top of page

UK Data (Use and Access) Act 2025 (DUAA)

To promote technical innovation and economic growth, in 2025 the UK Government introduced the UK Data (Use and Access) Act 2025, which will allow different methods of managing personal data whilst still providing appropriate protection for data subjects and their rights. The key components of DUAA, introduced on 5th February 2026, are summarised below:

  • Personal data can be re-purposed for activities compatible with the original purpose of collecting it, including scientific and historical research, detecting and preventing crime, public security and statistical analysis.

  • Personal information can be used for scientific research under specific scenarios (a) introducing 'broad consent' from data subjects and (b) without the need to provide an updated privacy notice to them, as long as their rights are protected and the privacy notice is availble on the applicable website.

  • A widening of the list of 'legal bases' that can be used got the processing of personal data to increase the use of automated decision making about them. This change does not apply to Special Category Data (as per GDPR Art.9).

  • Relaxing of some cookie consent requirements, e.g. for statistical purposes or improving website functionality.

  • Data Subject Access Requests (DSARs) only require the conducting of reasonable and proportionate searches. DUAA has clarifed that the response deadline only starts when specific crieteria have been met - e.g. the requester's identity has been validated.

  • Clarification that activities related to direct marketing can be a legitimate interest.

  • Charities can send email marketing to data subjects who have engaged with them in some way, provided they have not objected.

  • Disclosures to public authorities (e.g. the police) no longer require the discloser to validate the reasons for requesting the disclosure. That responsibility now passed to the organisation requesting and receiving the personal data. 

  • A new lawful basis for processing based on 'recognised legitimate interests'. Such activities remove the current need to balance the impact on data subjects whose data is being processed, e.g. when protecting the security of the general public.

  • International transfers now require the data to be protected to a level 'not materially lower' than UK standards.

  • Digital services likely to be accessed by children need to consider their protection and support when implementing safeguards.

  • An incease in the maximum fines that can be imposed for breaches of PECR to £17.5m or 4% of global annual turnover.

The full text of the the Data (Use and Access) Act 2025 can be reviewed here.

Prepared by Simon Hastings, 17.02.2026

bottom of page