The Data Use and Access Act
The Data Use and Access Act (DUAA) became law on 19 June 2025. It implements a number of changes to data protection; the most significant ones relevant to General Practice are listed here:
New Information Commission
The establishment of the Information Commission represents a fundamental shift in UK data regulation. This new body replaces the Information Commissioner’s Office (ICO) with expanded powers and a more robust governance structure.
Complaint Handling
The act introduces specific requirements for complaint handling processes. Organisations must implement explicit procedures to manage and resolve data protection complaints effectively, with clear timelines and escalation procedures.
Revised Subject Access Request (“SAR”) framework
The act has made reforms to SARs, which aim to balance practical efficiency with transparency. Searches now need to be “reasonable and proportionate”.
Using AI to make decisions
The act effectively permits automated decision-making (ADM) in many circumstances, as long as the organisation using the relevant AI or other technology implements a range of safeguards.
Disclosures that help other organisations perform their public tasks
The act allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision.
Assumption of compatibility
The act allows you to assume that some re-uses of personal information are compatible with the original purpose you collected it for, without having to do a compatibility test. This includes disclosing personal information for the purposes of archiving in the public interest, even if you originally only got consent for a different purpose.