Data (Use and Access) Act 2025: ICO Consultation 

Last month the ICO, launched public consultations on its guidance in response to The Data (Use and Access) Act 2025 (DUA Act) coming into force.  

The DUA Act received Royal Assent on 19th June 2025. It amends, rather than replaces, the UK GDPR as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018. (You can read a summary of the Act here.)  

The Act is not fully in force yet. The only substantive amendment (Section 78) to the UK GDPR that came into force on 19th June inserted a new Article 15(1A), relating to subject access requests: 

“…the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.” 

Other provisions of the Act will commence in stages, 2 to 12 months after Royal Assent. The first commencement order, The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, came into force on 20th August.  

Recognised Legitimate Interests 

The DUA Act amends Article 6 of the UK GDPR to introduce ‘Recognised legitimate interest’ as a new lawful basis for processing personal data. This covers activities such as crime prevention, public security, safeguarding, emergencies and sharing personal data to help other organisations perform their public tasks. The proposed ICO guidance aims to make it easier for organisations to successfully use recognised legitimate interest by explaining how it works, along with giving practical examples. Further details on the 10-week consultation, which closes on 30 October 2025, can be found here.  

Data Protection Complaints 

By June 2026, Data Controllers must have a process in place to handle data protection complaints. A complaint can come from anyone who is unhappy with how an organisation has handled their personal data. The proposed ICO guidance sets out the new requirements and informs organisations of what they must, should and could do to comply. Further details on the eight-week consultation, which closes on 19 October 2025, can be found here.  

Data protection professionals need to assess the changes to the UK data protection regime set out in the DUA Act. Our half day workshop will explore the new Act in detail giving you an action plan for compliance. A revised UK GDPR Handbook is now available incorporating the changes made by the DUA Act.

Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Leave a Reply

Discover more from Your Front Page For Information Governance News

Subscribe now to keep reading and get access to the full archive.

Continue reading