The Data (Use and Access) Act 2025 (DUA Act) gives effect to the Government's programme for reform of data protection legislation in the UK. Having received Royal Assent, the Act introduces targeted amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR), rather than replacing that framework.
This briefing focuses on the implications of the Act for those in the health sector.
Lawful bases
The concept of lawfulness under the UK GDPR remains unchanged in principle: all controllers must identify a lawful basis under Article 6 to process personal data, and an additional basis under Article 9 for special category data (including health data).
The DUA Act introduces clarifications that may affect health bodies:
- Article 6(1)(e) (public task) is clarified to mean that the task must be one of the controller itself. Neither public nor private bodies can rely on the statutory functions of another body to legitimise their own processing
- A new lawful basis, Article 6(1)(ea), introduces "recognised legitimate interests": a closed list of purposes (e.g. safeguarding vulnerable individuals, national security, public health, responding to emergencies, and disclosure to a public body so that it can carry out its public task) for which personal data may be processed without first carrying out the balancing test that Article 6(1)(f) requires. The processing must still be necessary for the listed purpose, and an Article 9 condition is still needed for health and other special category data
Public authorities remain unable to rely on Article 6(1)(ea) or 6(1)(f) for processing carried out in the performance of their public tasks. The practical benefit for the health sector is on the other side of the relationship: private organisations (for example care providers, suppliers or charities) gain a clearer basis for sharing data with public bodies on request. This may help address long-standing barriers to collaboration, such as legal uncertainty or risk aversion about disclosure.
Automated decision-making (ADM)
The Act replaces Article 22 of the UK GDPR with new Articles 22A to 22D. The approach to automated decision-making is broadly similar to the current regime, but Article 22A clarifies that a decision is "based solely on automated processing" only where there is no "meaningful" human involvement, and it requires the controller, when assessing whether human involvement is meaningful, to consider the extent to which the decision was reached by means of profiling. Because health data is special category data, the stricter rules for solely automated significant decisions based on such data continue to apply: these remain permitted only with explicit consent or where required or authorised by law, with the safeguards set out in Article 22C.
This clearer threshold places renewed emphasis on demonstrable human oversight. Any body using AI or algorithmic tools must be able to show that human review is substantive rather than symbolic: the reviewer must have the authority, the information and the time to change the outcome, and that review should be documented. This will be particularly relevant for those exploring AI-assisted triage, eligibility assessments or resource allocation.
Health information standards
The Act amends the Health and Social Care Act 2012 so that information standards for health and adult social care in England can be made binding on suppliers of IT products and services, not only on health and care bodies. The standards aim to improve interoperability across NHS trusts, GP practices, ambulance services and social care providers.
The Secretary of State is empowered to publish and enforce these standards, with enforcement tools including the power to publish details of a supplier's non-compliance. While implementation will take time, the long-term goal is to enable real-time access to patient data across systems, a significant step toward integrated care. Providers procuring IT systems should expect compliance with published information standards to become a contractual and regulatory expectation.
Research
The Act introduces several changes to support scientific and medical research, as follows:
- Broader consent: Where the purposes of scientific research cannot be fully identified at the time data is collected, individuals may consent to an area of research rather than to a specific project, provided this is consistent with recognised ethical standards and, so far as possible, they can choose which parts of the research they consent to.
- Expanded definition: "Scientific research" is clarified to mean research that can reasonably be described as scientific, whether publicly or privately funded and whether commercial or non-commercial, and the Act makes clear that the research provisions apply to it.
These changes are likely to be welcomed by all bodies involved in research partnerships, clinical trials, or innovation programmes.
Additional provisions
The DUA Act also introduces:
- Smart data schemes: A statutory framework for secure sharing of customer and business data, at the customer's request, with authorised third-party providers, with potential applications in energy, finance and telecoms
- Digital identity services: A trust framework, register and supplementary codes for digital verification services, supporting secure online identity checks
- Cookies and marketing: Limited exemptions from the consent requirement for certain low-risk cookie uses (such as analytics and security), and an extension of the "soft opt-in" for direct marketing to charities
- ICO powers: The Information Commissioner is reconstituted as the Information Commission, with enhanced enforcement powers including the ability to require witnesses to attend interviews and to issue fines under PECR at the same level as under the UK GDPR
- Subject access requests (SARs): The Act makes clear that organisations need only carry out reasonable and proportionate searches when responding to a request, and that the response period is paused while the organisation seeks clarification from the requester
- Children and online services: A provider of an online service likely to be accessed by children is expressly required to take children's needs into account when deciding how to use their personal data. Organisations that already comply with the ICO's age appropriate design code (AADC) should satisfy this requirement
- Data protection complaints: Organisations must take steps to help people who want to complain about how their personal data is used, such as providing an electronic complaints form. Organisations must acknowledge complaints within 30 days and respond to them "without undue delay"
Our thoughts
The DUA Act builds on existing data protection principles rather than overhauling them. The impact will vary depending on each organisation's use of AI, involvement in research, and reliance on data sharing with private partners.
Although the Act has received Royal Assent, most of its provisions will be brought into force in stages by commencement regulations, and many will also require secondary legislation, guidance or transitional arrangements. You should begin preparing for implementation now, particularly in areas such as ADM governance (including how human review is carried out and evidenced), research consent processes, and cross-sector data sharing arrangements.
DACB’s specialist information law team advises a wide range of health sector organisations and is well placed to support both current compliance and forward planning under the DUA Act.