The second wave of provisions under the Data (Use and Access) Act 2025 (‘DUA Act’) officially came into effect on the 19 & 20 August 2025. The first wave of provisions immediately came into force upon the DUA Act receiving Royal Assent on 19 June 2025.
This second wave of provisions has come into force both directly via the DUA Act and by secondary legislation and covers law enforcement data processing and the expanded regulatory powers of the Information Commissioner amongst other areas. This article provides an overview of key (i.e. non-exhaustive) provisions that have taken effect in this second wave.
Section 69 of the DUA will align the conditions for law enforcement to obtain consent for the processing of personal information with those contained in Part 3 of the Data Protection Act 2018 and set out under the UK General Data Protection Regulations (UK GDPR).
Section 82 of the DUA amends section 62 of the Data Protection Act 2018, removing the requirement for law enforcement agencies to record their justification for consulting or disclosing personal data when using automated processing systems, under Part 3 of the Data Protection Act 2018. However, the requirement to log the data and time of these matters remains.
Section 96 of the DUA introduces a new section 141A to the Data Protection Act 2018, which will replace section 141. The most significant change this section brings is that the Information Commissioner is now permitted to serve notices via email. This change modernises the law in this regard, meaning there is no longer a specific need for these notices to be served via post or directly to the individual.
Section 97 of the DUA amends section 142 of the Data Protection Act 2018 to grant the Information Commission further investigative powers with regards to requiring the provision of documents as opposed to merely information.
Part 1 of the DUA introduces provisions enabling the creation of smart data schemes to allow for the sharing of customer or business data in real time with authorised third parties.
Section 72 of the DUA clarifies the circumstances under which personal data may be processed in the public interest or in accordance with international law. This provision is particularly useful for public bodies, or those organisations involved in cross-border processing.
Section 74 of the DUA inserts a new article 11A into the UK GDPR granting the Secretary of State additional powers in relation to the processing of special categories of personal data.
Sections 91-93, 95, 102, 117 & Schedule 14 of the DUA introduces several reforms of the Information commissioner’s office (ICO), including a requirement for the ICO to annually report to parliament on its performance. They also grant the Secretary of State the power to make regulations requiring the ICO to produce codes of practice and updates the procedures for how these codes are to be developed and consulted on.
Section 110-113 of the DUA makes updates to the Privacy and Electronic Communications (EC Directive) Regulations 2003 to align these regulations with the UK GDPR. Most notably Section 111 extends the current time for a provider of electronic communication services to report a personal data breach to the ICO to “not later than 72 hours after having become aware of it
Section 135-137 of the DUA amongst other things, requires that by March 2026 the Secretary of State is to prepare an economic impact assessment on the governments consultation on copyright and AI policy.
Subsequent provisions are expected to take effect throughout the remainder of 2025 and into 2026. The first set of ICO guidance on DUA Act provisions is expected to be published in winter 2025/2026.
To find out more about the key changes we expect to see, their impact, and how organisations can prepare themselves, read our full article here.
For further information please contact Ashleigh Dibb.