ICO closed consultations on DUAA updates to part 3 law enforcement
- Start date 27 August 2025
- Closing date 27 October 2025
- Type ICO consultation
- Status Closed, with a summary of responses
About the consultation
Between 27 August and 27 October 2025 we conducted closed consultations for changes to part 3 of the Data Protection Act 2018 (DPA), introduced by the Data Use and Access Act 2025 (DUAA). The separate consultations focused on three DUAA amendments to our existing part 3 guidance: Logging, Consent and the National Security Exemption.
We received 11 responses in total to our closed consultations. We thank everyone who took the time to comment and share their views. Respondents included representatives from UK police and investigatory services, justice, central government and civil society.
Our guidance is aimed at ‘competent authorities’ who use personal information for any of the law enforcement purposes and their associated processors. In particular Data Protection Officers (DPOs) and those with specific data protection responsibilities in the context of law enforcement processing.
Key themes
Below is a summary of the key themes we received from our closed consultations.
Logging
Respondents thought the guidance is well-structured and easy to navigate, with helpful examples that support understanding of logging practices. While it may not introduce new concepts, it is considered a valuable reference tool for Data Protection Impact Assessments (DPIAs) and internal advisory work.
ICO response
We welcome the positive feedback on the structure and accessibility of the guidance. We have made clear that the guidance says what organisations must, should and could do to comply with data protection legislation. We have also made clear that the scope of the guidance is limited to the requirements of part 3 of the DPA and applies to competent authorities and processors.
There was call for greater clarity around legal interpretations, particularly whether logging must be system-based or if manual methods are acceptable, and what constitutes “disproportionate effort” for compliance with legacy systems.
ICO response
The ICO has focused this guidance on automated processing systems as described by the legislation. We have provided clarity on what the law requires rather than addressing individual circumstances. Wider concerns will be addressed via routine stakeholder engagement. We will consider further clarification on these issues if we identify there is an operational need to do so.
Respondents expect to use the guidance regularly, especially for impact assessments, but they described practical challenges to implementation such as limited funding, outdated systems and supplier constraints.
ICO response
We acknowledge there are constraints to implementing logging obligations. The updated guidance provides clarity on what the law requires. It also provides regulatory certainty about when the ICO would need sight of any recorded logs for investigatory or regulatory purposes.
National security exemption
Respondents liked that the guidance is clear, logical, well laid out and accessible. They particularly liked the clarity on the use of the exemption and the position adopted on neither confirm nor deny responses and the information about ministerial certificates.
ICO response
We are pleased that respondents welcome the approach taken and the clarity provided in the different sections of the guidance. Our aim was to make it straightforward and easy to follow for reference purposes.
There was a call for further clarification on the scope of national security and increased certainty on when the exemption can be applied.
ICO response
There is an acceptance that data protection legislation does not include a definition of national security and that is made clear in the guidance. The need for flexibility to adapt to changing threats is also set out. The description and examples of what national security can cover are intended to help with interpretation. Based on the consultation responses as a whole, we think that the guidance provides regulatory certainty in terms of when the exemption can be applied by explaining how the exemption works and the effects on law enforcement processing.
There were requests for more examples to include the types of instances where the exemption would apply and when it wouldn’t be appropriate to rely on it ie where the link to national security is weak.
ICO response
We agree that examples are a good way to bring the guidance to life and help to consider when it might be appropriate to apply the exemption. We feel that the example included works well in setting out when the exemption could apply and how you should record your decisions. The guidance also explains that you cannot use the exemption if the impact of compliance would be trivial or not linked to national security eg to avoid embarrassment. This is an example of where the link to national security is weak.
Consent
Respondents welcomed the clarity provided on the use of consent for law enforcement purposes.
ICO response
We are pleased that respondents welcome the clarity provided on the use of consent under part 3 of the DPA. The new definition for consent under part 3 aligns with the existing definition of consent under UK GDPR. We already have detailed guidance on what consent means. The main purpose of updating this guidance was to provide clarity on its application under part 3 and to signpost to existing guidance for further information.
There was a call for greater clarity on what is meant by freely given, specific, informed, and unambiguous.
ICO response
Our existing UK GDPR guidance on consent provides further explanation about what is meant by freely given, specific, informed and unambiguous. However, we acknowledged it was also important to provide this clarity in the context of law enforcement and so added it in to these guidance updates. This is particularly relevant in relation to freely given consent and where there might be power imbalances.
Respondents appreciated the example provided which highlights the limited circumstances in which consent could be used for law enforcement processing. Overall, it was suggested that the guidance could be clearer that in most cases, consent will not be an appropriate basis for law enforcement processing.
ICO response
Examples are a good way to bring guidance to life. The most useful examples are those that don’t state the obvious, which we try to avoid when writing our guidance. In most cases consent is not an appropriate basis to rely on when using someone's data for law enforcement purposes. It was difficult to find a good example to demonstrate this without stating the obvious. Instead, we focused on making the message clearer in the opening paragraphs and finding an example where consent could be an appropriate basis to use for law enforcement.