Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

The Data Use and Access Act: Everything You Need to Know

  • Published: February 1, 2026
  • Category: Information Governance

Share this post

Avatar photo
Roz Ryan-Mills

Share this post

What is the Data Use and Access Act, or DUAA?

The Data Use and Access Act, or DUAA, is a new act of parliament which aims to drive innovation and economic growth across the UK through better data usage. To achieve this, it introduces targeted, pragmatic tweaks to UK data protection law. Our focus for this blog will be on the essential amendments that organisations need to note, detailing their commencement dates and the expected release timeline for updated ICO guidance.

The Information Commissioner’s Office (ICO) cheerfully states that these changes offer an opportunity to do things differently, rather than requiring you to overhaul your existing processes. We broadly agree. Many amendments are simply codifying pre-existing ICO guidance into law. It’s also important to note that the amendments come in stages, which gives your organisation time to properly embed any necessary changes. Now let’s take a look at the what and the when.

Need Help? Book a Call with our Expert Team
Data Use and Access Act

Your New Statutory Right to Breathe (And Ask for DSAR Clarity).

The DUAA brings in a ‘stop the clock’ rule. The usual one-month deadline to respond to a Data Subject Access Request (DSAR) will pause while you wait for the individual to give clarifications regarding what they are requesting. Furthermore, the Act clarifies that when dealing with a DSAR, you’re only required to perform a “reasonable and proportionate” search of the information you hold.

While this largely codifies existing case law and guidance, for organisations that receive a significant number of complex requests, this amendment provides a firmer legal basis to push back against excessive or unreasonable requests and manage response timelines more effectively. We suggest reviewing your current DSAR procedures to check they align with the changes.

Timescale: Has been in force since June 2025

Guidance: ICO Subject access request guidance to be finalised by Autumn 2025

A New Lawful Basis Just Dropped

The existing ‘legitimate interest’ basis is flexible, but it requires you to conduct a Legitimate Interest Assessment (LIA) to evidence that you’ve balanced your interests against the interests of the third-party data you’re using- this could be commercial, societal or even individual. The DUAA removes the requirement to conduct an LIA if the use of personal data falls under one of the new ‘recognised legitimate interest’ conditions.

How does this impact your organisation in the healthcare space?

    • If your organisation receives ‘voluntary’ data requests from public bodies i.e. requests that are not made under statutory powers that require you to disclose; your administrative and legal burden to assess them will be reduced.
    • You may now share this data under one of the ‘recognised legitimate interest’ conditions where they apply.
    • The responsibility for assessing if the requested information is appropriate rests with the receiving public body, not you.
    • Don’t forget: If you’re requested to share health data (Special Category Data), you’ll still need to identify an appropriate lawful basis for the share under Article 9.

Timescale: In force from December 2025 

Guidance: ICO Draft Recognised Legitimate Interest Guidance is currently up for consultation (closes 30 October 2025)

The 'We Don't Know Yet' Clause: Legal Clarity for Explorative Research

The DUAA provides clarity on processing personal data for ‘scientific research’, defining it to cover all reasonable scientific activity, whether publicly, privately, commercially, or non-commercially funded. This inclusion in the Act provides the statutory clarity that private companies engaged in MedTech and Digital Health research have been looking for.

The DUAA also confirms that research participants can give “broad consent” for their data to be used in scientific research. This is a useful amendment that reflects the realities of research—it’s inherently explorative, making it impractical to expect every possible future use of the data to be specified at the outset. Organisations conducting research will need to ensure the consent has been obtained in line with ethical standards, and where possible, give participants the ability to only consent to part of the research.

Timescale: In force from December 2025

Guidance: Draft ICO guidance for the research update is expected to launch for public consultation in November 2025

The DUAA Just Threw Another Log on the Data Transfer Fire

We know that organisations often find data transfers tricky. If you’re involved in transferring health data from the UK to a third country or international organisation—for example, when engaging third parties for data analytics or research collaboration—this change is important.

The Government now has more flexibility on adequacy decisions. Instead of a country’s data protection standard having to be “essentially equivalent” to the UK’s, they can now issue a decision if the standard is deemed “not materially lower”. This ‘materially lower’ test will also apply when organisations transfer data using the transfer mechanisms of standard contractual clauses or binding corporate rules.

Timescale: In force from December 2025

Guidance: Draft ICO Data Transfer guidance is currently being redrafted after public consultation. The expected publication date is Winter 2025/2026

Data Complaints: Now With Deadlines

Organisations must now implement a formal data protection complaints procedure. All complaints must be acknowledged within 30 days and responded to ‘without undue delay’. While many organisations were doing this already, this statutory update gives you stronger confidence when managing this often time-consuming activity.

We’d advise that your organisation makes sure you’ve covered the handling of such complaints in a relevant internal policy and supports this by embedding a complaints form into your privacy notice.

Timescale: In force from June 2026

Guidance: ICO Draft Complaints guidance is currently up for consultation, closing 19 October 2025

The 8fold Summary:
Good Governance is Great Business

By codifying common-sense practices (like the ‘stop the clock’ for DSARs) and pragmatically simplifying complex areas (like ‘recognised legitimate interests’), the Act aims to ease the compliance burden and support innovation. Organisations now have the necessary statutory clarity and firmer ground to manage individual rights, data disclosures, and promote critical research. This is how Good Governance is great business.

We’ll continue to monitor the ICO’s schedule for finalising its guidance on complaints, legitimate interests, and data transfers, ensuring you have the latest practical advice to properly embed these changes into your policies and procedures.

We’re the experts that have your back.

Struggling to handle complex Data Protection queries? Work with our team of Data Protection and Information Governance professionals to build a robust data governance framework and handle client queries.

Book a Call with our Expert Team

Other Articles​

Loading...
Title graphic reading 'Organisational Growth vs Governance Debt'

Organisational Growth vs Governance Debt:
A scale-up decision easily ignored

Read More →

February 11, 2026
HIPAA Compliance

Understanding HIPAA Compliance: Key Insights

Read More →

April 2, 2025
NHS virtual wards governance compliance What Are Virtual Wards?

Navigating the Regulatory Landscape: Governance in the World of Virtual Wards

Read More →

November 15, 2023
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept