Introduction to UK Data (Use and Access) Act 2025 (DUAA)
- Ira Goel

- Jul 2
The "Data (Use and Access) Act 2025" is a comprehensive legislative effort to establish regulations for data access, use, and related services within the United Kingdom. It covers a broad spectrum, including the sharing and retention of customer and business data, the creation of an Information Commission, and amendments to existing data protection legislation like the Data Protection Act 2018. This Act also addresses digital verification services, the National Underground Asset Register (NUAR), birth and death registry reforms, and the regulation of electronic communications and online safety. It also introduces measures concerning AI systems and copyrighted works, and provisions against purported intimate images, reflecting a wide-ranging approach to governing data in modern society.
The new Data (Use and Access) Act 2025 (DUAA 2025) introduces significant changes to data access and use, and also amends existing legislation, including the Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulation (EU GDPR).
This article summarizes the main themes and most important ideas or facts presented in the provided excerpts from the "Data (Use and Access) Act 2025" and the "Data Protection Act 2018," highlighting key changes and new provisions.
Overarching Themes
The "Data (Use and Access) Act 2025" (DUAA 2025) appears to be a significant piece of legislation aimed at modernizing data access and use, fostering innovation, enhancing competition, and streamlining digital services within the UK. A central theme is the empowerment of individuals and businesses to access and utilize their own data, while also introducing mechanisms for regulated data sharing and digital identity verification. The Act also demonstrates a clear intent to update and amend the existing "Data Protection Act 2018" (DPA 2018) to align with these new objectives and streamline data protection provisions.

Key Provisions and Ideas
The DUAA 2025 introduces several critical components:
A. Access to Customer and Business Data (Part 1)
This part focuses on regulating access to various forms of data:
Definitions: The Act defines "customer data" broadly to include "information relating to a customer of a trader," such as "prices or other terms," "how they are used," or "their performance or quality." "Business data" is also covered. A "data holder" can be the trader themselves or a person who processes the data in the course of business. A "trader" is defined as someone who "supplies or provides goods, services or digital content in the course of a business."
Customer Empowerment: A core principle is the ability for customers to request their own data from a data holder, or to authorize a "third party recipient" to receive it on their behalf. Section 2(1) states: "The Secretary of State or the Treasury may by regulations make provision requiring a data holder to provide customer data— (a) to the customer, at the customer’s request, or (b) to a person of a specified description who is authorized by the customer to receive the data (an “authorized person”), at the customer’s request or at the authorized person’s request."
Data Management Capabilities: The Secretary of State or Treasury can make regulations enabling or requiring data holders to "produce, collect or retain" customer data, and even "make changes to customer data, including to require rectification of inaccurate customer data, at the request of a customer or authorized person" (Section 2(3)).
Authorized Person Actions: Regulations can empower authorized persons to "take, on the customer’s behalf, action that the customer could take in relation to goods, services or digital content supplied or provided by a person who is, or has been, a data holder" (Section 2(4)). This suggests a move towards delegated data management and service interaction.
Economic Impact Considerations: Before making regulations, the Secretary of State or Treasury must consider "the likely effects for existing and future customers," "data holders," "small businesses and micro businesses," "innovation," and "competition in markets" (Section 2(5) and Section 4(5)). This indicates a focus on balancing data access with broader economic interests.
Business Data Access: Similar provisions exist for "business data," allowing regulations to require data holders to provide this data to a customer of the trader or "to another person of a specified description" (Section 4(1)).

B. Digital Verification Services (DVS) and Trust Marks (Part 2)
This section introduces a new regulatory framework for digital identity:
DVS Register: The Secretary of State is mandated to "establish and maintain a register of persons providing digital verification services," known as the "DVS register" (Section 32). This aims to create a centralized list of trusted providers.
Trust Mark: The Secretary of State "may designate a mark for use in the course of providing, or offering to provide, digital verification services" (Section 50). This "Trust Mark" will likely signify that a service provider is registered and compliant, building public trust.
Integration with Other Legislation: The excerpts show the "DVS-registered person" designation being integrated into other acts, such as for prescribing documents or checks for official purposes (e.g., amendments to other unspecified acts under Section 50(9), (1A), and (2)). This suggests that DVS-registered persons will play a crucial role in future digital identification processes.
National Security Exemption: Notably, the Secretary of State can refuse to register a person in the DVS register if "stating the reason described in subsection (3)(b)(i) would be contrary to the interests of national security" (Section 32(4)).
C. National Underground Asset Register (NUAR) (Part 3)
This part establishes a significant infrastructure project for data on underground assets:
Mandate: The Secretary of State "must keep a register of information relating to apparatus in streets in England and Wales" (Section 56(1)), to be known as the "National Underground Asset Register (NUAR)."
Scope: NUAR covers "apparatus in streets" across England and Wales (Section 56) and Northern Ireland (Section 58). The Act also explicitly allows for a single register for England, Wales, and Northern Ireland (Section 58(5)).
Purpose: While not explicitly detailed, the implications of NUAR are to improve safety, efficiency, and planning for works involving underground infrastructure by providing a comprehensive, centralized source of information. The mention of "monetary penalties" (Section 56, Schedule 1) indicates enforcement for compliance with data provision requirements.
Data Access for Works: Regulations can mandate that "a person executing works in a street" has "access to NUAR in relation to the street in question" (Section 57(7)), highlighting the practical application of this data.
Crown Application: The provisions of NUAR "bind the Crown" (Section 56(5A)), ensuring comprehensive coverage.
D. Amendments to the Data Protection Act 2018 and UK GDPR
The DUAA 2025 introduces extensive amendments to the DPA 2018 and the UK GDPR, indicating a significant overhaul of the UK's data protection landscape. The provided list of changes in the DPA 2018 excerpts is extensive and includes:
Omissions and Substitutions: Numerous sections, headings, and words are being omitted or substituted. This suggests a re-framing of existing data protection provisions. For example, "s. 19 and cross-heading omitted by 2025 c. 18 s. 86(6)" and "s. 77 cross-heading substituted by 2025 c. 18 Sch. 8 para. 8."
New Insertions: Many new sections and subsections are inserted, such as "s. 3(8A) inserted by 2025 c. 18 s. 117(3)" and "s. 45A inserted by 2025 c. 18 s. 79(6)." These new provisions will dictate future data processing and protection practices.
Modification of Enforcement Powers: Changes to sections relating to "assessment notices" and "penalty notices" (e.g., Schedule 11, paragraphs 5, 6, 17) suggest adjustments to the Information Commissioner's enforcement powers.
UK GDPR Amendments: The UK GDPR is explicitly amended, including the omission of Article 57(1)(f) and paragraph 2, and Article 77 (right to lodge a complaint with the Commissioner) is also omitted (Section 103(5)-(6)). This suggests a potential streamlining or re-allocation of data subject rights and the Commissioner's tasks.
New Regulation Powers: After Chapter 9, a new "CHAPTER 9A Regulations" is inserted into the UK GDPR, granting the Secretary of State powers to make "UK GDPR regulations" with consultation requirements (Section 107, Article 91A).
National Security Exception Revisions: The DPA 2018's provisions related to national security certificates are significantly altered, including the omission of subsections and the insertion of new conclusive evidence provisions (Section 88, amending Section 79 of DPA 2018).
Direct Marketing Definition: A new definition for "direct marketing" is inserted into Article 4(1) of the UK GDPR (Schedule 11, para 2).
E. Trust Services (eIDAS Regulation)
The DUAA 2025 also impacts the eIDAS Regulation (Regulation (EU) No. 910/2014 on electronic identification and trust services):
Amendments to eIDAS: The eIDAS Regulation itself is amended, with new articles inserted to address "Recognition of overseas trust products" (Section 132). This suggests the UK is establishing its framework for recognizing digital trust services from outside the EU.
Regulation-making Power: The Secretary of State is granted powers to make regulations in connection with the eIDAS Regulation, including "transitional provision or savings" and "different provision for different purposes" (Section 131(5)).
Implications and Next Steps
The DUAA 2025 signifies a fundamental shift in the UK's approach to data. Key implications include:
Increased Data Portability and Control: The emphasis on customer and business data access will empower individuals and entities to control and utilize their own information, potentially fostering new services and competition.
Standardization and Trust in Digital Identity: The DVS register and Trust Mark aim to create a more reliable and interoperable ecosystem for digital identity verification, which could facilitate online transactions and public service access.
Enhanced Infrastructure Data Management: NUAR will provide a critical single source of truth for underground assets, improving safety, efficiency, and planning in construction and utility sectors.
Reformed Data Protection Landscape: The extensive amendments to the DPA 2018 and UK GDPR signal a move towards a more tailored UK data protection regime, potentially diverging further from the EU's GDPR in some aspects while maintaining core principles. Businesses will need to carefully review these changes to ensure compliance.
Government Oversight and Regulation: The Act grants significant regulation-making powers to the Secretary of State and the Treasury, indicating an active role for the government in shaping data access and use.
Terminology
2018 Act: Refers to the Data Protection Act 2018.
Affirmative Procedure: A parliamentary procedure where regulations cannot be made unless a draft has been laid before and approved by a resolution of each House of Parliament.
Apparatus: In the context of the National Underground Asset Register, this refers to infrastructure such as pipes, cables, or other equipment located within streets.
Authorised Person: A person of a specified description who is authorized by a customer to receive customer data or to take action on their behalf.
Business Data: Information relating to a trader's business, which may be subject to regulations for provision to customers or other specified persons.
Customer Data: Information relating to a customer of a trader, including details about goods, services, and digital content supplied, as well as information about the provision of such data.
Data Holder: In relation to customer or business data, this means the trader or a person who processes that data in the course of a business.
Data Regulations: Regulations made by the Secretary of State or the Treasury under sections 2 or 4 of the Data (Use and Access) Act 2025, governing access to customer and business data.
Digital Content: Non-physical goods or services supplied electronically.
Digital Verification Services (DVS): Services that facilitate the verification of identity or other attributes in a digital context.
DVS Register: A register of persons providing digital verification services, maintained by the Secretary of State.
eIDAS Regulation: Regulation (EU) No. 910/2014 of the European Parliament and the Council on electronic identification and trust services for electronic transactions in the internal market.
Information Commissioner: The independent authority established to uphold information rights in the public interest.
Monetary Penalties: Financial penalties that can be imposed for non-compliance with requirements under various parts of the Act, such as those related to NUAR.
National Underground Asset Register (NUAR): A register of information relating to apparatus in streets in England, Wales, and Northern Ireland, to be kept by the Secretary of State.
Negative Procedure: A parliamentary procedure where regulations become law unless either House of Parliament passes a resolution to annul them within a specified period.
Personal Data: Defined with the same meaning as in the Data Protection Act 2018 (Section 3(2) of that Act).
Processing (of data): Defined with the same meaning as in the Data Protection Act 2018 (Section 3(4) of that Act).
Public Authority: A person whose functions are of a public nature or include functions of that nature.
Secretary of State: A minister of the Crown in the UK government, often responsible for various policy areas including digital and data.
Smart Meter Communication Licence: A licence related to the communication services for smart meters, as outlined in the Energy Act 2008 amendments.
Subordinate Legislation: Legislation made under powers granted by an Act of Parliament (also known as secondary legislation).
Supplementary Code: Codes of practice related to digital verification services, which the Secretary of State must review.
Third Party Recipient: A person of a description specified in data regulations who is authorized to receive customer data or business data.
Trader: A person who supplies or provides goods, services, or digital content in the course of a business.
Trust Mark: A designated mark for use by persons registered in the DVS register, indicating compliance with standards for digital verification services.
UK GDPR: The retained EU law version of the General Data Protection Regulation (Regulation (EU) 2016/679).
Welsh Ministers: Ministers of the Welsh Government, whose consent may be required for regulations relating to Wales.
This article provides a high-level analysis of the key data protection-related changes in the Data (Use and Access) Act 2025. It is not exhaustive and should not be considered legal advice. Organizations should consult the full text of the legislation and seek professional legal counsel to ensure compliance with their specific obligations. To book a consultation, contact us for support with compliance and implementation.



