The Data (Use and Access) Bill (DUA Bill) is one of the most significant pieces of data legislation in the UK since the Data Protection Act (DPA 2018) and UK GDPR.
As of May 2025, the Bill is nearing the end of its legislative journey, with important implications for businesses, public sector bodies, and individuals.
Where is the bill now?
As of mid-May 2025, the DUA Bill is in the final stages of parliamentary scrutiny. On 12 May 2025, the Bill returned to the House of Lords for consideration of amendments made by the House of Commons, a process known as “parliamentary ping pong.” This stage involves both Houses agreeing on the final text, with the Lords reviewing changes made by MPs, including those relating to the protection of information in the National Underground Asset Register, powers of the Financial Conduct Authority, and the use of funds from financial penalties.
Assuming no further delays, the Bill is expected to receive Royal Assent by mid-2025, with main provisions likely coming into force in early 2026.
Key features and reforms
1. Streamlined data access for innovation
The Bill’s primary aim is to modernise data use and encourage responsible sharing between organisations, especially in sectors like healthcare, technology, and scientific research. The goal is to drive innovation while maintaining robust privacy safeguards.
2. Data intermediaries and smart data schemes
A notable innovation is the introduction of “data intermediaries”- trusted third parties that facilitate secure data sharing under “smart data” schemes. These intermediaries will ensure that customer data is shared ethically and in compliance with regulatory requirements.
3. Trust framework for digital identity
The Bill mandates the creation of a trust framework to set baseline standards for digital verification services. This is designed to ensure digital identity products and services are reliable and secure.
4. Enhanced data sharing for public interest
Provisions are included to facilitate data sharing in the NHS and for projects deemed in the public interest, such as health research or environmental initiatives. However, organisations must still demonstrate that data use is proportionate and necessary.
5. Changes to data protection and privacy
- Legitimate interest: The Bill provides a list of “recognised legitimate interests,” allowing personal data use in certain circumstances without a full legitimate interest assessment. Direct marketing, intra-group data sharing, and network security may qualify.
- Special categories of data: New powers allow the Secretary of State to add special categories of personal data, enabling rapid response to technological and societal developments.
- Data subject access requests (DSARs): The Bill clarifies that only reasonable and proportionate searches are required for DSARs and allows more time to clarify the scope before responding.
- Automated decision-making (ADM): The Bill relaxes some restrictions, potentially allowing more flexibility for AI and automated systems to process personal data.
- International data transfers: Amendments streamline the UK’s ability to grant adequacy decisions for data transfers to other countries.
- Cookies and tracking: The Bill expands circumstances where cookies and tracking technologies can be used without user consent.
- Fines and penalties: The cap on fines under the Privacy and Electronic Communications Regulations (PECR) is increased to align with the UK GDPR, raising the stakes for non-compliance.
6. ICO powers and data ethics
The Information Commissioner’s Office (ICO) is set to receive expanded enforcement powers and will be tasked with developing new codes of practice, particularly for AI and automated decision-making. A new data ethics framework will also provide guidance for fair and transparent data practices. We will be looking at how the ICO will be changing its remit in a separate blog.
Pending amendments
Several possibly contentious amendments have been debated:
- AI and copyright: Attempts to include AI and intellectual property protections in the Bill were defeated, as the government is conducting a separate consultation on AI’s impact on copyright law.
- Children’s Data: The ICO has called for clearer protections for children’s data, an area still under discussion.
- The Data (Use and Access) Bill is a major reform in the UK’s data governance, aiming to balance innovation with privacy and public trust. With Royal Assent expected soon and enforcement likely from 2026, organisations should consider what action they should take now to ensure compliance. This could include
- Review and update policies: Ensure internal practices, especially around automated decision-making and DSARs, are ready for the new rules.
- Engage stakeholders: Communicate with partners about changes to data-sharing agreements.
- Scientific research and web crawlers: Proposed changes to definitions and the regulation of web crawlers were dropped after controversy.
- Investing in training: Educating staff on data ethics and compliance.
Whether you are a multinational corporation or a new entrepreneur, CSRB is here to support your understanding and implementation of existing and proposed data privacy legislation.
We provide support services tailored to your unique needs and industry. Please get in touch to discuss how CSRB can help you use improved privacy and data protection processes for business improvement as well as compliance.
