation in the UK (such as the UKGDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulation PECR). Its main purpose is to strengthen how data is safeguarded, while not stifling innovation or technological advancement, with the additional goals of improving public services, supporting research, and boosting economic growth.

For public sector organisations, the bill will likely mean clearer guidance and legal backing for sharing data in appropriate ways. It could reduce some of the uncertainty or red tape they currently face when trying to work with other departments or researchers. Over time, this could lead to more collaboration, better decision-making, and improved services. Private and third-sector organisations, especially those working in partnership with government or using public sector data, may see new opportunities as well. The DUAA could open up safer access to anonymised data for research or product development, supporting innovation in areas like healthcare, housing, or education.

However, all organisations handling data will need to ensure they meet high standards for privacy and security, and may need to adapt their practices to align with the new legal framework. So far, the only change to have been immediately implemented is the one regarding the “reasonable and proportionate search” rule for DSARs, and the others will need secondary legislation for implementation.

Overview
Key changes
FAQS
DUA Act training course
Book a meeting

12 KEY CHANGES IN THE DATA (USE AND ACCESS) ACT

Use of cookies

Hover to reveal how the DUAA is introducing a more relaxed approach to cookies.
There are new exceptions to consent requirements for some cookies (a more relaxed approach). This extends to cookies used for collecting statistical information about how a service or website is being used (analytical purposes) and optimisation of content display to reflect user preferences. Transparency and opt-out requirements remain the same.
LEARN MORE ON OUR COURSE

New lawful basis

Hover to reveal more about this new lawful basis the DUA Act is introducing.
The act introduces a new legal basis of ‘recognised legitimate interests’. This provision will only apply to private and third sector organisations, and allows the processing of data without conducting the usual balancing test. Some examples include crime prevention and detection, responding to emergencies, and safeguarding individuals.
LEARN MORE ON OUR COURSE

Soft opt-in

Hover to reveal more information about how the DUA Act has extended the soft opt-in to include charity organisations.
The DUAA will significantly help charities by extending the 'soft opt-in' marketing rule (under PECR) to them. This means if a charity gets someone's contact details when they show interest or support, the charity can send them marketing without needing explicit consent, as long as an an opt-out is always provided.
LEARN MORE ON OUR COURSE

the information commission

Hover to reveal more information about the changes the DUAA makes to the ICO.
The DUA Act gets rid of the ICO and creates a new 'Information Commission,' replacing the Information Commissioner with a Chair and other members. It also changes how people complain: individuals must now go to the business first, and only if their complaint isn't handled well can they then escalate it to the Information Commission.
LEARN MORE ON OUR COURSE

Data subject access requests

Hover to reveal more information about the changes the DUAA makes to DSAR responses.
The DUA Act aims to clarify confusion on Data Subject Access Requests (DSARs) and make them less burdensome for businesses. It clarifies that individuals are only entitled to information that comes from a 'reasonable and proportionate' search, which should cut down on costs and admin.
LEARN MORE ON OUR COURSE

Automated decision making

Hover to reveal more information about how the DUA Act changes the rules around automated decision making.
The DUAA is easing up on rules for Automated Decision Making (ADM). It will allow ADM without needing to get consent, as long as it doesn't involve sensitive 'special category' data.Even when special category data isn't used, safeguards are still required, like being clear about how ADM is used and letting people challenge decisions and ask for human review.
LEARN MORE ON OUR COURSE

Scientific research

Hover to reveal more about the changes the DUA Act makes to the definition of scientific research for data processing purposes.
The definition of 'scientific research' is expanding to include any research that can reasonably be called scientific. This broadens the situations where we can process sensitive 'special category' data for research, including privately funded and commercial projects. Plus, individuals will now be able to consent to their data being used for scientific research even if the exact purposes aren't clear yet.
LEARN MORE ON OUR COURSE

International data transfers

Hover to reveal more information about how the DUA Act changes approvals of data transfers.
Instead of 'adequacy decisions,' we'll now have 'transfers approved by regulations.' This means the UK Secretary of State needs to confirm that the other country's data protection standard isn't 'materially lower' than the UK's. This probably won't have a huge impact on international data transfers from the UK because the core framework remains pretty similar.
LEARN MORE ON OUR COURSE

Digital identity trust mark

Hover to reveal more information about the DUA Act's "digital verification services".
The DUA Act is setting up a system for 'trusted' digital verification services (DVS). This involves creating a DVS register and an additional certification process called the DVS Trust Framework, which the Secretary of State will develop with the ICO.
LEARN MORE ON OUR COURSE

Children's data

Hover to reveal more information about what the DUA Act sets out about safeguarding children's data.
To better protect children's data, the DUAA adds 'children's higher protection matters' to the idea of data protection by design and default, especially for online services kids can access. This means businesses and the ICO now have extra responsibilities to consider how vulnerable children are when handling data, aiming to put stronger safeguards in place for young people.
LEARN MORE ON OUR COURSE

Purpose limitation

Hover to reveal more information about how the DUA Act brings clarity to 'further processing' of data.
The DUA Act provides criteria to help decide if new processing aligns with the original purpose, such as the connection between the purposes, the context of data collection, and potential impacts on individuals. It also lists situations where new processing is considered compatible, such as when the individual consents, or if the processing is needed to meet a legal obligation, like a court order.
LEARN MORE ON OUR COURSE

Smart data schemes

Hover to reveal more information about the DUA Act's 'Smart Data Schemes'.
The DUA Act is introducing 'Smart Data Schemes,' which let the government create rules for how businesses and customers can share data. Think of it like how Open Banking already works in the UK, letting you share your financial data with other apps. The government will hold consultations to figure out exactly which businesses can access this data and what safeguards need to be in place.
LEARN MORE ON OUR COURSE

frequently asked questions

The Act is designed to modernise the legal framework for how personal and non-personal data is accessed, shared, and used across sectors, while maintaining strong protections for individual rights.

While the UK GDPR and DPA 2018 focus primarily on the protection of personal data, the Data Use and Access Act expands the focus to include broader data access mechanisms, including standards for data sharing, use of public sector data, and support for innovation.

No. The Act complements existing data protection legislation rather than replacing it. Organisations still need to comply with the UK GDPR and DPA 2018 where personal data is involved.

The Act applies to public bodies, private organisations handling public sector data, and companies engaged in data-driven innovation. It may also have implications for international companies processing UK data or collaborating with UK public sector bodies.

Organisations will need to review existing data-sharing arrangements, ensure transparency with data subjects, and potentially formalise new documentation and oversight mechanisms.

The Information Commissioner’s Office (ICO) may issue enforcement notices or fines where organisations fail to meet new legal obligations under the Act, particularly where public trust or transparency is compromised.

Guidance is expected from the Department for Science, Innovation and Technology (DSIT) and the ICO. Organisations should also seek legal or consultancy advice to interpret specific obligations and assess impact.

The Act doesn’t directly amend existing international data transfer rules, but global organisations may need to consider how cross-border access and re-use of UK public data is managed in line with the Act’s principles.

NEED SOME SUPPORT IMPLEMENTING THE DUAA CHANGES?

CHAT TO A CONSULTANT

BOOK A MEETING
MAKE AN ENQUIRY

understanding the data (use and access) ACT
TRAINING COURSE

Overview

keep up with data
Protection law
with our data (use and access) ACT Course

Are you overwhelmed or confused by the many changes introduced in the new Data (Use and Access) Act (DUAA)? Do you need an expert’s guidance on what the various amendments mean, and how this will affect your organisation?

Course contents include:

  • Background and Evolution of the Legislation
  • Navigating the New Data Protection Landscape
  • Key Changes Introduced by the Act
  • Broader Implications and Sector-Wide Impact
  • Action Points for UK Organisations
  • Compliance Guidance for EU-Based Organisations
  • Next Steps for Global Operations and Multinational Compliance

This course is delivered by the well known industry expert Ralph O’Brien. Ralph delivers many of our training courses.

When you train with us at DPAS, you’ll get more than just the training. We’ll provide you with free policies, templates, and tools after the course has concluded. We will also supply you with the relevant resources to help you throughout.

WANT TO FULLY UNDERSTAND THE DUAA?

VISIT OUR COURSE PAGE TO LEARN MORE.

VISIT THE COURSE PAGE
MAKE AN ENQUIRY

got a question?

get in touch with us

recent blogs from our team

Picture of Alex Haslam

Breaking down 9 key changes in the Data (Use and Access) Act

While by no means an exhaustive breakdown of every change, this guide provides a snapshot into some of the key changes.
READ MORE
Picture of Mel

13 Easy to Understand Changes in the Data (Use and Access) Bill

As we can now expect the bill to come into law very soon, here are 13 of the bill's most interesting key changes that you'll want to know.
READ MORE
Picture of Mel

Understanding the Data (Use and Access) Bill: A Guide for Data Protection Practitioners – What is recognised legitimate interest?

Recognised Legitimate Interests, how they interact with the current legal framework, and what practical steps organisations need to take to ensure compliance and readiness.
READ MORE