Search Legislation

Advanced Search

Data (Use And Access) Act 2025

Contents

Part 7: Other provision about use of, or access to, data

Information standards for health and social care

Section 121: Information standards for health and adult social care in England

  1. Section 121 makes provision about information standards for health and adult social care in England and information technology. It gives effect to Schedule 15 which amends Part 9 of the Health and Social Care Act 2012 (HSCA 2012).
  2. The provisions on information standards for health and adult social care in England make clear that information standards published under section 250 of the HSCA 2012 in relation to the processing of information include standards relating to information technology (IT) or IT services. The provisions extend the persons to whom information standards may apply to include providers of IT, IT services or information processing services using IT used, or intended for use, in connection with the provision in, or in relation to, England of health or adult social care.

Smart meter communication services

Section 122: Grant of smart meter communication licences

  1. Section 122 introduces Schedule 16 to the Act, which makes provision in connection with the grant of smart meter communication licences.

Information to improve public service delivery

Section 123: Disclosure of information to improve public service delivery to undertakings

  1. Section 35 of the Digital Economy Act 2017 (DEA 2017) provides a legal gateway to enable specified public authorities to share information to improve the delivery of public services to individuals and households. Section 123 of the Act amends section 35 DEA 2017 to also enable the sharing of information to improve the delivery of public services to businesses.
  2. Section 35 of the DEA 2017 allows only public authorities that are listed in Schedule 4 of the Act to share information for tightly constrained objectives which benefit individuals or households. In addition to being listed in Schedule 4, each public authority must also be authorised by regulations to use the power to share information under each different objective. These same constraints will apply to objectives which have the purpose of improving the delivery of public services to businesses.
  3. Under section 35, objectives are subject to the following conditions: they must be set out in regulations; for the improvement or targeting of the provision of a public service or the provision of a benefit (financial or otherwise); and support the delivery of a specified public authority’s functions. This includes the administration, monitoring or enforcement of the delivery of the function. These conditions will apply to objectives which have the purpose of improving the delivery of public services to businesses in the same way they apply to objectives relating to individuals and households.
  4. Section 35 of the DEA 2017 includes a further requirement that the sharing of information to improve public service delivery to individuals or households must have as its purpose the improvement of the well-being of individuals or households. This provision will require that where information is being shared for the benefit of businesses, objectives have as their purpose the assisting of undertakings in connection with any trade, business or charitable purpose.
  5. The provision uses the term "undertakings" for businesses, the definition of which includes any business, whether or not run for profit, along with any organisation established for charitable purposes. Because the definition of "charitable purposes" is drawn from different Acts in England and Wales, Scotland and Northern Ireland; the provision uses the definition from section 2 of the Charities Act 2011 to ensure that a uniform definition is being applied throughout the UK.

Retention of information by providers of internet services 

Section 124: Retention of information by providers of internet services in connection with death of child

  1. Subsection (1) of section 124 amends the Online Safety Act 2023 (OSA 2023), to include a provision on the retention of information by internet service providers in cases involving the death of a child. 
  2. Subsection (2) removes the signpost in section 100(7) of the OSA 2023 to section 103 of that Act and inserts new subsection (8A) after subsection 8. Subsection (8A) confirms that an information notice issued under section 100(1) must not require or authorise processing of information which could contravene the data protection legislation (as defined in section 236(1) of the OSA 2023). 
  3. Subsection (3)(a) amends section 101 of the OSA 2023 to create a new kind of information notice. It inserts new subsection (C1) creating a duty for OFCOM to issue an information notice to a provider of a service which falls within new subsection (E1) requiring the recipient to ensure retention of information relating to the use of the service by a child who has died. 
  4. New subsection (C1) also gives OFCOM the power to issue a notice to a "relevant person" as defined in section 101(7) of the OSA 2023 in order to ensure the retention of information relating to the use of a service within subsection (E1). This may include, for example, ex- providers of the service where relevant. 
  5. New subsection (A1) sets out the circumstances in which the duty or power to issue an information notice under new subsection (C1) applies. It also defines the term "investigating authority" as the senior coroner (in England and Wales), a procurator fiscal (in Scotland) or a coroner (in Northern Ireland). 
  6. New subsection (B1) sets out the details which the investigating authority needs to provide to OFCOM in order for subsection (C1) to apply. This includes information which will assist recipients of these information notices in identifying the relevant data and the details of any regulated service which has been brought to the investigating authority’s attention as being of interest in connection with the child’s death. 
  7. New subsection (D1) clarifies that the requirement to ensure the retention of information under a notice issued under subsection (C1) involves actively taking reasonable and timely steps to prevent the deletion of such information. This includes preventing both intentional deletion and potential deletion through routine systems or processes. 
  8. New subsection (E1) sets out the two ways in which a regulated service falls within scope of the new information notice provision; either it falls under a regulated service type defined by the Secretary of State in regulations, or it is a regulated service specifically notified to OFCOM by the investigating authority as per new subsection (B1)(d). 
  9. New subsection (F1) sets out the type of information that must be retained under the new information notice. The information must either fall within the kind of information which OFCOM can access under its existing powers under section 101(1) of the OSA 2023 or be the kind that a person might need to retain in order to respond to a notice under subsection (1) in future. 
  10. Subsection 3(b) of section 124 makes a consequential amendment to section 101(3) of the OSA 2023, making it clear that the new provisions inserted by subsection 3(a) include a power to obtain or generate information. 
  11. Subsection 3(c) inserts new subsection (5A) confirming that an information notice issued under section 101(C1) must not require processing of information which could contravene the data protection legislation (as defined in section 236(1) of the OSA 2023. 
  12. Subsection (4) amends section 102(1) of the OSA 2023, bringing notices issued under subsection 101(C1) within the definition of an "information notice" for the purposes of the OSA 2023, and subsection (10)(b) amends the corresponding definition in section 236(1) to reflect this change. This means other provisions in the OSA 2023 relating to "information notices", including enforcement provisions, will also apply to notices issued under new subsection (C1). 
  13. Subsection (4)(b) amends section 102(3) of the OSA 2023 to clarify that the requirements regarding information which must be included in information notices currently set out in section 102(3) only apply to information notices issued under sections 100(1) and 101(1) of the OSA 2023. It also adds the requirement for OFCOM to specify when the information covered by such a notice must be provided. It then omits subsection 102(4) as that is now addressed in new 102(3)(ca). 
  14. Subsection (4)(d) inserts new subsections (5A) to (5C) into section 102. New subsection (5A) outlines specific requirements for information notices issued under new section 101(C1). 
  15. New subsection (5B) gives OFCOM the power to extend the duration for which a person is obligated to retain information if they have been issued an information notice under section 101(C1). The period can only be extended in response to information received from the investigating authority. The period can only be extended by a maximum of six months at a time. 
  16. New subsection (5C) explains how OFCOM can exercise the power granted in subsection (5B). They can do so by issuing a notice to the person who received the initial information notice under section 101(C1). This notice specifies the further period for information retention and provides the reason for the extension. Importantly, there is no limit on how many times OFCOM can use this power. 
  17. Subsection (4)(e) of section 124 introduces a new subsection (9A) into section 102 which requires OFCOM to cancel an information notice under new subsection 101(C1) if the investigating authority advises OFCOM that the information specified in an information notice under section 101(C1) is no longer necessary to be retained. This cancellation is communicated through a notice to the person who initially received the information notice. 
  18. Subsection (4)(f) amends section 102(10), adding a definition of the term "the investigating authority", clarifying that it has the same meaning as defined in section 101. 
  19. Subsection (5) makes amendments to section 109 (offences in connection with information notices). These amendments introduce new subsections (6A) and (6B) to section 109. 
  20. Subsection (6A) establishes an offence: if a person, who has been issued an information notice under section 101(C1), deletes or alters information required to be retained, and their intention is to prevent the information's availability for an official investigation into the death of the child, they commit an offence. Subsection (6B) clarifies that information is considered deleted if it is irrecoverable, regardless of how it occurred. 
  21. Subsection (6) amends section 110 (senior managers’ liability: information offences), introducing a new subsection (6A) to section 110. It establishes an offence for an individual named as a senior manager of an entity if the entity commits an offence under section 109(6A), and the individual fails to take all reasonable steps to prevent that offence. Section 109(7) is amended to reflect the inclusion of the new offence under new subsection (6A). 
  22. Subsection (7) amends section 113(2) (penalties for information offences) to include the new offences in section 109(6A) and section 110(6A). 
  23. Subsection (8) omits the definition of data protection legislation currently in section 114 of the OSA 2023, and subsection (10)(a) moves that definition to section 236(1). Subsection (11) then amends section 237 (index of defined terms) to include the definition of data protection legislation now in section 236. 
  24. Subsection (9) amends section 225 (Parliamentary procedure for regulations) to confirm that the regulations made by the Secretary of State under new section 101(E1) are subject to the negative procedure. 

Information for research about online safety matters

Section 125: Information for research about online safety matters

  1. Section 125 inserts new section 154A into the OSA 2023 to allow creation of a new framework that would permit researchers access to information held by certain providers of internet services, for the purposes of research into online safety matters.
New section 154A – information for research about online safety matters
  1. Subsection (1) gives the Secretary of State the power to make regulations requiring providers of regulated services to provide information to independent researchers for them to carry out associated research. The information will be provided under a new framework created by the regulations.
  2. Subsection (2) gives examples of the type of provision the regulations might make, including matters of procedure, fees, enforcement and appeals. This is a non-exhaustive list of examples to give an indication of the types of matters to be set out in the regulations.
  3. Subsection (3) sets out a non-exhaustive list of the types of enforcement measures that the regulations might include, including potential financial or criminal liability.
  4. Subsection (4) makes provision for the appointment of an appropriate person (defined in subsection 8(b) as OFCOM or such other person or body as the Secretary of State may consider appropriate) to carry out functions under, or for the purposes of, the regulations. Regulations may require or authorise functions to be carried out by different appropriate persons appointed for such purpose.
  5. Subsection (5) confirms that the regulations may apply generally, or only to those descriptions of regulated services, researchers, research, or information as are specified in the regulations. It also sets out that the regulations may apply differently to each of these stated services, researchers, research, or information.
  6. Subsection (6) makes it clear that the regulations made under this power shall not require providers to do anything that would contravene data protection legislation or result in the disclosure of legally privileged material.
  7. Subsection (7) requires the Secretary of State to consult several named organisations and groups before making the regulations.
  8. Subsection (8) defines the term ‘independent research’ as research carried out other than on behalf of a regulated service. It also defines ‘appropriate person’ for the purposes of new section 154A(4).
  9. Subsection (3) of section 125 removes OFCOM’s duty to produce guidance under section 162(7) to (10) of the OSA 2023. Under section 162(1) to (6) of that Act, OFCOM must produce a report exploring what information is currently available to researchers, what factors are constraining their research, and what can be done in the future to improve access to data. The removal of OFCOM’s requirement to produce guidance following publication of that report is intended to avoid any conflict between the guidance and any regulations made under new section 154A(1).
  10. Subsection (4) makes provision in relation to parliamentary procedure. It requires the first set of regulations made to be subject to the affirmative parliamentary procedure. Any subsequent regulations, which are unlikely to amend significant policy detail of the regime, would then be made through the negative parliamentary procedure.
  11. Subsection (5) states that the consultation required under new section 154A(7) could be conducted before the Data (Use and Access) Act 2025 was passed.

Retention of biometric data

Section 126: Retention of biometric data and recordable offences

  1. Section 126 makes changes to Part 1 of the Counter-Terrorism Act 2008 (CTA 2008). Section 18A(3) of the CTA 2008 sets out that where an individual has a conviction for a recordable offence their biometric data (fingerprints and DNA profiles) can be retained indefinitely (unless the conviction is exempt). This is consistent with similar provisions in the Police and Criminal Evidence Act 1984 which set out the retention framework for biometric data retained for broader criminal investigations in England and Wales (the relevant provisions of CTA 2008 apply only to biometric data that is retained for the purposes of national security). However, section 18A(3) does not apply to individuals who received their conviction overseas or in Scotland. Section 126 makes changes to the sections 18A and 18E CTA 2008 to enable the indefinite retention of biometric data that relates to an individual who has an overseas conviction that is equivalent to a conviction for a recordable offence (section 18E(1) provides a definition of a recordable offence in either England and Wales or in Northern Ireland).
  2. Subsection (2) amends section 18A(3) so that it applies to convictions for recordable-equivalent offences as well as for recordable offences.
  3. Subsection (4) amends section 18E(1) to provide a definition of a recordable-equivalent offence. Recordable-equivalent offences are offences committed other than in England and Wales or Northern Ireland, if the act in question would constitute a recordable offence if it had been committed in England and Wales or Northern Ireland.
  4. Subsections (5) to (9) make certain amendments to section 18E in connection with the amendment made by subsection (4).
  5. Subsection (10) inserts new subsection (7A) into section 18E to recognise qualifying-equivalent offences. Section 18A(3) does not allow for the indefinite retention of biometric data of persons who have only one conviction, if they were under the age of 18 when they committed the offence in question. However, this exemption does not apply to "qualifying offences" (section 18E(7) defines this term). The purpose of the amendment made by subsection (10) is to ensure that overseas convictions for offences that correspond to qualifying offences are not exempt for the purposes of section 18A(3).
  6. Subsections (11) to (13) make provision for retrospective application. Subsection (11) sets out that amendments made by this section also apply retrospectively to biometrics received in the three years before commencement of the section. Subsections (12) and (13) set out that, where a law enforcement authority is holding section 18 material which it received in the three years before the commencement day, they can retain and use the biometric data. However, the effect of subsection (13)(b) is that the authority cannot use the biometric data in criminal proceedings instituted before the commencement day in England and Wales, Northern Ireland or Scotland, or in any criminal proceedings in any other country or territory at any point.
  7. Section 145 sets out that section 126 comes into force on Royal Assent of the Act.

Section 127: Retention of pseudonymised biometric data

  1. Section 127 makes changes to Part 1 of the CTA 2008. Section 18A(4) CTA 2008 provides that where a law enforcement authority is processing biometric data (fingerprints and DNA profiles) under the CTA 2008 and does not know the identity of the individual to whom the biometric data relates – and has never known the identity – they may retain the biometric data indefinitely. Data that is held in such a form may be referred to as being held in a "pseudonymised form". Pseudonymised biometric data can be used by the police to wash (i.e. check) against other biometric data, for example against biometric material that is submitted against visa or asylum applications. Section 18A(5) sets out that where a law enforcement authority comes to know the identity of the individual to whom the biometrics relate, and where the individual has no previous convictions, the authority is permitted to retain the biometrics for three years (the standard retention period within the CTA 2008) from that time; following which they must either destroy the data or make a national security determination to retain it.
  2. Subsection (5) of this section inserts new subsections (7) to (9) into Section 18A. New subsection (7) sets out that biometric data may be retained indefinitely by the law enforcement authority in cases where such biometric data is acquired from an overseas law enforcement authority in a format which identifies the individual to whom the data relates, but the law enforcement authority takes the necessary steps to pseudonymise the biometric data as soon as reasonably practicable after receipt. These steps must remove any identifiable information relating to the biometric data. If the law enforcement authority is in a position to identify the individual in question using other information that it holds, the effect of new subsection (7)(d) is that the authority cannot rely upon this new retention provision.
  3. Subsection (6) makes a consequential amendment to section 18E(1) to insert a new definition of an overseas law enforcement authority.
  4. Subsections (7) to (12) make provision for the retrospective application of section 127, enabling a law enforcement authority to apply the section to existing biometric data and retain this data if it pseudonymises it as soon as reasonably practicable after the commencement of the section. Subsection (8) limits retrospective application to biometric data obtained or acquired in the three years before commencement of the section.
  5. Subsections (9) and (10) set out when a law enforcement authority is required to pseudonymise biometric data that it obtained prior to the commencement of this section to be able to apply the provisions of the section to that data.
  6. Subsections (11) and (12) make provision in relation to the use of biometric data that was obtained in the three years before the commencement of the section, but that the law enforcement authority was, prior to commencement, required to destroy. For example, in a case where an overseas law enforcement authority supplies the authority with biometric data that was taken almost, or even more than, 3 years ago. The effect of subsection (12)(a) is that the authority may continue to retain and use the material (in so far as it is possible to use material that is not in an identifiable form). Subsection (12)(b)(i) provides that such legacy biometric data may not be used in criminal proceedings instituted before the commencement day in England and Wales, Northern Ireland, or Scotland. This includes criminal trials that are ongoing at the date of commencement, and retrials that take place after commencement (for example, where a prior conviction has been quashed). Subsection (12)(b)(ii) provides that legacy biometric data may not be used in any criminal proceedings in any other country or territory, even if the proceedings were instituted after commencement of the section.

Section 128: Retention of biometric data from INTERPOL

  1. Section 128 inserts a new section into the CTA 2008 (new section 18AA) to vary the regime governing the retention of biometric material obtained through INTERPOL co-operation. New section 18AA sets out updated retention rules for biometric data that has been received through INTERPOL. The National Crime Agency (NCA), in its capacity as the UK’s National Central Bureau (NCB), receives daily notifications from INTERPOL of all new, updated and cancelled notices and diffusions. INTERPOL notices are international requests for cooperation or alerts allowing police in member countries to share critical crime-related information, including information relating to national security cases, e.g. counter-terrorism investigations. Member countries may also request cooperation from each other through another alert mechanism known as a 'diffusion'. This is less formal than a notice and is circulated directly by an NCB to all or some member countries. INTERPOL notices or diffusions may include biometric materials, for example fingerprints.
  2. Subsection (2) makes a consequential amendment to section 18A(4) CTA 2008, to recognise the new retention power provided by new section 18AA.
  3. Subsection (3) inserts new sections 18AA and 18AB into the CTA 2008. New section 18AA(1) defines the biometric data to which the new section applies (subsection (1) refers to "section 18 material" - see section 18(2) CTA 2008 for a definition of that term). Subsection (1) is intended to apply to section 18 material that is provided as part of a notice or a diffusion.
  4. New section 18AA(2) provides that a law enforcement authority may retain the biometric data received from INTERPOL until the UK NCB informs the authority that the INTERPOL notice or diffusion has been cancelled or withdrawn. At this point, the law enforcement authority must either delete the biometric data from its systems, or it may make a National Security Determination under section 18B CTA 2008 to authorise its retention for a period of time.
  5. New section 18AA(3) makes equivalent provision for cases where the law enforcement authority is also the NCB.
  6. New section 18AA(5) clarifies that new section 18AA(1) also applies to biometric data that is not provided with an initial notification or diffusion, but that is provided subsequently as part of that request etc.
  7. Subsection (3) of section 128 also inserts a new section 18AB into the CTA 2008. Section 18AB confers a delegated power on the Secretary of State to make changes by secondary legislation to amend section 18AA where there are changes to INTERPOL’s name or its processes in relation to the processing or sharing of INTERPOL biometrics with member countries. For example, if INTERPOL was to adopt alternative forms of co-operation to its current notices and diffusions, this power would enable any consequential amendments to section 18AA that are necessary. Such secondary legislation would be subject to the affirmative procedure.
  8. Subsection (4) makes a consequential amendment to section 18BA(5) CTA 2008.
  9. The effect of subsection (5) is that new section 18AA will apply to biometric data received via INTERPOL prior to the commencement of this section, if the request or threat to which the data relates remains outstanding. Subsections (6) and (7) make provision to enable a law enforcement authority to continue to retain and use (in accordance with section 18D(1) CTA 2008) biometric data relating to live requests for co-operation etc., even if the requirement to destroy the material arose prior to the commencement of this section. However, such legacy material may not be used in evidence against the person to whom the material relates in criminal proceedings that were instituted before the commencement day or for any criminal proceedings in another country at any time.
  10. Section 145 sets out that section 128 comes into force on Royal Assent of the Act.

Trust services

Section 129: The eIDAS Regulation

  1. This section sets out that the term "the eIDAS Regulation" in the sections described below refers to Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, as retained by the EU (Withdrawal) Act 2018 , and amended by The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019 S.I. 2019/89.
  2. The eIDAS Regulation sets out the legal framework and specifications for trust service products and services in the UK. This system supports the validation of electronic transactions. ‘Trust services’ include services specifically relating to electronic signatures, electronic seals, timestamps, electronic delivery services, and website authentication. The eIDAS Regulation requires that such trust services meet certain criteria - standards and technical specifications - to allow for interoperability across the UK economy.

Section 130: Recognition of EU conformity assessment bodies

  1. Section 130 adds new Article 24B to the eIDAS Regulation. This Article allows for the recognition of conformity assessment reports that have been issued by EU conformity assessment bodies accredited by the national accreditation body of an EU member state, and provides that these reports can be used to grant a trust service provider qualified status under Article 21 of the eIDAS Regulation, and also for the purposes of regular auditing requirements under Article 20(1).

Section 131: Removal of recognition of EU standards etc

  1. Section 131 sets out that the Secretary of State, by regulations, can amend or revoke Article 24A of the eIDAS Regulation in the future, should the continued unilateral recognition of EU qualified trust services no longer be appropriate. This power will also allow for the Secretary of State to revoke and amend other provisions of the eIDAS Regulation and associated Implementing Decision (EU) 2015/1506 (which are contingent upon the current recognition of EU qualified trust services and products) including a power to revoke new Article 24B.

Section 132: Recognition of overseas trust products

  1. Section 132 inserts new Article 45A into the eIDAS Regulation. Article 45A provides the Secretary of State with the power to make regulations to recognise and give legal effect to certain trust service products provided by trust service providers established outside the UK. The legal effect of overseas trust service products which are specified within regulations, will be equivalent to the legal effect of qualified trust service products provided by a qualified trust service provider established in the UK.
  2. There are two conditions which apply when making regulations under Article 45A: the Secretary of State must be satisfied that the reliability of an overseas trust service product is at least equivalent to the reliability of its qualified counterpart under the eIDAS Regulation; and he must have regard to (among other things) the relevant overseas law concerning the type of trust service product to be recognised.
  3. Section 132 also inserts new Article 45B into the eIDAS Regulation. Existing Articles 27 and 37 of the eIDAS Regulation provide that where public sector bodies require an advanced signature or seal for the use of an online public service, they must recognise electronic signatures and seals which meet advanced standards and additional technical requirements under Commission Implementing Decision 2015/1506. Likewise, where public sector bodies require an advanced signature or seal based on a qualified certificate, they must accept a qualified signature or seal which complies with Commission Implementing Decision 2015/1506. New Article 45B provides the Secretary of State with the power by regulations to recognise, for the use of online public services, specified electronic seals and signatures provided by trust service providers established outside the UK, as equivalent to electronic seals and signatures under Articles 27(1), 27(2), 37(1) and 37(2) of the eIDAS Regulation which comply with Implementing Decision 2015/1506.
  4. The Secretary of State must be satisfied that the reliability of a certain overseas electronic signature or seal is at least equivalent to the reliability of their respective counterpart under the eIDAS Regulation, and must have regard to (among other things) the relevant overseas law concerning the type of electronic signature or seal to be recognised.
  5. New Article 45C provides that regulations made under Articles 45A and 45B are able to include conditions which specified overseas trust service products must meet in order to be recognised. Such conditions may include meeting specific requirements within overseas law, or meeting specific technical or regulatory standards.
  6. New Article 45C also provides that the Secretary of State must consult the Commissioner as supervisory body for trust services before making regulations under new Articles 45A and 45B.

Section 133: Co-operation between supervisory authority and overseas authorities

  1. Section 133 amends Article 18(1) of the eIDAS Regulation to allow the Secretary of State by regulations to designate certain overseas regulators or supervisory bodies, with which the Commissioner as supervisory body for trust services within the UK, may give information, assistance to, or otherwise cooperate with in the interests of effective regulation or supervision trust services. This will replace the ability of the Commissioner to share information and cooperate with any public authority within the EU specifically. New Article 18(4) provides that the Secretary of State must consult the Commissioner, before making regulations under this Article.
  2. The amendment made to Article 18(2) under subsection (4) is not intended to change the substantive effect of that paragraph. The words in brackets are intended to clarify the relationship between the restrictions in the data protection legislation and the power under new Article 18(1), making clear that this power is to be taken into account when applying the data protection legislation.

Section 134: Time periods: the eIDAS Regulation and the EITSET Regulations

  1. Subsection (1) inserts Article 3A into eIDAS Regulation. New Article 3A provides that the rules of interpretation for periods of time in Article 3 of Regulation No 1182/71 (the ‘Time Periods Regulation’) apply to relevant time periods under eIDAS Regulation.
  2. Subsection (3) amends regulation 2 of the Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (S.I. 2016/696) (the ‘2016 Regulations’) to apply the rules under Article 3 of the Time Period Regulations also to relevant periods under the 2016 Regulations.
  3. Subsection (4) makes some minor changes to Schedule 1 (monetary penalties) to the 2016 Regulations to ensure consistency and clarity in calculation of time periods.

Copyright works and artificial intelligence systems

Section 135: Economic impact assessment

  1. Section 135 requires the Secretary of State to prepare and publish an economic impact assessment relating to copyright and artificial intelligence within 9 months of Royal Assent of this Act, and to lay it before Parliament.
  2. The impact assessment must cover the options relating to copyright and AI training set out in the Government’s December 2024 consultation on copyright and AI, and may include any alternative options. The impact assessment must consider, among other things, the impacts on copyright owners and developers and users of AI, including the impacts on micro, small, and medium-sized businesses, and individuals.

Section 136: Report on the use of copyright works in the development of AI systems

  1. Section 136 requires the Secretary of State to prepare and publish a report on the use of copyright works in the development of AI systems within 9 months of Royal Assent of this Act, and to lay it before Parliament.
  2. The report must consider the options relating to copyright and AI training set out in the Government’s December 2024 consultation on copyright and AI, as well as any appropriate alternative options. The report must consider and make proposals in relation to:
    • Technical measures and standards (such as those concerned with metadata) that may be used to control the use of, and access to, copyright works for the purpose of training AI systems. This would include measures and standards relating to access to works by web crawlers;
    • The effect of copyright on access to, and use of, data by developers of AI systems. This would include text and data mining;
    • Disclosure by developers of AI systems about their use of, and access to, copyright works for the purpose of training AI systems. This would include transparency about the use of web crawlers to access copyright works;
    • The granting of copyright licences to developers of AI systems, which may support remuneration of copyright owners;
    • Enforcement of requirements and restrictions relating to the use of, and access to, copyright works with AI systems. This would include enforcement by a regulator.
  1. Consideration of and proposals under each of the above areas must include consideration of and proposals in relation to AI systems developed outside the United Kingdom.
  2. In preparing the report the Secretary of State must consider the likely effect in the United Kingdom of proposals on copyright owners, and persons who develop or use AI systems.

Section 137: Progress statement

  1. Section 137 requires the Secretary of State, within 6 months of Royal Assent, to lay before Parliament a statement setting out what progress has been made towards the publication of the impact assessment required by section 135 and the report required by section 136.

Purported intimate images

Section 138: Creating, or requesting the creation of, purported intimate image of adult

  1. Section 138(2) inserts new sections 66E, 66F, 66G and 66H into the Sexual Offences Act 2003 to provide for new offences relating to creating (66E), or requesting the creation of (66F), purported intimate images of an adult without consent or reasonable belief in consent, as well as relevant definitions (66G) and time limits for prosecution of the offences (66H).
  2. Subsection (1) provides that it is an offence if a person (A) intentionally creates a purported intimate image of another person (B), without B’s consent or a reasonable belief in B’s consent.
  3. Subsection (2) provides that a "purported intimate image" of a person is an image which appears to be or include, but is not, or is not only, an authentic photograph or film of the person; appears to be of an adult; and appears to show them in an "intimate state". This does not cover images of children as the criminal law already captures the making of indecent images (including deepfake images) of children (i.e. those under the age of 18).
  4. Subsection(3) provides that an "intimate state" is defined, for the purposes of this offence, as it is in sections 66D(5) to 66D(9) of the Sexual Offences Act 2003.
  5. Subsection (4) provides that creating a purported intimate image of a person does not include modifying an authentic photograph or film, where those modifications do not add to the image either a new person, or a new element which constitutes an intimate state, which was not shown in the original authentic photograph or film.
  6. Subsection (5) provides for a defence of reasonable excuse to the offence of creating a purported intimate image without consent, with the legal burden on the defendant. This would mean that if a person could prove on the balance of probabilities that they had a reasonable excuse for creating the image without consent or reasonable belief in consent, they would not be guilty of this offence. The Government anticipates that this would apply only in very rare scenarios, where there is a genuinely reasonable, not spurious, excuse. The Government anticipates that the bar is especially high for images appearing to show a person engaged in sexual activity. For example, if a person created a purported intimate image of a person engaged in sexual activity, without that person’s consent or reasonable belief in consent, but claimed it was a legitimate work of satire, it is the Government’s view that it is extremely unlikely that they would be able to satisfy the legal burden of proving that there was a reasonable excuse.
  7. Subsection (6) sets out that the creating offence will be triable summarily, and that the maximum penalty on conviction is an unlimited fine or imprisonment not exceeding the maximum term for summary offences (or both).
  8. Subsection (7) places a duty on the Secretary of State to review the operation of the reasonable excuse defence to the offence of creating a purported intimate image, to publish the outcome of the review within two years of the offences coming into force, and to lay the report before Parliament. Section 66F subsection (1) provides that it is an offence if a person (A) intentionally requests the creation of a purported intimate image of another person (B), without B’s consent or a reasonable belief in B’s consent. The offence is committed whether the request is made to create a specific purported intimate image, or a purported intimate image in general.
  9. Subsection (2) provides that it is an offence to request that if a purported intimate image of another adult is created, it includes or excludes something in particular. This could be, for example, where one person offers to make some purported intimate images of a person in general, and another person replies with a request for a specific image, such as an image of that person in particular underwear, naked or engaged in a particular sexual act.
  10. Subsection (3) provides that a ‘request’ includes doing an act which could reasonably be taken to be a request (such as: nodding, giving a ‘thumbs up’, ‘liking’ a message or otherwise indicating agreement in response to an offer, or complying with condition of an offer, for example by sending money).
  11. Subsection (4) provides that making a "request" includes both making a request directed to a particular person or persons, and making a request available to one or more people (or people generally), without directing it to a particular person or people (for example, by posting a request on a large online forum).
  12. Subsection (5) provides that "consent" for the purposes of these offences means consent to the specific type of request in question: either consent to a request directed to a particular person or persons, or consent to a request made available to one or more people (or people generally), without directing it to a particular person or people.
  13. Subsection (6) provides that the offence can be committed irrespective of whether or not the image being requested is ever, in fact, created and irrespective of whether another individual has also made the same request for a purported intimate image. This ensures that if, for example, multiple people vote for the same option in a poll to request the creation of an image (or that an image should include or exclude a particular thing), each individual who votes would commit the offence. However, a person merely encouraging someone else to create an image when they are aware that the other person had already expressed a settled intent to create such an image would not commit the offence. The subsection also provides that the offence includes acts of requesting, irrespective of the location of any person who is being requested to create the image.
  14. Subsection (7) provides for a defence of reasonable excuse, to the offence of requesting the creation of a purported intimate image without consent, with the legal burden on the defendant. This would mean that if a person could prove on the balance of probabilities that they had a reasonable excuse for requesting the creation of the image, they would not be guilty of this offence. The Government anticipates that this would apply only in very rare scenarios where there is a genuinely reasonable, not spurious, excuse. The Government anticipates that the bar is especially high for images appearing to show a person engaged in sexual activity. For example, if a person created a purported intimate image of a person engaged in sexual activity, without that person’s consent or reasonable belief in consent, but claimed it was a legitimate work of satire, it is the Government’s view that it is extremely unlikely that they would be able to satisfy the legal burden of proving that there was a reasonable excuse.
  15. Subsection (8) sets out that the requesting offence will be triable only summarily, and that the maximum penalty on conviction is an unlimited fine or imprisonment not exceeding the maximum term for summary offences (or both).
  16. Subsection (9) provides that references to a purported intimate image, to creating such an image and to a person shown in an intimate state have the same meaning as in section 66E.
  17. Subsection (10) places a duty on the Secretary of State to review the operation of the reasonable excuse defence to the offence of requesting the creation of a purported intimate image, to publish the outcome of the review within two years of the offences coming into force, and to lay the report before Parliament.
  18. Section 66G subsection (1) sets out provisions relevant to sections 66E and 66F.
  19. Subsection (2) provides that "consent" to the creation, or a request for the creation, of a purported intimate image, includes general consent covering the particular act, as well as specific consent to that particular act
  20. Subsection (3) provides that when determining whether or not A’s belief in B’s consent was reasonable, regard must be had to all of the circumstances, including any steps that A has taken to ascertain whether B consents.
  21. Subsection (4) and (5) define "photograph" and "film".
  22. Subsection (6) provides that references to "image", "photograph" or "film" include data that can be converted into an image, photograph or film - for instance data stored on a hard drive or disc.
  23. Subsection (7) provides that an image appears to be an image of an adult if the impression conveyed is that the person shown is aged 18 or over; or if the predominant impression conveyed is that the person is 18 or over - even if some characteristics shown are of a person under 18.
  24. Subsection (8) defines the term ‘the maximum term for a summary offence’, which is used in new sections 66E and 66F as part of the maximum penalty of the offences. In line with how the same term is defined in other legislation, the definition sets out that if the offence is committed before the time when section 281(5) of the Criminal Justice Act 2003 comes into force, the term means 6 months, and if the offence is committed after that time, the term means 51 weeks.
  25. Section 66H subsection (1) makes an exception to the generally applicable statutory time limit for offences tried in a magistrates’ court in section 127(1) of the Magistrates’ Courts Act 1980 (which is six months from when the offence was committed), to enable prosecutions for the offences at sections 66E and 66F to be brought at any date which is both within six months from when the sufficient evidence comes to the prosecutor’s knowledge to justify a prosecution and within three years from when the offence was committed.
  26. Subsection (2) provides that a certificate signed by or on behalf of a prosecutor stating the date on which evidence which the prosecutor thinks is sufficient to justify a prosecution came to the prosecutor’s knowledge is conclusive evidence of that fact.
  27. Subsection (3) makes a consequential amendment to section 79(5) of the Criminal Justice Act 2003. The effect of the amendment is to exclude new sections 66E and 66F from the application of the general definition of an "image of a person" which otherwise applies for the purposes of Part 1 of that Act.
  28. Subsection (4) inserts new section 177DA into the Armed Forces Act 2006 to ensure that where a person commits a service offence, as respects which the corresponding offence under the law of England and Wales is the offence of creating a purported intimate image without consent or reasonable belief in consent, courts within the Service Justice System have the power to make a deprivation order in respect of the images to which the offence relates, and anything containing them. Such an order could be used to deprive the offender of ownership of the image or anything containing the image, such as a mobile phone, laptop or hard drive.
  29. New section 177DA does this by providing that for the purposes of the powers under section 177C of the Armed Forces Act 2006 to deprive offenders of certain property following conviction for a criminal offence (including property used for the purpose of committing the offence), purported intimate images to which the offence relates are to be treated as having been used for purposes of committing the offence, such that the power under section 177C of the Armed Forces Act 2006 will apply to such images.
  30. Subsection (5) provides that a person cannot be guilty under section 45 or 46 of the Serious Crime Act 2007, of encouraging or assisting the offence under new section 66F of the Sexual Offences Act 2003.
  31. Section 138(6) inserts a new section 154A into the Sentencing Act 2020. Subsections (1) and (2) ensure that where a person commits the offence of creating a purported intimate image without consent or reasonable belief in consent, courts have the power to make a deprivation order in respect of the images created during the commission of an offence, and anything containing them. Such an order could be used to deprive the offender of ownership of the image or anything containing the image, such as a mobile phone, laptop or hard drive.
  32. Subsection (2) does this by providing that for the purposes of the powers under section 153 of the Sentencing Act 2020 to deprive offenders of certain property following conviction for a criminal offence (including property used for the purpose of committing the offence), purported intimate images to which the offence relates are to be treated as having been used for purposes of committing the offence, such that the power under section 153 of the Sentencing Act 2020 will apply to such images.
  33. Subsections (3) to (5) ensure that where a person commits the offence of requesting the creation of a purported intimate image without consent or reasonable belief in consent, courts have the power to make a deprivation order in respect of the images connected to the offence, and anything containing them. Such an order could be used to deprive the offender of ownership of the image or anything containing the image, such as a mobile phone, laptop or hard drive.
  34. Subsection (4) does this by providing that for the purposes of the powers under section 153 of the Sentencing Act 2020 to deprive offenders of certain property following conviction for a criminal offence (including property used for the purpose of committing the offence), where a person commits the offence, purported intimate images which are connected with the offence, or any device containing those images, are to be treated as having been used for purposes of committing the offence such that the power under section 153 of the Sentencing Act 2020 will apply to such images.
  35. Subsection (5) provides that a purported intimate image of an adult is an "image which is connected with an offence" under new subsection (4) if it was in the offender’s possession or control as a result of the request, and it appears to be of the person who was the subject of the request. The subsection provides that, if the image meets these conditions, it does not have to be the precise image requested (for example, if the request was for a naked image of an individual, and the image appears to depict the same individual wearing only underwear, this would still be an "image connected with an offence" for these purposes).

Back to top