The Data (Use and Access) Act 2025 – Data Protection Changes

The Data (Use and Access) Act 2025 has now been passed, but not all of it is in force. Some parts require the government to pass a regulation bringing that section into force. This should be done in the next 6–9 months. The ICO is also putting out guidance ‘in due course’.

Background

The Act isn’t a ‘data protection act’ in itself – it’s an act that amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). If you look at the legislation on the government website, then you can see the changes made under the DUAA as they are annotated. You don’t need to keep going back to the DUAA, as it only amended those pieces of data protection legislation.

1. Consent

If you process data and rely on the consent of the data subject to do so, then:

  • You must be able to demonstrate that the data subject consented to the processing
  • If the consent is in writing as part of a document which also concerns other things, then the request for consent must be:
      • Clearly distinguishable from the other matters
      • In an intelligible and easily accessible form; and
      • In clear and plain language
  • Any consent that doesn’t meet the above criteria isn’t binding
  • The data subject may withdraw consent at any time, but any processing carried out before the consent was withdrawn is still valid
  • You can only rely on consent if you tell the data subject that they can withdraw that consent and it is easy to withdraw that consent
  • Consent is not freely given if a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service, e.g. if you don’t accept my marketing, you can’t get the service

2. Legitimate interest

There is now a short list of recognised processing using legitimate interest. This means that you don’t need to do a legitimate interest assessment if your activity is on the list. The list isn’t terribly useful at this point but I’m hoping that more activities will be added.

  • Disclosure of data between persons where the processing is in the public interest
  • National security, public security and defence
  • Emergencies
  • Crime
  • Safeguarding vulnerable individuals

The DUAA provides examples of types of processing under legitimate interests and these are more helpful:

  • direct marketing,
  • intra-group transmission of personal data (whether relating to clients, employees or other individuals) for internal administrative purposes, and
  • processing that is necessary for the purposes of ensuring the security of network and information systems.

3. Compatible purpose processing

This section has the criteria to use to determine if your ‘new’ processing is compatible with your ‘current’ processing.

Criteria:

  • any link between the original purpose and the new purpose;
  • the context in which the personal data was collected, including the relationship between the data subject and you;
  • the nature of the processing – is it special categories of personal data or criminal convictions;
  • the possible consequences of the intended processing for data subjects; and
  • the existence of appropriate safeguards (for example, encryption or pseudonymisation).

Your ‘new’ purpose is compatible with your ‘current’ purpose if:

  • The data subject consents
  • The new purpose is scientific or historical research, archiving in the public interest, or statistical purposes (most of you will use the statistical purposes)
  • It’s an activity listed in Annex 2:
      • Disclosure of data between persons for a public task
      • Disclosure for the purposes of archiving in the public interest
      • Public security
      • Emergencies
      • Crime
      • Protection of vital interests of data subjects and others
      • Safeguarding vulnerable individuals
      • Taxation
      • Legal obligations

4. Research, Archiving and Statistical Purposes (RAS)

Personal data may only be processed for RAS purposes if:

  • the processing consists of the collection of the personal data (whether from the data subject or otherwise),
  • the processing is carried out in order to convert the personal data into anonymous data, or
  • without the processing, the RAS purposes cannot be fulfilled.

You now don’t need to individually inform each data subject if you intend to further use their data for (and only for) the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes.

You can only abstain from notifying each person if providing the information is impossible or would involve a disproportionate effort, and you have made the information publicly available (e.g. by putting it in the privacy notice on the website).

5. Subject Access Requests

The ‘reasonable and proportionate search’ from case law has been codified in the Act. ‘The data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data.’

The time limits have changed slightly and you must comply with a SAR without undue delay and within one month commencing when:

  • You receive a request;
  • Further information is needed to deal with the request (e.g. you process a large amount of information concerning the data subject);
  • You need to identify the requestor; or
  • You’re charging a fee for a manifestly unfounded or excessive request.

You can extend the time to respond by a further two months if the request is complex or if there are a number of them.

You must tell the data subject that you need more time within the first month and the reason why.

6. Automated decision making

You must have safeguards in place:

  • provide the data subject with information about the automated decision making
  • enable the data subject to make representations about it
  • enable the data subject to obtain human intervention by you about the decision
  • enable the data subject to contest such decisions

You can’t use automated decision making using all or part of sensitive data unless:

  • you have the explicit consent of the data subject
  • the decision is required or authorised by law.

7. Data protection by design: children’s higher protection matters

If you have an information society service (a website) likely to be accessed by children, when assessing what appropriate technical and organisational measures to take, you must look at:

  • how children can best be protected and supported when using the services, and
  • the fact that children:
      • merit specific protection because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and
      • have different needs at different ages and at different stages of development.

8. Complaints

You now need a complaints procedure and must provide a complaint form which can be completed electronically and by other means.

If you receive a complaint under this section, you must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.

You must without undue delay:

  • take appropriate steps to respond to the complaint, and
  • inform the complainant of the outcome of the complaint.

Taking appropriate steps to respond to the complaint includes making enquiries into the subject matter of the complaint, to the extent appropriate, and informing the complainant about progress on the complaint.

9. PECR – Charities

Charities can now use legitimate interest to send electronic mail for the purposes of direct marketing where:

  • the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes;
  • the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient:
      • expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or
      • offering or providing support to further one or more of those purposes; and
  • you give the recipient a simple means of refusing the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication (this is the unsubscribe link in emails).

10. Cookies

Currently, you need consent to drop any cookies on a user’s device. The Act changes that but for the UK only. If your website is also used in the EU, then you still need consent for all non-essential cookies.

The DUAA changed PECR this way:

You can access a device and store cookies/pixels etc. on it if the sole purpose of the storage or access is to:

  • collect information for statistical purposes about how the service is used, with a view to making improvements to the service;
  • collect information for statistical purposes, with a view to making improvements to the website;
  • enable the way the website appears or functions, when displayed on or accessed by the terminal equipment, to adapt to the preferences of the subscriber or user; or
  • enable an enhancement of the appearance or functionality of the website when displayed on, or accessed by, the terminal equipment.

These purposes are statistical to improve the website and to enhance its appearance and function. Other cookies, such as analytical and marketing, are not covered by the new amendments and you still need consent for those.

You must not share any data with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website.

You must give the user clear and comprehensive information about the purpose of the storage or access.

The user must have been given a simple means, free of charge, of objecting to the storage or access, and must not have objected.

Why these changes aren’t particularly brilliant:

  • you still need consent for the other cookies (analytic and marketing etc.) that you use
  • if you are going to use legitimate interest for statistical cookies, then you will need to inform the user about those cookies and provide an ‘opt out’ button
  • the law in the EU is still that consent is required for all non-essential cookies
  • is it practical to change your cookie popups, or would it be easier to just stay with consent as the legal basis?
