
ICO issues guidance on the Data (Use and Access) Act

Published Date: Jul 4 2025
On June 19 2025, the Information Commissioner’s Office (ICO) published guidance on the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on the same day. The DUAA introduces significant changes to the UK data protection and data sharing regimes, including to the UK GDPR, the DPA 2018, and PECR. 

Guidance

To support the transition, the ICO has published a range of guidance and resources for organisations, law enforcement agencies, data protection experts, and the public. These include:

  • An overview of the DUAA for organisations, which summarises the changes relevant to organisations, and outlines (in the ICO’s view) how the DUAA could help such organisations to innovate – in particular, calling out the changes to research provisions, automated decision-making, and cookie rules.
  • An overview of the DUAA for law enforcement agencies – in particular, highlighting a new national security exemption and new provisions applicable to joint processing when working with intelligence services. 
  • An overview of the DUAA for data protection experts and other practitioners (including DPOs and people with data protection responsibilities). This overview outlines the specific changes to the UK data protection and e-privacy regime, as well as the reforms to the structure and powers of the ICO.  

The ICO notes that implementation of the DUAA will be phased, with most provisions expected to come into force within two to six months of Royal Assent, though some may take up to a year. The ICO encourages organisations to: (i) familiarise themselves with the changes, including by considering the ICO’s new guidance; (ii) consider children’s needs when processing personal data when offering an online service to children (to reflect the new explicit requirement, and in line with the ICO’s existing Children’s code); and (iii) prepare to handle complaints (in accordance with the new complaints procedure requirement).

ICO regulatory approach

Due to the phased implementation of the DUAA, the ICO has also published commentary clarifying its intended regulatory approach (including to enforcement) during the transition period. For example, the ICO notes that it may exercise discretion when considering regulatory action for alleged non-compliance with provisions under existing legislation, if such provisions will be removed, amended or replaced by the DUAA. Key points from the ICO’s commentary include:

  • The ICO will exercise discretion: The ICO states it will make judgment calls on whether to proceed with enforcement under the previous or updated regime if there is ongoing non-compliance – “In some cases, we will need to exercise our discretion when considering regulatory action on alleged non-compliance with an existing provision under the data protection legislation which is going to be removed, amended or replaced with a similar provision under the DUAA. We will make a judgement on whether to proceed with regulatory action under the old provision or, where there is ongoing non-compliance, consider action under the new provisions.”
  • The ICO will consider contemporaneous guidance (when assessing non-compliance): “When considering regulatory action on the DUAA’s new provisions, we will consider the ICO guidance available to organisations at the time of the alleged non-compliance.” 
  • The ICO will publish further guidance: The ICO confirms it plans to publish new and updated guidance to reflect the DUAA, and that it will identify the nature, scope, and timeline of such guidance on the ICO’s new dedicated planned guidance page (available here).
  • The ICO will conduct public consultations on new powers: The ICO notes that the DUAA provides the ICO with enhanced powers, such as the power to compel witnesses to attend interviews, request technical reports, and issue larger fines for breaches under PECR (up to a maximum of £17.5 million or 4% of global turnover, whichever is higher). The ICO confirms that, as it is required to produce statutory guidance on such powers, it will launch public consultations on such guidance closer to the commencement of the relevant DUAA provisions.

ICO reform

Under the DUAA, the ICO will be restructured to align with the approach taken by other UK regulators. The future Information Commission will comprise a board of non-executive directors and a CEO, chaired by John Edwards (current Information Commissioner). On June 30 2025, the ICO announced Paul Arnold as the first CEO of the future Information Commission.

The ICO’s press release and overview of its new and updated guidance is available here. For a high-level overview of the DUAA, please also see the A&O Shearman blog post here.

 
