Skip to main content

The Data Use and Access Act 2025 (DUAA) - what does it mean for law enforcement agencies?

Latest updates - 19 June 2026

19 June 2026 - We have updated this guidance to reflect that all data protection provisions in the Data (Use and Access) Act 2025 are now in force. The guidance now includes links and an overview of new and updated ICO guidance to support organisations. We have removed the DUAA preparation checklist and added a new section on ‘ICO new powers’.

19 June 2025 - this guidance was published

At a glance  

  • The Data (Use and Access) Act 2025 (DUAA) updates some laws about digital information matters. 
  • It changes data protection laws, including the laws that apply to law enforcement agencies (or ‘competent authorities’) that use personal information for law enforcement purposes. 
  • These changes should help you deliver your public services more effectively.       
  • Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.  
  • The changes came into force between June 2025 and June 2026. 

In brief 

 

What data protection laws does the DUAA change?  

The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).   

How might the DUAA help us to deliver our public services more effectively? 

The DUAA might help you deliver your public tasks more effectively in the following ways: 

  • New joint processing provisions: it allows you to work to intelligence services data protection rules when you are working with the intelligence services on joint operations; if this is necessary to safeguard national security and has been approved by the Home Secretary.  
  • New national security exemption: it allows you to restrict some of the data protection rights that people have if this is necessary to safeguard national security. Our new guidance on this exemption provides more detail.
  • New legal professional privilege exemption: it allows you to restrict people’s right to access their personal information if it is subject to legal professional privilege. Our Part 3 right of access guidance will be updated soon. 
  • Logging: it removes the need for you to keep a log of the reasons why people within your organisation have accessed or disclosed the personal information you hold in automated processing systems. We’ve published guidance on logging for law enforcement purposes
  • Subject access requests (SARs): it allows you to take longer to respond to SARs, if you need extra time because of the complexity or number of requests that someone has made. It also makes it clear that you only need to make reasonable searches for information. Our Part 3 right of access guidance will be updated soon. 
  • Definition of consent: it improves clarity by defining consent for law enforcement processing. We’ve updated our law enforcement guidance to reflect this provision. 
  • Codes of conduct: it allows experts to develop codes of conduct on using personal information for law enforcement purposes. We’ve published guidance on codes of conduct
  • Automated decision-making: it allows you to use people’s personal information to make significant automated decisions about them in more circumstances, so long as you continue to apply appropriate safeguards. And it introduces a new safeguard to pro-actively re-consider a decision with human involvement, when this is necessary for some public interest reasons. We’ve consulted on our draft guidance on automated decision-making, including profiling.
  • Disclosures to help you perform your public tasks: it allows other organisations to provide personal information you’ve requested, where you have confirmed that you need it to carry out your public tasks.    
  • Making things clearer: it improves the way the law is written and structured to make it easier for you to follow and apply, but without materially changing how you can use personal information. For example, it rewords the test you need to apply when transferring personal information outside the UK. 

Are there any new requirements for us to meet? 

  • Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You must also acknowledge complaints within 30 days and respond to them ‘without undue delay’. We’ve published new complaints guidance for organisations to help you prepare.  
  • Information requests to other organisations to help you perform your public tasks: if you want another organisation to give you personal information, where you have confirmed that you need it to carry out your public tasks, you have to make sure that you need the information. We may take enforcement action against you if you hold or use information that you’ve received in this way, but don’t actually need. We’ve published new guidance on requesting personal information for your public tasks or official functions

What help can we expect from the ICO? 

We’re working hard to make sure organisations understand what has changed and what it means in practice. Over the last year, we’ve published new and updated guidance, particularly in areas most impacted by the DUAA. 

We’ll continue updating our guidance for law enforcement agencies over time, prioritising the areas of greatest impact. You can find more details about the updates we’re working on in Our plans for new and updated guidance.  

We’ve produced a more detailed summary of all the data protection changes that might affect you. We’ve written this for data protection experts, including those people within your organisation who are responsible for making any changes you decide to make. 

The DUAA also makes some changes to the ICO to help us regulate more effectively:  

  • it changes our structure;  
  • it gives us some new powers to assist us in our investigations; and  
  • it gives us some new duties and reporting requirements to enhance our transparency and accountability for how we work.  

These changes will enable us to continue to operate as a trusted, fair and independent regulator with a stronger and modernised structure. We’ll continue to offer you advice and services, and to focus on ensuring regulatory certainty, reducing regulatory burdens and encouraging innovation and growth. 

ICO new powers  

Among the new powers that DUAA provides us with is the ability to compel a witness to attend an interview and to request reports of approved persons.  

Our new draft enforcement procedural guidance sets out the process we will follow when carrying out investigations, taking enforcement action, and exercising some of our other duties. We will be publishing the final guidance in due course.  

Our aim is to give businesses certainty about what to expect by publishing guidance before we begin using them. However, the law has commenced and we can, and will, use these powers where necessary for the most serious cases. 

What other laws does the DUAA change? 

The DUAA also changes some other laws that we don’t regulate. You can find more information about these changes on the GOV.UK website.