
The Data Use and Access Act 2025: Are you Prepared?

22 July 2025

The Data Use and Access Act 2025 (DUAA) marks a significant evolution in the UK’s data governance landscape. Designed to unlock the value of data while reinforcing public trust, the DUAA introduces a new legal framework for how organisations access, share, and manage data, particularly when it involves public sector information or linked datasets.

For organisations operating in highly regulated sectors such as finance, healthcare, insurance, and technology, the DUAA is not just a compliance obligation; it is a strategic shift. It offers new opportunities for innovation and collaboration, but also imposes stricter expectations around transparency, proportionality and ethical oversight.

Why was the DUAA introduced?

The DUAA was developed in response to a growing need: enabling responsible data sharing while maintaining public confidence. The UK government recognises that data, particularly from the public sector, holds immense potential to drive innovation, improve services and support research. But without clear rules, the risks to privacy and trust are significant. Rather than replacing existing laws like the UK GDPR or the Data Protection Act 2018, the DUAA builds on them. It focuses on how data is accessed and governed at a systemic level, especially when multiple datasets are linked or used for public good or commercial purposes.

When does the DUAA take effect?

The DUAA received Royal Assent on 19 June 2025. Its provisions will be introduced in phases over the following 12 months. Some of the more technical elements, such as the accreditation of Trusted Research Environments (TREs) and data intermediaries, are expected to come into force from early 2026. This phased implementation is designed to provide organisations time to assess their current practices, update internal policies, and prepare for compliance.

Key changes introduced by the DUAA

  1. Lawful and Proportionate Data Access
    Organisations must now demonstrate that any data access is lawful, proportionate to the intended purpose, and subject to appropriate oversight. This means:
    • Clearly defining the purpose of data use
    • Minimising the volume and sensitivity of data accessed
    • Implementing robust security and audit controls
  2. Accreditation for TREs and Data Intermediaries
    Entities that handle sensitive or linked datasets, particularly for research or innovation, may need to become accredited. Accreditation ensures that these organisations meet high standards for privacy, security, and transparency, including maintaining detailed audit logs and protecting individual identities.
  3. Public Transparency Through a Register
    A new public register will disclose who has requested access to data, for what purpose, and the outcome. This measure is designed to enhance accountability and build public trust in how data is used.
  4. Principles-Based Governance
    The DUAA is underpinned by a set of core principles:
    • Fairness
    • Transparency
    • Proportionality
    • Security
    • Public benefit

These principles should guide an organisation’s data governance strategy and operational decisions.

Preparing for Compliance

To prepare for the DUAA, organisations should:

  • Review current data access and sharing practices.
  • Identify whether accreditation as a TRE or data intermediary is required.
  • Update internal policies to reflect DUAA principles and documentation standards.
  • Prepare for public transparency, as data access requests will be visible.
  • Train staff involved in data handling and partnerships.
  • Coordinate with legal and risk teams to ensure alignment with UK GDPR and other applicable legislation.

Failure to comply with the DUAA may result in loss of access to critical datasets, civil penalties under existing data protection laws, and reputational damage due to public reporting of misuse.

Further guidance on the DUAA is available from the Information Commissioner’s Office.

Griffiths & Armour strongly recommends that organisations review their data protection and cyber security approach in light of this new legislation.

Further data protection and cyber risk guidance, supplemented by template policies and e-learning, can be accessed via RMworks, which is provided to all Griffiths & Armour clients. If you have any questions about the contents of this article, please get in touch.

Author

Greg Street

Risk Management Managing Director
