What is the Data Use and Access Act, or DUAA?
The Data Use and Access Act, or DUAA, is a new act of parliament which aims to drive innovation and economic growth across the UK through better data usage. To achieve this, it introduces targeted, pragmatic tweaks to UK data protection law. Our focus for this blog will be on the essential amendments that organisations need to note, detailing their commencement dates and the expected release timeline for updated ICO guidance.
The Information Commissioner’s Office (ICO) cheerfully states that these changes offer an opportunity to do things differently, rather than requiring you to overhaul your existing processes. We broadly agree. Many amendments are simply codifying pre-existing ICO guidance into law. It’s also important to note that the amendments come in stages, which gives your organisation time to properly embed any necessary changes. Now let’s take a look at the what and the when.
Your New Statutory Right to Breathe (And Ask for DSAR Clarity).
The DUAA brings in a ‘stop the clock’ rule. The usual one-month deadline to respond to a Data Subject Access Request (DSAR) will pause while you wait for the individual to give clarifications regarding what they are requesting. Furthermore, the Act clarifies that when dealing with a DSAR, you’re only required to perform a “reasonable and proportionate” search of the information you hold.
While this largely codifies existing case law and guidance, for organisations that receive a significant number of complex requests, this amendment provides a firmer legal basis to push back against excessive or unreasonable requests and manage response timelines more effectively. We suggest reviewing your current DSAR procedures to check they align with the changes.
Timescale: Has been in force since June 2025
Guidance: ICO Subject access request guidance to be finalised by Autumn 2025
A New Lawful Basis Just Dropped
The existing ‘legitimate interest’ basis is flexible, but it requires you to conduct a Legitimate Interest Assessment (LIA) to evidence that you’ve balanced your interests against the interests of the third-party data you’re using- this could be commercial, societal or even individual. The DUAA removes the requirement to conduct an LIA if the use of personal data falls under one of the new ‘recognised legitimate interest’ conditions.
How does this impact your organisation in the healthcare space?
- If your organisation receives ‘voluntary’ data requests from public bodies i.e. requests that are not made under statutory powers that require you to disclose; your administrative and legal burden to assess them will be reduced.
- You may now share this data under one of the ‘recognised legitimate interest’ conditions where they apply.
- The responsibility for assessing if the requested information is appropriate rests with the receiving public body, not you.
- Don’t forget: If you’re requested to share health data (Special Category Data), you’ll still need to identify an appropriate lawful basis for the share under Article 9.
Timescale: In force from December 2025
The 'We Don't Know Yet' Clause: Legal Clarity for Explorative Research
The DUAA provides clarity on processing personal data for ‘scientific research’, defining it to cover all reasonable scientific activity, whether publicly, privately, commercially, or non-commercially funded. This inclusion in the Act provides the statutory clarity that private companies engaged in MedTech and Digital Health research have been looking for.
The DUAA also confirms that research participants can give “broad consent” for their data to be used in scientific research. This is a useful amendment that reflects the realities of research—it’s inherently explorative, making it impractical to expect every possible future use of the data to be specified at the outset. Organisations conducting research will need to ensure the consent has been obtained in line with ethical standards, and where possible, give participants the ability to only consent to part of the research.
Timescale: In force from December 2025
Guidance: Draft ICO guidance for the research update is expected to launch for public consultation in November 2025
The DUAA Just Threw Another Log on the Data Transfer Fire
We know that organisations often find data transfers tricky. If you’re involved in transferring health data from the UK to a third country or international organisation—for example, when engaging third parties for data analytics or research collaboration—this change is important.
The Government now has more flexibility on adequacy decisions. Instead of a country’s data protection standard having to be “essentially equivalent” to the UK’s, they can now issue a decision if the standard is deemed “not materially lower”. This ‘materially lower’ test will also apply when organisations transfer data using the transfer mechanisms of standard contractual clauses or binding corporate rules.
Timescale: In force from December 2025
Guidance: Draft ICO Data Transfer guidance is currently being redrafted after public consultation. The expected publication date is Winter 2025/2026
Data Complaints: Now With Deadlines
Organisations must now implement a formal data protection complaints procedure. All complaints must be acknowledged within 30 days and responded to ‘without undue delay’. While many organisations were doing this already, this statutory update gives you stronger confidence when managing this often time-consuming activity.
We’d advise that your organisation makes sure you’ve covered the handling of such complaints in a relevant internal policy and supports this by embedding a complaints form into your privacy notice.
Timescale: In force from June 2026
Guidance: ICO Draft Complaints guidance is currently up for consultation, closing 19 October 2025
The 8fold Summary:
Good Governance is Great Business
By codifying common-sense practices (like the ‘stop the clock’ for DSARs) and pragmatically simplifying complex areas (like ‘recognised legitimate interests’), the Act aims to ease the compliance burden and support innovation. Organisations now have the necessary statutory clarity and firmer ground to manage individual rights, data disclosures, and promote critical research. This is how Good Governance is great business.
We’ll continue to monitor the ICO’s schedule for finalising its guidance on complaints, legitimate interests, and data transfers, ensuring you have the latest practical advice to properly embed these changes into your policies and procedures.
We’re the experts that have your back.
Struggling to handle complex Data Protection queries? Work with our team of Data Protection and Information Governance professionals to build a robust data governance framework and handle client queries.