UK’s Data (Use and Access) Act 2025: Reshaping digital future and data protection

On 19-6-2025, the Government of United Kingdom granted royal assent to Data (Use and Access) Act 2025, establishing a new regulatory framework for data protection and redefining how shared data can be accessed. The Act will come into force in phases, as set out by the Secretary of State through commencement regulations.

Key points from UK’s Data (Use and Access) Act 2025:

1. 1. The Data (Use and Access) Act defines clear rules to allow individuals and businesses in UK to have greater control over data to be assessed and shared between parties, with the aim of promoting informed consent, strengthening consumer protection, and building trust. It facilitates secure data extraction and access across sectors, encouraging innovation while safeguarding privacy and transparency.
   2. It establishes a framework for digital identity systems, including register of certified providers, UK digital trust mark enabling secure digital verification of facts.
   3. National Underground Asset Register will be given a regulatory status to systematically map underground infrastructure, improving safety, reducing excavation risks, and enhancing planning and coordination efforts.
   4. The registration of events such as births and deaths will now shift from a paper-based system to digital records managed by designated officials, aiming to enhance administrative efficiency and service delivery.
   5. The Act amends the Data Protection Act 2018 by updating provisions on lawful processing, strengthening access rights, and updating rules on international data transfers, while introducing new statutory concepts such as ‘recognised legitimate interests’ as valid grounds for data handling.
   6. Amendments are made to the UK General Data Protection Regulation (‘UK’-‘GDPR’) and the Privacy and Electronic Communications Regulations to incorporate ‘recognised legitimate interests’ and streamline Data Subject Access Requests (‘DSAR’) while reducing compliance burdens for low-risk processing activities.

1. The Act allows data controllers to pause the DSAR response timeline while awaiting clarification from the requester, helping manage complex or vague requests more efficiently.
2. The Act strengthens protections for children’s personal data, requiring online services likely to be accessed by minors to address specific privacy risks and act in the best interests of the child.
3. The Act replaces the Information Commissioner’s Office with a newly formed Information Commission, designed to adopt a more responsive regulatory approach.
4. The Information Commission will be able to issue fines, compel audits, and require corrective actions for breaches of data protection obligations.
5. The Act broadens the definition of ‘scientific research’ and allows the use of personal data for research and public interest purposes without always requiring consent, provided appropriate safeguards are in place.
6. Schedule 16 the Act provides for the granting of smart meter communication licences, supporting the rollout and management of smart energy infrastructure across the UK.
7. Organisations will be required to maintain clear internal procedures for handling data protection complaints, encouraging early resolution and accountability.

8. The Information Commission will also issue industry-specific guidelines to support consistent interpretation and implementation of the Act’s data protection provisions.