Data (Use and Access) Act – Updating Data Protection Law and more

The DUA Act does not replace existing data protection legislation but does amend the UK GDPR, whilst introducing broader data governance regulation beyond governance of personal data.

The Government has set out that the overarching aim of the DUA Act is to “unlock the secure and effective use of data for the public interest, without adding pressures to the country’s finances”.

The DUA Act aims to streamline data sharing across sectors, from healthcare and transport to wider Government services, all whilst ensuring that robust security and privacy safeguards are maintained from previous regulations.

The Government projects that the DUA Act could contribute £10 billion to the UK Economy over the next 10 years by spurring innovation and cutting red tape.

The previous Bill

The DUA Act is a replacement of the previous Government’s data protection bill – the Data Protection and Digital Information Bill (“DPDI”).

The DPDI lapsed after the Parliamentary changeover and was never enacted. After the 2024 general election and change in government, policy refinement led to the introduction of the DUA Bill in October 2024.

Whilst not as extensive as the proposed DPDI Bill in terms of changes to the UK GDPR, the DUA Bill consolidated many of the key DPDI proposals with other new provisions, all aimed at bolstering data transparency and further simplifying lawful data usage.

Since the October 2024 formal introduction of the DUA Bill, it has journeyed through a particularly protracted ping-pong phase between the two houses, requiring numerous revisions and alterations across the previous eight months.

Early on in the legislative process of the DUA Bill, it appeared it was going through a rapid progression to Royal Assent, however progress slowed when high-profile amendments were extensively debated.

The areas of contention concerned AI, copyright and automated decision making, all of which received notable media attention and commentary by figures such as Sir Paul McCartney and Sir Elton John.

Whilst some commentators state there has been a late stage “compromise” on the transparency requirements related to AI and copyright, ultimately final amendments have been agreed and the provisions can now be brought into force by Ministers via secondary regulations.

The key changes and new provisions to be aware of

The DUA Act has introduced several noteworthy changes and reforms to UK data law:

Recognised legitimate interests

The DUA Act adds a new lawful basis for processing “recognised legitimate interests”. These pre-define certain activities as legitimate interests which will not require any separate balancing tests. As with the existing lawful basis of legitimate interests, public authorities cannot rely on this ground for processing carried out in the performance of their public tasks.

Data controllers will be able to rely on this basis for a fixed set of public-interest matters without doing a new legitimate interest assessments on each occasion.

The list of interests includes matters like:

• Safeguarding national security;
• Disclosure to a person carrying out a public interest task;
• Responding to emergencies;
• Detecting, preventing, or investigating crime;
• Security and defence; and,
• Protecting public security and defence; and safeguarding vulnerable individuals.

Therefore, a public authority may find this new lawful basis of use as it may give other data controllers more confidence to share personal data with a public authority as they can rely on this new lawful basis.

It should be noted that data controllers are still subject to necessity and proportionality considerations from Article 6 of the UK GDPR – but the administrative burden and associated paperwork is removed if one of these recognised legitimate interests categories is applicable to the processing.

Automated decision-making safeguards

The DUA Act also relaxes the strict ban on using solely automated decision-making under the UK GDPR, by narrowing the scope of it. It now only applies to cases involving special category data (biometric data and health etc).

The prohibition previously gave rights to individuals not to be subject to decisions based solely on automated processing if the decisions had legal effects on them.

There were exceptions (necessity, authorised by UK Law with safeguards, or it is based on the individual’s explicit consent).

This is now changing as an automated decision affecting someone based on ordinary personal data (i.e., not special category data) no longer has this automatic protection through the triggering of Article 22 of the UK GDPR.

In parallel, the DUA Act also strengthens other safeguards by making significant automated making subject to increased transparency, impact assessments, and clear accessible routes to human review.

Revised Subject Access Request (“SAR”) framework

The DUA Act has made reforms to SARs, which are aimed to balance practical efficiency with transparency.

The “reasonable and proportionate” search standard is now codified into law. If an entity has an exceptionally large data set to process and search through for an individual, the DUA Act explicitly gives the right to extra time to process a SAR for that individual.

There is a clear “stop the clock” right for data controllers, this is where search and response time limits are paused whilst a data controller is verifying a requestor’s identity.

There are also other changes relating to regulators’ enforcement powers, allowing different levels of fines to be issued based on the seriousness of breaches.

National Underground Asset Register (“NUAR”)

One of the flagship features of the DUA Act is the National Underground Asset Register. The NUAR is an initiative to create a comprehensive digital map of all underground pipes and cables across England, Wales, and Northern Ireland (gas, water, electricity, telecoms etc).

All owners of buried infrastructure will be required to upload all of their data on underground assets to the NUAR. Planners and members of the construction industry will (hopefully) no longer have to enquire multiple utility providers individually.

Instead, they should be able to quickly search the NUAR, this is being touted as making a “6-day process into 6 seconds”.

The aim is for the NUAR to become the “single statutory source of truth” for all buried infrastructure. Heavy duties are being imposed on local authorities and the asset owners to create the register.

Digital Verification Services (“DVS”)

The DUA Act is requiring the UK Government to publish a Digital Verification Services trust framework, to maintain a register of certified digital ID holders.

The idea is that only providers on the official register will be able to display the Government’s symbol for trusted identity services.

An “information gateway” is also being created, which is going to allow public bodies to quickly share identity data with the providers on the official register.

Right to rent and right to work checks will be able to be done via this mechanism, which should make it easier for UK citizens to verify their identities in a secure manner.

Economic growth mandate

As flagged above, the DUA Act is being linked to the Government’s wider economic growth agenda, which is meant to underpin all the other changes and provisions being introduced.

The economic changes come with the mandate from Government that regulators and departments should favour growth friendly interpretation of the law.

Implications for public authorities and local government

The aim of the DUA Act is to allow authorities and organisations to harness the benefits of data to deliver faster and more efficient public services, alongside data-driven innovation.

All changes introduced by the DUA Act should be implemented whilst maintaining and considering compliance with wider data protection principles.