On 19 June 2025, the Data (Use and Access) Act (the “DUA Act”) received Royal Assent. The DUA Act is intended by the UK government to enhance the UK’s digital strategy and unlock the use of data, harnessing its capabilities to boost public services and contribute to the UK economy.
The Data (Use and Access) Bill was first introduced to Parliament on 23 October 2024, and was the third iteration of data reform put forward by successive governments. Despite the DUA Bill including many of the same reforms set out in its previous iteration (the Data Protection and Digital Information (No. 2) Bill) introduced by the last Conservative government in March 2023, its passage through Parliament was not straightforward. It underwent a prolonged period of ping pong between the two Houses of Parliament, as members of the House of Lords sought to strengthen provisions intended to address the use of copyright works to train AI models.
In this Law Now update, we re-cap some of the key areas for change that will be introduced by the DUA Act and will publish a series of further Law Now updates that will focus on the impact of these changes for business and how organisations can prepare and position themselves to take advantage of the new data regulatory landscape in the UK.
What are the key areas of reform under the DUA Act?
Key areas of change introduced by the DUA Act include the following:
Smart Data schemes: Sharing customer and business data
Part 1 of the DUA Act sets out a framework for the Secretary of State and the Treasury to establish new Smart Data schemes that will require data holders who are in-scope of such a scheme to provide access to customer data (broadly, information relating to a customer of a trader) and business data (broadly, information about goods and services supplied or provided by a trader). Such access may be to customers and other specified third parties that are authorised by the customer to receive the data. These reforms have parallels with recent data developments in the EU, in particular the requirements of the EU Data Governance Act (which has been applicable since September 2023) and the EU Data Act (which came into effect on 11 January 2024 and will become applicable in September 2025). However, unlike the Data Governance Act, Smart Data schemes are not limited to public sector data, and unlike the Data Act, which is focussed on IoT technology, Smart Data schemes are not exclusively about access of data generated by connected products.
You can read more about the Smart Data schemes framework here, and we have looked in detail at how it compares with data sharing under the Data Act here.
Beyond Open Banking and towards Open Finance
The Smart Data framework described above is intended to support the UK’s Open Banking scheme on a long-term basis, and to spark further innovation in the financial services sector. The Treasury will be able to empower the Financial Conduct Authority (FCA) to make rules to regulate smart data schemes in the sector and to use its supervisory and enforcement powers. This is intended to enable so-called ‘Open Finance’, which has been discussed for a number of years, and is intended to roll out the principles of data sharing beyond banking, to other financial services, including investment advice and personalised guidance.
Digital identity verification
The DUA Act also sets out a framework for establishing ‘trusted’ providers of digital verification services. This is set out in Part 2. This includes a ‘trust mark’ for organisations that have been certified against the framework, a register of providers, and an information-sharing gateway. The government hopes that use of the trust mark will enable consumers to make informed decisions about organisations with whom they share personal data and give them confidence that organisations displaying the trust mark will process their personal data to a stringent set of standards.
In addition to the changes for digital verification services that will be introduced by the DUA Act, the government plans to introduce a digital wallet – called the GOV.UK Wallet – and a digital driving licence for use in 2025.
You can read more about the new rules under the DUA Act, the UK’s plans for digital IDs and how they compare with EU digital IDs in our earlier article here.
Public sector data sharing
The DUA Act brings in changes that are intended to enhance public services by facilitating better data sharing among public bodies. This includes the creation of a National Underground Asset Register (NUAR), a government digital service that will provide access to a map of the country’s underground pipes and cables. These proposals will make it mandatory for organisations that install apparatus underground to sign-up and record prescribed information regarding the installation. The government hopes that the NUAR will streamline the process by which infrastructure asset data is shared and improve the way buried infrastructure is installed, maintained, operated and repaired. The government says that NUAR will allow construction workers to access location data in 6 seconds on average, a process that currently takes 6 days.
The DUA Act also establishes a framework for the introduction of mandatory information standards relating to information technology or IT services used in the UK health and care system, to ensure that health and care data is recorded and managed in a standardised manner. This is intended to enhance health and care professionals’ access to such data by making it more interchangeable.
These proposed reforms are comparable to recent developments in the EU under the Data Governance Act and the Common European Data Spaces, which seek to increase access to data held by public bodies and enhance data sharing in strategic sectors.
Data protection and e-privacy reform
The DUA Act introduces a number of significant reforms to UK data protection and e-privacy law. This includes:
- Clarifying that commercial, privately funded activities fall within the scope of processing for “scientific research purposes” and relaxing the conditions for obtaining consent to such processing.
- Introducing a new “recognised legitimate interest” lawful basis for processing.
- Introducing criteria for assessing whether further processing of personal data is compatible with its original purpose and a list of conditions that would be considered compatible with the original purpose.
- Expanding the circumstances in which automated decision-making may be used.
- Setting out “higher protection matters” that must be taken into account when data is processed in the course of providing information society services that are likely to be accessed by children.
- Reforming the rules for cross-border transfer of personal data.
- Bringing the enforcement powers under PECR into line with UK GDPR, so that enforcement mechanisms and penalties are the same in most cases (e.g. fines of up to £17.5m or 4% of global turnover for certain failures to comply).
Artificial intelligence
This aspect of the DUA Bill was the most hotly contested between the two Houses of Parliament, with the House of Lords repeatedly seeking amendments aimed at bolstering the position of copyright holders amidst concern that their works are being used to train AI models without their permission, where that is required. This was resisted by the government, whose preference is to await until the outcome of the Copyright and AI Consultation in order to take an ‘holistic’ approach to any copyright law reforms, rather than legislate piecemeal. This means that transparency proposals from the House of Lords that would have led to copyright holders being provided information about which of their works were used in AI training did not make it into the DUA Act.
The DUA Act will, though, require the government to publish in 9 months an assessment of the economic impact of each of the four policy options described by the government in the Copyright and AI Consultation Paper, and a report on the use of copyright works in the development of AI systems. The government must give a “progress statement” on both of these in 6 months.
Next steps
Some of the data protection changes set out in the DUA Act came into force on 19 June 2025, others will follow two months later, whilst a number of other provisions of the Act will require secondary legislation before coming into force. Look out for future Law Now updates, in which our specialists will focus in more detail on each of the key areas of change proposed under the DUA Act and what impact they will have for businesses.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.