Search Legislation

Advanced Search

Data (Use And Access) Act 2025

Contents

Policy background

  1. The Government wants to harness the power of data for economic growth, to support a modern digital government, and to improve people’s lives. The Data (Use and Access) Act has been designed with the intention of achieving these 3 objectives.
  2. The UK data economy (its data market plus the value data adds to other sectors of the economy) represents an estimated 6.9 per cent of GDP (as of 2022). Data is essential to UK businesses: 77 percent of UK businesses handle some form of digital data; increasing to 99 percent for businesses employing more than 10 people. In 2021, data-enabled UK service exports accounted for 85 per cent of total service exports, estimated to be worth £259 billion.

Access to customer data and business data

  1. Smart Data is the secure sharing of customer data, upon the customer’s request, with authorised third-party providers (ATPs). ATPs can typically be defined as organisations who are neither the customer nor original service provider (e.g., the bank), and are offering services to the customer.
  2. ATPs use the customer’s data to provide innovative services for the consumer or business, such as automatic switching and account management, for example via account aggregation. The incumbent industry (e.g., the service provider such as the bank) may also opt to innovate and offer similar services.
  3. The provisions in this Act on Smart Data aim to improve data portability between suppliers, service providers, customers, and relevant third parties with a view to:
    • Rebalancing the information asymmetry between suppliers and customers;
    • Enabling customers to make better use of their personal data, e.g., enabling accurate tariff comparisons and providing access to better deals;
    • Enabling customers to benefit from a more competitive marketplace, including through lower prices and higher quality goods and service delivery; and
    • Providing new services in and across the sectors, such as those which may help consumers save and manage their money and services.
  1. Open Banking is the only active example of a regime that is comparable to a 'Smart Data scheme' – but it needs a legislative framework to put it on a permanent footing, from which it can grow and expand. In 2017, following a market investigation due to competition concerns, the CMA ordered the nine biggest banking providers in the UK to ‘open up’ the data relating to personal and business current accounts. The CMA required the nine largest banking providers to set up the Open Banking Implementation Entity to oversee the scheme. In January 2023, the CMA announced the substantial completion of the Open Banking roadmap, with focus shifting towards preparing for the transition to new arrangements for Open Banking. As of December 2024, there are over 12 million consumers and small businesses using Open Banking.

Digital Verification Services

  1. The digital verification service provisions in this Act aim to increase trust in and acceptance of digital identities across the UK to help make identity proofing easier, cheaper and more secure and to enable a trusted digital identity market to develop in the UK for those that choose to use it to prove things about themselves, for example when starting a new job or moving house. To do this, the Act establishes a legislative structure for the provision of digital verification services in the UK, where providers of those services wish to be registered on a government register. It also enables public authorities to disclose personal information to registered digital verification services providers for the purpose of identity and eligibility verification.

Powers relating to verification of identity or status

  1. Since 6 April 2022, employers and landlords have been able to use Identity Service Providers (IDSPs), also known as Digital Verification Service (DVS) providers, to carry out the digital identity checking element of Right to Work and Right to Rent checks. Completion of the prescribed checks provides the employer, landlord or letting agent with a statutory excuse against the imposition of a civil penalty if found to be employing or renting to someone disqualified from work or renting in the private rented sector as a result of their immigration status. An employer or other relevant person may also be required to carry out prescribed right to work checks in order to comply with the terms of an illegal working compliance order.
  2. The use of IDSPs is currently limited to checks of valid British or Irish passports (or Irish passport card), noting the holders of these are not in scope to use the Home Office online checking services.
  3. This system of right to work and right to rent checks was introduced under existing powers in the Immigration, Asylum and Nationality Act 2006, the Immigration Act 2014 and the Immigration Act 2016.
  4. The Act enables the Home Office to legislate to require employers and landlords who carry out right to work and right to rent checks using Identity Document Validation Technology (IDVT) to use the services of DVS Providers who are noted in the register established under Part 2 of the Act as complying with designated supplementary rules concerning these checks.

National Underground Asset Register

  1. There is estimated to be around 4 million kilometres of buried pipes and cables in the UK, and a hole is dug every 7 seconds to install, fix, maintain or repair these assets that are critical in keeping the water running, gas and electricity flowing and telecommunications lines connected. Approximately 1 in every 65 holes dug results in an accidental asset strike (c. 60,000 a year), causing around £2.4 billion worth of economic cost, putting workers’ lives at risk and causing disruption.
  2. There are 600+ owners of underground assets (or "apparatus") across the public and private sectors (including energy, water, telecommunications and local and transport authorities) who hold data about their own apparatus, which they are required by law to share for the purposes of ‘safe digging’. However, currently there is no standardised method to do this with multiple organisations having to be contacted for each dig, providing information in varied formats, scales, quality and on different timelines resulting in a complex process for installing, maintaining, operating and repairing buried apparatus.
  3. This Act streamlines the data-sharing process, reduces the risk of potentially lethal utility strikes on apparatus and promotes more efficient management and maintenance of underground apparatus, through establishment, on a statutory footing, of the National Underground Asset Register ("NUAR"). NUAR is a digital map that seeks to improve both the efficiency and safety of underground work by providing secure access to location data about pipes, cables and other types of apparatus installed in streets.
  4. The measures update existing data sharing obligations related to buried apparatus to take advantage of the opportunities provided by the data and technology developments that have happened since the previous legislative measures were made. They simplify and expedite the process by which apparatus data is shared by requiring undertakers to share their data in a prescribed manner through NUAR. This will ensure those planning and carrying out street works have access to up-to-date, comprehensive and standardised data when they need it, to carry out their work effectively and safely. This legislation also ensures a sustainable ongoing service through introduction of fees on those who benefit from the service, rather than relying on taxpayer funding. The provisions allow for data to be made available for purposes beyond safe digging, where appropriate.

Registers of births and deaths

  1. The birth of every child in England and Wales is required to be registered by the registrar of births and deaths for the sub-district in which the child was born. Similarly, the death of every person dying in England or Wales is required to be registered by the registrar of births and deaths for the sub-district in which the death occurred.
  2. This Act removes the requirement for paper registers to be held and stored securely in each registration district and enable all births and deaths to be registered electronically. This removes the current duplication whereby births and deaths are registered both electronically and in paper registers.
  3. Births and deaths will continue to be registered on information provided by a qualified informant at the register office in the sub-district in which the birth or death occurred. The Act includes a regulation-making power for the relevant minister to make regulations, to provide that if a person complies with specified requirements at the time of registering a birth or death they are to be treated as having signed the register in the presence of the registrar. This may include requiring a person to sign something other than the register or requiring a person to provide specified evidence of identity.
  4. With the introduction of an electronic register there will no longer be a requirement for the system of quarterly returns, as all birth and death entries will be held on the single electronic register maintained by the Registrar General. It will also provide flexibility in how births and deaths are registered in the future, removing the requirement for face-to-face registration.

Changes to the Data Protection Act 2018, UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations 2003

  1. Targeted reforms to the UK’s data protection legislation intend to maintain high standards of protection, whilst facilitating the safe deployment and development of modern technologies, and the responsible use of personal data. These reforms intend to support economic growth and a modern digital government. Changes include:
    • Making it clear that research organisations can seek broad consent for areas of scientific research;
    • Allowing legitimate researchers doing scientific research in commercial settings to make equal use of the provisions by clarifying that commercial research activities can benefit from the special position of research in the data protection framework;
    • The creation of a new lawful ground under the UK GDPR of ‘recognised legitimate interests’;
    • Clarification of the rules in relation to the purpose limitation principle to address existing uncertainty around re-using personal data, including for public interest purposes; and
    • Permitting decisions based solely on automated processing which have legal or similarly significant effects for individuals to be taken in wider circumstances and clarifying the safeguards that must be in place when organisations take such decisions.
  1. The Act also modernises the governance structures of the ICO by:
    • Introducing a chair, non-executive and chief executive roles;
    • Providing a clearer framework of objectives and duties on which to report to Parliament; and
    • Introducing new, stronger powers of enforcement.
  1. The Act updates the Privacy and Electronic Communications Regulations 2003 through new provisions on: unsolicited direct marketing communications (e.g. nuisance calls); personal data breach reporting by communications service providers; confidentiality of terminal equipment; soft opt-in for charitable purposes; ICO’s enforcement powers; and sectoral codes of conduct.
  2. The Act clarifies the rules on international transfers and cross-border flows of personal data. International data flows can drive commerce, support research and innovation, and help people to stay socially connected to one another. This Act is intended to facilitate international trade by providing a clearer and more stable framework for international transfers of personal data.

Changes to Part 3 and Part 4 of the Data Protection Act 2018

  1. Some of the differences between Part 3 of the Data Protection Act 2018 (DPA 2018), which covers law enforcement processing, and the UK GDPR cause difficulties for competent authorities who process under both regimes depending on whether the processing is for a law enforcement or general purpose respectively.
  2. This Act makes changes to Part 3 DPA 2018 in order to reduce differences across the regimes by introducing a definition of consent that has the same meaning as in the other regimes; by conferring the ability to create codes of conduct and introducing similar exemptions for legal professional privilege and national security. All of these provisions currently exist under the UK GDPR.
  3. The Act also amends Part 3 DPA 2018 to remove the requirement for competent authorities 1 to inform the data subject that they have been subject to automated decision-making if certain conditions are met, including reconsideration, with meaningful human involvement, as soon as reasonably practicable. This change reflects the fact that, under certain circumstances, the current requirement could risk prejudicing an active investigation by tipping off an individual that they are of interest to the police.
  4. The Act also removes the requirement to record a justification in the logs of consultation and disclosure, which is resource intensive and holds limited value in maintaining accountability since it is unlikely that someone accessing the log for an improper purpose would enter an honest justification. The other safeguards, such as the requirement to record the time and date of consultation or disclosure, remain in the legislation.
  5. The current situation where competent authorities and the intelligence services are governed by different data protection regimes presents challenges to joint operational working. In response to the Manchester and Fishmongers’ Hall terrorist incidents and the increasing expectation that law enforcement and the intelligence services will work jointly in operational partnerships, the Act introduces a power that will allow the Secretary of State to issue a notice designating some specified competent authorities to process data jointly with the intelligence services under Part 4 DPA 2018 for national security purposes. This intends to enable these operational partnerships to respond to national security threats and protect the public, particularly where the processing of data requires complex decisions at pace.

Information standards for health and social care

  1. For the health and adult social care system to work efficiently and effectively, data needs to flow through the system in a standardised way, so that when it is accessed by or provided to an organisation for any purpose it can be read, be meaningful to, and be easily understood by the recipient and/or user of the data. This relies on data being collected, processed, and shared in a consistent way.
  2. This Act intends to improve people’s lives and life chances, by enabling more and better digital health and care services and supporting appropriate data-sharing across the wider health and adult social care sector.

Smart meter communication services

  1. The Smart Metering Implementation Programme is a Government Major Project Portfolio (GMPP) Programme that is estimated to deliver a net benefit to Great Britain of £6 billion 2 . The Government believes that its successful implementation is key for delivering energy bill reductions, improved customer service and the cost-effective delivery of net zero, by enabling the integration of renewables and emerging technologies such as heat pumps and electric vehicles.
  2. Central to the operation of smart metering is the activity of communicating to and from smart metering systems. The GB-wide smart meter communication service is provided by a single licensed entity, regulated by the Gas and Electricity Markets Authority (GEMA). Smart DCC Ltd was awarded the smart meter communication licence under section 6 of the Electricity Act 1989 and section 7AB of the Gas Act 1986 in September 2013 following an open competition and the licence term is coming to an end.
  3. This Act provides the Authority with flexibility to determine the best process to follow in appointing the successor smart meter communication licensee. This intends to ensure that the Authority is able to appoint a successor in a timely and efficient way that is in the best interest of energy consumers.

Information to improve public service delivery

  1. For public service delivery, the existing power under section 35 of the Digital Economy Act 2017 allows for data sharing that benefits households and individuals. With the intention of facilitating more responsive, joined-up public services across the digital economy, this Act extends powers under section 35 to allow data sharing to deliver public services to businesses.
  2. The aim of extending the powers is to enable businesses to access public services and support more easily, giving them easier access to information, guidance and business support services.

Retention of information by providers of internet services

  1. The Online Safety Act 2023 (OSA 2023) allows OFCOM to issue information notices to social media companies and other online services. These notices require recipients to provide certain data to OFCOM for the purposes of responding to an information request from the coroner or Procurator Fiscal in Scotland, or for preparing a report under section 163 of the OSA 2023.
  2. This Act expands on this. When a coroner or Procurator Fiscal suspects a child may have taken their own life, they can notify OFCOM. OFCOM must then issue information notices ordering providers of specified regulated services to preserve data on that child's use of those services for a period of time where that information may be needed to respond to an information notice issued under section 101 or to produce a report under section 163 of the OSA 2023.
  3. This Act also enables OFCOM to issue information notices requiring any other relevant person (as defined in the OSA 2023) to preserve data relating to the use of specified regulated services by that child where that information may be needed to respond to an information notice issued under section 101 or to produce a report under section 163 of the OSA 2023.
  4. The data preservation measure ensures that information on the child's social media and internet use remains available for the investigation by the coroner or Procurator Fiscal or should OFCOM need it in order to respond to a request from a coroner or Procurator Fiscal or to produce a report under section 163 of the OSA 2023. It prevents the data being deleted through routine processes while an investigation is active.
  5. The enforcement powers and penalties in the OSA 2023 for not complying with OFCOM information notices will apply to the new preservation measure, although the Act creates a limited number of new criminal offences tailored to this information notice process.

Information for research about online safety matters

  1. The provisions in this Act allow the Secretary of State to make regulations that create a new framework that would permit researchers access to information held by certain providers of internet services, for the purposes of research into online safety matters. OFCOM prepared a report, laid in Parliament on 8 July 2025, that provides significant evidence on the issue of access to online safety data for researchers. This report will provide a solid evidence base to inform the design of the access framework, and the Secretary of State will be under a duty to consult with OFCOM and other appropriate bodies before making regulations.

Retention of biometric data

  1. Sections 18 to 18E of the Counter-Terrorism Act 2008 (CTA 2008) set out the framework for the retention of biometrics (fingerprints and DNA profiles) for national security purposes. The CTA 2008 sets out a standard retention period for biometrics processed under this framework. Biometrics can be held for up to three years from the point at which the biometrics were taken, unless the individual has a prior UK conviction for a recordable offence, or, in cases where the police do not know the identity of the individual to whom the biometrics relate, under which circumstances they can be retained indefinitely. The CTA 2008 also includes the power for the police to submit National Security Determinations (NSDs) in cases where the individual does not have a conviction, but the police consider that it is both necessary and proportionate for the purposes of national security to retain the biometrics. NSDs require approval by a Chief Officer, and are reviewed by the independent Biometrics Commissioner. An NSD can be approved for up to five years, and can be renewed.
  2. Where the police receive biometrics of national security interest from overseas partners, they process these under the CTA 2008 framework (the biometrics processed under the CTA 2008 can be referred to as ‘section 18 material’). As the volumes of these international biometrics have increased over time, particularly those biometrics received from INTERPOL, the existing retention rules in the CTA 2008 have increasingly presented operational challenges for the police. Specifically, an NSD requires a substantial amount of information in order to present a sufficient national security case which can justify the necessity and proportionality of retaining the biometrics for a longer period. This level of information is often not available for biometrics received from overseas, and the volumes involved mean that this is becoming unsustainable for the police to process such a high number of NSDs. The changes in this Act intend to mitigate these issues by ensuring that biometrics of national security interest received from overseas partners (or that relate to persons who have overseas convictions) are able to be retained by the police, where they may have otherwise needed to be destroyed, whilst ensuring retention minimises the intrusion on individual rights.

Trust services

  1. Trust services such as electronic signatures, seals, and timestamps increase confidence in the use of electronic transactions through mechanisms such as verifying the identity of individuals and businesses online and confirming the integrity of electronic data e.g. documents. Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (incorporated into UK law at the end of the EU Transition Period under section 3 of the European Union (Withdrawal) Act 2018 as amended by the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019/89, provides the legal framework for the use of trust services in the UK and the recognition of equivalent EU trust services. The ICO is the supervisory body for qualified trust service providers and can carry out audits, grant qualified status, and take enforcement action.
  2. The measures in the Act seek to ensure the effective functioning of the UK regime for present and future arrangements. This is to make sure that the regime is ready to support future demand for secure and trusted electronic transactions in the UK.
  3. Additional measures in the Act seek to prepare the UK to fully participate in the global digital economy by providing the legal basis for mutual recognition agreements on trust services with other countries. As the digital economy grows globally, there is increasing interest in the interoperability of trust services across borders. This Act supports interoperability which facilitates international business, reduces trade friction, lowers costs, and enhances confidence and security.

Creation/requesting the creation of purported intimate images

  1. As part of its mission to halve violence against women and girls, the government committed in its manifesto to ban the creation of sexually explicit deepfake images. Section 138 fulfils this commitment by creating new offences of creating, or requesting the creation of, a purported (or ‘deepfake’) intimate image of an adult without their consent or reasonable belief in their consent.
  2. There has been a significant rise in the accessibility of technology used to create purported intimate images, and in their prevalence online without the consent of the person depicted.
  3. Under section 66B of the Sexual Offences Act 2003, the law already captures situations where intimate images including deepfakes are shared without consent or reasonable belief in consent. However, there is currently no criminal offence of creating, or requesting the creation, of intimate image deepfakes of an adult, without consent or reasonable belief in consent. This behaviour can cause harm to the individuals depicted and forms part of a culture of wider harmful and misogynistic behaviour.
  4. The offences do not cover purported intimate images of children, as the criminal law already covers indecent images including deepfake images of children (i.e. those under the age of 18) in section 1 of the Protection of Children Act 1978.

Copyright and Artificial Intelligence

  1. The interaction of the copyright framework and artificial intelligence (AI) systems is a key area of work for the government. The underpinning objectives are to enhance rights holders’ control over use of their works; to help AI developers access high quality content legally; and to facilitate greater transparency over what material is being used and how.
  2. The provisions in this Act on reporting and an economic impact assessment (sections 135-137) and commitments to hold working groups on the relevant issues will ensure that the wide range of views on this issue will be taken into account and a practical plan put in place to deliver the objectives above. We will continue to engage extensively as we consider next steps.

Consultations

Access to customer data and business data

  1. In 2018, the previous government consulted on Smart Data (opens in new window) - specifically whether and how to extend the benefits of Smart Data to sectors beyond retail banking (delivered through Open Banking). Consultation responses were received from the technology, energy, communications, and financial sectors, as well as charities and academia.
  2. Respondents were in favour of the extension of Smart Data and generally in favour of legislation to mandate industry involvement in Smart Data initiatives, though some wanted more time for voluntary approaches to develop first. No significant voluntary schemes have developed in the absence of effective legislation and regulations.
  3. The previous government’s consultation response committed to primary legislation to extend the government's powers to mandate participation in Smart Data initiatives.
  4. The previous government considered that a voluntary approach would lead to continued slow progress and possible duplication of work across sectors. Delays would stem from limited incentives for data holders to share data; this has been evidenced in the slow progress of similar voluntary schemes, such as the Data Transfer Project and Open Transport. As companies in scope of the schemes are likely to bear much of the cost of Smart Data, there is a high risk that no schemes will voluntarily emerge on a wide scale.

Digital identity and attributes consultation

  1. In July 2021 the previous government published a digital identity and attributes consultation (opens in new window) . This followed on from the commitments made in the digital identity call for evidence response published in 2020, and the draft UK digital identity and attributes trust framework alpha version 1, published in February 2021.
  2. The 2021 consultation sought views on proposals which looked to enable the growth of a secure and trusted digital identity market in the UK. The proposals included establishing governance to make sure that organisations wanting to operate in the digital identity marketplace are supported when they choose to follow the rules and standards set out in the trust framework, and making it possible for more trusted data sets to be checked so people can more easily prove things about themselves as they create a digital identity.
  3. The consultation closed in September 2021 and received 270 responses. This consisted of 92 responses from organisations and 178 responses from individuals. The previous government's response to the consultation was published on 10 March 2022.

National Underground Asset Register

  1. In 2022, the previous government consulted on the future of the National Underground Asset Register (opens in new window) to elicit views on current practices in relation to how data is shared and accessed, the potential need for legislative reform to ensure data in the register is complete and up-to-date, and the running of the service once fully operational. The consultation also elicited views on the future funding model.
  2. The consultation closed in June 2022 and received 164 responses. These represented a range of interested groups, including local authorities, utility companies, surveyors, regulators and members of the public. The findings included the view that legislative reform would be needed to ensure workers are able to access complete data through NUAR; a preference for the NUAR database to continue to be controlled by government due to commercial and security risk; and calls to explore opportunities for NUAR data to be accessed for other use cases or by other user groups. There was no consensus on who should fund NUAR in the operational phase but general agreement that those who benefit from the service should contribute. In response, the previous government committed to:
    • Developing a charging framework that takes into account the comments raised by respondents;
    • Continuing to explore potential legislative reform; and
    • Considering opportunities for the wider market to enhance the NUAR service.
  1. The previous government's response to the consultation was published on 24 October 2022.

National Data Strategy and ‘Data: A New Direction’ consultation

  1. At the end of 2020, the previous government launched its National Data Strategy, and in September 2021 that government launched the "Data: a new direction" consultation (opens in new window) .
  2. This consultation closed in November 2021 having received close to 3000 responses. These were received from individuals, businesses, and other organisations including global think tanks, non-profit organisations, research institutes and trade bodies.
  3. The previous government's response to the consultation was published on 17 June 2022.

Copyright and Artificial Intelligence

  1. In December 2024, the government launched a consultation on copyright and artificial intelligence (AI) (opens in new window) . This consultation sought views on a range of issues relating to copyright and artificial intelligence, and how the legal framework can support both the creative industries and the AI sector.
  2. One of the key issues covered by the consultation was the use of copyright works to train AI systems. The government put forward four options and sought views on which option would best meet the following objectives:
    • Supporting right holders’ control of their content and ability to be remunerated for its use;
    • Supporting the development of world-leading AI models in the UK by ensuring wide and lawful access to high-quality data; and
    • Promoting greater trust and transparency between the AI and creative sectors.
  1. The consultation closed in February 2025 and received over 11,500 responses.

1 These are bodies defined under section 30 of the DPA 2018 as either bodies set out under Schedule 7 of that Act (the list includes police forces, government departments and bodies with functions relating to offender management such as the Youth Justice Board for England and Wales and the probation service providers) or any other person who has a "statutory function" for any of the "law enforcement purposes" (i.e. the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal penalties as well as the prevention of threats to public security).

2 Smart meter roll-out: cost-benefit analysis 2019 (September 2019)

Back to top