Data (Use And Access) Act 2025

Legal background

Access to customer data and business data

  1. Part 1 contains regulation-making powers and ancillary provisions to allow the Secretary of State or the Treasury, by regulations, to require suppliers of goods, services and digital content, and other persons who process the relevant data, to provide customers or their authorised representatives with access to data relating to that customer (customer data) and to publish or provide customers or other parties with contextual information relating to the goods, services or digital content provided by the supplier (business data). Part 1 intends to facilitate the secure sharing of data with authorised third parties, at the customer’s request and in "real time", and provision of data in this way is referred to as "Smart Data".
  2. The Part 1 powers are intended to be used to facilitate the long-term continuation of Open Banking and extend its benefits in an open finance scheme, both of which the Government committed to support in its manifesto. They also largely reflect clauses in Part 3 of the Data Protection and Digital Information Bill of the 2022-3 and 2023-4 sessions, the objective of which, further to a consultation in 2019, was to enact powers to introduce Smart Data schemes across the economy.
  3. The powers, where they are exercised, are intended to provide enhanced data portability rights beyond the right to data portability in Article 20 of the UK GDPR. The Government’s view is that the UK GDPR does not guarantee provision of customer data in "real time" or in a useful format, does not cover wider contextual data and does not apply where the customer is not an individual.
  4. These powers replace the regulation-making powers in sections 89-91 (supply of customer data) of the Enterprise and Regulatory Reform Act 2013 (ERRA 2013) which enable the Secretary of State to make regulations to require the suppliers of goods or services to provide customer data to a customer or to a person authorised by the customer at the customer’s or authorised person’s request. The ERRA 2013 powers were introduced as a backstop should it not be possible for suppliers to develop voluntary programmes for the release of customer data.
  5. The Government is of the view that the ERRA 2013 powers are no longer sufficient to enable effective Smart Data schemes. For instance, they do not cover wider business data; they do not allow the regulations to make provision by reference to specifications and technical requirements published by a specified person which is essential as IT and security standards will require frequent updating to function in a fast-paced IT environment; they do not contain powers to require the collection and retention of data which is necessary to ensure that suppliers have consistent data sets for disclosure; they do not contain powers to regulate the onward disclosure or use of data which might be necessary.
  6. Since 2013, the Government’s understanding of what is required for a successful "Smart Data scheme" has evolved in particular because of the Open Banking scheme, in which the Competition and Markets Authority, following a market study, ordered (under its competition powers) the nine biggest banking providers in the UK to open up data relating to personal and business current accounts. These banking providers were required to set up the Open Banking Implementation Entity to oversee the scheme and to develop standards for data sharing interfaces to be used in the scheme. The Open Banking scheme enables customers to share their bank and credit card transaction data securely with third parties who can provide them with applications and services, and over 12 million customers now use it.
  7. The Government has also had regard to the recent enactment of powers in Part 4 of the Pension Schemes Act 2021 (which amend the Pensions Act 2004 and the Financial Services and Markets Act 2000) for pensions dashboards, an electronic communications service which allows individuals to access information about their pensions in one place.

Digital Verification Services

  1. The digital verification service market is a nascent one, and although there exist various disparate laws, standards and guidance which persons providing such services should follow, this Act establishes a legislative structure which includes rules which such persons must comply with if they wish to be registered on a government register, use a Trust Mark and access an information gateway through which public authorities will be permitted to share information.
  2. This legislative structure will make it much easier for an individual who wants to use digital verification services to recognise trusted digital identity providers within the digital identity market.

Powers relating to verification of identity or status

  1. The Home Office has powers to prescribe right to work and right to rent checks for employers and landlords to follow, in order to obtain a statutory excuse (defence) against a civil penalty for employing or renting to a disqualified person. A disqualified person is a person who is prevented from working or renting due to their immigration status. A person specified in an illegal working compliance order may also be required to carry out right to work checks in order to comply with the terms of an illegal working compliance order.
  2. This Act amends powers in the Immigration, Asylum and Nationality Act 2006, the Immigration Act 2014 and the Immigration Act 2016 so that the Home Office can require by way of orders or regulations for employers, landlords and persons (where they choose to carry out certain digital checks in place of manual checks) to use the services of organisations registered as complying with designated supplementary rules concerning the provision of these services.

National Underground Asset Register

  1. This Act sets out a new legal framework which will put the National Underground Asset Register ("NUAR") on a statutory footing by imposing a new duty on the Secretary of State to keep a register, i.e., NUAR, and make the information in NUAR available to other persons. The Act achieves this by building upon and modernising existing provisions made in the New Roads and Street Works Act 1991 ("NRSWA 1991") for England and Wales, and in the Street Works (Northern Ireland) Order 1995 ("SWNIO 1995").

Registers of births and deaths

  1. The provision for registering births and deaths is principally governed by the Births and Deaths Registration Act 1953, the Registration Service Act 1953 and the Registration of Births and Deaths Regulations 1987, which are based on legislation that has been in place since 1836.

Data Protection

  1. The UK is a party to the Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", which became open for signature in 1981. Parliament passed the Data Protection Act 1984 to ensure compliance with the standards set out in the Convention and ratified the Convention in 1985.
  2. The Data Protection Act 1984 was repealed and replaced by the Data Protection Act 1998, which implemented the EU Data Protection Directive (95/46/EC) ("the 1995 Directive").
  3. The 1995 Directive was replaced by the EU General Data Protection Regulation (2016/679) (the "EU GDPR"), which applied directly in the UK from 25 May 2018. This was supplemented in the UK by the Data Protection Act 2018 (DPA 2018), in particular Part 2 of the Act, which repealed the Data Protection Act 1998 and exercised derogations provided by the EU GDPR.
  4. The EU GDPR does not apply to processing by competent authorities for law enforcement purposes. Such processing was subject to EU Directive 2016/680¹, which was transposed into UK law in DPA 2018 (in particular in Part 3 of the Act).
  5. The DPA 2018 provides for a further processing regime for processing by the Intelligence Services (in Part 4 of the Act).
  6. The EU GDPR was incorporated into UK law at the end of the EU Transition Period under section 3 of the European Union (Withdrawal) Act 2018 (EUWA 2018) and modified by the Data Protection, Privacy and Electronic Communication (Amendments etc) (EU Exit) Regulations 2019 under the power in section 8 EUWA 2018 to create the UK GDPR.
  7. The UK’s data protection framework therefore comprises three regulatory regimes:
    • General processing of personal data - governed by the UK GDPR as supplemented by Part 2 of the DPA 2018;
    • Processing by "competent authorities" (as defined in section 30 & schedule 7 DPA 2018) for law enforcement purposes - governed by Part 3 DPA 2018; and
    • Processing by the UK intelligence services - governed by Part 4 DPA 2018.
  8. Part 5 DPA 2018 sets out matters concerning the constitution, functions, powers and duties of the Information Commissioner. Part 6 sets out enforcement procedures.

Privacy and Electronic Communications Regulations

  1. The Privacy and Electronic Communications (EC Directive) Regulations 2003 transposed Directive 2002/58/EC. These contain some special rules for certain types of processing, such as personal data collected through cookies and direct marketing, which overlay the general rules for processing in the UK GDPR.
  2. The Data (Use and Access) Act makes various amendments to these existing sources of data protection law.

Information standards for health and social care

  1. Existing legislation regarding the processing of information and IT systems is not sufficient to achieve the policy objective. Even if existing legislative mechanisms were used to oblige health and adult social care providers to purchase information technology products and services with appropriate technical features (either directly or via professional regulation), this would be insufficient to bring the wholesale change to the supplier market that is needed. This is because the legislation does not concern the providers of the IT on which the processing relies and who can ensure that all IT and services supplied meet relevant technical requirements.
  2. In relation to processing of information, the key legislation is section 250 of the Health and Social Care Act 2012 (HSCA 2012) as amended by the Health and Care Act 2022 (HCA 2022). As amended, section 250 will enable the Secretary of State to prepare and publish standards ("information standards") in relation to the processing of information concerning or connected with the provision of health care or adult social care and will enable NHS England to prepare and publish information standards in relation to information concerning or connected with the provision of NHS Services. The standards may be applied to the Secretary of State, NHS England, public bodies which exercise functions in connection with the provision of health or adult social care and private bodies which are required to be registered with the Care Quality Commission. Where an information standard is applied to a person, that person must comply with the standard (unless that requirement is waived), except that the Secretary of State is required only to have regard to an information standard published by NHS England.

Smart meter communication services

  1. The provisions insert new sections into the Energy Act 2008 and make consequential amendments to the Electricity Act 1989 and Gas Act 1986 in order to provide the Authority with the flexibility to determine whether to appoint the smart meter communication licensee via a competitive or non-competitive process.

Information to improve public service delivery

  1. The sharing of information held by different public bodies can help those bodies deliver better public services. The Digital Economy Act 2017 (DEA 2017) allows data sharing in order to deliver public services which benefit individuals and households. Section 123 of this Act amends section 35 to extend these data sharing powers to support the delivery of public services which benefit businesses, or "undertakings".
  2. The section also defines the term "undertakings" to include those carrying on trade whether for profit or not for profit and any body established for charitable purposes.
  3. Part 5 of the DEA 2017, which includes section 35, contains safeguards to limit the circumstances under which information can be shared. Section 35 of the DEA 2017 provides a gateway to enable specified public authorities, listed in Schedule 4 of the DEA 2017, to share information for tightly constrained objectives which must be for the benefit of individuals or households. Those objectives must be set out in regulations and must be for the improvement or targeting of the provision of a public service. The same framework of constraints applies to the sharing of information to improve delivery of public services to undertakings.

Retention of information by providers of internet services

  1. Section 101 of the Online Safety Act 2023 (OSA 2023) created a new power for OFCOM to issue information notices to relevant persons (as defined by section 100(5)(a)-(e)) requiring them to provide information to OFCOM for the purposes set out in section 101(1).
  2. The provision in the Act builds on this, by creating a requirement for OFCOM, when notified of a child death by the Coroner (or Procurator Fiscal in Scotland), to issue an information notice to providers of specified kinds of regulated service requiring them to retain certain information relating to the use of the service by the deceased child for a specified period.
  3. It also gives OFCOM the power, where relevant, to issue such information notices to any other relevant person (as defined in section 101 OSA 2023) requiring retention of information relating to a child’s use of specific kinds of regulated service².
  4. The provision will help ensure that in those cases caught, should OFCOM, the Coroner or the Procurator Fiscal require the information at a later stage of the investigation, it has not been deleted through routine processes or otherwise.
  5. The provision also provides for the enforcement powers relating to information notices issued under section 101 of the OSA 2023 to apply to the new information notices under this provision, and creates additional criminal offences tailored to this provision.

Information for research about online safety matters

  1. The OSA 2023 creates a new regulatory regime, overseen by OFCOM, imposing various duties on the providers of certain internet services, to include ‘user-to-user services’ and ‘search services’.
  2. Section 162 OSA 2023 requires OFCOM to prepare a report, which must be published by July 2025, that will describe how, and to what extent, persons carrying out independent research into online safety matters are currently able to obtain information from providers of regulated services to inform their research. It will also explore the legal and other issues which currently constrain the sharing of information with researchers and will assess the extent to which greater access to information for such purposes might be achieved.

Trust services

  1. Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (incorporated into UK law at the end of the EU Transition Period under section 3 of the EUWA 2018) as amended by the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019/89, provides the legal framework for the use of trust services in the UK and the recognition of equivalent EU trust services.
  2. The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (EITSET Regulations) further implement Regulation (EU) No 910/2014, designating the Information Commissioner (the "IC") as the UK’s supervisory body and setting out an enforcement regime. The EITSET Regulations were amended by the DPA 2018 to reflect changes in the IC’s investigative powers.
  3. The provisions in the Act aim to support the effective functioning and ongoing development of the UK trust services market.

Creation/requesting the creation of purported intimate images

  1. These provisions insert new sections into the Sexual Offences Act 2003 which provide for new offences relating to creating, or requesting the creation of, purported intimate images of an adult without consent or reasonable belief in consent.
  2. A purported intimate image refers to an image which appears to be a photo or video of an adult in an intimate state. The meaning of ‘intimate state’ is set out in section 66D(5) to 66D(9) in the Sexual Offences Act 2003.
  3. This does not cover the creation of purported intimate images of children, as the criminal law already captures the making of indecent images including deepfake images of children (i.e. those under the age of 18) in section 1 of the Protection of Children Act 1978.

1 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA ("the Law Enforcement Directive")

2 This is intended to capture, for example, information held by ex-providers.