The Data Use and Access Act 2025 (DUAA) - what does it mean for law enforcement agencies?

At a glance  

• The DUAA is a new Act of Parliament that updates some laws about digital information matters.  
• It changes data protection laws, including the laws that apply to law enforcement agencies (or ‘competent authorities’) that use personal information for law enforcement purposes. 
• These changes should help you deliver your public services more effectively.       
• Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.  
• The changes will be phased in between June 2025 and June 2026. 

In brief 

• What data protection laws does the DUAA change? 
• How might the DUAA help us to deliver our public services more effectively? 
• Are there any new requirements for us to meet? 
• What help can we expect from the ICO? 
• What can we do now to prepare for these changes? 
• What other laws does the DUAA change? 

What data protection laws does the DUAA change?  

The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).   

How might the DUAA help us to deliver our public services more effectively? 

The DUAA might help you deliver your public tasks more effectively in the following ways: 

• New joint processing provisions: it allows you to work to intelligence services data protection rules when you are working with the intelligence services on joint operations; if this is necessary to safeguard national security and has been approved by the Home Secretary.  
• New national security exemption: it allows you to restrict some of the data protection rights that people have if this is necessary to safeguard national security.   
• New legal professional privilege exemption: it allows you to restrict people’s right to access their personal information if it is subject to legal professional privilege.  
• Logging: it removes the need for you to keep a log of the reasons why people within your organisation have accessed or disclosed the personal information you hold in automated processing systems. 
• Subject access requests (SARs): it allows you to take longer to respond to requests to access personal information, if you need extra time because of the complexity or number of requests that someone has made. It also makes it clear that you only need to make reasonable searches for information. 
• Definition of consent: it improves clarity by defining consent for law enforcement processing. 
• Codes of conduct: it allows experts to develop codes of conduct on using personal information for law enforcement purposes. 
• Automated decision-making: it allows you to use people’s personal information to make significant automated decisions about them in more circumstances, so long as you continue to apply appropriate safeguards. And it introduces a new safeguard to pro-actively re-consider a decision with human involvement, when this is necessary for some public interest reasons. 
• Disclosures to help you perform your public tasks: it allows other organisations to give you the personal information that you’ve requested, based on your declaration that you need the information to carry out your public tasks.    
• Making things clearer: it improves the way the law is written and structured to make it easier for you to follow and apply, but without materially changing how you can use personal information. For example, it rewords the test you need to apply when transferring personal information outside the UK. 

Are there any new requirements for us to meet? 

• Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You must also acknowledge complaints within 30 days and respond to them ‘without undue delay’. 
• Information requests to other organisations to help you perform your public tasks: if you want another organisation to give you personal information, based on your declaration that you need it to carry out your public tasks, then you have to make sure that you need the information. We may take enforcement action against you if you hold or use information that you’ve received in this way, but don’t actually need.  

What help can we expect from the ICO? 

We’ll update our guidance for law enforcement agencies over time and as the changes come into effect. You can find more details about the updates we’re working on in Our plans for new and updated guidance. 

Updating all our guidance will take some time though, so until then we’ve produced a more detailed summary of all the data protection changes that might affect you. We’ve written this for data protection experts, including those people within your organisation who are responsible for making any changes you decide to make. 

The DUAA also makes some changes to the ICO to help us regulate more effectively:  

• it changes our structure;  
• it gives us some new powers to assist us in our investigations; and  
• it gives us some new duties and reporting requirements to enhance our transparency and accountability for how we work.  

These changes will enable us to continue to operate as a trusted, fair and independent regulator with a stronger and modernised structure. We’ll continue to offer you advice and services, and to focus on ensuring regulatory certainty, reducing regulatory burdens and encouraging innovation and growth. 

What can we do now to prepare for these changes? 

What other laws does the DUAA change? 

The DUAA also changes some other laws that we don’t regulate. You can find more information about these changes on the GOV.UK website.