Skip to main content

ICO launches consultations for Data (Use and Access) Act 2025 amendments

  • Date 21 August 2025
  • Type News
  • Launch commences with ‘recognised legitimate interest’ – a new lawful basis - and ‘data protection complaints for organisations’ guidance consultations
  • Regulator seeking quality responses to help inform final guidance
  • Amendments give organisations more confidence to use personal information in the public interest and supports organisations establishing a data protection complaints process

In response to the Data (Use and Access) Act 2025 (DUAA) coming into force, the Information Commissioner’s Office (ICO) has launched public consultations to help shape final guidance.  

The ICO has produced and is consulting on draft guidance to support organisations in understanding and applying upcoming amendments. These include: 

These guidance pieces and consultations are a significant step in the ICO’s commitment to provide clear guidance on the amendments which give organisations more confidence in handling personal information. 

Emily Keaney, Deputy Commissioner, said: 

The DUAA received Royal Assent on 19 June 2025 with the first provisions coming into force on 19-20 August 2025. The Department for Science and Innovation (DSIT) has set out the commencement plans.

Consultation details 

‘Recognised legitimate interest’ is a new lawful basis. This new basis will give organisations greater confidence to use personal information for certain pre-approved purposes. These public interest purposes cover activities like crime prevention, public security, safeguarding, emergencies and sharing personal information to help other organisations perform their public tasks. Our detailed guidance will make it easier for organisations to successfully use recognised legitimate interest by explaining how it works, along with giving practical examples. Public authorities should continue to use the public task lawful basis when using personal information for public tasks or official functions. Further details on the 10-week consultation, which closes on 30 October 2025, can be found here

By June 2026, organisations must have a process in place to handle data protection complaints. A complaint can come from anyone who is unhappy with how an organisation has handled their personal information. Our guidance sets out the new requirements and informs organisations of what they must, should and could do to comply. Further details on the eight-week consultation, which closes on 19 October 2025, can be found here

ICO resources 

To support organisations in their understanding of new data protection legislation, the ICO proactively publishes general data protection plans for new and updated guidance

Notes to editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator that exists to empower people through their information rights. The ICO regulates the whole economy, including government and the public sector. 
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.  
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.  
  4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.