05/09/2025
The Data (Use and Access) Act 2025 (the Act) passed into law on 19th June 2025. This long-awaited piece of legislation amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). Whilst very few changes have immediate effect, organisations will need to make some amendments to their procedures and documentation.
Laura Cook, a solicitor in our specialist information law team, outlines below some key changes that local authorities should be aware of, and how you can prepare.
Key changes and actions you should take now
Data Subject Access Requests (DSARs)
The Act introduces a number of changes which largely codify the Information Commissioner’s Office’s (ICO) existing guidance.
- Searches for a requester’s personal data only need to be reasonable and proportionate. This makes clear that an individual’s right of access is limited and organisations are not required to undertake exhaustive or disproportionate searches. What would be considered ‘reasonable and proportionate’ will depend on the context, the size of the organisation and the available resources.
- Where you need to confirm the requester’s identity, the deadline for response is calculated from the date you receive the appropriate confirmation.
- Where you need to seek clarity from the requester on the scope of a DSAR, the deadline for response is calculated from when satisfactory clarification is received.
- The statutory deadline for response (usually one month) may be extended by a further two months where a request is complex or where the number of requests received is large. Notification of the required extension must be sent to the requester before the end of the initial one month deadline.
The above changes are in force now and are deemed to have come into force on 1 January 2024. The following change is yet to come into force, but organisations may want to make the required changes so they are ready once it does become law.
- Where information is withheld from disclosure on the basis of legal privilege or confidentiality, you must explain that the exemption is being used and why. You must also inform the requester of their right to check the applicability of the exemption with the ICO, make a complaint to the ICO, or apply to a court for a compliance order.
Although many organisations will already be dealing with DSARs this way, you should review and update your internal protocols on DSAR to ensure they align with the above changes.
A new “right to complain”
Individuals will have the right to complain directly to an organisation about how it uses their personal data. This will become the first line of complaint resolution, with matters only being escalated to the ICO where a local resolution has not been found.
Complaints will need to be acknowledged within 30 calendar days and responded to ‘without undue delay’. Additionally, regulations may be introduced which require organisations to report the number of complaints they receive.
Organisations should amend their privacy policy and ensure they have an internal complaints procedure in place in readiness for this change, or ensure that any existing policies align with the new requirements.
‘Legitimate interests’ lawful basis
The Act will introduce certain ‘recognised legitimate interests’, where it will no longer be necessary to balance the rights and freedoms of individuals against the legitimate interests of the controller when relying on a recognised legitimate interest. The list currently includes ‘safeguarding of vulnerable individuals’, although local authorities will still need to be able to demonstrate that the processing is necessary to safeguard those individuals. This list may change over time; it can be amended by secondary legislation.
Once the change comes into force, where you are processing data within scope of a new recognised legitimate interest there will be no need to undertake a legitimate interest assessment (LIA).
Disclosures to other organisations
Where information is requested by an organisation performing a public task (for example, the police), the onus will no longer be on the disclosing organisation to decide whether the receiving organisation needs the information to perform its public tasks or functions. The organisation making the request will be responsible for this decision.
Special category data
The Act includes provisions allowing the Secretary of State to add new types of special category data to the list in the UK GDPR by secondary legislation. Whilst any new categories may be subsequently removed (again by secondary legislation) the core categories already listed in the UK GDPR will not be able to be changed.
The implications of this are currently unclear, but organisations should keep abreast of any updates as they are enacted.
Reusing personal information: assumption of compatibility
Where personal data collected by one controller for a particular purpose is passed to a second controller, that second controller may re-use the data in certain situations (including archiving in the public interest and safeguarding vulnerable individuals) without having to carry out a compatibility test. Controllers will be able to assume the new purpose is compatible with the purpose for which the data was originally collected.
Although this change is unlikely to have a massive impact day-to-day, it does provide some clarity where data is shared between organisations.
Regulator update: an Information Commission
The ICO will be replaced with a new Information Commission (IC). The IC will have a different structure and new investigatory powers (including powers to require documents and to require individuals to attend interviews). Although these changes are unlikely to impact organisations day-to-day, it is important that organisations familiarise themselves with them before they come into force, as the way the regulator conducts investigations will change.
When do the changes come into force?
A number of provisions of the Act came into force on 19th June (such as those relating to DSAR searches) and a handful more on 19th August (including those relating to the ICO’s powers). The majority of changes, however, will be brought into force by secondary legislation. It is unclear how long this will take, but this will most likely be within the next 12 months or so.
What next?
The ICO will update its guidance on these changes over the next few months.
Organisations should ensure they are aware of all the proposed changes and make a plan to ensure they are ready when they come into effect. This will include a review of protocols and procedures and making the required amendments to policies. Staff may also need to be trained to deal with the new right to complain.
Contact our Information Law team to find out more about how Bevan Brittan can help you prepare.