Data (Use and Access) Act 2025

United Kingdom

v1.0

7 domains

18 controls

The Data (Use and Access) Act 2025 amends and supplements the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It introduces new rules on data sharing, access, and use, aiming to facilitate responsible data use while maintaining strong privacy protections.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

DUAA 2025: Part 1 - Access to Customer and Business Data (Smart Data)

3 controls

Controls in the DUAA 2025: Part 1 - Access to Customer and Business Data (Smart Data) domain of Data (Use and Access) Act 2025 — 3 controls
Code	Title	Description
DUAA-P1-AUTH	Authorised persons and accreditation under smart data schemes	Provides for the accreditation and oversight of authorised persons (third parties) who may receive customer or business...
DUAA-P1-FEESENF	Fees, levies and enforcement of smart data schemes	Allows fees and levies to fund scheme operation and provides enforcement mechanisms (including for interface standards a...
DUAA-P1-SMARTDATA	Smart data schemes for customer and business data	Empowers the Secretary of State / Treasury to make smart data scheme regulations requiring data holders to provide custo...

DUAA 2025: Part 2 - Digital Verification Services

3 controls

Controls in the DUAA 2025: Part 2 - Digital Verification Services domain of Data (Use and Access) Act 2025 — 3 controls
Code	Title	Description
DUAA-P2-DVS	Digital verification services and the DVS trust framework	Establishes a regime for digital verification services (DVS), including the DVS trust framework, a register of accredite...
DUAA-P2-GATEWAY	Information gateway for identity verification	Provides an information gateway enabling public authorities to share information with registered DVS providers to suppor...
DUAA-P2-TRUSTMARK	DVS trust mark usage	Controls the use of the digital verification services trust mark, which only registered providers conforming to the trus...

DUAA 2025: Part 3 - National Underground Asset Register

1 controls

Controls in the DUAA 2025: Part 3 - National Underground Asset Register domain of Data (Use and Access) Act 2025 — 1 controls
Code	Title	Description
DUAA-P3-NUAR	National Underground Asset Register	Establishes the National Underground Asset Register (NUAR) and obligations on undertakers to provide and keep up to date...

DUAA 2025: Part 4 - Registers of Births and Deaths

1 controls

Controls in the DUAA 2025: Part 4 - Registers of Births and Deaths domain of Data (Use and Access) Act 2025 — 1 controls
Code	Title	Description
DUAA-P4-REGISTERS	Digitisation of registers of births and deaths	Provides for the form in which registers of births and deaths are kept, enabling electronic registration and amending th...

DUAA 2025: Part 5 - Data Protection and Privacy Reforms

8 controls

Controls in the DUAA 2025: Part 5 - Data Protection and Privacy Reforms domain of Data (Use and Access) Act 2025 — 8 controls
Code	Title	Description
DUAA-P5-ADM	Automated decision-making reforms	Reforms the rules on automated decision-making, permitting a wider range of solely automated decisions subject to safegu...
DUAA-P5-CHILDREN	Children's data protection by design (ISS)	Requires providers of information society services likely to be accessed by children to consider how to protect children...
DUAA-P5-COMPLAINTS	Complaints to data controllers	Introduces a duty for controllers to facilitate and handle data protection complaints from data subjects, including ackn...
DUAA-P5-DSR	Data subject access requests (reasonable and proportionate searches)	Clarifies the handling of data subject access requests, including that controllers need only carry out reasonable and pr...
DUAA-P5-LAWFUL	Lawful processing and recognised legitimate interests	Reforms the lawful bases under the UK GDPR, including a new list of recognised legitimate interests for which a balancin...
DUAA-P5-PECR	PECR reforms (cookies, direct marketing, penalties)	Amends the Privacy and Electronic Communications Regulations: relaxes consent for certain low-risk cookies, adjusts dire...
DUAA-P5-RESEARCH	Research, statistics and archiving processing	Clarifies and consolidates the rules for processing for scientific or historical research, statistical and archiving pur...
DUAA-P5-TRANSFERS	International transfers data protection test	Reforms the international transfer regime, introducing a data protection test for adequacy regulations and transfer mech...

DUAA 2025: Part 6 - The Information Commission

1 controls

Controls in the DUAA 2025: Part 6 - The Information Commission domain of Data (Use and Access) Act 2025 — 1 controls
Code	Title	Description
DUAA-P6-INFOCOMM	The Information Commission	Abolishes the office of the Information Commissioner and establishes the Information Commission as a body corporate, tra...

DUAA 2025: Part 7 - Other Provision (Health Information Standards)

1 controls

Controls in the DUAA 2025: Part 7 - Other Provision (Health Information Standards) domain of Data (Use and Access) Act 2025 — 1 controls
Code	Title	Description
DUAA-P7-HEALTH	Information standards for health and adult social care	Provides for mandatory information standards for IT used in health and adult social care in England, requiring conforman...

Maps to 2 other frameworks

18 total controls

GDPR

3 source controls mapped|3 target controls covered

17%

ISO 27701:2019

1 source controls mapped|1 target controls covered

Compare Data (Use and Access) Act 2025 with GDPR

Frequently Asked Questions

What is Data (Use and Access) Act 2025?

Data (Use and Access) Act 2025 is a compliance framework from United Kingdom with 7 domains and 18 controls. The Data (Use and Access) Act 2025 amends and supplements the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It introduces new rules on data sharing, access, and use, aiming to facilitate responsible data use while maintaining strong privacy protections. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Data (Use and Access) Act 2025 have?

Data (Use and Access) Act 2025 has 18 controls organised across 7 domains. The largest domains are DUAA 2025: Part 5 - Data Protection and Privacy Reforms (8 controls), DUAA 2025: Part 1 - Access to Customer and Business Data (Smart Data) (3 controls), DUAA 2025: Part 2 - Digital Verification Services (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Data (Use and Access) Act 2025 map to?

Data (Use and Access) Act 2025 maps to 2 other compliance frameworks. The top mapping partners are GDPR (17% coverage), ISO 27701:2019 (6% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Data (Use and Access) Act 2025 compliance?

Start your Data (Use and Access) Act 2025 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Data (Use and Access) Act 2025 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 18 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required