What is it?
The Data (Use and Access) Act 2025 (DUAA) is a piece of legislation passed by Parliament in June 2025. It makes changes to (but does not replace) the:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
What does it change?
The main aim of the DUAA is to promote innovation and economic growth by streamlining data protection processes.
The act doesn't introduce many new requirements, as it's focused on clarifying existing laws and making it easier to process data for specific reasons (while still keeping it safe).
Changes include:
- Making it easier for organisations to use (or reuse) personal data for legitimate purposes, such as scientific research, healthcare and law enforcement
- Allowing the wider use of AI for automated decision making
- Greater protection for children's data used by online services such as websites and software