Data (Use and Access) Act 2025

This legislation updates requirements in areas including data subject access requests (DSARs), disclosure of data to the police and patients' rights to complain about data use.

The Data (Use and Access) Act (DUAA) 2025 received Royal Assent on 17 June 2025, meaning it is now officially law. This new law amends but does not replace the Data Protection Act 2018, the UK GDPR or the Privacy and Electronic Communications Regulations (PECR). The changes will be implemented over the next 12 months, with the exact dates for each measure set out in commencement regulations.

The Information Commissioner’s Office (ICO) has stated that the DUAA “changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights.” It is designed to improve transparency, support safe data sharing, clarify how health and care data can be accessed and used (particularly for research, planning and other secondary uses) and give the public more confidence in how their data is used.

What it means for GPs and practices

The points below are selected from the ICO’s update on what the revised legislation means for regulated organisations. We have highlighted the points that are most relevant to GPs and practices.

  • Data subject access requests (DSARs): The DUAA introduces a “stop the clock” provision which will allow organisations to pause the response time – without the risk of missing the deadline – if they need data subjects to clarify or refine their requests or to provide more information. Once the organisation has the information it needs, the response time continues. In addition, the previous law did not explicitly state that searches needed to be “reasonable and proportionate”, although this had been established by case law.
  • Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision.
  • Right for a data subject to complain to a controller (GP practice): The DUAA introduces a right for people to complain to organisations and competent authorities if they think that their personal information has been used in a way that doesn’t comply with the law. It places an obligation on organisations and competent authorities to help people to make complaints, requiring them to take steps such as providing an electronic complaints form. They must acknowledge complaints within 30 days and advise the complainant of the outcome without undue delay. They must also take appropriate steps in the meantime, such as making enquiries into the subject matter of the complaint and keeping the complainant informed about progress.
  • Research: The DUAA clarifies that people can give ‘broad consent’ to an area of scientific research. It also allows for the re-use of people’s personal information for scientific research without giving them a privacy notice, if that would involve a disproportionate effort, as long as the privacy notice is published on your website.
  • New lawful basis: The DUAA introduces a new lawful basis for processing into the UK GDPR. The new lawful basis allows processing that is necessary for reasons specified in an annex of “recognised legitimate interests”.
  • Automated decision-making: whilst the DUAA opens up automated decision making to the full range of reasons, or ‘lawful bases’, that an organisation can rely on when they use people’s personal information to make significant automated decisions about them, it retains the restrictions on the use of special category personal information. Health data is special category data.
  • Cookie rules: the DUAA allows you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website.
  • Information Standards for Health: The DUAA adds a new information standard relating to information technology or IT services used, or intended to be used, in connection with the processing of information. The amendments to the Health and Care Act 2022 (HCA 2022) made it mandatory for health and social care organisations to comply with information standards rather than just have regard to them as in the Health and Social Care Act 2012 (HSCA 2012). This means that health care organisations can now be mandated to use specified IT services or technology.
  • Power for Secretary of State: The DUAA provides powers for the Secretary of State to add additional safeguards or to be more prescriptive in the way they must be applied. There are also new powers granted to the Secretary of State to add new special categories of personal data to enable “the Government to rapidly respond to future technological and societal developments.”
  • Changes to the ICO: the current Information Commissioner’s Office will be replaced by 2027 with a new Information Commission, which will be a corporate structure with a Chief Executive.

We are reviewing all of the changes from the DUAA and their impact on general practice while waiting for further guidance from the ICO, and will provide further guidance and information in the coming months.