·
4 minute read
The Data (Use and Access) Act 2025 (DUAA) is one of the most significant updates to the UK’s data protection framework since UK GDPR. With phased implementation already underway and continuing through 2026, it is reshaping how public sector organisations access, share and govern data.
This blog explains what the DUAA is, why it matters to the public sector and what public bodies need to know about workforce readiness and training to stay compliant and make the most of their data.
Contents:
- What Is the Data (Use and Access) Act 2025?
- Why the DUAA Matters for Public Sector Organisations
- Key Changes Introduced by the DUAA
- When Will the Data (Use and Access) Act 2025 Be Implemented?
- Training Implications for the Public Sector
- Preparing for DUAA: What Public Sector Leaders Should Do Now
- Conclusion
- Enquire About Team Training
What Is the Data (Use and Access) Act 2025?
The UK Data (Use and Access) Act 2025 updates and amends existing data legislation, including:
-
UK GDPR
-
The Data Protection Act 2018
-
Privacy and Electronic Communications Regulations (PECR)
The purpose of the DUAA is to make data use more practical, proportionate and innovation-friendly, while maintaining strong safeguards for individuals’ rights. It also supports the government’s wider digital and data strategy, particularly in areas such as public service reform, data sharing and responsible use of emerging technologies.
Why the DUAA Matters for Public Sector Organisations
Public bodies process large volumes of personal and sensitive data every day. The DUAA has implications across policy, service design, operational delivery and workforce capability.
Key reasons the Act matters include:
-
Greater use of data sharing to improve public services
-
Increased reliance on automated and data-driven decision-making
-
Higher expectations around governance, accountability and transparency
-
Stronger and more aligned regulatory enforcement powers
For public sector leaders, this makes data training a strategic requirement rather than a compliance exercise.
Key Changes Introduced by the DUAA
1. Changes to UK GDPR Rules
The DUAA keeps UK GDPR in place but modifies how some provisions work in practice, including:
-
Automated decision-making: Broader circumstances where automation can be used, with mandatory safeguards such as transparency and the ability to request human review
-
Subject Access Requests (SARs): Clearer rules on response times and the ability to pause the clock when clarification is required
-
Scientific and public interest research: Expanded definitions that affect how public bodies use data for analysis, evaluation and policy development
-
Children’s data: Stronger expectations for services likely to be accessed by children
2. Data Sharing and Access
The Act supports improved data access and reuse across sectors, including public bodies, to enable:
-
Better service design
-
Reduced duplication
-
Improved outcomes for citizens
This reinforces the need for clear data governance frameworks and confident, well-trained staff who understand lawful data sharing.
3. Regulatory and Enforcement Changes
The DUAA reforms the UK data regulator and strengthens enforcement powers, including:
-
Greater alignment of PECR penalties with UK GDPR fines
-
Enhanced oversight and accountability expectations
For public sector organisations, this raises the stakes on consistent compliance, documentation, and staff awareness.
When Is the Data (Use and Access) Act 2025 Being Implemented?
The UK Data (Use and Access) Act 2025 (DUAA) is not coming into force on a single date. Instead, it is being implemented in phases, with some provisions already live and others continuing to commence throughout 2026.
1️⃣ Royal Assent — 19 June 2025
The DUAA became law across the UK on this date. That means it exists as legislation, but many of its provisions don’t automatically take effect until they are “commenced” (activated) by secondary regulations.
2️⃣ Stage 1 — 20 August 2025
This is the first major group of provisions that were officially commenced:
✔ Technical provisions of the Act
✔ Amendments to parts of UK GDPR, the Data Protection Act 2018 and PECR
✔ Parts relating to the establishment of the new Information Commission (the successor governance body to the Information Commissioner’s Office)
✔ Some amendments to the Online Safety Act and digital verification credentials framework
3️⃣ Stage 2 — September 2025
A second set of commencement regulations brought certain law enforcement data processing amendments into force:
✔ Section 124 (amendments relating to retention of information in the context of Online Safety Act investigations) was commenced by 30 September 2025.
Additional related provisions (e.g., law enforcement exemptions) came into force between late August and September 2025.
4️⃣ Other Provisions — November 2025
Some provisions relating to intelligence services and joint processing were brought into force on 17 November 2025 under the Commencement No. 3 Regulations.
5️⃣ Ongoing — Rolled Out Through 2026
As of January 2026, the DUAA is actively being implemented. While some elements are already in force, other provisions, particularly those with broader operational or workforce impact, are expected to commence throughout 2026.
These include:
-
Changes affecting automated decision-making safeguards
-
Updates to subject access request handling
-
Wider application of revised data protection and governance rules
-
Provisions requiring new systems, registers, or operational readiness
Government guidance indicates that most remaining provisions are expected to be commenced within 12 months of Royal Assent, meaning full implementation is anticipated by mid-2026.
Training Implications for the Public Sector
The DUAA reinforces the need for role-appropriate, practical data training, not just generic awareness sessions.
Key training priorities include:
Data Protection Refresher Training
-
UK GDPR fundamentals plus DUAA changes
-
Real-world scenarios relevant to public services
Automated Decision-Making and AI Awareness
-
Understanding safeguards and transparency requirements
-
Managing risk in automated processes
Governance and Accountability
-
Lawful basis for processing
-
Documentation and audit readiness
Leadership and Senior Officer Briefings
-
Strategic risks and responsibilities under the DUAA
-
Oversight of data use and culture
Frontline and Operational Staff Training
-
Handling data confidently and lawfully
-
Managing SARs and data sharing in practice
What This Means for Public Sector Organisations Now
Because the DUAA is already partially in force:
-
Public sector organisations should treat the Act as live, not future legislation
-
Policies, procedures and training should already be under review
-
Workforce awareness and role-specific training should continue throughout 2026
The phased approach is intended to give organisations time to adapt, but regulators expect active preparation and compliance, not delay.
In Conclusion
The UK Data (Use and Access) Act 2025 represents a major shift in how data is accessed, shared, and used across the public sector. With implementation already underway since late 2025 and further provisions continuing to come into force throughout 2026, public bodies are now operating in a new and evolving data landscape.
The expectations on public sector organisations are clear: responsible and transparent data use, strong governance arrangements, and a capable, well-trained workforce that understands both current obligations and forthcoming changes.
Organisations that continue to invest early in training and preparation during 2026 will be best placed to remain compliant, reduce regulatory and operational risk, and unlock the full value of data to deliver more effective, trusted public services.
If you support public sector organisations with data protection, governance, or digital skills training, the DUAA presents a timely opportunity to help teams prepare with confidence.
