For the public - the Data Use and Access Act (DUAA) 2025 - how does this affect me?
Latest updates - 19 June 2025
19 June 2025 - This page was published
The DUAA is a new Act of Parliament that updates some laws about digital information matters.
This includes some changes to the data protection laws we regulate and that govern how organisations are allowed to use your personal information. These changes will be phased in between June 2025 and June 2026.
What difference does this make to how an organisation can use my personal information?
Many of the changes don’t really affect how an organisation can use your personal information. They just make what is and isn’t already allowed clearer.
However, there are some changes that do open up the ways an organisation can use your personal information. Any changes like this have safeguards to ensure you are still properly protected.
What are the main data protection changes?
Changes to complaints procedures
- An organisation must take steps to help you if you want to make a complaint about how it uses your personal information, such as providing an electronic complaints form. It also must acknowledge your complaint within 30 days and respond to it ‘without undue delay’.
Changes to how an organisation can use your personal information
- Automated decision-making: an organisation can use your personal information to make significant automated decisions about you, if it can show it has a valid reason. This reason is known as a ‘legitimate interest’ and it needs to outweigh the impact on your rights and freedoms. This won’t be allowed for some information that is more protected and is known as ‘special category information’, for example, information about racial or ethnic origin or sexual orientation. (An automated decision is a decision made by a computer without any meaningful human involvement.)
- Direct marketing ‘soft opt in’: a charity that has collected your personal information because you’ve supported, or expressed an interest in, their work, can send you direct marketing emails, unless you ask it not to.
- Archiving in the public interest: an organisation can give out your personal information when it is needed for the purposes of ‘archiving in the public interest’, even if you originally provided it for a different reason and you only consented to the organisation using it for that reason. (Archiving in the public interest means preserving records of public value.)
- National security exemption: a law enforcement agency (such as the police) does not have to follow some of the usual rules about how it can use your personal information, if this is necessary to protect national security.
- Designation notices: law enforcement agencies, and the intelligence services (such as MI5), who are working together on joint operations can work to the same intelligence services’ rules when using your information, if the Secretary of State authorises this. (Before the DUAA, they each worked to slightly different data protection laws.)
- Cookies: an organisation no longer needs your consent to set some cookies if the intrusion on your privacy is limited, such as those that improve the functionality of its website.
Changes to what an organisation must do when it uses your personal information
- Children and online services: an organisation must think about children when it uses personal information to provide online services, and make sure it properly protects them.
- Privacy notices: an organisation no longer needs to inform you that it intends to re-use your personal information for research, archiving in the public interest, or generating statistics, if it would involve a disproportionate effort for it to do so, so long as it protects your rights in other ways and still explains what it’s doing by publishing details on its website.
Changes to how the law is regulated
- The DUAA makes some changes to the ICO:
  - it changes our structure to help us regulate more effectively;
  - it gives us some new powers to assist us in our investigations; and
  - it gives us some new duties and reporting requirements to enhance our transparency and accountability for how we work.
- The Secretary of State has been given some new powers to allow them to amend some aspects of the law in the future, so long as this is agreed by Parliament.
What other changes does the DUAA make?
The DUAA also changes some other laws that we don’t regulate. You can find more information about these changes on the GOV.UK website.
How can I find out more?
We will update our ‘For the public’ website content as the changes are phased in.
We’ve also provided some resources to help organisations prepare. Although these are written for experts and organisations rather than for people whose information they are using, you may find them useful if you want some more details.