UK Data (Use and Access) Act 2025 takes effect: key changes explained

Smart data schemes

The Act facilitates increased data portability in the UK, which means secure sharing of customer and business data with authorised third-party providers on the customer's request, through "smart data schemes" and "data intermediaries".

These powers will be used to develop the UK's approach to open banking and to establish an open finance regime in the UK (and similar regimes in other sectors and industries).

Digital ID verification services

The Act introduces a legislative framework for digital verification services: Enabling the use of digital identities in the UK - GOV.UK.

Structure and function

The functions and duties of the Information Commissioner will be replaced with a body: The Information Commission. It will adopt a new structure with a board of non-executive and executive members.

Powers

The regulator will have strengthened powers including in relation to enforcement of PECR, more closely aligning its penalty regime with penalties under the UK GDPR. The regulator will be able to:

• require organisations to produce reports on specified matters, especially when an assessment notice is issued;
• serve legal notices electronically to data controllers, including those overseas, without needing their prior consent; and
• establish stakeholder panels to inform codes of practice and develop impact assessments for key regulatory actions.

Special category data

There is potential for more classes of special category data to be introduced under a particular mechanism in the Act, via secondary legislation. If used, this could bring quite significant changes, e.g. all children's data.

Data Subject Access Requests (DSARs)

1. The Act introduces a new "applicable time period" and procedure for responding to DSARs, with clarification that data subjects are entitled only to findings from reasonable and proportionate searches. This codifies existing guidance, and may be helpful support in statute for controllers when faced with vexatious data subjects.
2. Under the Act, if a court is required to determine whether a data subject is entitled to information under their rights of access or portability, the court can require the controller to make available this information for the court's inspection. The court may not require it to be disclosed to the data subject or their representatives until after the decision.

Privacy Notices - New right to complain for data subject

Data subjects have a new right to complain to controllers. Controllers will need to facilitate the making of complaints, for example an electronic complaint form, and to include information about this right in privacy notices.

Automated decision making

Under the Act, restrictions on solely automated decision making will be substantially relaxed, with safeguards. There is more statutory clarity on what "solely" means. The same restrictions against automated decision making as in the UK GDPR remain for special category data.

Data transfers

The former regime (which restricted international transfer of personal data under Chapter V of the UK GDPR) is re-formulated. This should streamline transfer risk processes for low-risk data transfers.The Act introduces a "data protection test" to be applied by the Secretary of State when deciding whether to approve an international transfer, including by way of recognising a third country's data protection regime as adequate.

Legitimate Interests as lawful basis for processing

1. There are new "recognised legitimate interests". The 'balancing test' requirement for these is effectively removed (though these interests do not commonly tend to arise in standard commercial contexts). They are: (a) disclosure to public bodies who assert they need personal data to fulfil a public interest task; (b) disclosure for national, public security or defence purposes; (c) emergency response purposes; (d) detection, investigation or prevention of crime; and (e) safeguarding vulnerable individuals.
2. The Act clarifies that processing: (a) necessary for direct marketing, (b) intra-group transmission of personal data for administrative purposes; and (c) necessary for ensuring the security of networks and IT systems, can be based on legitimate interests lawful basis. (These are lifted from GDPR recitals, so are not new, but now moved into the body of UK statute).

Cookie consent

1. Cookie consent rules are expanded so that they also apply to a person who "instigates" the storage or access to stored data. The intention is to capture "cookie like" technologies such as tracking pixels and browser fingerprinting.
2. The Bill expands exceptions to the requirement for consent to use of cookies in situations which pose a low risk to user privacy. No user consent will therefore be required for analytics cookies or website appearance cookies. But clear information must be given about the cookies and there must be an ability to opt-out. No consent will be required where cookies are used for security purposes, to prevent or detect fraud or technical faults in connection with the requested service or to facilitate automatic authentication or maintaining a record of the selections made on a service by the subscriber or user.

Enforcement under PECR (Privacy and Electronic Communication (EC Directive) Regulations 2003)

The Information Commissioner's power to impose penalties under PECR – for cookie and electronic direct marketing related breaches – is currently capped at £500,000. This cap is removed and enforcement powers under UK GDPR and the DPA 2018 apply to ePrivacy breaches. There is a higher maximum penalty cap of £17,5000,00 or 4% of worldwide turnover.

Breach reporting under PECR

Communications service providers are subject to a parallel personal data breach reporting regime under PECR. Under the Act this is aligned with the 72 hour deadline under the UK GDPR.

Scientific research

The Act defines the term "scientific research" to bring it in line with existing GDPR recitals and regulatory guidance to encourage a broad interpretation, so that the UK GDPR's purpose limitation principle, and restrictions on processing special category data, are less likely to stand in the way of processing for what might be considered scientific research purposes. Similar clarifications are proposed for "historical" and "statistical" research.